 They were back, we're live, it was at the 3 o'clock block here on Think Tech Talks. We have an old friend and a former host at Think Tech, Angelos Serres. He was here from 1922 to 1924, as I recall. I'm a vampire. I bet you didn't know that. Yeah. Welcome back, Angelos. Well, thanks for having me. Now, we got an email from you that was really extraordinary. It was about Chase Bank naming names. Chase Bank, and it's a phishing scam, and your title was Chase Bank Fishing Scam Wants Your Selfie. And you had a couple of videos, I guess, on your website, or at least in that email. And I would like to go over that with you and see how that works, and what we can do about it. It was a fairly sophisticated scam, wasn't it? Yeah, and I think we're going to see a lot of these just in general. And that's why what we try to do is share with the community what's going on and ways to protect yourself. And I think one of the ways to do that is through ongoing education, and that's why you got the email, right? And got your interest. I like your emails. You can get on the TELUS email list, you get stuff like this every few days. It's very valuable. Right. And, you know, we took a little cue from Think Tech, and now we're starting to do some videos. There's just some real short ones, not like these, that can kind of abbreviate some of these things. You have to read these really long blogs and complicated things. Yeah. Short is good. Yeah. But the way that the Chase one works is that you get an email in your inbox, and in that email it says, your Chase account has been locked out. We have a problem. Click here, and then you get to a website that's been compromised. That'll get your attention. Mm-hmm. Because, you know, you wonder, let me interrupt by saying, suppose you don't have a Chase account. Well, there's been so much concern. Did they know whether or not I have a Chase account? No, but there's been so much consolidation now. It's kind of... You think you might have a Chase account anyway? Yeah, or you will shortly, even if you don't think you do. I mean, I personally, I have a few Chase accounts, but they didn't start off that way. Yeah. One was with Costco, the other one was with Amazon, and now they're together. Okay. All right. So, you get this email, and it wants you to... It tells you you've got a problem, and you better do something about it right now. Exactly. And you're motivated to do something about it right now. Now, that's, by the way, a key in terms of phishing emails, is that if there's something that, you know, spawns an emotional response, wants you to act now, that should be your kind of your tell-tale red flag that this is not legitimate, right? You probably shouldn't be paying attention to this. And we see this in not just, you know, for individual users with your accounts, but think about HR departments who are suddenly, you know, contacted by a third-party entity that they need to send all the employee WTs over, or the CFO that an invoice suddenly needs to be paid. When you just look at Kui Plaza, I mean, that's a great example of a local, you know... Did you know what happened? Oh, so in November of last year, Kui Plaza received a phishing email, and that phishing email said, Urgent, I need, you know, $276,000 money wired, transferred over, a money transfer, and, you know, the CFO, because it looked like it came from the board president or whoever was in charge, they approved it, $276,000, poof, gone, right? This isn't like the concert at UH, no, completed on a scam for hundreds of thousands. Well, you know, this is nothing new, you know, look through human history, this has been going on for thousands of years, just now we have a digital age, so it's moved to the digital realm, and by very, it's very nature, it's gone exponential. But back to your Chase Bank account, right? Same thing, right? Email comes in, wants you to act on this right away. And I believe we have some slides that we picked up. It kind of shows, you know, what happened, so you're directed to this website, and this website is something that is very common in terms of compromised websites. What happens is that criminals will go out and look for vulnerabilities in web content management systems, and the most popular one is WordPress, I'm sure you've heard the name. WordPress is constantly receiving updates, but if you don't update your website appropriately, there's a good chance that somebody can weasel their way in there, set up these landing pages that look just like this. Well, let's look at this page. The blue, and the white, and those lines, they look normal. See that all the time? Google has a, you know, a color scheme just like that. The background, I don't know, I feel a little funny about the background, but they have a nice looking background. It's a nice picture, it's well-selected, I suppose. And then, am I right, is that? What is going on below? Follow us with various social media icons? Well, this is Chase's login page. So if you do have a Chase account, and you try to log into it, this is what it looks like. So they just copied it. This is a copy of Chase's page. I went to Chase's page, and it looked pretty much the same. And the scams for Netflix look exactly the same way. Including the background and all that. Background, the whole thing, yeah. They put these pretty pictures that make you feel at ease, that kind of thing. I feel at ease just looking. Just looking, I feel at ease. OK, so what could I tell from this page that it's a phony? Well, once you're here, the only way that you're going to be able to see it is through the URL string. The URL string is at the very top. So if you have mismatched links in your email versus the website that you're expecting this from. So for instance, if the email that originally came in, the phishing email, was from help at chase.com. But then when you go to move your mouse down over to where it says, click here to access your account, it goes to abcplumbing.com slash git.php. Right, then you know that there's a mismatch. That's because the link, which looks one way as you see it on the screen, and the actual link address is different. Right, the roll over link doesn't match. You don't see it. So I guess the point is you have to check that. When you go to the page, and if it doesn't say Chase on there, it says ABC Plumbing or whatever it might say, that's already a big telltale sign. Big telltale sign. Another telltale sign inside the email itself is you want to look for anything that looks like it's suspicious wording, such as they use an S instead of a Z. Or somebody that's just speaking English like that. Like as well as they perhaps should. But they try. But it is always just something a little bit off. Yeah, a grammar maybe, or a preposition, or a plural, or something. Of course, if your English isn't all that good, it's not going to really help you because you're going to think it's OK anyway. But just be wary. I mean, I have four big tips, like the four big red flags of fishy emails. One is attachments. Remember those attachments that look kind of odd that maybe you shouldn't be paying this invoice, or if there's some sort of word attachment you shouldn't be doing. Strange wording. Mismatch links. We talked about that. So we want to make sure we don't do these things. These are the big red flags. And of course, that number four, which is the sense of urgency. Any of those four telltale signs, don't bother. But back to the chase scan. The way it's so much fun is that, yeah. Back to the chase. Back to the chase. So to speak. OK, so you suck in. You don't realize it. You don't see any one of those things. You don't put it together because you're not careful. You're vulnerable because it looks like a legitimate web page. All right. So what do you do to get to the next one now? How do you get to the next one? Right. I mean, to be fair, let's say you received 1,000 emails that day, you probably just run through it. Right, that's the problem. And you get to be knee-jerk on dealing with them, yeah. You get desensitized. So let's bring up that slide again. So on that slide, we were looking at this was the username and password page. So obviously, you try to put in your chase username and password. Bing, bing, bing, bing. Do you think it's going to work? Of course not. It's not real. So on the following slide, you'll see that it brings up an error, right? Now, mind you, at this point, you've put in what you think is your username and password. So now that they've got it now, they're like, oh, OK. Well, let's see what else they can get from you. So on the following slide. If you stop here, they already have something on you. Well, all they have is an email. Your username and password. All right. So now they have your email address, username and password. And they've hard to submit. You're already in trouble. Well, it gets worse. It gets worse. So let's take a look. So on this next one here, now they say, you know, it could be that your credit card number is out of date. Let's just put that in there. So they want the credit card number, social security number, ATM pin, mother's name and driver's license number. This is the height of you, Bruce. People are falling for this. I'm not making this stuff up. Let's see. Then what's on the next slide? They want more things. And they say, oh, you know, please confirm your ID for more secure. So this is a perfect example of some bad English, right? But what they're asking for now is your identification card and a selfie of you holding your ID, or one or the other. So the idea is, and now they want you to bring out your phone, take a selfie, and say, this is my picture, right? And take a picture maybe of your Hawaii driver's license. It's very creative. You don't see that every day. You just see selfies every day. And people take pictures of things every day, but not like this. This is different. Well, and if you think about it, what they're after is your picture and your identification. And what do they use it for? That's probably the big million dollar question, right? You have this, you know, you got the selfie, you got the pictures, now criminal, what can they do? I'm on a phony ID card. Exactly, they can make a phony ID card. You're absolutely right. They can go out and open up a cryptocurrency account. They can start doing money transfers, and they can start doing online gambling. You're scaring me until now. Well, this is, this is what it is. And online gambling has been around a long time. And cryptocurrency has been around for, I mean, we've had lots of people on the show talk about Bitcoin. So it's, these are what's needed in order to access those kinds of accounts. And so now they want to take your identity over and use you to go out and do their criminal efforts. So question though, on that last one, can we look at that last one again? So suppose, suppose I, I guess after that. Suppose I, yeah, I put in information on a given field, but I don't, I have not yet clicked on the submit, the blue submit button at the bottom. And I'm kind of thinking that, well, you're okay until you submit on the blue button at the bottom. That's not necessarily true, is it? Absolutely, you're absolutely correct, Jay. So there are lots of services out there. One of the ones that we use is called Lucky Orange. If you bring it up, luckyorange.com, it allows you to essentially put a little bit of code on your site and then it will record all activity that occurs on your site and you can watch it in real time. And there's lots of services out there that do this. But the idea is that even as you're typing things in before you've hit the next button, they already see that there's been some activity on the page, something's going on, they can harvest that information and. Sure, it's like so many programs. You type a single character in on a field, it's going somewhere and you get out of the field clearly it's going somewhere, it'll go to the next field. You don't have to wait to click the submit button. You know what some of the telltale signs are now? It's fascinating. I don't know if you've ever been to a website and you've kind of put your mouse over into a field and you notice it kind of like jumped like it wasn't a smooth motion. Like you moved it off to the side, that's telltale sign right there that it's recording. So now I'm getting suspicious. You should be. I should be buried by this time when they're asking me all this personal information. What do I do at this point? At this point where I've been suckered, I've given them some critical information about me. And I mean, I realize that I've already sent it even though I haven't clicked the submit button. What do I do? Turn off the computer. Take a shower, one, one, two. Well, taking a shower is probably good advice anyway. Yeah, so you don't have a heart attack when you're figuring it out, yeah? And of course, these are the basics of protecting your identity just in the modern age. I mean, you should have identity monitoring, right? So credit monitoring. And there's also dark web monitoring now too, which is interesting. Dark web monitoring. Oh, you can get an account or something to look at what you show on the dark web. That shows under your name at the dark web. And they do a reasonable job of this. I would worry though, wouldn't you worry? Okay, you're now entering the dark web. I was gonna show you stuff and maybe it's actually collecting stuff on you while you're looking for stuff. Well, sort of. So dark web is more like a place. So let's just call it a place for the sake of the conversation. And when the big experience breach came out, that was where the data went, was onto the dark web. And the idea was that they wanted to sell you on this dark web monitoring service that Experian was now selling in response to the breach. It didn't take long either, yeah? Yeah, except for $35 a year. We will monitor you on the dark web. Great, thanks guys. Cute. So whether it's not like you're entering the dark web, it's just your data ends up there. And you want to have some sort of service that can kind of at least keep an eye on those things. And then if something does show up, at least notifies you, you can do something about it. Okay, wait. We're gonna find out right after this break what you can do about it. Because at this point, your spouse has probably beaten you over the head for compromising family information. Okay, I know that. I do have some stories. I know that happens. I have some stories. We'll take a short break. Tell us a rest of SOS Tech Solutions. We'll be right back, you'll see. I mean it. Hey, loha, my name is Andrew Lanning. I'm the host of Security Matters Hawaii, airing every Wednesday here on Think Tech Hawaii, live from the studios. I'll bring you guests. I'll bring you information about the things in security that matter to keeping you safe, your coworkers safe, your family safe, to keep our community safe. We want to teach you about those things in our industry that may be a little outside of your experience. So please join me because Security Matters, aloha. Hi, I'm Rusty Komori, host of Beyond the Lines on Think Tech Hawaii. My show is based on my book also titled Beyond the Lines, and it's about creating a superior culture of excellence, leadership, and finding greatness. I interview guests who are successful in business, sports, and life, which is sure to inspire you in finding your greatness. Join me every Monday as we go Beyond the Lines at 11 a.m., aloha. Okay, so now you've realized you've been had. And you get this thing in the pit of your stomach, then your spouse, you know, you can't even tell your spouse because you know what your spouse is gonna do to you. What do you do? Well, I mean, there's nothing wrong with this. Especially sharing an instance like this with your friends. To find a good marriage. Sure. In fact, sometimes, and this is a little bit off topic, but, you know, I'll be talking casually with someone, you know, oh, about the scam, you know, we had a mixer or something like that. And they say, oh, you know, my wife or my grandma or my mother-in-law, you know, she had that happen and she just paid it off and that. Uh-oh, I think I have to call her right now and see if we can get that money back. So yeah, these things go on and they have been going on for some time. The monitoring is a good way to at least mitigate some of these issues. And there's some wipesites out there. One of them is HaveIBeenPond.com, P-W-N-E-D. And it's a guy out of Australia. He put together this database. He's been kind of assembling over and over for the past, I think, five or six years. And it's all these big breaches as they come out and feeds it into the database securely and allows you to search. And it'll tell you what happened, you know, as a result of that breach and what you can do about it. What can you do about it? I mean, if you find your own data on the dark web, for example, and you know it's, you know, it's really scary. I mean, let's give you a really bad feeling. What can you do? You can't get it off the dark web. What do you do? Go down to the state attorney general. You go to the prosecutor. Oh, don't do that. You go to the HP, what do you do? Well, there's lots to do. I can only, you know, maybe I can speak from my experience and that's an easily relatable story. So in 2016, LinkedIn had a major breach. These names and passwords for pretty much all the users were stolen and posted onto the dark web. At that time I was notified, hey, your info's popped up on the dark web. I'll do something about that. So it looked really quickly and sure enough there was username and password, but it had a password that I had recently changed. So I went and I changed my LinkedIn password and off we go. That was it. Now that data that's on the dark web, even though it's there, is irrelevant. However, however, you could be another site, it could be a password site where you put a lot of passwords in or other information beside the password and the bad guys have that. Now even though you change your password for access to that site, they still have the other information. They do. So this is really like a big headache. Now you have to figure back what was on there again and how do I, you know, how much danger am I really in and what do I do to reel that back or change it or make it irrelevant and make it hard for them to use? This is a hard project. Can I hire somebody to do that honestly because I don't have the time for that? Well, in terms of data mitigation, these are the kind of services that we do. Really, you do it. Yeah, so we do want to work with clients that have an invested interest in protecting their identity. It is important to note though that once your information is posted on the dark web, whether it's relevant or not, it is a target for marketing. Think about it. Email is still one of the best forms of marketing and if they have your email address, they can go out there and say like, for instance, I'll give you a good one. We saw these about six months ago. We've got these emails that were coming in and they said pretty much the following. We are a part of an international hacker group. We have jumped inside your computer. We've hacked it and we turned on your webcam and we recorded you doing not pretty things, right? Not pretty things. You are such a pervert. It says basically that. Really? Yeah, really. It's hilarious. And there's a lot of assumptions about John Doe, doesn't it? Well, you bring up a good point. The ladies who send us these scams are laughing. The guys who send us these scams they're not laughing so much. It's really hysterical. These are the times in which we live, yeah. And as adding further credibility to their claim, they list that out-of-date password, right? It's saying like, look, here's your password. You should pay us anywhere from $800 to $3,000 of Bitcoin. Otherwise, we're gonna release these videos to all of your contacts. But they don't show you the videos. They make you wonder in your imagination what might have happened here. Well, yeah, one of the problems about that is that a lot of these computers now today, the camera can be turned on and you don't know it. Including on Macs. Especially on a Mac. You know, it really, it's really frightening how it can be right there. And right in front of your face, a few feet away and on and reporting back to somebody and you don't know what's on. Don't you think they ought to have some kind of red light or something that tells you what's on? That's the first vector is to see if you can disable that little red light. And in fact, if you look at Mark Zuckerberg in some of his interviews where he's in his office, he has, you know, a piece of tape over his. I've seen that many times when people just tape over and they never use the camera. Yeah. It's a world in which we live, right? Yeah. Well, scary though. Okay, so they got all this stuff and you want to stop them. I mean, how do you do that? I mean, first of all, I suppose these days it's not a good idea to leave that camera on. I'm not saying anything personal here and I know you are not saying anything personal but you know, you should tape it or maybe do something and the manufacturers of Apple and PC computers should probably have a red light next to it. I mean, for your own safety, that wouldn't that be a good idea? I mean, it doesn't cost much to do that and certainly everybody benefits and you wouldn't be snooped on. I'm not assuming you've been snooped on. You do about it. It's somewhere else. Well, it's an ongoing educational piece. I mean, this is like, you know, once you first get your driver's license, you learn the rules of the road and after a while you kind of forget what those rules of the road are and maybe you slow to a stop at a stop sign and maybe go a little faster than you should and then every once in a while you'll get a little ticket to remind you that maybe you need to brush up on those basics and a lot of these basics are the ongoing training piece and we just need to be a little bit more conscious. I mean, in fact, Hawaii was rated as number one, number one in terms of vulnerability to scams. This was based on a recent report and so we were number one for cyber attacks and the biggest reason for that is that we're such a trusting community here. You know, we don't maybe take into account these kind of criminals that are out there and what the world is really like and how they want to get at our resources and they often do. The number, I believe on the rise was about 136% in terms of the number of cyber attacks reported to the FBI over 2018 versus the year before. That's dramatic. Yeah, it's a big difference and I think number two was like Pennsylvania, like 44% so that should kind of give you a difference. So we need to be less vulnerable but you know, part of that would be the machine itself, part of that would be the software, part of that would be public education for sure because right now, you know, these hacks, these phishing expeditions, I don't want to minimize them but you know, they're not gonna kill you. They're gonna make life hard for you but I think going forward, it could be worse and phishing guys and hackers can, you know, and ultimately I think will do much more insidious things against their targets, don't you think? Well, they're becoming much more targeted attacks. It's not like we're looking at these attacks and it's kind of like this barrage of random things. It's really highly targeted. They do their reconnaissance ahead of time and then they start spear phishing for specific attack vectors and then they get, that's how they're successful. Do they say, I want to go after Attila's arrest today. Can they do that? Well, they're more looking at how do we get after PII, PHI because that personal healthcare information and personal identifiable information is much more valuable than like a username and password to your email or even a credit card which goes between one and $2 on the dark web. I mean, it's very difficult for you to change your blood type or to be able to take in, you know, if you have a chronic illness. How do you, you can't get it back, yeah. Right, and what they're doing is they, you know, they do a very specific attack on like, let's say a clinic. They hold the data ransom and then they threaten to release it onto the dark web. It's essentially a blackmail. You should never pay a ransom, right? That's the general idea. Many people do because it's more cost effective than the remediation piece. Because they believe that paying a ransom will actually unlock their stuff. And about 40% of the time it does. 40%. Yeah, that's the sort of thing. That leaves 60% is my calculation. Yeah, not so good. You mentioned earlier, Attila, that sometimes you get, you get email, lots and lots of email, you know, 1,000 emails a day. And somebody has gotten your email address somewhere maybe that you didn't know or want and they're on you. This is a really big question. I'm so happy you're here so I can ask you this question. So let's assume it's more than an assumption. I get 1,000 emails a day. And they go, oh, walks a life in there, you know, selling me this and selling me that. A lot of political emails, a lot of, you know, retail emails. I mean it's just on and on and on and on and on. It takes me all day to delete them all. How do those guys get my emails? But worse, the second part of my question. Was it through some insidious thing or is it something that I knew about or should have known about? And the second part of the question is, what can I do in terms of dealing with my email, not, you know, to escape them? You know, I like to start a new email address and say, just use this one. But then I think, you know, my 1,000 emails will follow me in about 24 hours and I start getting them again. What do I do? Well, you asked first when, like how do they get your email address in the first place? And I can answer that with something that happened recently with Exactus, which you probably haven't heard of. They're actually a data binding company and they took everything about you. So such as your driving habits, number of children, date of birth, age, any sort of health conditions that create this overall profile. They did this for about 340 million Americans. And a few months ago. That's a lot of Americans. That's everybody. That's everybody, more than everybody. So they had all that information taken away. Now, if you think about it, that information ends up on the dark web and now legitimate organizations can go to the dark web and maybe even indirectly, maybe even through a middleman, not know that they're buying this information that was leaked accidentally by a mailing list. And so they want to sell you, let's say, flowers on Mother's Day. Well, let's buy a mailing list, spend a few thousand dollars, and get some good return. Not a bad thing except. That's pretty standard. I didn't agree to that. And that is absolutely correct. And so in your inbox, instead of you going through there and deleting a bunch of email messages, unsubscribing is a lot more effective. Now, you're not going to ever get away from the whole thing, right? So let's just be realistic about that. But I've been able to cut, just personally, about 90% of my emails out through unsubscribes. And, you know, I run a mailing list myself, I get it, right? So sometimes we get a little few unsubscribes, but the idea is that if you have a good mailing list yourself, where you're providing valuable content where it's personal, and it really does give value to that person, then they're gonna probably stick with you. But if you're sending trash and just the usual, hey, buy now, act now, do this now, those are the kind of things that you should unsubscribe from in general, and those are the kind of emails that you shouldn't send out to others. Pay to unsubscribe, does that really work when you click an unsubscribe button? Most of the time it does, yeah. And, you know, it's never gonna go away, you still will get, you know, a number of emails, but I've cut my emails down from hundreds per day to less than 15. You gotta talk. Let me ask you two more short questions because we're really out of time here. The first question is, if I go on a dark web, I'm gonna make me a dark bad guy, bad guy. I'm an insidious hacker person and all that. And I wanna buy a mailing list, how much is it cost? Is it real expensive or is it cheaper than you might expect? It's cheaper than you might expect, but let's talk about what you think that you are, which is you think you're an insidious lone gunman hacker. Over 92% of all hacks last year occurred through organized crime. So what we're talking about is criminals that are highly organized, highly well funded and often linked to, you know, larger organizations such as governments and other groups. Or state actors. Of course. And as you know with WannaCry, just January of last year, those things that locked up train stations and billboards all across the world, they were linked to North Korea. This is not a secret. They love doing that stuff. The other ones who brought Sony down, remember? Right, exactly, yeah. Because of that movie. Which we wanna talk about. Right, because of the movie it was that simple. We wanna talk about censorship, eh? So okay, my last question, which I'll answer it. I'll answer it for you. Yes, that's the answer. And the question is, will you come back and talk about, you know, social media, you know, Facebook and alike and how we can protect ourselves from being scammed, not scammed, but undermined, you know, and having information taken by them. What do you think? Well, there's a lot of answers to that question. And if we have some good audience engagement, then maybe we can make an episode about it. That's what the answer is generally, yes. We'll get there. You will come back. I'm always in the neighborhood. Thank you, Attila. Those are SOS, tech solutions. Thank you. All the best.