Cybersecurity Secrets Schools Never Teach Artwork

Cyber Crime Junkies

Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.

Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast

All Episodes

Cyber Crime Junkies

Cybersecurity Secrets Schools Never Teach

October 27, 2025 • Cyber Crime Junkies. Host David Mauro. • Season 7 • Episode 48

New Episode🔥We explore the often overlooked connection between a significant data breach and mental health, focusing on the resulting anxiety and cyber security concerns. We discuss how data security impacts identity theft and the rising rates of cyber attack. It's time we address the emotional fallout from these incidents.

Learn Cybersecurity Secrets Schools Never Teach. See how to unleash the best cybersecurity strategy to defeat hackers now and protect your digital fortress from cyber threats.

Chapters

00:00 Introduction to Cybercrime Awareness
02:18 The Personal Impact of Data Breaches
04:54 The Evolution of Cybercrime
07:49 Digital Transformation and Vulnerabilities
10:34 The Role of Personal Lives in Cybersecurity
13:31 Understanding the Cybercrime Ecosystem
16:14 Protecting Yourself from Cyber Threats
18:46 The Importance of Freezing Credit
21:28 The Reality of Phishing and Social Engineering
24:34 The Rise of Deepfakes and AI in Cybercrime
27:01 Best Practices for Cybersecurity
29:31 Conclusion and Final Thoughts
33:40 The Future of Cybercrime: Trends and Predictions

Send us a text

Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com

Support the show

🔥New Special Offers! 🔥

Remove Your Private Data Online Risk Free Today. Try Optery Risk Free. Protect your privacy and remove your data from data brokers and more.
🔥No risk.🔥Sign up here https://get.optery.com/DMauro-CyberCrimeJunkies
🔥Want to Try AI Translation, Audio Reader & Voice Cloning? Try Eleven Labs Today 🔥 Want Translator, Audio Reader or prefer a Custom AI Agent for your organization? Highest quality we found anywhere. You can try ELEVAN LABS here risk free: https://try.elevenlabs.io/gla58o32c6hq

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Dive Deeper:
🔗 Website: https://cybercrimejunkies.com

Engage with us on Socials:

✅ LinkedIn: https://www.linkedin.com/in/daviddmauro/
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Learn Cybersecurity Secrets Schools Never Teach. See how to unleash the best cybersecurity strategy to defeat hackers now and protect your digital fortress from cyber threats.

Chapters

00:00 Introduction to Cybercrime Awareness
02:18 The Personal Impact of Data Breaches
04:54 The Evolution of Cybercrime
07:49 Digital Transformation and Vulnerabilities
10:34 The Role of Personal Lives in Cybersecurity
13:31 Understanding the Cybercrime Ecosystem
16:14 Protecting Yourself from Cyber Threats
18:46 The Importance of Freezing Credit
21:28 The Reality of Phishing and Social Engineering
24:34 The Rise of Deepfakes and AI in Cybercrime
27:01 Best Practices for Cybersecurity
29:31 Conclusion and Final Thoughts
33:40 The Future of Cybercrime: Trends and Predictions

Speaker 1 (00:00.654)
Why is it that data breaches are always in the news? When in fact the real story, the real fallout of emotional personal wreckage, that fallout never is. We talk about stolen data, but not the lost jobs, bankrupted families, the emotional toll and chaos that follows. This isn't about fear and cybersecurity is far more

than just technology. It's about control and human behavior. How to protect your money, your identity, and the people you love from the world's third largest economy. Cybercrime. What you're about to see is a live session that's opened eyes across the country. Real stories, real tactics, and simple moves that keep you safe. So let's dive in.

This is Cybercrime Junkies and now the show.

Speaker 1 (01:08.696)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.

Speaker 1 (01:32.408)
Data breaches are always in the news, but something that's rarely reported on is the fallout from breaches isn't just corporate, it's personal. Jobs are lost, families file bankruptcy, and the line between our work lives and our personal lives, it's completely blurred. See, hackers don't need to break into your company anymore. They just need you. They need you to be distracted, busy, and trust them when they impersonate a trusted...

I run these sessions for over 16 years, often alongside FBI agents. When they come in, they scare the bejesus out of everybody and leave. It's cool, but it doesn't change behavior. Today, that's going to be different. We're giving everybody these invaluable take-home resources that have simple steps and explanations. If you follow them, everybody that has, they don't get identity theft.

They don't lose their life savings and their employers don't get breached. So raise your hand throughout this session and ask questions. It'll be as interactive as you want it to be. I know time is precious, so let's get started.

Speaker 1 (02:47.81)
So on the screen right now, if you're on Teams, there's a QR code. If you aren't safe, just scan that. You're not always safe to scan all QR codes. Generally, I think you've all seen that on social media. When you see QR codes at parking lots and near restaurants and stuff, you have to be careful. But if the QR code is safe, you will be able to download all of the tape-only sources. There's a packet there.

None of it costs any money. It takes maybe half an hour to go through the packet, if that. And if you follow the steps, if you want to go over some of it, this is the 867th session of the speech that I've been doing. I've done it for 16 years. I'm part of the FBI's informer, my name is David. I want you guys to ask me any question whatsoever. There's no such thing as a dumb question.

when it comes to cyber security. Cyber security is a matter of not only national security, but also a way for you to protect your lives. The point of that initial video is this. We get involved, I work for NetGames, IT, cyber security, we've been in business since 1984.

Really the reason I joined that game, I was at a big security firm in Canter because they're first responders. When there's a data breach, even if we're not doing the IT and we don't know the client, other IT companies don't know what to do. They don't know how to negotiate with a Russian ransom marketing who's very good at the job. And they call us. We get calls on the 4th July, holidays, not by accident.

that most breaches occur on holidays and weekends and late nights. It's because the attackers know the IT people are asleep or not wanting to work, right? Here's the thing. What's not reported in the news, media breaches are more in the news now than they ever have. And if you chart it out through, you guys probably know, you can pull up a lot of media trends.

Speaker 1 (05:15.342)
Um, you can see that right around 2011, 2013, before that you never saw a date. was one in like three years. Why is it matters? Right? The reason it's important is because it's my. It's all right. Otherwise I'm going to just be really weirded out. I'm going to be like, Hey, I hear myself.

not just in my eyes.

Thank

It's okay. It's all right. I can't get the TV to work, so don't worry about it. It's for a couple reasons. One, right around 2011, 2013, satify that really. You're the third largest economy in the world. The third largest. What the First largest. The first largest is the United States. We are the largest economy in the world.

We do more business than hundreds of other countries literally combined. Right? Second is China. And third is cybercrime. They generate more revenue every single year than all of Europe, all of the EU, Australia, and Canada combined. All of those countries combined with all those million people earning and generating revenue.

Speaker 1 (06:48.97)
All of that is less than a third of what cyber project is. It's very well funded. It operates just like legitimate businesses. And in fact, where they operate, they are legitimate businesses. See, you have to understand, they live in part of the world where they've grown up at their kitchen table, talking to their grandparents and their parents.

that we are the enemy. And I kid you not, they absolutely hate you. I've talked to an enemy, talked to them and they're well, I my entire life, you guys are the problem. If I take out a children's hospital, if I bankrupt you, not only do I not go to jail, I have fight five or nine village. That is the way it is.

Now the challenge is right around 2011, 2013, it started to make a lot of money and they started to productize. They started to advance. They started to figure out, wow, I just spent six weeks developing this ransomware code. I'm the one launching it. I don't want to have them to do money laundering. I'm going to having to encrypt having to deal with these Americans. have to do all this stuff, right? Why don't I organize? Right? I've seen the Godfather.

Looks pretty sweet, right? You're at the top. Why aren't I working on this? I have the code. I will get digital mercenaries split 50-50. I will have somebody do money laundering. They can take a cut. I will do all of this. And now I don't have to just attack the one that I'm attacking. I can attack thousands at a time. I will create a website. I will hire people. And that is the ecosystem that started.

What also happens...

Speaker 1 (08:48.014)
was things driven by vendors. You've all seen it. Digital transformation. Don't have files, right? That's a lawyer. So you guys have a lot of Right? And what happened? The vendors scanned and they said, we're gonna pull out the paper. That's archaic. Be more modern. Put it on servers. Right? Bars can't be hacked. Right? Put it where it's secure. Right?

And so digital transformation happened. And here's the result. When they go down, which they will, which I'll explain why in just a second. When they go down, it affects us more. Think about it. I don't think many of us, maybe a couple are in their 20s, but in general, most of us remember when we had big computers in the office and we also had paper in the office. When the computers went down,

Okay, we still had processes in place to conduct operations. Whatever our field, business, sales, medical, whatever it was, we could still function. Not today. I mean, when a hospital goes down, and I represent a lot of hospitals, when they go down, people have died. 62 in America since January 1st.

have died directly related to Rensen. Because we don't even have the processes in place. We've gotten away from it all. We digitized everything. The other thing that's occurred, which is why data breaches are in the news more, is this. Love speech. Huge fan. Loud and nice hit. You can't hear that apparently. But brilliant, brilliant device changed our whole life, right?

How many of us check email from home? They know you're Like we all do, right? Just know that like 62 % of all the data breaches did not occur from clicking a phishing email at work. It occurred when we're in our bedrooms or at the beach or at the gym. It's our personal lives that are causing data breaches everywhere.

Speaker 1 (11:13.902)
When I say everywhere, mean not just at work, but also our own identity. In the take-home resources, you're going to be able to put in your personal email, test your passwords, see if you've been breached. And I guarantee you, 100 % of you have, you've been involved in a breach. So, right, if you have a FICO score, you've been involved in a breach.

letting you know if you've ever borrowed money from a traditional institution, you've been involved in a breach. So you need to check those accounts. And we give real simple instructions. It's real simple. Like if the breach happened two years ago and you haven't checked that Yahoo accounts, right? Go change that password. Right. Or close out the account if you don't use it. We have a lot of archaic stuff.

And I'll get to the get to the model of cyber crime in just a second. But that's primarily the reason why data breaches are in the news. They're in the news because there are more news for people and they have more because when it happens, it literally shutters manufacturing down. It literally stops hospitals and stop the entire. guys don't practice in Kansas, but if you did in Kansas City, if you know any.

fellow lawyers out there, the court system was down. They weren't able to do anything. know, like the clerks, we got involved, we got called in afterward. The clerks were like, where's the carbon paper? And people were like in their 20s going, the what? Like we don't use faxins, we don't know those are, we don't have carbon paper because we're more advanced. We're like, yeah, you're also more vulnerable.

If you take nothing away from today, realize this, everything we do on social media, everything you do on your phone, you're not in Kentucky when you open this thing up. When you fire up that laptop from home or from work, you are not in Kentucky. You are on the global stage and there are people that absolutely despise you.

Speaker 1 (13:42.39)
and want to hurt you. There's zero empathy. We've had neuroscientists, FBI hostage negotiators discussed with these groups.

Our view is we're the good guys and they're sociopaths. Their view is I can go work in a factory for $110 a week for 80 bucks or I could do something that is not illegal and I will never get in trouble for and start making day one $15,000 a week and it goes up from there. And if you have to provide for a who needs kidney transplant.

And you have to provide for health insurance, simply that needs cancer treatment. What are you going to do? When you talk to these people, we still don't like them. Empathy doesn't mean sympathy. But there's definite empathy. You understand why they're doing it. We don't agree because they can still do productive things and make it. Instead, they're destroying it.

But the point is, that nobody is going to, if you know people that have had to engage the FBI after daily reach of something, they're not going to come in with white horses and save the day, right? We may get them. We may get them back. And if any of those guys ever travel outside of Moscow or Korea or Iran or places where they operate, right, and they take a connecting flight to Poland, we'll get it.

and we have, but that's about it. If they just stay in the CIS countries, the countries that are formerly the USSR, they will live a very wealthy, contained life and we will be hurt from it. So I don't wanna scare you because the good news is this, and I wanna use this analogy.

Speaker 1 (15:56.526)
Go swimming, you're in the ocean, and there's a bunch of people from a bunch of different companies there, you've got families, everything else, right? You can all imagine it, we all love being at the beach usually, right? And somebody sees things over there, right? It's a shark, it's a dolphin, I don't know, I'm from the city, I just know I'm not gonna sit around and figure out, I'm getting to shore, right? Now the truth and the reality is, you will not out swim that shark.

Never. You're never going to. Just like a hack. There's no way. is. One of the two truths that I'm about to show you is absolutely true and I will prove it. Every single thing is hackable. Somebody sells you a secure product, it is reducing the risk of it, but everything is hackable. Everything. Everything can be blown up.

I've literally had people scream at me and say, this is not hackable. And I say, join me in Las Vegas in the summer when we go to Debt Top. Because they have villages there and they blow it up. It's the same people that hacked into the Mars Rover lot when I was there. They're like, here, we're on the Mars Rover here. We're going to play God Save the Queen through the Mars Rover. And later on, you saw on CNN, Mars Rover was playing God Save the Queen.

Why? Because everything is hackable, right? But just because of that, you can still reduce the risk, right? So in that analogy, you're never going to be able to out swim the shark. Why? Mako's sharks can swim 40 to 45 miles an hour. The great white sharks, think Jaws, the movie, right? That thing swims 25 miles an What's the speed of the fastest recorded human swimming?

ever in the history of 8 miles, 8.2 foot long. We're never going to be able to out swim that ship, right? But the good news is that we don't have to. We literally just have to out swim that guy. Like literally just do a little bit to protect yourselves. Do it for yourself.

Speaker 1 (18:20.302)
I've done so many of these trainings and I'm like, want to protect the company, I want to protect the company. And the reason it falls flat sometimes is people are like, look, I don't even like my company. I'm gonna be here in a year. I don't know, I just started here. I don't know these guys yet, right? How, what, like they're not doing it for those, for the right reasons. But then we get back to the point of.

What's not in the news? What doesn't get reported in the news is the fact that the people involved in the data is also had their identities. Also wind up filing personal bankruptcies. Also wind up getting tied in with loss.

Sometimes we can judge others depending on how the region speaks. That's never in the news because it's not news. But we're involved all the time and we see it happen. That's why this is called awareness. Most people don't realize that. So what I want to do and what those take-home resources are about is for you to protect yourselves. Do it for yourself. Do it for your family. Do it for...

for no other reason than you've been working hard in your life and you have something that you have value of, so protect it. Because the people that will destroy it don't care about you. And if you do that, everybody benefits. You, your loved ones, and your employer. Because the lines between what you do at home and on social media and...

at the gym and all that are completely blurred with the effects at work because of these devices. The same accounts that we're logging into also have other accounts. How many people have TikTok on their personal phone? Right? How many people have Facebook, Instagram on their personal phone? Did you know that it records every single thing you ever

Speaker 1 (20:33.29)
on the phone and it sits on their servers and their servers have been breached more than seven times, which means it's for sale on the dark web.

The dark web is right there. The dark web is the internet. You just download a free browser and you're there. And it works just like Amazon. I want a dossier on this person. I want access to this company. You can do searches. You can find it. And it's 10 bucks, 50 bucks, 100 bucks. And while you're there, you'll be recruited to join a ransom market and offered tons of money.

This is the reality of cyber crime. And that's what we want to prepare for. So common myths, surprising reality, some myths. We're too small. We're too small of an organization or I'm just me. I have this role at this company. Why would they want me? And the truth is, is they don't necessarily want you or want your company, but they absolutely will get you. Right. Why? Because.

Picture yourself at Target. Move up into Target. Picture yourself in the car. When robbers want to break into cars and steal what's in a car or steal a car itself, they're not going to smash the windows and draw attention to them. What do they do? They walk around all of the cars and they just pull the door. Why? Because people leave their door handles unlocked. Either negligently because they forgot.

or intentionally because they trust too much, right? They do that. All I'm asking you to do is lock your doors. Literally cost nothing. In Take Home Resources, we talk about freezing your credit, okay? It's free. We show you exactly how to do it. And we've interviewed cyber criminals who say if Americans would just freeze their credit, we couldn't do 90 % of what we do today.

Speaker 1 (22:42.99)
It's free. Freeze your children's credit. Or if you're a grandparent, get your kids to freeze their kids' credit. 100 % do that. There's no cost. And the reason is because then they can't go and create loans on behalf of them. They love creating synthetic identities for children.

because parents don't check their kids' credit. I've interviewed so many young adults who are now in college or out of college and they want their first loan and they're like, have a foreclosed condo in Nevada. I have $185,000 that I'm liable for that I never had that medical treatment.

Speaker 1 (23:38.68)
Do you the vendors, the people that hold those notes care if you have an identity theft? No. Right? You have to go through years of process and filing forms and working all of that out. And then, after all that, repairing that child's credit. It can all be stopped for free if we know what to do. the credit. You freeze that credit, they can't do any of that.

And what are they going to do? They're not going to keep going on you. See, the whole good news here is we don't have to do that much. We just have to put up a little resistance. So they go after that. Because the number one password that Americans use is what? One, two, three, four, five. The number two password is what? Password. I kid you not, I can't make this stuff up. I've been doing this thing for 16 years. It's still the same.

Like Americans are brilliant engineering. I'm a major patriot and fan of this country, part of the FBI's InfraGuard. If I was young and in shape, I would enlist probably, but probably do the cyber defense maybe. But so I don't get shot plus it'd be cool. look, we trust too much. I do a lot of work and you can't.

And it's, it's answer. They're like, they can't, they think I'm talking with like two hemets. They're like, do like people want to do this. They don't. Come on. They don't believe this will happen to us. I'm like, yeah, they do. Like, yes, they do. Like we're the enemy to a lot of people just for existing, just because of our freedom. Right? All I want you to do is not be.

Jaded, don't be scared. There's nothing to be scared about. Just care enough to take a little bit of effort. It's not too much to ask to just lock your doors when you go to Target. Right? That's not hard. It doesn't cost anything. It takes a second. It's very similar to CyberStream. It's not that much you have to do. You just have to put up a little bit of effort. Hackers, when I say the word hackers, what do you guys think?

Speaker 1 (26:06.222)
What the heck? Don't you think like, kid in a hoodie, kind of autistic, like having like, Red Bulls, eating Hot Pockets, living in his mom's basement, very technical, cracking code all day? Think Tony Soprano instead. Because it's organized crime. They have call centers, they have people that are not technical whatsoever. They have really good salespeople.

Did you guys hear about the MGM breach? Remember the MGM breach? Like elevators weren't working, reservations were down, the car parking lot gates wouldn't function, all from a ransomware attempt. How did it get in? A kid in Florida who's 20 years old called and said, hey man, got a new iPhone, I worked there. He looked on LinkedIn, found somebody who worked at MGM.

and said, if I know iPhone, could you just help me to log in? And it's a help desk. It's help is baked into the name. Like they literally were like, no problem, buddy. It's a recorded conversation. No problem, here you go. Here's access. Once in, he was tied to lock and he went the Russian ransomware gang. They went in, they went in and tied. And then they actually handed it off to Black.

This

Speaker 1 (27:38.124)
another gang. Like all of these gangs are all basically from the same like 175 group. There's like 175 of them and they fold after one gets a bad reputation and they come up with like another name like Drunken Panda, Shadow Brokers. They have websites right there on the dark web. They recruit, they have mascots. They have little logos. Like they go to Canva, create a little logo like they...

It's like a business. It is. It operates just like a business. But that's really what it is. Are there still some highly technical people? Yes. But statistically speaking, it's about maybe 16, 17 percent. And that's it. Once the code is made, it's all in the sale of the code. Right. We created polymorphic ransomware work.

We're the new age of ransomware. have advertisements on the dark web. Like, get your ransomware here. Like, don't go to those guys. Those guys are outdated. This is, this, use AI. This is ours has got AI, man. Like everything has AI, right? Like use this. The other thing is security is not my job. It's an IT problem. Okay, well, TVs aren't my job, but it's my problem, right?

It's not in your job description, but you have an identity. You have savings. You have things that you work for. It's your problem. No one can save you from it. Every time you pick up that phone and log into that laptop, you are entering their world. And so just do a little bit. That's really all we're asking.

So two truths, everything is hackable and the internet never forgets. Has anybody raised kids?

Speaker 1 (29:45.878)
Any teenagers? Anybody with teenagers here?

I can't tell you how many times I argued with my son and daughter at the time. And I'm like, you know, you don't understand. It's Snapchat. It's leaks. See, look, I'll this text to Tommy. Boom. See, it's gone, Dad. Like, it's not gone. Like, yeah, it was really embarrassing. Maybe I'm a little nude, but I shouldn't really say it. But it's gone. Nobody can see it.

I'm like, no, Einstein, like it's gone from the device or your view, but it's sitting on a server that's gotten breached and it's now on the internet for sale.

Everything that's typed on that phone, even after it's deleted, sits somewhere and can be found. Right? Everything that is texted, everything that is posted on social media, even though it's immediately deleted, everything is still able to be found. Everything. They even have...

places like Social Catfish, Primise, and Maltego that are legitimate companies that will sell you complete dossiers. If you want to really get freaked out, order a dossier in yourself. You will see your entire life since the internet wasn't there. Everything. If want to see your AOL checks from 2001, they're there. They will send it to you in a package.

Speaker 1 (31:34.964)
everything. There are companies that package all this stuff.

Premise is a company that when, you know, did you see that meta just came out with the glasses so that you can have like a computer when you're walking around? Okay, don't get me started. Anyway, people that buy that will be able to hook it up to Premise so that everybody that they see, they don't have to know you. Everybody that they see, they can run a complete dossier on the person right next to

you'll be able, they will be able to walk and see absolutely everything. But that's what MED has been doing for years. They've been in the business of data collection. That's where they make their money. But that's the world that we live in. what happens, I promise I would talk about fishing, some boring stuff. What happens when you click on a fishing line? Your alarm's go off, the icy guy from running in, you're like, I can't believe you.

Why do they do that? No. Sometimes nothing is, you're not going to be able to see anything. But I'm going to show you, I'm going to take you to Las Vegas, to DEF CON, the hacking convention that's been going on for 26 years. And you're going to see exactly what happens. And for those sitting here without a computer, you'll be able to hear.

Speaker 2 (33:04.078)
DEF CON is the biggest hacker convention of the year. It's a where thousands of hackers come to hear talks to demonstrate their newest hacks. It's actually a place that's so dangerous to be on the internet that they tell you to turn off the wifi and the bluetooth on your phone. I think this is car hacking village. This car is locked. Can you get me in? I'll unlock it for you. This should be good.

is no longer like this fringe activity and if you are at DEF CON there's a good chance that you're here because you want to learn what could happen to you or your company.

We help people with human security issues by testing vulnerabilities for like a network test, but it's for the people network. We test those vulnerabilities, see where the holes are, and then help people learn so they can patch. We have our star visher here, make some phone calls as usual. do it.

Can we try some of this?

Speaker 2 (33:54.99)
Sure. Do you want to do a sample of phishing call? What's phishing? Phishing is voice solicitation and basically what you do is use the phone to extract information or data points that can be used in a later attack. Let's do it. Who are you going to call? Maybe I'll call your cell phone provider and see if I can get them to give me your email address. I bet they're good. I bet they have my back. But yeah, go for it. I'm going to spoof from your number. So it's going to look like it's calling from you. OK.

Speaker 2 (34:23.658)
I'm actually I'm so sorry. Can you hear me? Okay, I my baby. I'm sorry my My husband's like we're about to apply for a loan and we just had a baby and he's like get this done by Today, so I'm so sorry I can't I'm trying to log into our account for uses information and I can't remember what email address we use to log the account the baby's crying and Can you help me?

In just 30 seconds, Jessica gets my personal email address. Now if I needed to add our older daughter on our account so she could call in and make changes, how would I need to go about doing that? You would have to send me a secure PIN through a text message? Yeah, well the thing is I don't think I'll be able to receive a text message if I'm on the phone. Oh, I'm not on there either?

So I thought when we got married, he added me to the account. Okay, uses my girlfriend's name and a fake social security number. 5127. To set up her own personal access to my account. Wait, I'm sorry. So there's no password on my account right now? Can I set that up? He even gets the support person to change my password. Thank you so much for your help today. So she just basically blocked me out of my own account. Get her fed after this. Alright, thank you. Holy shit. So they just gave you access to my entire cell phone account.

She

Speaker 2 (35:42.166)
and change your password now because it's Jess, my name. And all it took was a crying baby and a phone call. Yes. I really thought that my cell phone company would protect me. I mean, like, this is the most basic stuff and they're not doing it. And if they're not doing it, you know all these other businesses aren't doing it either. But I was curious, what can a hacker with serious coding skills do? I did get into quite a number of things that I found. So what were the first things you did? How did you start hacking me? I quickly found your Squarespace.

blog and had an idea. Basically what I did was created a bogus Squarespace site and sent an email to you, a fish asking you to go to this website, run this certificate in Stalix. So once you ran that, it gave me access to computer and I created several fake pop-ups that looked like system pop-ups that would ask you for your credentials. So I stole your one password keychain.

And one password is where I store all my other passwords. effectively by... And your social security number and your AMAC stuff and all your stock trading and bank information. I can send email to everyone in this room as you. I am you right now if I want it to be. If my evilness is working correctly, it should actually be taking pictures of your desktop and pictures through your webcam every two minutes. And I have been watching you for about two days now in coffee shops at your mom's house on a plane.

Here's your editing stuff. Here's your- Oh my god, so this is literally- Every two minutes? my webcam. Yeah, through this guy. How badly could you have messed up my life? I could have made you homeless.

I could have made you homeless and penniless. How? How would you make me homeless? I have control of your digital life in its entirety. I have all your credentials, have all your access to all your financial information, all your work information, all your personal information. I can pay people with your bank account or your Amex account. I am you. I can fully impersonate. The only thing couldn't doctor would be like your fingerprints.

Speaker 2 (37:35.638)
This is like as bad as it gets. It's ridiculous, yeah. It's bad. He got everything. I mean, frankly, I want to take my computer and throw it into the deepest part of the ocean. And I want to never touch a piece of technology again.

So there's a lot to unpack there, but the key is this. Because of what I said in the beginning about we've gone through this digital transformation and we don't have the physical processes in place, Our entire worlds are digital. So one click on a phishing email may not mean ransom, but it might mean that they can take over your identity.

And think of what that means. Your identity in 1998 wasn't that big of a deal. Right? There was still so much more you could do outside of the digital realm. What do you do today that does not touch any technology? Think about it. And I don't mean going for a hike or going for a jog. I mean, what do you do today?

commerce-wise, purchasing something, communicating with friend, loved one, business. Think about it. If they can take over your identity, and we just saw it was that easy, right? They can be you. And when there's you, they can do everything you do. And most of what you do is tied to technology.

more so than before.

Speaker 1 (39:17.848)
Does it, is it kind of starting like, the, is it kind of, kind of, is the circle kind of connecting or the dots connecting? Like it kind of makes sense, right? We're more dependent on technology than ever before. We are still as a society and as a culture sloppy. And if they take over our, and I don't mean you guys, I just mean Americans in general.

Speaker 1 (39:48.13)
What they're able to do with our identities is make us homeless because they can't. Literally, they can spend your money. And why is this a risk to your employer, to your company, in fact? I'll tell you.

Because it's not a breach if you log in at work. It's not going to set off any alarms.

It's you. The only thing we don't know is, is it actually you? well, we've got multifactor authentication. We're protected. No, no. You have multifactor authentication that ties to that person's secondary device. Well, on the Amazon of dark web, they sell a ton of things that once you click on that link, it also sends the

prompt for the multifactor to their self, not to users. They become you. They can do everything you do. And if they gain access to work, the first thing they're going to do is look at your sent file and your email, because that's where everybody forgets what they sent. And they're going to look at all that stuff, and they're going to see vendors. If you're involved in accounting or payroll or accounts payable.

The first thing they're going to do is change the inbox. Right. Because they see, oh, it's what is today, you know, fourth of third of October. Right. So it's it's it's it's it's there's an invoice from Lexus Nexus coming or something. Then they're going to send an email to you. OK, well, they're going to change your inbox rules so that when the actual vendor that you trust and know

Speaker 1 (41:43.454)
emails you it's not going to hit your inbox you won't see it. What will happen is it'll hit their inbox and then they will copy that email and send it. But things will be changed either a link will be malicious or the wiring instructions will be changed or something else. Let's talk about cybercrime by the numbers. I know that we're running late because we got a late start. Is everybody still good going for maybe 10-15 more minutes? Okay.

This one. if you got to go, just go. We'll we'll record it and I'll send it out to everybody. Cybercrime by the numbers. We're too small to be breached. No, 63 percent of all the data breaches involve organizations with fewer than 100 companies. Why is that not on the news? Because you're not a household name. You're not Nike. When Nike gets breached, right, when Uber gets breached for the sixth time, right, you're going to you're going to.

hear about it because everybody knows Uber. They don't always know us. The number one tactic that they do is social engineering. We just saw an example of social engineering. It is manipulating a human to do something against their interests, knowingly or unknowingly. That means we let them in. They're not hacking. This isn't a kid with code and high technical skills. This is a person being able to persuade another person.

to do something against their interests without even knowing. 64 % of breaches involve ransomware, 62 % involve AI. We're gonna get into AI in just a second. But how are we doing? Well, we're protecting ourselves, we're smart people, right? Well, 79 % of us reuse a password.

Speaker 1 (43:36.408)
Reuse the password.

Speaker 1 (43:41.454)
reuse a password, 79 % of us. So I did this presentation at a group of like 1500 people 10 and 11 days ago. And I had everybody stand up. Who's got a really strong password? I had some things up on the board, right? And a bunch of people sat down, they had strong passwords. I said, okay, that's great. Who has a really good password? And they were there, go, who uses it on more than one app?

or more than one login and every button. 1500 people. We do that. We do. We're like, I've got a really good password. You gave me those take-home resources where there's a valid place you can go and check the strength of your password. That means if they're using brute force software, it won't be able to crack it. But if you reuse a password, what happens?

If you're using that password on Facebook, which gets breached all of them, or some app to order some product, right? And they get breached. Like, do you know their cybersecurity register? Do you know what they do? I don't. I don't know how strong of cybersecurity some of the vendors are that I do business with. Like, I don't. Right? And if you don't and they get breached,

Within an hour, it's for sale on the dark web. Your email and your password. It's a really good one. It's not password, but I have it now, which means I can log in as, right? As good as your password can be, you have to use a different one on every single one. Well, it's easy for you to say there's like a million passwords. The average American has like 60 now. Like that's, and that's probably a small number.

when you think of all the different things you log into. That's why password managers are real. There are free password managers. There are affordable ones like three, four dollars, maybe six bucks a month. And it'll generate a really hard password and save it for you. And you never have to remember it. It'll just pop it right in or be right up in your browser. Well, I use Google Chrome or I use Edge. Can I?

Speaker 1 (46:09.556)
use the password manager that's in Chrome.

The FBI says no. My personal opinion is no. Don't. Why? Because Google Chrome has a lot of vulnerabilities. Not because of Google. Google actually has one of the best cybersecurity divisions on the planet. It's not because of Google. It is because, look, this is a Mac. I love Macs. Just personally, I just love them. Right? Just love the ecosystem. I love it.

Is it more secure than a Windows device? No, not at all. Am I safer using it? Yes. Why? Because it's a business. Cybercrime is a business. If Macs are only 4 % of the workforce in America and I'm going to generate a product to go attack American workers, I'm not designing it for Mac. I'm not spending

$500,000 in resources to make a Mac one, you're make a Windows one, right? So when I'm creating malware to attack browser extensions and vulnerabilities in browsers, I'm gonna do Chrome and Edge. That's why there are private browsers like Brave and Island is an enterprise one now. It's not even that they're so much better.

Then Chrome, it's that they have a minute part of the market share. So the malware isn't designed for it, if that makes sense. The point is, is because of that, you can't save your passwords in it. Why? Because when you click on that link, or if you click, remember me, right? How many people ever have that on their software? have software and it says, here, just click this, remember me. You don't have to.

Speaker 1 (48:12.034)
Log in again. Like you don't have to your credentials in. We'll remember this for you. It's convenience. Convenience is here. Cyber security is here. I want you here. Okay. If something's really, really convenient, you know I'm screaming, right? If something's really secure and would disrupt business, we're screaming. That's too much, right? We just have to do a little. The reason is because

When that happens, when you click remember me, the FBI has a warning for Americans to not use remember me on any software. Don't don't do it. We don't care if a vendor gives it to you. We don't care if they see it's secure. It's not secure. Don't do it. Why? Because could you click a link or fall for social engineering? One of the things they're going to do is an info steal. Doesn't always have to be rancid.

An InfoStealer. InfoStealer is going to scrape your browser and take all those aspects. The other thing that could happen is when you click that link where they get access to your stuff on the dark web, they have all these marketplaces, right? It works just like Amazon. You buy something, you download it immediately. They have what's called Session Cookies. That is where they can log in as you. They give you the token.

And for the next 90 days, I can literally log in.

because that person clicked the remember me. If that person clicks the remember me and then they fall for any, any type of social engineering or whatever, that remember me token, that ability to log in as you is for sale on the dark web. That's why they say that's good. What else are we doing? Our personal lives are involved in 39 % of work breaches. 37 % of us.

Speaker 1 (50:11.938)
have leaked sensitive information, private information, intellectual property, attorney client work product, et cetera, either by email or through AI. We use unsafe browsers. 62 % of organizations and people at companies use shadow AI, right? Every organization today, unfortunately, needs to have an AI policy.

and to pick a safe AI that's compliant and say everybody use this. Provide a little prompt training so they know how to use this. What do I mean? I'm going to save you three slides. Here's what I mean. Can you put a turning work product in a secure AI? They're all secured. Vendors say they're all secure. Can you put a certified work product in a AI system? In a secure AI system.

The vendor will tell you yes, the American Bar Association will ultimately tell you no. And you have to anonymize it. It can't have Mary Johnson's name.

That's really it. That's really all you have to do. You just can't tie it to an individual person, right? Because oftentimes that data that you're feeding in there will reach the LLF. In simple terms, think of what happened to Samsung the moment OpenAI's chat GPT came. What happened to Samsung? Samsung had their new phone coming out. Their developers were...

finalizing it, was like three weeks. They just needed to work out some bugs. They threw it into Chia GPT, it fixed the bugs. The product came out. But before the product could come out, because it was fed into Chia GPT, China had all the source code for the new Samsung phone. And they came out with a new phone two weeks before Samsung's. And it had all of the features plus panel.

Speaker 1 (52:18.286)
And Samsung's phone was the worst commercial failure they've had when it happened. What we feed into AI is public. It's not like doing a Google search. When you do a Google search, yes, it's indexed, but it's only on Google servers. And if you get indicted by the feds or somebody, they're going to grab your hard drive, they'll be able to find it. But most of us are not going to experience that. So most of our Google searches don't go out to the public.

Everything we feed into an AI LLM is public. I can get it. Any of us can get it, right? If you wouldn't put it on a billboard, don't paste it into AI. Now, having said that, there's some ways around it. There are business associate agreements that like Microsoft has with Copilot, right? That is secure.

you can still put private information. It's good because the servers that they let you use are all US based. It is compliant. You can do it. It's safe to do that. In that instance, you can actually put the full attorney client work product in, because it's not going up. If you're using OpenAI, depending on what compliance framework you have, but for attorneys and just regular people,

Open AI is generally not safe, even if you pay for it, unless you do the Azure one, like the advanced enterprise one, which is crazy expensive. But there's still, if you're paying for open AI for chat GPT, there's still you go into the settings and say, don't let my information be used for training the LLF. If you do that, it stays within. OK, it may not be compliant for the ABA.

It may not be compliant for, I know it's not compliant for HIPAA, it's not compliant for in banking, you. It's not fully compliant, but in terms of you disclosing attorney client info or something like that, you're pretty safe. So I'm not gonna make a comment on the compliance aspect without seeing all the other settings, but in general, you're gonna be pretty safe. Questions?

Speaker 1 (54:45.59)
Any other questions? I just want to pause for a second.

Speaker 1 (55:02.882)
we possibly tell that, of course all of them say, they're containerized, it's not gonna go out, they all have a resource. How can we confirm that? Ask them where the servers are, ask them if they have a BAA, do they have a business associates agreement, meaning how does it reach it there? But there are some secure, like the one that we use with us is through hats.

That's AI and it'll pull from chat GPT, co-pilot Gemini, Claude, but they've designed it as SOC 2 compliant. So it is contained, meaning none of what you're doing will train their systems. If anything gets to those public systems, it is anonymized on your behalf. So that's good. Like so long as it is contained, that's all that matters.

There's no objective way of actually testing it. Like you can't get into their servers. That's their, that's their IP. Unfortunately, I would love to be able to do that and like have a scan where you're able to say, okay, that is safe, but ask them where the BAA is, ask them where their servers are and ask them if the data that we're using.

is going to be used for training and if they say no, which it sounds like they'll say no, then that's okay.

Business Associates.

Speaker 1 (56:41.962)
It transfers liability from you to them.

Which is good. I know it's a it's it's we just went through a at the title justice association in lecture. Can you say I can't open up chat? They gave similar answers to what you were saying as long as you check the box. This is not being trained right at the bar. Associates you general general thinks you're OK.

You

Speaker 1 (57:18.402)
for using it. Yeah. But what what advantage do those have?

I will tell you the, there are stark differences in the different types of AI, meaning the results that you get are, are different. Like I'll use an enterprise level chat GPT and it'll give me very well researched answers. Sometimes I'll use co-pilot and it's terrible. So it depends on what I'm prompting.

which is really why some prompt training, if you're going to roll out AI, they have prompt training available online. They've got people that'll do it. I know people that'll do it. It's pretty useful because then you can really hone in and there's ways you can prompt it to make sure it's safe. Be like, yeah, I'm doing this. And as always, don't disclose anything confidential. Don't feed your LLM with anything confidential. And you can actually prompt it upfront.

They have prompts up front where you could set it up. That's your first prompt. And everything after that, that machine will not do it to you, which is brilliant. But we just have to know to do that, right?

Speaker 1 (58:41.09)
Yeah, mean, yeah, I take it all the time, that is a good, and there's a lot of hype around AI and a lot of it's fake and not real, but there's a lot of very smart, good tool sets and LLMs that are really safe to use. I just wanted to raise that awareness because...

There's a lot of people that are like, I'm using the free version of chat. I mean, we've seen it from using the free version of chat GPT and I'm loading up attorney client stuff. Okay. It's like thinking like it's going to be safe. It's on my phone or it's whatever. It's like, no, you can't do that. Right. But if you pay and you have the setting set, that's pretty good, but there are even better ways of prompting it or even better solutions where you don't even have to worry.

and their their LLM will be trained on all the case law or in your field. If it's personal injury, it'll have all of the medical research. It'll have common trends. It'll have litigation plans, cross exams of certain types of experts for internal reduction, know, internal fixation, open reductions. Like there's a whole bunch of LLMs that are trained just in that, which would be great. Like if you're going to buy an LLM,

then don't do co-pilot because the price is almost going to be the same. Get one that is trained in what you guys do that is also secure. If that makes sense. It's slightly different. That's the best way to stop this family. Especially, and what's the purpose of the class for you to answer it? There's nothing. What is that? Okay. I'm going to get to that. Right.

I'm going to get to that next. So in terms of organizations, we're not doing much better. And in general, and I'm not blowing up your question, I'm just going to show you. I've got a video. Most organizations don't have what's called source security orchestration. It's visibility. What that means is this. If I click that link or if I'm an attacker and I have access to your system, what's going to happen? Are there alarms that are going to go off?

Speaker 1 (01:01:06.67)
Are you f***ing kidding

You're gonna know.

No. On average, hackers and attackers are inside your network 197 to 214 days before they launch. Here's the thing. Just because you click a link on a social engineering phishing email or something like that, that is not a data breach. That's an incident. We deal with thousands of incidents at our company every week. That means somebody unauthorized is there.

not a data breach. It's an incident. If you have detection, you have visibility, think of 24 seven eyes on glass, you will stop it within a minute or two, block them, kick them out. No harm, no damage. That's not a breach. What a breach is, is here's what happens. They go in, they look around, they'll go and they will, what's called escalating privileges.

Have you ever heard zero trust, the phrase zero trust? If you've ever heard of the phrase zero trust, it means stop people from escalating problems, right? You have to re-authenticate every time you move up. What they're gonna do is they're gonna move over from Mr. Buttermaker's computer over to another app, over to a server. They're going to be inside undetected. If you have IT support, IT support.

Speaker 1 (01:02:37.026)
where they're like, we're monitoring that network. No, you're not. You're monitoring the network, whether it's online or offline. You're not monitoring the network for hackers. Two different things, two different certifications, two different industries. Unfortunately, they both call themselves the same thing, but it's a different thing altogether. They are monitoring for whether it's been patched, whether it's got enough space in it.

whether it's healthy as a device, right? They're not monitoring it for behavior, right? What I mean by behavior is we take a road trip with buddies and we're driving out West and we're stopping at a gas station in Dubuque, Iowa, and we put our credit card in. What happens? I get a text from my bank that goes, dude, are you in Dubuque, Iowa? Like if you'd let us know and we'll decline the card.

I'm like, no, it's actually me. I'm on a trip with my buddies. Right. So it's good. How did they know that? I could be at home buying stuff from China all day long and no one's going to call me. It's because it's weird behavior. It's an anomaly. Right. Having detection in place is key there. But unfortunately, like over 76 percent of all organizations don't. And you don't have to. Yeah.

Speaker 1 (01:04:06.574)
not a real purchase other times. Right. Because they intercept that. They go buy a bunch of stuff online. Yeah, they have all of it. They create a baseline of your normal spending habits, your normal geography, and then they're doing it. intercept that text that's coming in for the verification. No, generally no. Generally no. Because the banks, I will tell you, of all the industries on the planet,

Banks are required because for them to get a good interest rate for the money they borrow, have to be all they have to be fully compliant. They have to have detection in place. They have to not only do it, but they have to test it. They have have everything that you're supposed to have. You have to have it. Even a small credit union has to have. I mean, it makes sense. Like America, follow the money like we're going to protect the money first for the people.

And what I was saying is you don't even have to believe me. You can literally Google it. How long are hackers inside my network undetected? And it'll tell you. Last time I checked a couple of weeks ago, it like 214 days. That's more than six months that they're inside before they do something. So the FBI came out with a law firm warning May 2025. It's called callback phishing. It's a fish with no malware. OK, and they use legitimate tools.

What they do is they send a phishing email and there's no malware in it. There's no code in it. There's nothing bad in email. It just says, hey, it's Microsoft. Could you please call us? We have to reset your security thing. And then you call them. But guess what? It's not Microsoft. It'll say Microsoft. They will answer it. They will sound American. Right? It might even say, you know, they'll do Washington. This is, and you can even ask them.

Let's see what they're like in Bellevue, Washington. They have the weather posted in all the call centers every single day in case somebody asks. But they've got it down. This is big business. They know what to say to get things done. Right? And so then when you call, they're going to ask information to verify your account and then steal your identities. Or they're going to say, yes, let us do something. We just need access, please. We're going to send you this safe link. You know, come over your system.

Speaker 1 (01:06:33.4)
from Microsoft, it'll have Microsoft's logo, you'll click it. They now have access to your system, but what they're doing to law firms, and there's 274 law firms in the United States since January 1st that have been affected by this. What they're doing is they're not launching ransomware. They're just exfiltrating data. Exfiltration is a fancy word. They're stealing confidential data of your clients.

or attorney work product. When they have it, in a week, you're to get a letter or an email that says, by the way, we're about to call all of your clients if you don't pay us.

And it's so bad that the FBI actually had issue a warning for law firms.

I mean, it's no different than anything else. Look, what do you do? If you get, it's the same advice we will give everybody. If there is a request for you to do anything that will involve sensitive information, use a legitimate channel of communication and go verify it first. What that means is if somebody says, we have to change wiring instructions. I need these attorney client privilege.

Microsoft needs to reset something. Oh, it came from Microsoft. It's got the logo. It's got the number, blah, blah, blah. No. Call for Google, open up a browser and look for the actual Microsoft thing. You can even Google or ask AI, ask somebody and say, is this, is there, there new security things that are coming out for my license? They'll be like, no. Right. Or call actual Microsoft. Right. Or if it's

Speaker 1 (01:08:24.654)
If it's Greg asking somebody to release something, right? Oh, I need all the W2s or I need all the financials for this something because it's some secret merger, whatever it is, right? Just walk down the hall. Like call verify through human ways or trusted ways first. If you guys use teams like literally just ping them on teams. We get them all the time. We ourselves.

are SOC 2 compliant. I get phished every single, if not every day, at least three times a week, and they're good. So one of the phishing samples to go over is the old red flags for phishing emails. In the boring security orders training, what are they talking about? It's like, look for bad grammar, look for odd syntax, right? Hover your mouse over the...

link, it might show a bad thing. Some of those might work. Most of those will not. Because of AI, they have trained and they sell fishing kits, you, they sell fishing kits on the dark web that will write an email like you are a customer that grew up in Louisville that speaks like local phrases. If there's a big game that's coming up, they may mention it like it's

really, really good. There's no grammatical errors. And even if you hover your mouse over it, it may say oracle.com, but the E is going to be the Russian E. And it's going to look the same to us, but online it's not the same. So you really just, again, it's the same advice. Before you give up what they want you to give up, go verify it. If it's saying it's from

some vendor, right, open up a web browser and just say, are you asking this or call on the number that you know your account manager is on and verify. It's the human element. I just want to show you one more video. AI, we've been talking about AI. Great rewards. I use AI every single day. It's phenomenal. Research content, time saving.

Speaker 1 (01:10:47.134)
And I'm just talking about generative AI, I'm not even getting into agentic. Agentic AI, when you build bots that can automate tasks, it's phenomenal. It really, it's not necessarily going to replace jobs, but people that use it will beat out people that don't use it. Because a lot of the stuff that used to take hours and hours and hours is now done in five minutes. And you're able to focus on the cool stuff. It's brilliant.

Best practices whenever doing AI have a policy and enforce it, right? You need to block out other non-compliant AI because even though if you pick an AI that's great and that's secure, but you don't have a policy that you're enforcing, someone else can still use a free version and still get around it, right? So you need to just in your content filtering and your DNS filter, whatever, block those other rules.

It's a simple setting, but it's that type of stuff. You have to enforce the policy because otherwise somebody might not even be, it might be two o'clock. We had it with a hospital where there was a nurse, it was two o'clock in the morning. She was exhausted and she just put a patient's chart in and needed it summarized. Like she was like a second shift after like 40 some hours of work. You can't even blame the human at that point. The hospital didn't have any safeguards.

No alarms went off. Nothing stopped her from doing it. One simple setting could have stopped them, right? So let's just put that in place so that even when people are just rushed, they can't even do it. Vendor selection is really key. Pick the right one that works the best for you and do some prompt training. The risks of AI, we just talked about social engineering, Shadow AI, we talked about that and configuring it right. But when I talk about social engineering, here's what I mean.

So deep fakes used to be President Obama, Tom Cruise, Taylor Swift just came out with a new album, I know, because my daughter told me all about it. Those are the celebrities that used to have their images and their voices mimicked. Why was that? I'll tell you why. There was actually a technology reason for that. It's because it used to take like

Speaker 1 (01:13:08.27)
8 to 12 hours of samples to train the AI to do it. 30 seconds is all they need right now. 30 seconds to know where they get 30 seconds by calling your phone number and your voicemail that answers. They will call that three or four times. And then they have your voice. If you get calls and they're asking you.

to answer yes or no to something, right? They're doing that for a reason. They're doing that because they want your voice to say yes, because then they can impersonate you and you, your voice, will actually approve this. The other scary thing is, and we saw this earlier, but there's apparently $214 million missing from US businesses since January 1st.

because of deepfakes internally. So what happens is this, we get a phishing email and it says, hey, wire over something sensitive. And we're like, no, no, Maro's gonna come and yell at me. I'm not doing it. I'm gonna go talk to somebody later on this afternoon. I'm busy right now. Right? But then what happens today is a calendar invite comes in and it's from the person. Let's say it's opposing counsel or it's a partner of Greg's.

Or it's somebody that you know, right? It's like a, counsel or somebody, a business partner, right? Maybe not him, but somebody that's really close, that's trusted. And all of a sudden they get on that team's call on video. And it sounds exactly like them. The lip syncing is exactly like them. And it's that. You're literally watching it on a team's call, right?

And then they explain the reasons for why you should release that sensitive information. That's what's really happening. We also saw, I don't know if you saw it in the news, but North Korea was actually had some four or 500 IT workers applying for remote work and they were using fake identities and they were getting hired and they weren't even trying to hack. They just wanted access.

Speaker 1 (01:15:36.44)
to the company. And then when they did, they were feeding it all to North Korea. A real thing, but I can describe it, but you need to see it. So hopefully this will work. There might be a little lag because of this stuff, but maybe not on there.

It's getting to the point where deepfakes are nearly impossible to decipher as computer generated, which is super exciting, but also kind of scary. Now my face is slowly morphing into something else, and it's basically pixel perfect. Look, it's like, amazing.

I was shot. It's a disturbed friend. Another of our. You know, as an entity. Into the wrong hands.

Speaker 2 (01:16:25.868)
I'm not me. I mean, I am me. But I'm not me to you. And that's kind of nuts.

Is it scary?

It's a real concern. It's a real concern. It's isabel from cnn i've just launched a new newsletter on how to get 10x returns on your crypto investments Just click on the that sounds like my voice. I mean, that's unbelievable. Yeah

That was within a few minutes.

Deepfake technology is getting faster, cheaper, and more realistic. In Louisville, it killed two in public figures that are so real, even they can't tell the difference. Making it easier than ever to create scams or spread misinformation. AI companies have created deepfake detectors, but this cybersecurity expert says they have serious limitations.

Speaker 2 (01:17:13.174)
Anyone that promises that one click type of answer is wrong. I can upload things that I know are deep fakes because I made them and they'll say that they're likely authentic.

The green, no deep fake detectives. What does that even mean? Same audio clip that was 100 % AI generated and that fooled it and it thinks it's real.

Probability 5.3.

Speaker 2 (01:17:34.574)
But I think somebody that's not thinking about this with nuance would go, it's probably.

Yeah, and that took no effort. Deep fakes are getting better and better, more believable, and the tools that maybe I thought would help me figure it out may not be so helpful.

Lawmakers and law enforcement are getting worried about this technology. Here's a letter from Congress to the Director of National Intelligence. 43-page report from the U.S. Department of Homeland Security. DHS says that deepfakes and the misuse of synthetic content pose a clear, present, and evolving threat to the public across national security, law enforcement, financial, and societal domains. The Pentagon is using its big research wing, the one that helped invent, I don't know,

the GPS and the literal internet, that one, to look into deep fakes and how to combat them. Like, they're taking this very seriously. And then of course, deep fakes are being used for good old fashioned cyber crime. Like this group of fraudsters who were able to clone the voice of a major bank director and then use it to steal $35 million in cold hard cash. $35 million. Just by deep faking this guy's voice.

That's a lot of money.

Speaker 2 (01:18:44.598)
and like using it to make a phone call to transfer a bunch of money. And it worked.

We've got you involved in a few different breaches that unfortunately almost every American is going to show up in. Rob, we're going to do a voice clone demo. So I took a clip of you speaking from a video on social media. I put it into my voice cloning tool that requires no consent. I spoof your phone number so I make it look like it's calling from you on caller ID. Your team member picks up the phone call. They answer it. They hear your voice.

Sorry, can you pass password?

It's very accurate. It's definitely my voice. So this is me wearing your face like a digital man. I took about two minutes of that video and I put it into this tool with no consent and I asked about the master password again. Imagine this is in a zoom or a Teams call. Okay.

Did your voice?

Speaker 2 (01:19:40.142)
We're in the kind of wild west phase where the lawmakers are kind of just trying to get their head around this stuff.

I mean, that's unbelievable.

There's a lot to unpack there, but look, here's the bottom line is deep fake detectors, right? Anybody trying to sell software about deep fake detecting that they don't just don't waste your time. Don't don't look at them yet. Like there's nobody if they were working, we'd be selling them. We've looked at over 100 of them. None of them work. Like I have a podcast. I'll create AI generated stuff. Run it, test it. It says it's real.

It's not real. I literally made it up, right? So they don't work. Catching a fish, we already kind of looked at this. Here's the reason why. Why do people fall for phishing emails and social engineering? Why is there a sense of urgency used oftentimes, right? It's because of amygdala hijack, right? When you think of we're still with the...

genetics and the biology and the physiology that we've had for thousands of years, right? We, they are able to trigger what's inside of us of there's a wooly mammoth in our village and we have to kill it or run, right? And it is that fight or flight that blocks, right? Our central mind takes over, right? And our more modern mind, our...

Speaker 1 (01:21:17.952)
outer layer, our neocortex, doesn't have the ability to work. That's the part that can understand vast amounts of data and remember our training and remember context and scenarios. But when they call and they sound exactly like our child and they say, I'm arrested, I need $2,000 wired and stuff like that, how do those work? like the people that fall for these are bright people. Like they're not idiots.

Why is this working? It's because they're tracking right to a migdala hijack. So what the neuroscientists say is pause. Pause, literally pause. As scared as you are, as worried as you are, pause. 45 seconds to a minute later, your cortisol level goes down and your neocortex kicks in and then you're able to go, oh, almost got me. Good one, right?

you're able that that light bulb will come on in your mind. So I wish I could give you better advice, but that's literally all the FBI has got is pause. So and that's after like interviewing 100 neuroscientists is pause. So that's all I've got for you. But this is an example of the stuff that's in the take home resources. What are we supposed to do? Don't you know, I usually start this off by everybody that has a phone.

Turn off your Bluetooth and your Wi-Fi. Keep it off. Not on. Keep it off. It's on by default. Keep them off unless you're using it with the headphones or unless you actually need the Wi-Fi. Keep it off. OK, there's a thousand reasons, but you may not think that there is a hacker or somebody that wants to take something from you, but there are

They sell this stuff, it's like Amazon and they sell it right on Telegram. They sell it right on Instagram. Like there's a bunch of kids. There's a bunch of stuff where they will just throw something on a wifi and it'll be a script. They don't have to know how the script works. It's just press this button and everything. Now you will start to get everybody's contact lists, everybody's phone numbers, all the stuff that's on your phone, all the keystrokes on your phone.

Speaker 1 (01:23:43.246)
are stored on that device and they can capture it. You go to Descon, you can actually see it where they're like, look, 2019, David Morrow, you typed in this password for this. In 2022, you typed in this password. Like how in the world were you able to get that? They said you turned on the wifi. What? I'm like, holy crap.

So just real simple, doesn't cost you anything. Just keep it off. Turn it on when you need it. If you've got AirPods, right, you wanna use your AirPods to work out, turn on Bluetooth and use that. But there's just a lot of non-technical but criminal people. And look, some of the gangs, you've heard of the phrase hacktivists. You have to understand, there's a whole bunch of people that do a lot of harm.

for what they call the loans. Just do it. They do it so that they can brag to their buddies on Discord that they were able to do it. got this lawyer's thing. I got all of his client stuff. Maybe should call him. I don't know I'm supposed to do with it. I'm 19. Like, that's all there. Like, that's a real thing. And they don't have to be kids in hoodies with real technical skills. They just have to be criminal. And last time I checked,

There's a lot more people that'll do stupid things, harmful things or criminal things than there are people with technical skills. And that's another thing that we have to be aware of. So keep the Wi-Fi off, right? Keep the Bluetooth off. Don't reuse passwords. We've already talked about that. Social media because of deepfakes. I don't know if anybody still goes to Facebook, but I got to say I looked at Facebook.

a week ago just to look and nine out of 10 of the posts I saw were wrong. They were wrong and people that I know that are physicians and attorneys and professors were resharing it. And I'm like, do you not know that's like, here's Meadow wants to make money. They don't care about anything else. Meadow wants to make money. They will sell ads to anybody.

Speaker 1 (01:26:09.268)
including China, Iran, you name it, who will just create narratives and fake things and put it on there. It won't even say it's sponsored. it's just there's so much misinformation. Just before you're going to reshare anything, just just Google it. Pull out Google and just Google like, did Trump really say this? Did Biden really say this? Did the hospital really do this? Like

Like you're going to find out it didn't do this. This stuff didn't happen. So don't be promoting the false narrative. It's not good for our society. So it's not a cybersecurity tip. That's me asking as a friend, can you please? Cause my feet is just a bunch of crap and I just want to at least have the truth on that. know, pictures with private data, really scary. don't, it's a whole presentation itself.

If you have children or elderly relatives and they are posting pictures, I'm telling you, we could find out where they go to school, where that picture was taken, even by the sand that they're standing on. There are these software that's so easy to use that you're able to do the telemetry and the angle of the sun and the

type of sand or blade of grass that it sees, it'll do it automatically and tell you within a block radius of where that picture was taken, when it was taken, what time, who was there, what type of device it was. Just from a picture, right? So just be a little careful with that. your kids. Remind them that just because it's Snapchat, it doesn't really disappear, right? And if you're gonna travel,

I know this is obvious, but if you're going to travel, don't tell social media you've been to travel. Just go take a vacation and come back and then blast your social media with all the cool pics. Right. Don't do it ahead of time. There's like so many calls that come in that are like we were robbed and we were this and this other stuff happened and even hackers get involved. AI we've already talked about. What should you do? Freeze your credit. Learn safe AI prompting.

Speaker 1 (01:28:34.574)
test your password in the take home resources. There's information for you to test your password. They absolutely recommend the NSA does, cause there's so much spyware out there. They just say, turn your phone off and turn it back on once a week. I do it now. And I've been doing it. And not only does my phone work better, but it clears out a lot of spyware and adware and stuff like that. Because we're like, you know, it's...

If you see an ad for a lawnmower that you've really wanted and it's normally 2400 bucks and it's like 600 bucks, too good to be true, right? But what you should do is just Google that place and see if that ad is actually there. Because if they do, they're going to advertise for it. Don't click on the image for the ad because you don't know what site it's actually bringing it to. It'll look legitimate, but it is not a legit site.

You will order it. And I'm talking to my father-in-law, who's like 84, who has ordered like five things and they never show up. And then his credit cards get hit. And I'm like, why are you not listening? I don't understand. But don't do that. OK, don't just order from an ad you see on social media. Like it's not real. Like if I was if I wanted to be you, what would I do? I would find out what you like. So you get a dossier, find out everything about it. And I'll be like, what do you want? I'll make sure your feed.

sees ads for stuff you're going to buy because I'll have your shopping history, right? And I'm going to create a fake website that's going to look identical to the actual website and put ads that are irresistible for you to click on. That's a click on. You're going to click on one of those ads and go to my site and enter in your credit card information. Have a put your email in right. And you reuse that really good password. And now I've got your password, right? That's social engineering.

That's basic and that's actually easy. A lot of people fall for that. Right? It doesn't mean we're dumb when we fall for this stuff. It just means we're too trusting. So pause before clicking, use a password manager. Still use multifactor authentication. I will leave you guys with this. Can you spot this is actually not me playing a game? This is actually Northwestern Universe Kellogg School.

Speaker 1 (01:30:58.38)
They did a sample of like 20,000 of these. Which two of these are real pictures?

Speaker 1 (01:31:08.536)
What do you guys think? Nobody has like six fingers or anything like that.

Speaker 1 (01:31:23.118)
What do you guys think? Just pick two, you don't have to say it, because there's a bunch of you. But I'll tell you which ones are actually real.

Speaker 1 (01:31:39.822)
Did you guys get it? You got it, Telly? Wow, that's impressive. Did you get one of them too? Did you guys guess one? One and six? Yeah, six is a relatively new one. I mean, that is, that's really good. Six is really good because it's like a, it's a selfie image with like messy stuff in the back. Like that is really detail oriented. Like when I first saw six, I thought.

It looks real. Three doesn't look real because it looks like the guy's arm is like big, but it's actually somebody else's arm in front of that guy.

But those one and three are actually the real ones. It's pretty frightening. So this is more boring stuff, but it's all, know, there's all these rules and regulations, compliance frameworks out there. But the truth is they all boiled down to five things and the same five things apply to an organization as they do in your private life. You have to know what your risks are. You have to be able to find them. You have to plan for the day, right? Which is why you freeze your credit.

You have to prioritize where you're vulnerable and you just have to stay aware and stay educated. I will leave you with images from the actual dark web. So everybody hears about the dark web and nobody goes on it. Please do not ever go on it because there's like anything you click. There's so much spyware and malware and info stealers on everything. I use a special program and if anybody wants to go on there, like for research for a case, I bet you'd be able to find some brilliant stuff on there.

for a case, but if you ever want to call me, I will show you how to do it. It's free. You can get on there, but there's two programs that you need to do to keep yourself safe by doing it. You can get on there with any computer and actually you don't touch the actual brains of your computer. You keep it all on a separate jump drive. But these are the marketplaces. Like this is what it looks like. It's like top and they advertise. They want your attention. It's like the top dark net market.

Speaker 1 (01:33:46.638)
Welcome to the dart net market MGM grand and there's thousands of these. What can you get? Name it murder for hire extortion. Fake IDs. I don't mean fake IDs to get into a bar. I mean, do you want to erase your life and start over? Do you want a new birth certificate 800 credit score and a new social security number all valid in a state like California or New York because they don't

need identities. Do you see the problem with that view is it kind of gets in the way of like our safety, right? But you can do all this and you can get them and it's like 800 bucks. You can literally start your life over. You can order a kilo of cocaine. Have it delivered. You can. There's murder for hire. There's crazy stuff. There's also ransomware, right? These are different. You know, you can get cards.

You can get different drivers licenses. You can get credit scores. All of this stuff. It's absolutely crazy. But this is where you can buy dossiers on people. You can get the cookies for the instant logins because people click on the remember me. And this is where the cybercrime gangs recruit. And I will say the cybercrime gangs, pretty generous people like.

They offer 401Ks, they offer health insurance, crazy high salaries. And if you move to Russia or the Ukraine or something like that, you're not going to jail. Like there's a, you know, I'm not doing it, you know, like I'm not, but I'm just telling you, like you can see why people that are living there, you can at least see the logic in them doing it. It's not like some.

weird like psychopath that's doing it. You hear them and you're like, yeah, but you could have still had a legitimate job. Like you didn't have to work in a factory. You could have actually used your skills and gone and got a legit job. Like, well, yeah, I could have done that, but I chose crime. Like, okay, well, that's really where the problem is. But you do at least understand how the bouncing ball went. This guy is Matt Cox. I'm going leave you with this. He is the number one mortgage fraud criminal in the United States. You can find him on LinkedIn.

Speaker 1 (01:36:08.748)
By the way, you could find the head of LockBit on Twitter and X. These guys are out there because nobody can touch them and they're very bold and brazen. Matt Cox talks on LinkedIn all the time. This was a post right on LinkedIn because he's served his time and now he's a consultant for banks and stuff. But he committed like four hundred some thousand dollars worth of mortgage fraud in 2008.

but he's really good at what he does and he kind of tells you what to watch for. So this is what happens if you get somebody's driver's license, right? Which they sell on the dark web or which they could get easily when we click on things or share too much.

I got a driver's license in this guy who lives under a bridge six states away who has no clue. And I can go immediately and I get a couple of secured credit cards in his name. And if I really want, go into, I go and I prepare a birth certificate and I get another social secure number issued in his name and I get driver's license. I get credit cards in that name.

And then I get a car loan in that name. open bank accounts in that name. Now I don't even have anything that's attached to this guy. And if you want to go a step further, I actually one time went and had a guy's name legally changed from... Stop. I'm amazed. Michael Eckert. His name was Michael Eckert. I changed it from Michael Eckert to Michael Johnson.

They can't come up with like a Smith would have just been, it would have been just a slap in the face, right? So Michael Johnson and went to a lawyer, paid him 1500 bucks and just, wanted to see what the process was. And then I go back and I get the driver's license reissued to Michael Johnson, get the social security number issued to drop Michael Johnson and get this guy hasn't got a prayer of figuring this out.

Speaker 1 (01:38:09.806)
How scary is that? So if somebody gets your driver's license and they have a criminal mind, right, they can do what he did. He didn't get caught for doing any of that. He got caught for like 400 million dollars with a bank fraud, which there was a long paper trail. But all of these crimes that he did, he's like, nobody ever caught me on this here in the United States. So you can see how easy we saw in that other video.

with that social engineering, how easy it is to manipulate people. And one of the best ways they do it is they just say, we just need help, right? Natural human nature, we want to help people. So I'm going to leave you with that. And I thank you guys for your time.

David Mauro

Host

Podcasts we love

Check out these other fine podcasts recommended by us, not an algorithm.

Breaching the Boardroom

NetGain Technologies, LLC