
Rachel Tobac Hacks ‘The Perfect Scam’

A social engineering hacker scours our host Michelle Kosinski’s social media for intel a hacker could use

[Image: Episode 68 of The Perfect Scam - Rachel Tobac Hacks the Perfect Scam. Credit: AARP]


[Image: Graphic illustration of a quote card for Episode 68 of The Perfect Scam]
Full Transcript

(MUSIC SEGUE)

[00:00:00] Michelle: This week on The Perfect Scam.

[00:00:03] Rachel Tobac: You have to realize that in the age of COVID-19, phishing has increased 350%. There were 300,000 plus new suspicious COVID-19 websites spun up in March alone. So you might receive information from the CDC, air duct disinfecting, free COVID-19 tests, all of that stuff I need you to be politely paranoid about.

(MUSIC SEGUE)

[00:00:28] Michelle: Welcome back to AARP's The Perfect Scam. I'm your host, Michelle Kosinski. This week, we take you inside a shadowy world, though one many of us have experienced one way or another, the world of the hacker; the people who travel with ease through invisible doorways, virtually undetectable openings into our most personal information, and even our wallets, who know how to get us to do things we wouldn't ordinarily do. These are the people who craft the perfect scams. They use what is called social engineering, simply examining all those details about us that are publicly known, easily obtainable, to tailor-make a scam they can be certain we are likely to fall victim to. But in this case, these sneakiest of skills are used for good. We even had a hacker try to get me, a surly, skeptical veteran journalist who basically trusts no one. You'll see how that worked out. And who better to get us started than the guy known as the Father of Social Engineering, Frank Abagnale. Have you seen the movie "Catch Me If You Can" by the way? Even if so, it's worth watching again on this subject just to remember how Frank mastered this art of finessing people and what is known to get right to the unknown. Welcome back, Frank.

[00:01:55] Frank Abagnale: Thank you, Michelle. While there are some who refer to me as the Father of Social Engineering, I don't really think that's true, but they do that because back when I was 16 years old, with only a device such as a telephone, I saw a Pan Am crew come out of a hotel, and I thought to myself, if I could get one of those pilot uniforms, then when I walked in a bank to cash a check, it would add so much credibility to be in that uniform. So I placed a phone call to the executive headquarters of Pan Am. When the switchboard answered, I really didn't know what I was going to say, but when they did, I asked to speak to someone in the purchasing department. When the clerk came on, I said that I was a pilot with Pan Am, had been with the company for about 7 years, and that I've never had this happen before. I said, "Well we flew in here yesterday, we're going out tonight. Yesterday I sent my uniform out through the hotel to have it dry cleaned. Now the cleaner and the hotel said they can't find it. Here I am with a flight in several hours, and no uniform." So he said, "Hold on, I'll be right back." And he came back and said, "My supervisor said you need to go down to the Well Built Uniform Company on 5th Avenue, they're our supplier, I'll call them and let them know you're on your way." I went down to the uniform company, I was able to get the uniform, but I got all that information just over the telephone. Unfortunately, today there are many forms of communication that enable people to social engineer others, and nothing's changed. People social engineer people constantly to get information from people.

[00:03:26] Michelle: It's true. Journalists do it too. It is extremely effective.

[00:03:30] Frank Abagnale: Yes, and I always remind people that there is no technology, there never will be any technology to defeat social engineering, including AI. The only way you defeat social engineering is you have to educate the individual that they are actually being socially engineered. So right now, the phone companies, the major phone companies have a big problem that people call the call center, they say they're you, they answer all the security questions, 'cause they were able to do that through social media information, and then they simply say, how can I help you? Well, the sim card in my phone is broken, I need to replace it. They give them a new sim card and now your phone is my phone, and everything on your phone is my information. That occurs because they socially engineered the person in the call center, and that person didn't realize they were being socially engineered. So, there's always going to be the human element, there's always going to be the weak link of the human element, and this is why only education can defeat people who are trying to social engineer other people.

[00:04:35] Michelle: For sure. All right, thanks, Frank.

(MUSIC SEGUE)

[00:04:39] Michelle: So there's another interesting character you need to meet, and her name is Rachel Tobac.

[00:04:44] Rachel Tobac: Yep, based in San Francisco.

[00:04:45] Michelle: Where did you grow up?

[00:04:47] Rachel Tobac: I grew up in Pittsburgh, Pennsylvania. I'm a big fan of that too.

[00:04:51] Michelle: Rachel got her start at college studying none other than, the human mind.

[00:04:57] Rachel Tobac: I went to school for neuroscience and behavioral and cognitive psychology. So that means I was in a rat lab performing rat surgery trying to learn about the human brain. And when I was there, I learned a lot about how people think, how they make decisions.

[00:05:13] Michelle: Well that's not so far off from this.

[00:05:15] Rachel Tobac: It's not, but you know what, I had no idea that information security was going to be so similar.

[00:05:20] Michelle: So there she is, later on, working as a special needs educator, and always having a feeling that while it was rewarding, she wanted to do more to help people. One Friday night, her husband calls her from Las Vegas where he's attending DEF CON, the world's largest convention for hackers, and tells her she's the one who would really enjoy this.

[00:05:44] Rachel Tobac: He ended up seeing people compete in this glass booth in front of like 500 people, and they were calling people and hacking them live over the phone and getting points. He's like, "Oh my god, Rachel, you have to fly out to Vegas right now." He's like, "You know how you call like our cable service provider and try and get a lower bill every month?" I'm like, "Yeah." And he's like, "They're doing that, but they're doing it for good. They're trying to show people how hacking works." So I ended up applying to compete the next year and then for the next three years in a row I won second place.

[00:06:15] Michelle: She was hooked on hacking, ethical hacking. This is the good guys to help people in companies improve their security, so they don't fall prey. Today, she has her own company that offers personalized social engineering training. So people now pay her, and I'm imagining it's a lot, to try to hack them so that they know where their weaknesses are and can seal them up.

[00:06:41] Michelle: What are you trying to do? You're just pretending to be somebody else and trying to convince them to do things?

[00:06:48] Rachel Tobac: Yeah, that's exactly right. I call them up on customer support or one of their in-person lines, and I pretend to be somebody else who works at the company, or somebody who's doing an audit. And I try and get information about their machine, what software they're running, so that we can demonstrate how easy it is to gain access to that information over the phone. That's called a vishing attack. A voice phishing.

[00:07:11] Michelle: Do you use a funny voice just for laughs?

[00:07:15] Rachel Tobac: I usually do not. Some people use accents. Um, I find that it's distracting for me when I'm hacking, so I either use a software voice changer or my natural voice that you're hearing right now.

[00:07:26] Michelle: Ooh, you have all the tools, don't you?

[00:07:28] Rachel Tobac: I do.

[00:07:29] Michelle: Do you have like this hacking dungeon in your house?

[00:07:33] Rachel Tobac: Uh, it's pretty well lit. But yeah.

[00:07:36] Michelle: Rachel's favorite kind of hack is when she has to deal with actual humans.

[00:07:40] Rachel Tobac: The way that I think about it is, we pretty much live in the dark ages over the phone, um,...

[00:07:44] Michelle: Yes.

[00:07:45] Rachel Tobac: ...and a lot of times if you call up a service provider, uh you need to give out things like your address, or your date of birth, and think about how that information can be public.

[00:07:54] Michelle: I think about that every time I have to choose security questions to answer for a particular company or website, because it does seem, like it does go through your mind that that information is available online.

[00:08:08] Rachel Tobac: That's exactly right. I love that you're thinking like that, like an attacker. Um, what I do recommend for those KBA, knowledge-based authentication questions, first of all, I hope that companies stop using them and move to a more secure alternative, but if companies are still going to be using them, which many banks do, and I've even seen, as of yesterday, a bank is using date of birth as a password reset question. How easily you can find that on Facebook with birthday posts, right?

[00:08:35] Michelle: Yeah, that's amazing.

[00:08:36] Rachel Tobac: So what I, yeah, what I do recommend is that you use false pieces of information in those questions and you can store them in a password manager.

[00:08:43] Michelle: Exactly.

[00:08:44] Michelle: It doesn't take long to see that Rachel is passionate about this.

[00:08:49] Rachel Tobac: I love it because every single day is a challenge. I have a giant puzzle in front of me, and I need to find a way in. And I will find a way in, but it's going to take a little bit of time. My very favorite thing is when a company makes the puzzle so challenging that it makes it so difficult for me that I would basically give up and move onto an easier target. That's when I know that a company's doing really, really well, and that's really exciting whenever I can tell them that.

[00:09:13] Michelle: And about what percentage of the companies that you work with are like that?

[00:09:18] Rachel Tobac: Well, most companies, when they first do their first pen test, they are, it's challenging for them, I'm able to get that information pretty quickly.

[00:09:27] Michelle: What are their reactions like when they find out they're extremely easy to penetrate?

[00:09:32] Rachel Tobac: Mouth agape, staring at me like a deer in the headlights.

[00:09:36] Michelle: You must feel so smart when you get them.

[00:09:40] Rachel Tobac: Um, you know what, honestly, I don't. And this is a really important point. Security's really, really hard to do well, and so it's sometimes stacked in the direction of the bad guys, and that's really tough for companies, and so I try and make it so that the lazy attackers cannot gain access as easily.

[00:09:58] Michelle: Do you, because you know of the risks that are out there, or has it made you kind of paranoid about risks everywhere in your own life?

[00:10:09] Rachel Tobac: (giggles) I would say that most people in information security are paranoid. The term that I like to use is politely paranoid.

[00:10:17] Michelle: Oh, okay.

[00:10:18] Rachel Tobac: Basically, basically that means that it's going to take me a lot of tries, um, to give out sensitive information, and if a company calls me, I'm going to call them back. I'm going to use two methods of communication to talk with people, to confirm they are who they say they are. Which, you might have noticed, Michelle, I did with you this morning.

[00:10:36] Michelle: Yeah, and it's funny, because I'm a, a news reporter, and I have been for many years, I don't trust anything or anyone. I'm paranoid, and maybe not even politely paranoid. Like when people call me, a company calls me for something, I'm like, really? How do I know this is you? Why would I give you that information?

[00:10:55] Michelle: So, enough back patting on my part, because Rachel, the good hacker, it turns out, sent me a phishing email. Now I, of course, think I'm impervious to such things, like I can spot them a mile away, because we all think of phishing emails, you know, as having that obviously suspicious email address, the bad grammar and misspellings. They just don't look right. In the past, I have been great at being the one not to click on them. I emphasize, in the past, because the email Rachel sent me appeared to be from a major airline, which it looked exactly like, and the email address it came from looked completely legit. This thing was immaculate in every way. And best of all, or in my case, worst, it was offering a fabulous deal saying that because of all the coronavirus travel disruption, this airline was now giving everybody at a certain frequent flyer level 50,000 free points. Free points! And my brain went into some kind of airline miles excitement overdrive in, I would say, about one second. Seriously, I was all over this. There were literally zero of the usual trusty red flags. I was a goner. Rachel got me at free miles, and that, my friends, is how easy it is to scam those who fancy themselves unscamable. I was so annoyed at myself. It took one good deal to blind me. Ah, the eternal power of greed.

[00:12:26] Michelle: This was upsetting to me because there is no question that I would have clicked on that, and I would have entered my credentials. And it doesn't seem too good to be true either.

[00:12:36] Rachel Tobac: Right, it's just a low enough number that it sounds legit. So, what would you do in this scenario? You wouldn't click this link. Instead you would... come on, come on.

[00:12:46] Michelle: I would go to their web--, their real website?

[00:12:48] Rachel Tobac: Yeah.

[00:12:49] Michelle: ...and try it through there.

[00:12:50] Rachel Tobac: Exactly.

[00:12:50] Michelle: Okay, just to make sure that it's real.

[00:12:52] Rachel Tobac: That's exactly it. That's exactly it.

[00:12:54] Michelle: Because it's not like you can call them, you'll be on the phone for a week if you try to call them.

[00:12:59] Rachel Tobac: Right. Right, you'll be on the call for a week. So um, you have to make sure that instead you go directly to the real legitimate website.

[00:13:06] Michelle: That's smart.

[00:13:07] Michelle: In my case, just moments after Rachel phished me, and there I was drooling over it, planning to sign up for those miles, Rachel emailed me again telling me what she had just sent. So I hadn't yet entered any of my information, but now she's going to show us what happens on her end when you do, and when it's a real scam.

[00:13:28] Rachel Tobac: Are you ready, Michelle? I'm about to hack you.

[00:13:30] Michelle: Yeah.

[00:13:31] Rachel Tobac: Okay.

[00:13:33] Michelle: I would have clicked on this link in five seconds, okay, so now I'm clicking on it, and I see what looks exactly, precisely like this airline's format and their usual website. And I want to know, how long did it take you to build this fake link?

[00:13:50] Rachel Tobac: Oh, we just did it last night.

[00:13:51] Michelle: So it took like less than an hour?

[00:13:54] Rachel Tobac: Yeah. (chuckle) It's scary, right?

[00:13:59] Michelle: I would have been all over this.

[00:14:02] Rachel Tobac: I know.

[00:14:02] Michelle: And are they usually targeting people for some reason specifically, or are they sending these out by the billions?

[00:14:09] Rachel Tobac: They're likely sending it out 10,000 at a time.

[00:14:12] Michelle: Got it.

[00:14:12] Rachel Tobac: Okay, so I see that you clicked the link, and when I see that, I can see what operating system you're using and I can see what browser you're using, and I can see the versions of those. So...

[00:14:23] Michelle: So in your hacker dungeon, you're actually seeing my computer and you're seeing what I'm doing in real time.

[00:14:30] Rachel Tobac: Yes. I'm looking at that right now, and I'm able to understand um, if you're, let's say your OS was out of date. In that case, I could build a really easy attack for you, um just by checking out the known vulnerabilities for your out of date operating system, or out of date browser. Um, so right now I have that you clicked the link, and I'm just preparing myself to receive your credentials now.

[00:14:55] Michelle: I just sent them.

[00:14:57] Rachel Tobac: All right, let's see on my end here. Okay, it says that you submitted data, great. All right. I have your credentials. Are you ready?

[00:15:05] Michelle: I just can't believe that you can see this happening as I do this.

[00:15:09] Rachel Tobac: Okay, so your username is ABC123.

[00:15:13] Michelle: Yeah, which is fake, that's not really what I use.

[00:15:16] Rachel Tobac: Of course, of course, and Michelle, your password is, Michelle.

[00:15:21] Michelle: Yeah.

[00:15:22] Rachel Tobac: Unfortunately, and I know that's not real, we're, we're just pretending here, but um, you know, this really goes back to what I was saying, because can you imagine, if this were your real username and real ID, I now have it. I can go input that into your bank, and if you don't have two-factor on, if you don't use a password manager and you reuse your password, I can siphon the money out of your bank account. Imagine how scary that is, right?

[00:15:45] Michelle: Yeah. This is amazing. This is so disappointing. Just to, to know, there is no question in my mind that I would have fallen prey to this.

[00:15:54] Rachel Tobac: Yeah.

[00:15:55] Michelle: So much for that.

[00:15:56] Rachel Tobac: And the type of phishing email that I sent you is a reward-based phishing email.

[00:15:59] Michelle: Exactly.

[00:15:59] Rachel Tobac: And we're seeing those increase. So you might be used to seeing something like, this is the IRS. You owe money. You're in trouble. And you're like, ah, that's fake. Right?

[00:16:09] Michelle: Right.

[00:16:09] Rachel Tobac: But what about free airline miles during COVID-19? Ooh, that sounds great.

[00:16:14] Michelle: Yeah, or some kind of deal on something. Oh, how embarrassing. I was all over that.

[00:16:19] Rachel Tobac: Every social engineer, every hacker I know has been successfully phished.

[00:16:23] Michelle: Have you been successfully phished?

[00:16:26] Rachel Tobac: Yes.

[00:16:26] Michelle: How did they get you?

[00:16:28] Rachel Tobac: I can't tell you that.

[00:16:31] Michelle: Rachel could really be an evil genius here, so thank goodness she's using her knowledge to help us. And one of the biggest vulnerabilities she sees for most of us out there, is the old using the same password for everything.

[00:16:44] Rachel Tobac: We have a big issue, because I'm going to do, as an attacker, I'm just going to spray that password everywhere into every service, every bank, every telephone company, um, every airline, and I'm just trying to, going to try and gain access to your sensitive data, your points, your systems, your money, and really siphon that out. And so the best thing that you can do is use unique passwords everywhere and use a password manager.

[00:17:09] Michelle: It's funny that you say, no password reuse because who honestly, unless you're working in the CIA, I don't know anybody who's doing that. It just seems so cumbersome.

[00:17:20] Rachel Tobac: Passwords are really inconvenient, right? A lot of people in information security are working hard to help us move away from passwords so we can get away from this problem, but right now it still exists.

[00:17:31] Michelle: And is a password manager something that you can download, like it's on your computer?

[00:17:36] Rachel Tobac: That's right. You can download it, and you can sync it between your phone and computer.

[00:17:40] Michelle: Well what if the password manager gets breached?

[00:17:43] Rachel Tobac: Okay, so that's a really good point. If a password manager gets breached, which is very, very unlikely and they likely wouldn’t get information out of it because it is completely encrypted.

[00:17:53] Michelle: That's what I figured, okay.

[00:17:54] Rachel Tobac: Yes, completely encrypted. But let's say something goes completely haywire.  We have a, a breached password manager; for some reason the encryption didn't work, or someone was able to get around that encryption. You can do what's called salting your passwords, which means that you put a little secret code, maybe a couple of letters or digits somewhere in every single password that you know about but don't store in your password manager. So it's really simple. Let's say you put all of those passwords into your password manager, and you want to salt it at the beginning, middle, after three characters, at the very end, you could put 123 or something that you know, right, and now even if your password manager is breached, and the worst catastrophic thing happens, I won't be able to gain access.

[00:18:37] Michelle: Rachel says big vulnerability number two is clicking on websites that aren't real, like the phishing email she sent me. So you want to always try to verify the information that's in the email from some source other than clicking on the link, especially if it wants you to enter any personal details.

[00:18:55] Rachel Tobac: And what's really interesting is, if you have a password manager and let's say you make a mistake, and you click a link in an email and it's not legitimate, your password manager will look at that website and say, hmm, this looks like the airline you think it is, but it's not. It is a credential harvesting phishing website. Watch out. I'm not putting your credentials in. So you have another one of those mitigations where a password manager can support you and keep you safe if you make a mistake.

[00:19:25] Michelle: Looks like I'll be setting up one of those soon, and honestly, it's about time.

[00:19:30] Rachel Tobac: So there's another way that I can do an attack and it's over the phone.

[00:19:34] Michelle: Okay.

[00:19:35] Rachel Tobac: So I can call you and I can make your caller ID say anything that I want it to.

[00:19:40] Michelle: How?

[00:19:40] Rachel Tobac: Okay. I use what's called spoofing software.

[00:19:44] Michelle: Oh.

[00:19:45] Rachel Tobac: And spoofing software basically allows your caller ID to think that I'm calling from somewhere else, and combined with that, I can use a voice changer to make my voice sound different and make you think that I'm someone that I'm not.

[00:19:57] Michelle: Okay.

[00:19:58] Michelle: So, Rachel tries it, pretending to be Apple Support calling my cell phones. On one of my phones, it immediately sensed something sinister, and just completely blocked her. Good phone. But on my other cell, the call did go through, but it showed this random, weird-looking phone number, so if I didn't know it was Rachel ahead of time, I just wouldn't have even answered it.

(phone ring)

[00:20:23] Michelle: Hello. Whoever could this be?

[00:20:26] Rachel Tobac: Michelle?

[00:20:27] Michelle: Yes.

[00:20:28] Rachel Tobac: Can you hear me? This is Kevin over at Apple Support. How's it going today?

[00:20:33] Michelle: Uh, okay, Rachel.

[00:20:36] Michelle: She tries it again, this time with a different spoofing method. She wants the caller ID on my phone to say that it's Dell Support.

(phone ring)

[00:20:47] Michelle: Hello.

[00:20:50] Rachel Tobac: Hey, there, Michelle. This is Alex from Dell Support. Can you see that on your end? How're 'ya doing?

[00:20:56] Michelle: Well guess what it says on the top of my phone for your number.

[00:20:59] Rachel Tobac: Ooh, I'm excited. What does it say?

[00:21:00] Michelle: It says, SPAM RISK yo!

[00:21:04] Rachel Tobac: Oh great job, you have additional spam protection.

[00:21:09] Michelle: I do like the voice though, it's very effective.

[00:21:12] Rachel Tobac: That's awesome. Yeah, what's really exciting is there's new spam protection to protect consumers. I'm so glad that you have that.

[00:21:20] Michelle: Oh, that's something new?

[00:21:22] Rachel Tobac: That's new, yes.

[00:21:23] Michelle: Okay, cool. So, but I like the way you've done this, and you've been able to alter your voice completely. I would not have known this was you.

[00:21:32] Rachel Tobac: Yeah, it's pretty wild.

[00:21:33] Michelle: I think I would like this technology to use for making various calls from home.

[00:21:38] Michelle: Spoofing is pretty scary. It can make people think a legit organization or even a government office is calling you.

[00:21:46] Rachel Tobac: If I called you from your best friend's number, and that was in your phone, it would also show your best friend's name. So I could pretend to be anyone you know that's in your phone or that's something that's widely available online.

[00:21:57] Michelle: Luckily, there's all kinds of anti-vishing and spoofing technology now to protect us, and both of my phones were definitely on guard, but there are just so many scams, too many for phone service providers to weed out every one, which is why so many of us get them daily. Some scams are still just plain obvious, but the skilled hacker, like Rachel, or someone that is targeting you specifically, can use all the stuff you put online about yourself to craft the perfect swindle just for you. Rachel took a look at my social media presence and publicly available information to see where my vulnerabilities might lie, in addition to my love of great deals, and of course, my embarrassing obsession with my cat.

[00:22:43] Rachel Tobac: So what I did is I looked up everything that I could find about you. Don't read everything out loud, and don't freak out.

[00:22:49] Michelle: Oh no. Oh no.

[00:22:50] Rachel Tobac: But these are basically the steps that I take to determine how I'm going to attack you.

[00:22:55] Michelle: All right, okay.

[00:22:55] Rachel Tobac: So you can look through here.

[00:22:56] Michelle: So I'm opening it up now. There shouldn't be anything bad about me out there.

[00:23:01] Rachel Tobac: (chuckles) Now, they don't need to be bad for me to be able to use them to build a spear phish for you. If I know what sorority you were in, for example, I can phish you from that and give information um, to confirm sensitive details about you, or get you to tell me things, um, that I shouldn't know.

[00:23:21] Michelle: Okay, so I'm not finding anything that I would be weirded out by, yet... um, how would you describe what you found about me online?

[00:23:31] Rachel Tobac: Yes. You do not have a whole lot of information about you online, which is really good to see, Michelle. You have...

[00:23:36] Michelle: I, I am careful about that stuff, yeah, even with locations and stuff. I don't like people to know exactly where I am at a particular minute.

[00:23:45] Rachel Tobac: You'll see this one tweet that I have here, it's all about a tax return, you see that there?

[00:23:49] Michelle: Yeah.

[00:23:50] Rachel Tobac: So I could pretend to be from the government of the District of Columbia, Office of the Chief Financial Officer, Tax Revenue...

[00:23:55] Michelle: Yeah, true.

[00:23:56] Rachel Tobac: ...and reference information from this tweet that makes it more likely that you’re going to believe I really am who I say I am.

[00:24:01] Michelle: That's true. And when I tweeted that, making fun of the DC tax office, I, you could see that I took pains to be really careful and not show any actual...

[00:24:12] Rachel Tobac: Exactly.

[00:24:12] Michelle: ...information. But I see what you’re saying. Now you know that I have an issue with them, so you could very well pretend to be them.

[00:24:21] Rachel Tobac: Exactly. And so it's really not about things that are scary and, it's really understanding how someone will try and build rapport with you. Like your ballet tweet here. You said in February that you went to see the TW Ballet's Romeo and Juliet. Which is awesome, and that's not actually bad to share, but it does mean that you have to be politely paranoid because if I say something like, hey, we had a data breach, click here to see what was breached, now I, I know that you're likely to click it because I know that you went there. Maybe it wouldn't be a data breach. Maybe it would be a free Romeo and Juliet...

[00:24:55] Michelle: Yeah, and emphasis on the "free."

[00:24:58] Rachel Tobac: Exactly. So does that make sense about how...

[00:25:01] Michelle: Totally.

[00:25:01] Rachel Tobac: ...it's not always scary, yeah.

[00:25:03] Michelle: Yeah, see so what you're finding are things that I might like and might be, I might be more likely to click on because I like them. Are people more likely to click on the emails about topics that they like than something like the IRS or you know...

[00:25:19] Rachel Tobac: Yes. Right now, we're seeing that they are, because they're so sick of these fake IRS scams, that all they want to do is try and do something fun, especially during COVID-19, they're looking for an escape. And so, let's say I had children, and I was tweeting about their school or complaining about something from the school board. If the school were to email me and say, "Hey, we're reopening after COVID-19." I probably would be likely to click that, right?

[00:25:46] Michelle: That's very interesting. And so, when you looked at my profiles online, did you see holes? Did you see things that I shouldn't be doing, any advice you would give me?

[00:25:59] Rachel Tobac: Um, you were doing really, really well, Michelle. I think your time...

[00:26:02] Michelle: Oh okay, thanks.

[00:26:03] Rachel Tobac: ...yeah, your time working in journalism has really just prepared you to avoid sharing. Yeah, too much information.

[00:26:09] Michelle: And so the biggest mistakes you would say a lot of people make on social media in terms of security?

[00:26:15] Rachel Tobac: Unfortunately, people post about their children, their schools, where they spend their time, the hotels that they stay at. And when they know that information, if I can just call your hotel, pretend to be you, gain access to the room you're in, that's a big problem, right?

[00:26:27] Michelle: Yeah, that, that's a problem. So what about companies? They have access to the latest technology and training. How are they doing?

[00:26:35] Rachel Tobac: When I'm hired to hack a company, I can usually get in in about 30 seconds.

[00:26:40] Michelle: Ah.

[00:26:41] Rachel Tobac: And it's, it's scary, it's scary, but over time when they learn exactly the methods that I use, like the ballet method that I just mentioned a second ago, um, they're more likely to...

[00:26:51] Michelle: The infamous ballet method.

[00:26:53] Rachel Tobac: ...be paranoid, yes, and over time it becomes harder and harder and harder for me to attack. Where they increase technical controls, like multi-factor authentication, no password reuse, and they use two methods of communication to confirm who I am, now my job is so obnoxious, and that's a really good thing.

[00:27:10] Michelle: Yeah. That's, that's incredible. And how long, when you said that you have been phished successfully, how long ago was that?

[00:27:19] Rachel Tobac: Um, I was phished successfully about five or so years ago. Um, and the other thing about being phished is, I could have been phished 30 seconds ago, and I might not know it. Just like that email um, that I sent you today, that had all that information for your airline, you could have gone through, given me your credentials, and not even realized that you had a security incident.

[00:27:39] Michelle: Oh, absolutely.

[00:27:40] Rachel Tobac: You have to realize that in the age of COVID-19, phishing has increased 350%. We know this from Google's transparency report about phishing. And there were 300,000 plus new suspicious COVID-19 websites spun up in March alone. So you might receive information from Apple Care, um, the fake CDC, information about uh air duct disinfecting, free COVID-19 tests, all of that stuff I need you to be politely paranoid about. And you've got to go directly to the real site that you already use, and that's why security is so hard. Um, people, a lot of times don't know that they've been attacked or that they've been successfully attacked.

[00:28:20] Michelle: I'm really happy you're on this side of the good guys.

[00:28:22] Rachel Tobac: Me too.

[00:28:23] Michelle: 'Cause you would be a really good bad guy.

[00:28:26] Rachel Tobac: I hope my job becomes really, really hard one day.

(MUSIC SEGUE)

[00:28:30] Michelle: Until then, though, we have experts like her and Frank Abagnale to help us navigate the vast and dark scammerverse.

[00:28:38] Frank Abagnale: Absolutely, and again, you know, you can take an email and make it very, very sophisticated, for example, in this case, an airline logo offering you 50,000 free miles. Who wouldn't say, wow, I'm very interested in that. And then you read on further, and then if you have to respond, or you have to uh give me a credit card number 'cause there is a fee associated, a small fee associated with it for taxes or whatever line they may give you, uh that's the red flag. So it, it wasn't free, they were trying to get information from you, so uh you have to make sure that the source it's coming from is, is legitimate.

[00:29:18] Michelle: You can see how through social engineering, all they need to do is go on your social media and they can see all the things that you like, all of the things that get you excited.

[00:29:28] Frank Abagnale: Exactly.

[00:29:28] Michelle: And, so there's phishing emails, which is a tale as old as email itself.

[00:29:33] Frank Abagnale: Right.

[00:29:34] Michelle: Now there's vishing, which is faking a voice call from customer service or somewhere else, and I've also just heard about smishing, which is using SMS texts to send these kinds of, of scam through...

[00:29:50] Frank Abagnale: Exactly.

[00:29:50] Michelle: ...through that medium.

[00:29:51] Frank Abagnale: People started really watching out for robocalls, but now we've got robotexts, and it's the same thing. As soon as people start to really understand the scam, uh they change the scam, or they move to a different type of a scam. And think about now how many potential victims there are, because how many people are sitting home on their computer? Never in, in history, have there been so many people sitting at home on their computer doing something, so they're kind of bored to begin with, so these things come across, they sound great, and they're not aware of it because they don't understand the scam, so I think you see a lot more of that now under this environment of stay home than you would even see on a normal day.

[00:30:32] Michelle: Now they've become so sophisticated that it's pretty easy to replicate logos and things like that.

[00:30:39] Frank Abagnale: Yeah, I mean it's the simplest thing in the world. I always go back to when uh you know 50 years ago when I forged checks; it wasn't that easy to replicate a logo or duplicate something. You had to do a lot of stuff with copy machines and learn to understand how to operate a printing press and all those things. Today, you know, you just go, and you scan a logo off the computer, and the companies have their logos everywhere, same way for banks or any other uh business. So technology certainly has made it a lot, lot easier than it was 50 years ago.

[00:31:12] Michelle: Thanks, as always, Frank.

[00:31:14] Frank Abagnale: Thank you, Michelle. Enjoyed it.

[00:31:16] Michelle: If you or someone you know has been the victim of a scam or fraud, the AARP Fraud Watch Network Helpline is a free resource available to anyone. For nearly 20 years, trained staff and volunteers have helped thousands of individuals and their family members report and recover from fraud. Call 877-908-3360. Thank you to our team of scambusters; Executive Producer, Julie Getz; Producer, Brook Ellis; Associate Producer and Researcher, Megan DeMagnus; our Audio Engineer, Julio Gonzalez; and of course, Fraud Expert, Frank Abagnale. Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts. For AARP's The Perfect Scam, I'm Michelle Kosinski.

(MUSIC SEGUE)

END OF TRANSCRIPT

White-hat hacker Rachel Tobac takes on "The Perfect Scam," scouring the internet and gathering intel about host Michelle Kosinski that a hacker could use in a real-life scenario. Rachel, a three-time DEF CON capture-the-flag second-place winner, is the CEO and cofounder of SocialProof Security, which helps people and companies keep their data safe. Rachel shares her knowledge of social engineering and walks Michelle through a "live" phishing scam.



AARP’s Fraud Watch Network can help you spot and avoid scams. Sign up for free “watchdog alerts," review our scam-tracking map, or call our toll-free fraud helpline at 877-908-3360 if you or a loved one suspect you’ve been a victim.

The Perfect ScamSM is a project of the AARP Fraud Watch Network, which equips consumers like you with the knowledge to give you power over scams.
