• The delusional side of AI therapy.
    Jul 24 2025
    This week, our hosts Dave Bittner, Joe Carrigan, and Maria Varmazis (also host of the T-Minus Space Daily show) are back sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We've got some follow-up from listener Kajetan, who recalled a run-in with a scammer in Paris posing as a mute fundraiser—and says he performed a "miracle" by crossing out his name, prompting the supposedly mute woman to suddenly start yelling at him. Maria has the story on how small businesses in Toronto, like the family-run Souvlaki Hut and Pippins Tea Company, were shocked to discover that thieves exploited vulnerabilities in their point of sale terminals to issue themselves thousands in fraudulent refunds—exposing serious flaws in how these machines are secured. Dave's story is on a Stanford-led study that found popular AI therapy bots, including ChatGPT and commercial mental health platforms, often respond inappropriately to serious mental health issues—fueling delusions, validating harmful thoughts, and failing to follow basic therapeutic guidelines—raising urgent concerns about their use as replacements for human therapists. Joe follows the story on a sweeping federal investigation into Minnesota's Housing Stabilization Services program, where agents raided homes and businesses tied to an alleged multi-million-dollar Medicaid fraud scheme that exploited vulnerable residents and billed taxpayers for housing support services that were never provided. Our catch of the day is on a patient scammer who spent five months building trust before claiming to send a $700K inheritance payout locked in a lawsuit—complete with a fake video of a safe and a shady tracking number—only to demand €15,000 in "customs fees," a scam the Redditor thankfully saw through before handing over any money. Complete our annual audience survey before August 31.
    Resources and links to stories:
      • AI therapy bots fuel delusions and give dangerous advice, Stanford study finds
      • ‘It was a shock’: Toronto business owner says customer used point of sale terminal to issue himself $2,000 refund
      • KARE 11 Investigates: Federal agents raid homes & businesses seizing evidence in housing fraud investigation
    Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com.
    52 mins
  • Software Assurance Maturity Model (SAMM) (noun) [Word Notes]
    Jul 22 2025
    Please enjoy this encore of Word Notes. A prescriptive open source software security maturity model designed to guide strategies tailored to an organization’s specific risks. Audio reference link: "OWASP MSP - Pravir Chandra: Software Assurance Maturity Model (OpenSAMM)," by Pravir Chandra, OWASP MSP, 2009.
    6 mins
  • It’s all glitter, no gold.
    Jul 17 2025
    This week, our hosts Dave Bittner, Joe Carrigan, and Maria Varmazis (also host of the T-Minus Space Daily show) are back sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. Our hosts share some follow-up, including a Rick Roll after the last episode. They also highlight a listener note from Evaldas in Lithuania, who explains that companies often use alternate domains for marketing emails to protect their main domain’s reputation—so marking them as spam is actually expected. Joe’s got a story of a billion-dollar AI-fueled scam where criminals impersonate celebrities like Keanu Reeves and Kevin Costner to exploit lonely fans—convincing them to send money, fall in love, and keep the relationship secret, all while Hollywood scrambles to fight back. Maria has the story of how a federal court blocked the FTC’s new “click-to-cancel” rule—meant to make canceling subscriptions easier—due to a procedural misstep, just days before it was set to take effect. Dave shares a story from Reddit about a disturbing extortion scam where a victim received a fake photo of their car outside a strip club—with their real license plate—demanding $1,000 to keep it quiet, raising questions about data scraping and AI manipulation. Our catch of the day comes from the scams subreddit, where a user shares a tale of a scammer promising big returns for investing in gold and diamonds—spoiler alert: it’s all glitter, no gold. Complete our annual audience survey before August 31.
    Resources and links to stories:
      • This Is Not Keanu: Inside the Billion-Dollar Celebrity Impersonation Bitcoin Scam
      • A ‘click-to-cancel’ rule, intended to make canceling subscriptions easier, is blocked
      • [US] Extortion text message with fake strip club photo but real license plate – how did they get my info?
    Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com.
    47 mins
  • Universal 2nd Factor (U2F) (noun) [Word Notes]
    Jul 15 2025
    Please enjoy this encore of Word Notes. An open standard for hardware authentication tokens that use the universal serial bus, or USB, near-field communication, or NFC, or Bluetooth to communicate one factor in a two-factor authentication exchange. Cyberwire Glossary link: https://thecyberwire.com/glossary/u2f Audio reference link: “Rise of the Machines: A Cybernetic History,” by Thomas Rid, Published by W. W. Norton Company, 21 November 2017.
    7 mins
  • Convinced, compromised, and confirmed.
    Jul 10 2025
    This week, our hosts Dave Bittner, Joe Carrigan, and Maria Varmazis (also host of the T-Minus Space Daily show) are back sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start with a ton of follow-up—from a sextortion scam that triggered a bot frenzy on Facebook, to sandboxed scam-baiting with fake credit cards, to a surprise magazine subscription that may or may not involve chicken gods. Plus, one listener wonders: do people really know what a strong password is? Dave’s story is on a massive China-linked scam where hackers are spoofing big-name retail websites—like Apple, PayPal, and Hermes—to trick shoppers into handing over their payment info on convincing fake storefronts, with thousands of fraudulent sites still live and targeting victims worldwide. Joe's got the story of a sneaky spear-phishing campaign targeting financial execs with fake job offers that ultimately install a legit remote access tool, NetBird, to gain stealthy, persistent access—part of a growing trend where attackers use real software and clever social engineering to fly under the radar. Maria's got the story of a young homebuyer who lost $109,000 to a payment redirection scam, prompting Australian banks to finally roll out a “Confirmation of Payee” system to prevent similar fraud—though critics say the fix still puts too much blame on victims. Our catch of the day comes from the Scams sub-Reddit, where we hear about a scam getting people to click on a fake job that's too good to be true. Complete our annual audience survey before August 31.
    Resources and links to stories:
      • China-linked hackers spoof big-name brand websites to steal shoppers' payment info
      • Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Across 6 Global Regions
      • After Louis lost $109k to scammers, banks are finally combatting the 'flaw' the scammers used
    Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com.
    51 mins
  • adversary group naming (noun) [Word Notes]
    Jul 8 2025
    Please enjoy this encore of Word Notes. A cyber threat intelligence best practice of assigning arbitrary labels to collections of hacker activity across the intrusion kill chain.
    10 mins
  • Brushed aside: The subtle scam you didn't order.
    Jul 3 2025
    This week, our hosts Dave Bittner, Joe Carrigan, and Maria Varmazis (also host of the T-Minus Space Daily show) are back sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start with some follow-up, as Joe shares with us a complaint he has with Vanguard. Maria’s story is on McAfee’s latest research revealing that one in five Americans has fallen for a travel scam—often losing hundreds of dollars—despite many trying to stay vigilant, as scammers use fake websites, AI-altered photos, and phishing links to exploit deal-seeking travelers. Joe’s got two stories this week: the first one is from Rachel Tobac on LinkedIn, breaking down how attackers like Scattered Spider are using phone-based impersonation, fake domains, and social engineering to breach insurance companies, and the second is on Aflac confirming it was hit in a cyberattack believed to be part of a broader campaign targeting the insurance sector, likely tied to the same threat group. Dave’s story is on brushing scams, a scheme the United States Postal Service is warning about, where scammers send unordered packages—often low-cost items—to people’s addresses so they can fraudulently post fake “verified” reviews online using the recipient’s name and address to boost product rankings. Our catch of the day is from the scams sub-Reddit, where someone shared text messages from a scammer asking for only a small favor. Complete our annual audience survey before August 31.
    Resources and links to stories:
      • New McAfee Report Finds Young Adults Fall for Travel Scams More Often Than Older Generations
      • Rachel Tobac LinkedIn
      • Aflac Latest Insurer to Suffer Cyberattack and Data Breach
      • Brushing Scam - Unexpected Package US Postal Inspection Service
    Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com.
    44 mins
  • BSIMM (noun) [Word Notes]
    Jul 1 2025
    Please enjoy this encore of Word Notes. A descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops. CyberWire Glossary link: https://thecyberwire.com/glossary/bsimm Audio reference link: “OWASP AppSecUSA 2014 - Keynote: Gary McGraw - BSIMM: A Decade of Software Security.” YouTube Video. YouTube, September 19, 2014.
    6 mins