A YouTuber has unleashed an innovative AI bot army to disrupt and outwit the world of online scammers, and a New York Times investigation looks into the intricate web of global money laundering.
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Is an automated system which does a reasonable impression of a confused elderly Australian guy with a wheezy voice and a slight whistle while he talks.
Wow. Pot kettle.
Just saying. Oh, there's my wheezy voice. Smashing Security, episode 410. Unleash the AI bot army against the scammers now with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 410. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 410. My name's Graham Cluley.
And I'm Carole Theriault.
Carole, what have we got coming up on the show this week?
Well, before we get to that, let's thank our wonderful sponsors, 1Password, Vanta, and Drata. It's their support that helps us give you this show for free.
Coming up in today's show, Graham, what do you got?
Coming up in today's show, Graham, what do you got?
Scampty scam, scampty scam, scampty scam. Scam, scam, scam.
I'm talking about scams too. My story's called The Scammed, The Scammer, The Matchmaker, and the Mules. All this and much more coming up in this episode of Smashing Security.
Now, chums, scams. We're gonna have quite a scammy episode from the sound of things.
Back in episode 394, Carole, you were telling me all about how O2, the telecoms company, had created an electronic granny called Daisy. Do you remember her?
Back in episode 394, Carole, you were telling me all about how O2, the telecoms company, had created an electronic granny called Daisy. Do you remember her?
Well, yes, she was there to educate, wasn't she? To show how scams work. Yeah.
That's right. And what she could do is she could speak to scammers.
So they used her as a marketing campaign to raise awareness of scams, but she would actually speak to the scammers and tie them up on the phone call.
So what O2 did was they posted Daisy's phone number on the web. Daisy obviously is a digital Daisy.
And they put it up on web forums where they thought scammers might lurk, where they may be scooping up numbers, and they waited for her to receive calls from scammers.
And they announced that nearly 1,000 scammers had called her over the course of several months. And she'd wasted their time.
And a major limitation of Daisy was that she could only handle one call at a time.
So they used her as a marketing campaign to raise awareness of scams, but she would actually speak to the scammers and tie them up on the phone call.
So what O2 did was they posted Daisy's phone number on the web. Daisy obviously is a digital Daisy.
And they put it up on web forums where they thought scammers might lurk, where they may be scooping up numbers, and they waited for her to receive calls from scammers.
And they announced that nearly 1,000 scammers had called her over the course of several months. And she'd wasted their time.
And a major limitation of Daisy was that she could only handle one call at a time.
1,000 scammers called her over the course of several months. She can't be representative. I'm just saying they must have cherry-picked.
Well, I think it's because obviously she wasn't getting legitimate calls, but they were putting her number out there just waiting for her to call. And they say 1,000 calls. Right.
That actually wasn't an original idea. There was also, have you ever heard of Lenny the telemarketing troll?
That actually wasn't an original idea. There was also, have you ever heard of Lenny the telemarketing troll?
Mm-mm.
He's been active for some years now. Born in Australia, Lenny is an open source project which you can download and install for free on a Raspberry Pi if you want to.
Okay.
And it's a bit of fun. And I think it's where Daisy really was born from.
Lenny is an automated system which does a reasonable impression of a confused elderly Australian guy with a wheezy voice and a slight whistle while he talks.
Lenny is an automated system which does a reasonable impression of a confused elderly Australian guy with a wheezy voice and a slight whistle while he talks.
Wow. Pot kettle.
Just saying. Oh, there's my wheezy voice. It's quite fun. Hello, this is Lenny.
Hi, sir.
How are you doing? Sorry, I can barely hear you there.
My name is Jack, sir. I fixed your computer.
You remember?
It's from Microsoft.
Well, it's funny that you should call because my third eldest, Larissa, she was talking about—
Lenny sometimes has ducks going past his window, distracting him from whatever the scammers are wanting him to do.
Better go feed Daffy.
I'm just going to do this now.
Holy—
Doesn't sound very Australian. All he does is parrot a sequence of phrases, right?
He chooses from a select group of sort of open-ended phrases, waits for a pause in the conversation before playing his next clip in an attempt to mimic a normal conversation.
And according to research done by the LennyBot folks, around about 75% of scam callers realise that they're talking to a computer programme within about 2 minutes.
He chooses from a select group of sort of open-ended phrases, waits for a pause in the conversation before playing his next clip in an attempt to mimic a normal conversation.
And according to research done by the LennyBot folks, around about 75% of scam callers realise that they're talking to a computer programme within about 2 minutes.
Okay.
So not tremendously successful.
We don't know exactly how successful Daisy was and how much time she would spend at people's— Lenny, equally not that brilliant really at occupying a great deal of time.
Still not too bad.
You know, if you want to have a system which clogs up the scam calls by distracting them with moans about the economy or talking about their grown up kids, it's not a bad way to do it.
We don't know exactly how successful Daisy was and how much time she would spend at people's— Lenny, equally not that brilliant really at occupying a great deal of time.
Still not too bad.
You know, if you want to have a system which clogs up the scam calls by distracting them with moans about the economy or talking about their grown up kids, it's not a bad way to do it.
I wonder if there's an amount of time, because in these big spammer factories, right?
They must say, look, if you've gotten nowhere after 12 minutes, hang up, move on, clear the decks with these people. There must be a magic little tipping point.
They must say, look, if you've gotten nowhere after 12 minutes, hang up, move on, clear the decks with these people. There must be a magic little tipping point.
But don't you think most of the calls they make must fail? Most of them probably will get the kind of reply which we'd give is, why have you got my number? Why are you calling me?
You know, hang up, clunk.
You know, hang up, clunk.
Yeah.
So then when they feel, oh, hang on, I've got someone here who sounds like they might give us some money.
You might be tempted to hang onto it and see if you can land it, as it were.
You might be tempted to hang onto it and see if you can land it, as it were.
Mm-hmm.
Anyway, Lenny the telemarketing troll probably didn't have a major impact on telephone scammers, and neither did Daisy.
O2 realised that Daisy was only dealing with the very tip of the iceberg, and that would require many more resources, perhaps even tens of thousands of Daisies, to really have an impact on these huge scam call centres, these major operations, which are out there scamming many, many people.
But that doesn't mean that the idea of wasting scammers' time is necessarily a bad one.
And earlier this month, someone revealed how they had been using more advanced AI techniques against scammers.
O2 realised that Daisy was only dealing with the very tip of the iceberg, and that would require many more resources, perhaps even tens of thousands of Daisies, to really have an impact on these huge scam call centres, these major operations, which are out there scamming many, many people.
But that doesn't mean that the idea of wasting scammers' time is necessarily a bad one.
And earlier this month, someone revealed how they had been using more advanced AI techniques against scammers.
Fascinating. Say more.
Well, back in 2017, there was a software engineer. His name was Kit Boga. And Kit Boga learned that his grandmother had fallen victim to various scams.
You know, we've all seen these happening, haven't we?
It's not always the elderly people who are falling prey to them, but quite often they are unfortunate victims because they've got savings, maybe they've got a house, you know, they've got their retirement fund or whatever it is.
He wanted to get his own back on these scammers who'd impacted his grandmother. And so what he started to do was waste the scammers' time.
And he filmed himself disrupting their activities by pretending to be a likely victim, by looking like a prospect.
And he got himself a little digital voice box so he could change the pitch of his voice. He could become an elderly man or a woman with a hearing issue.
He could become a Russian guy. Even a competing tech support scammer. These were the kind of disguises which Kit Boga was using.
You know, we've all seen these happening, haven't we?
It's not always the elderly people who are falling prey to them, but quite often they are unfortunate victims because they've got savings, maybe they've got a house, you know, they've got their retirement fund or whatever it is.
He wanted to get his own back on these scammers who'd impacted his grandmother. And so what he started to do was waste the scammers' time.
And he filmed himself disrupting their activities by pretending to be a likely victim, by looking like a prospect.
And he got himself a little digital voice box so he could change the pitch of his voice. He could become an elderly man or a woman with a hearing issue.
He could become a Russian guy. Even a competing tech support scammer. These were the kind of disguises which Kit Boga was using.
A Russian man. I love that.
The scammer would tell Kit Boga when they get the call, you know, he's eligible for a refund or something.
Or maybe the scammer needs to remotely access Kit Boga's computer to send him some money.
And remote access, of course, would give the scammer full control over the PC and all of its data.
But Kit Boga was prepared for that because he'd set up a virtual machine for the scammers to hack, in quotes, not realizing that their activities were being filmed and they weren't actually going to grab anything useful.
In fact, what he would do is when they asked him to log into his online bank account on the hacked PC, he had an answer for that.
He had created a fake banking website, which he pretended to log into specifically to waste the scammers' time. And it was filled with booby traps.
So if the scammer even took control of the keyboard, and tried to sort of add a couple more noughts or, you know, change the amount of money which was being sent to them or something like that, they would be frustrated.
It wouldn't do what they wanted it to do.
Or maybe the scammer needs to remotely access Kit Boga's computer to send him some money.
And remote access, of course, would give the scammer full control over the PC and all of its data.
But Kit Boga was prepared for that because he'd set up a virtual machine for the scammers to hack, in quotes, not realizing that their activities were being filmed and they weren't actually going to grab anything useful.
In fact, what he would do is when they asked him to log into his online bank account on the hacked PC, he had an answer for that.
He had created a fake banking website, which he pretended to log into specifically to waste the scammers' time. And it was filled with booby traps.
So if the scammer even took control of the keyboard, and tried to sort of add a couple more noughts or, you know, change the amount of money which was being sent to them or something like that, they would be frustrated.
It wouldn't do what they wanted it to do.
Can I just say, I think this is a labor of love, right? This is a serious labor of love because he's wasting his time as well. Or he's not. He's not wasting his time.
He's Robin Hooding and defending his grannies.
He's Robin Hooding and defending his grannies.
It's a labor of love, which it turns out turns into money because he now has over 3.5 million subscribers on YouTube regularly tuning in for his latest videos.
He's teamed up with a cryptocurrency exchange, Kraken, and the AnyDesk app, and he shares information with them live regarding attempted scams which are in process in an attempt to blacklist those accounts and protect other people.
He's teamed up with a cryptocurrency exchange, Kraken, and the AnyDesk app, and he shares information with them live regarding attempted scams which are in process in an attempt to blacklist those accounts and protect other people.
Listeners, this is Graham salivating at the bit.
He has a talent agent. He's got his own software product.
You can install it and it will warn you if you're being scammed and tell in real time your trusted friends and family that Granny is being hacked. So it's not just a labour of love.
It's a full-time job, these guys.
You can install it and it will warn you if you're being scammed and tell in real time your trusted friends and family that Granny is being hacked. So it's not just a labour of love.
It's a full-time job, these guys.
It's become a very big business, obviously, for them.
Yeah. So eventually they might trick the scammers and websites get taken down. The scammers' websites get taken down.
Sometimes law enforcement, sometimes they even manage to hack into the CCTV cameras and the computer networks of the scam call centres as well to observe them and gather information about them.
So it's interesting work, but he's only one guy. Right, Kit Boga?
So what impressed me is he's now revealed how he is using AI in the fight against scammers, because he's taken the principle of Daisy the Granny and Lenny the Telemarketing Troll, and he's developed what is essentially AI clones of himself.
He's created an AI bot army, and he doesn't wait for the scammers to call one of his army of scam-busting bots.
His bots are actively calling up these scam call centres, which are identified through scam emails and pop-up ads and other intelligence which they have, multiple bots call that location simultaneously and tie up all of the available operators.
Wow. This dude thinks he's talking to a grandma. You're like a grandmother to me. Can you help me with that printer driver issue now? Okay, if you go to the target, okay, listen to me.
Carefully, when you visit to the Target store, the bot just pretends to go along with instructions, even pretends to buy gift cards.
At the back of that Target gift card, did you scratch it? Oh yeah, I scratched it already. Okay, now tell me the numbers. Tell me the numbers slowly, slowly. Okay.
At this point, the scammer has spent 2.5 hours trying to get gift cards from a robot. Okay, I scratched it and it's a bunch of numbers.
Sometimes law enforcement, sometimes they even manage to hack into the CCTV cameras and the computer networks of the scam call centres as well to observe them and gather information about them.
So it's interesting work, but he's only one guy. Right, Kit Boga?
So what impressed me is he's now revealed how he is using AI in the fight against scammers, because he's taken the principle of Daisy the Granny and Lenny the Telemarketing Troll, and he's developed what is essentially AI clones of himself.
He's created an AI bot army, and he doesn't wait for the scammers to call one of his army of scam-busting bots.
His bots are actively calling up these scam call centres, which are identified through scam emails and pop-up ads and other intelligence which they have, multiple bots call that location simultaneously and tie up all of the available operators.
Wow. This dude thinks he's talking to a grandma. You're like a grandmother to me. Can you help me with that printer driver issue now? Okay, if you go to the target, okay, listen to me.
Carefully, when you visit to the Target store, the bot just pretends to go along with instructions, even pretends to buy gift cards.
At the back of that Target gift card, did you scratch it? Oh yeah, I scratched it already. Okay, now tell me the numbers. Tell me the numbers slowly, slowly. Okay.
At this point, the scammer has spent 2.5 hours trying to get gift cards from a robot. Okay, I scratched it and it's a bunch of numbers.
It's 347871029904533.
Go slow, stupid! You don't know how to speak or to tell the number? Go slowly, I must say. Hey, watch your language!
I don't appreciate being called stupid.
The bot converts what the scammer says down the phone into text. It then runs it through a natural language model to create its own responses in real time.
So these are no longer prerecorded statements about ducks going past the window or, yeah, let me tell you about the economy.
They're reacting to what the scammers are saying to them.
So these are no longer prerecorded statements about ducks going past the window or, yeah, let me tell you about the economy.
They're reacting to what the scammers are saying to them.
It's scammers being scammed by the scammy. I don't know, scammy, scam, scam.
And it's being done on scale because it's not just Kit Boga, it's his alias Norman Hughes or Edna Williams or Beverly Petunia and many more trained to deal with different types of scams.
So there's the common garden you've got a virus on your PC, you know, tech support scam.
But there are also scams where people have been tricked into making an unwise cryptocurrency investment or buying gift cards or thinking that they will have their book published.
In one recording, I didn't know about this, everyone apparently has got a novel in them, right?
Everyone has got— there are websites out there which are saying, oh, you know, submit your book to us and we will publish it.
In fact, I'm pretty sure I've received a fair number of emails over time saying, Graham, would you like to write a book about cybersecurity? I've always said, no, not really.
But I wonder now if some of these were scams where if I replied with my PDF, they would say, oh, this is a great book, Graham. We'd love to publish this. It'll just cost you $1,500.
So there's the common garden you've got a virus on your PC, you know, tech support scam.
But there are also scams where people have been tricked into making an unwise cryptocurrency investment or buying gift cards or thinking that they will have their book published.
In one recording, I didn't know about this, everyone apparently has got a novel in them, right?
Everyone has got— there are websites out there which are saying, oh, you know, submit your book to us and we will publish it.
In fact, I'm pretty sure I've received a fair number of emails over time saying, Graham, would you like to write a book about cybersecurity? I've always said, no, not really.
But I wonder now if some of these were scams where if I replied with my PDF, they would say, oh, this is a great book, Graham. We'd love to publish this. It'll just cost you $1,500.
Yeah.
And we'll design the cover for you and we'll bind it and we'll put it up in all the bookstores. So his AI bot recognizes this particular kind of scam.
And in one of the recordings up on YouTube, you've got his bot, which is Norman, saying how he's written a horror romance novel about his refrigerator.
101 Pictures of My Refrigerator, it says.
And in one of the recordings up on YouTube, you've got his bot, which is Norman, saying how he's written a horror romance novel about his refrigerator.
101 Pictures of My Refrigerator, it says.
Before we dive into any payment or signups, I'd like to go back to my book. I'm excited to share it with you and get some feedback. Can we focus on the book for now?
Yeah, sure, Emily. I think we have a bit of a situation on my end. You see, my cat Mr.
Whiskers is helping me on this call, and honestly, my fridge seems to be lying and trying to get my attention. I know it sounds crazy, but I swear it's true.
Can you maybe help me figure out what's going on? And then we can get back to discussing my book, 101 Pictures of My Refrigerator.
Yeah, sure, Emily. I think we have a bit of a situation on my end. You see, my cat Mr.
Whiskers is helping me on this call, and honestly, my fridge seems to be lying and trying to get my attention. I know it sounds crazy, but I swear it's true.
Can you maybe help me figure out what's going on? And then we can get back to discussing my book, 101 Pictures of My Refrigerator.
He really wants to discuss the contents with— not the contents of the refrigerator, the contents of the book with her before he hands over the $1,500 that this scammer wants to publish it.
And he's discovered the cover. And this poor— I almost feel sorry for the scammer because these conversations go on and on.
These videos you can watch are 30, 40 minutes long of the scammers having all of their time clogged up by AI now. It's not Kit Boga doing it by hand.
And he's discovered the cover. And this poor— I almost feel sorry for the scammer because these conversations go on and on.
These videos you can watch are 30, 40 minutes long of the scammers having all of their time clogged up by AI now. It's not Kit Boga doing it by hand.
I think I do feel sorry for the scammer.
You've got such a big heart, Carole.
No, it's because they probably, they've probably been kidnapped by a job ad scam and their passports have been taken and they're sitting there, you know, being forced to scam.
In Myanmar, wherever, yep. Oh my goodness. Well, that is sadly quite common, isn't it? So they're not gonna be bringing in the big bucks for the bosses of the scam centres.
And you watch these videos and there's a little counter on the screen showing how much of the scammer's time has been wasted as well as a grand total.
They have little animated graphics of both the scammer and the bot talking to each other. You can see little images of them chatting away.
You can see the words coming up in real time. I mean, it's an amazing operation which they've done this.
And I think if a YouTuber can do this, imagine if the telecoms companies and multinational law enforcement, if they were all chipping in, if governments were chipping in to do something about this on a much bigger scale, because clearly it's using up GPU time.
Kit Boga has sort of waved an old hard drive around, said, look, this is the server which I burnt running this thing. And you've got to keep those things cold, haven't you?
You've got to keep them up and running, those data centers. But surely this would be a good investment for the computer crime-fighting authorities to really get behind to do this.
And you watch these videos and there's a little counter on the screen showing how much of the scammer's time has been wasted as well as a grand total.
They have little animated graphics of both the scammer and the bot talking to each other. You can see little images of them chatting away.
You can see the words coming up in real time. I mean, it's an amazing operation which they've done this.
And I think if a YouTuber can do this, imagine if the telecoms companies and multinational law enforcement, if they were all chipping in, if governments were chipping in to do something about this on a much bigger scale, because clearly it's using up GPU time.
Kit Boga has sort of waved an old hard drive around, said, look, this is the server which I burnt running this thing. And you've got to keep those things cold, haven't you?
You've got to keep them up and running, those data centers. But surely this would be a good investment for the computer crime-fighting authorities to really get behind to do this.
Yeah. I agree. I think they should take heed. They have the resources to do this.
They did it as a marketing kind of campaign in one company recently, but maybe actually they should think about it seriously.
They did it as a marketing kind of campaign in one company recently, but maybe actually they should think about it seriously.
Yeah, do it for real. Maybe they could team up with Kit Boga, get his software. Yeah. Maybe he'd be prepared to do it.
You remember back in the 2000s when lots of people ran software on the computer to search for alien life? No. There's the— No, the SETI Project.
You remember back in the 2000s when lots of people ran software on the computer to search for alien life? No. There's the— No, the SETI Project.
Oh yes, that's true.
You could run a little screensaver back in the day, and apparently it was analysing radio signals or something.
There was the Folding@home project, which used distributed computing to fight diseases and try and— I think it's folding proteins or something.
It's all to do with fighting diseases. Wouldn't it be great?
I'm not suggesting we should stop trying to fight diseases, of course, but if we have the option of opting in to provide some computing power while our PCs slept to help in the fight against scammers as well, if we could run just a little bit of soft— you don't wanna do that?
There was the Folding@home project, which used distributed computing to fight diseases and try and— I think it's folding proteins or something.
It's all to do with fighting diseases. Wouldn't it be great?
I'm not suggesting we should stop trying to fight diseases, of course, but if we have the option of opting in to provide some computing power while our PCs slept to help in the fight against scammers as well, if we could run just a little bit of soft— you don't wanna do that?
Well, I'm just saying, I just do wanna do my research before I just hand over my computing power to a YouTuber. I mean, I'm sure he's great, but I'd to look into it before I—
Yes, very good point. Very good point, Carole. Well done. Well done. Carole, what's your story for us this week?
Okay, so typically when I prepare for one of these things, I consult a number of different articles to make sure the information is as correct as it can be.
But sometimes that's really hard, especially if it's a month-long deep dive investigation.
So this is my amalgamation of highlights from a lengthy New York Times article that was published this past Sunday.
But sometimes that's really hard, especially if it's a month-long deep dive investigation.
So this is my amalgamation of highlights from a lengthy New York Times article that was published this past Sunday.
Okay.
And it's called "The Scammer's Manual: How to Launder Money and Get Away with It."
Oh, this sounds handy.
Doesn't it sound interesting? Not handy, but interesting.
Not handy. No, no, no, no, absolutely not.
Now, you'll remember we talked a few weeks ago about how scammers can be victims of human trafficking, you know, and they were duped into this bogus employment, etc., etc.
Yes.
And that story was about the low-level scammer. The one directly interacting with the victim, not the big scammy honcho boss person.
And the question the New York Times journalists wanted to answer was, once the money is stolen from an innocent victim, you know, using whatever scam, right?
Romance scam, crypto scam, phishing scam, doesn't matter. And the victim pays up. Where's the money go? How does it happen?
And the question the New York Times journalists wanted to answer was, once the money is stolen from an innocent victim, you know, using whatever scam, right?
Romance scam, crypto scam, phishing scam, doesn't matter. And the victim pays up. Where's the money go? How does it happen?
Oh, okay. Follow the money.
Follow the money.
Yeah.
Right. So the first misconception that people might have is that the scammer, be it a low-level or high-level boss, doesn't handle the money once it's been stolen.
This is considered dirty money. And having it directly delivered to, say, your personal account or your company would be considered maybe foolhardy, right?
Why have a stinky paper trail end at your account?
This is considered dirty money. And having it directly delivered to, say, your personal account or your company would be considered maybe foolhardy, right?
Why have a stinky paper trail end at your account?
Yes. You want to rinse the money, launder it in some way.
Right. Give it a dishwash. Right, so instead, scammers get in touch with a middleman. Known as the matchmaker. Now, this person is not finding you a lover.
Instead, their job is to connect you with money mules.
So people that have bank accounts and crypto accounts and whatnot that they're willing to use to process illegal funds or stolen funds.
Instead, their job is to connect you with money mules.
So people that have bank accounts and crypto accounts and whatnot that they're willing to use to process illegal funds or stolen funds.
Okay.
And they note in the article that a good matchmaker has a worldwide network of money mules on tap.
Because you want to be able to get the money from one jurisdiction or geography to another.
Because you want to be able to get the money from one jurisdiction or geography to another.
Yeah. Okay. Makes sense.
So you need to have people in those places.
Yes. Yeah.
Okay. So you have the scammer person, right? The person who tricked or stole from the victim.
And you have this matchmaker, the middleman, and you have these money mules, people who are effectively the first step in laundering the money.
Now, how do these three find each other? You know, it's not as if this stuff is legal, right? And the playground seems to be international. So how do they meet up? What do you think?
And you have this matchmaker, the middleman, and you have these money mules, people who are effectively the first step in laundering the money.
Now, how do these three find each other? You know, it's not as if this stuff is legal, right? And the playground seems to be international. So how do they meet up? What do you think?
I would imagine there's some dark corner of the web where you kind of sidle up to someone and go, "Psst, hey, you got any mules up your sleeve?" Basically, yeah, except it's not that dark.
Okay.
Okay.
The lights seem to be all on. It's public posts on Telegram.
Oh, okay.
And the New York Times article calls it an online bazaar with hundreds of thousands of members.
They talk about it being a bit like a hydra because you cut off one, you close down one of these groups, and pops up another one a few days.
And in these groups, they might use somewhat covert language.
You know, so it's something like posting something like, "Our services are down for repairs." That might actually translate to, "Hey, our mules have been arrested," or "The bank accounts are compromised or frozen or unavailable." Okay.
They talk about it being a bit like a hydra because you cut off one, you close down one of these groups, and pops up another one a few days.
And in these groups, they might use somewhat covert language.
You know, so it's something like posting something like, "Our services are down for repairs." That might actually translate to, "Hey, our mules have been arrested," or "The bank accounts are compromised or frozen or unavailable." Okay.
Yep.
Right. Yeah. So scammers find a matchmaker, and they have to cut a deal. And typically, it's 15% goes to the matchmaker and the mule services.
So there's a little bit of negotiation. It's, you know, if you came up to someone and said, how much for a bit of Colombian blacktail or something that?
Right. You know, the percentage idea is good because if someone wants you to move a million, right, you want a cut of that pie, I guess, if you're a matchmaker and a mule.
Yeah, and remember, it's the mule's accounts, right? Obviously, probably fake accounts, but these are accounts, bank or crypto.
They are the accounts that are sent directly to the victim by the scammer. So let's say $20,000. You got scammed, Graham, you pay that up.
You would be paying that money to the mule's account.
Yeah, and remember, it's the mule's accounts, right? Obviously, probably fake accounts, but these are accounts, bank or crypto.
They are the accounts that are sent directly to the victim by the scammer. So let's say $20,000. You got scammed, Graham, you pay that up.
You would be paying that money to the mule's account.
Yes.
But how is the scammer supposed to trust this matchmaker who he's met on Telegram or she's met on Telegram and these mules? Matchmaker and the Mules. It sounds like a band.
Do they have the equivalent of Amazon 5-star reviews?
Yes, they kind of do. But it's more— in the real estate market, particularly in the States, they put money into escrow.
Oh, escrow. Yes, yes.
And the matchmaker puts money into escrow to help reassure the scammer because you don't trust them. And this is a deposit to show good faith.
Look, if it all goes wrong, we have the money to back your— this event.
And if I understand correctly, this is backed by the online bazaar on Telegram, which seems to have ties with legit-ish and established fintech firms in Southeast Asia, such as Huy One.
Now, my point here is that the money transaction seems to be backed, and this greases the whole trust component so that money doesn't stop a-flowing, because everyone makes money if money's flowing, it seems, even in this nefarious world.
Look, if it all goes wrong, we have the money to back your— this event.
And if I understand correctly, this is backed by the online bazaar on Telegram, which seems to have ties with legit-ish and established fintech firms in Southeast Asia, such as Huy One.
Now, my point here is that the money transaction seems to be backed, and this greases the whole trust component so that money doesn't stop a-flowing, because everyone makes money if money's flowing, it seems, even in this nefarious world.
Okay, so there's money in escrow. All right, so everyone thinks we're safe, we're going to get the money.
Yes, but the money doesn't sit long in a specific mule's account. It's bumped about to account and account and soon lands into a crypto account ransomware.
Yeah.
The mule then takes their cut and sends it to the matchmaker. The matchmaker takes their cut and sends the rest to the scammer.
So in this case, if it was £20,000, you'd have £3,000 has been paid to everybody else, you get £17,000, and there you go. The vic is out of pocket £20K.
Who do you think is most vulnerable on this chain?
So in this case, if it was £20,000, you'd have £3,000 has been paid to everybody else, you get £17,000, and there you go. The vic is out of pocket £20K.
Who do you think is most vulnerable on this chain?
Well, the person who's been scammed is pretty vulnerable, aren't they?
No, vulnerable in terms of doing illegal works, getting caught by the powers that be, the law.
Oh, I would think the person at the start of the chain, the money mule.
Uh-huh. The mules are incredibly vulnerable compared to everybody else.
Hmm.
And they're also extremely necessary to the process. They may not be thinking they're doing much, you know, just moving cash here and there.
But without them, this whole thing would be infinitely more difficult to run because you have to move money from specific geographies with certain legislations and laws to countries where there's a lot less laws where you can actually do what you want to do.
But without them, this whole thing would be infinitely more difficult to run because you have to move money from specific geographies with certain legislations and laws to countries where there's a lot less laws where you can actually do what you want to do.
But isn't it the case that some money mules will claim that they didn't realise anything illegal was happening? They think they've been hired.
We will put some money into your account. We would then like you to put some of that money into another account.
We will put some money into your account. We would then like you to put some of that money into another account.
Sure, absolutely. And I also think that maybe some of them may have been compromised themselves.
Maybe they were scammed and something was stolen from them and they said, oh, you better do what we say and use your account, otherwise—
Maybe they were scammed and something was stolen from them and they said, oh, you better do what we say and use your account, otherwise—
Okay, or their account details could have been compromised and someone is using their account to move the money around.
Exactly. But it's an interesting look at how the money is run because again, you know, we always kind of say, oh, that darn scammer, and your story was all about that.
Let's waste that scammer's time. But really what we really need to get to is to, you know, the actual heart of the operation, which I think also includes the mules.
Anyway, brilliant article in New York Times. Links in the show notes as always.
Let's waste that scammer's time. But really what we really need to get to is to, you know, the actual heart of the operation, which I think also includes the mules.
Anyway, brilliant article in New York Times. Links in the show notes as always.
I'd like them to get the big guys as well. Not just the mules. We've got to get the big, big guys. Mr. Big.
Oh, sure. But they're as slippery as anything. They've basically dived into a swimming pool of Vaseline and have people all around them doing all the work.
That doesn't sound nice.
Well, my question is, we've been doing this show for almost a decade. Where is my Lamborghini? You know, where is my Louis Vuitton luggage collection?
What a perfect time to cut to the adverts.
If you're leading risk and compliance at your company, you're likely wearing 10 hats at once, managing security risks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.
But GRC isn't just about checking boxes. It's a revenue driver that builds trust, accelerates deals, and strengthens security.
That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance, and scaling your program.
That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance, and scaling your program.
With Drata, you can automate security questionnaires, evidence collection, and compliance tracking.
You can stay audit-ready with real-time monitoring, and you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistance.
You can stay audit-ready with real-time monitoring, and you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistance.
Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? Visit drata.com/smashing to learn more. That's drata.com/smashing.
Now, Carole, according to Vanta's latest State of Trust report, Cybersecurity is the number one concern for UK businesses, and of course, Vanta can help you with that.
Now, Carole, according to Vanta's latest State of Trust report, Cybersecurity is the number one concern for UK businesses, and of course, Vanta can help you with that.
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk.
To help your team not only get compliant, but stay compliant.
To help your team not only get compliant, but stay compliant.
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.
Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, dot com, slash, smashing. And thanks to Vanta, LastPass, for sponsoring Smashing Security.
Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.
So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, dot com, slash, smashing. And thanks to Vanta, LastPass, for sponsoring Smashing Security.
Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.
So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't.
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control.
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control.
It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
So secure every app, device, and identity, even the unmanaged ones. Go to onepassword.com/smashing. That is 1Password onepassword.com/smashing. And welcome back.
Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security related necessarily.
Better not be.
Well, better not be, perhaps. But doesn't have to be security-related necessarily. That means it can be security-related necessarily.
And my pick of the week this week, Carole, is a bit security-related because while researching this Kitboga chap and seeing what he's been up to, I discovered that just a couple of days ago in Canada, your home country, Carole, CBC Marketplace broadcast a 40-minute documentary all about the activities of Kitboga and two other very highly regarded scam busters, Jim Browning.
I'm sure many of our listeners have heard of him, and Pleasant Green.
And my pick of the week this week, Carole, is a bit security-related because while researching this Kitboga chap and seeing what he's been up to, I discovered that just a couple of days ago in Canada, your home country, Carole, CBC Marketplace broadcast a 40-minute documentary all about the activities of Kitboga and two other very highly regarded scam busters, Jim Browning.
I'm sure many of our listeners have heard of him, and Pleasant Green.
Wow. Okay, so you're doing a double bill.
Yes, I know. So much scamming going on in today's podcast.
So many people out there wish they were Kitboga right now, I tell you that, Graham.
Well, in this documentary, they bring probably the top three scam busters in the world together in one room, and they intercept some of the scammers' activities in real time.
And a CBC reporter actually was calling up victims to warn them before they did something that they would regret.
And it's the usual kind of story where Jim Browning or one of his cohorts has managed to hack into the CCTV networks of some of these scam call centers.
They're able to see what's going on on the screens of the call centers. They're doing all their funny voices. It's a great wake-up call, I think, for many people.
And if you've got people in your life you think may be vulnerable to scams, maybe if they're not prepared to listen to podcasts or read articles about scams, maybe they would be prepared to watch this documentary, which is on YouTube.
So CBC have put it up on YouTube. It's 40 minutes long. It's called Infiltrating Scammer Networks with the World's Top Fraud Fighters. And it's well worth a watch.
And that is my pick of the week.
And a CBC reporter actually was calling up victims to warn them before they did something that they would regret.
And it's the usual kind of story where Jim Browning or one of his cohorts has managed to hack into the CCTV networks of some of these scam call centers.
They're able to see what's going on on the screens of the call centers. They're doing all their funny voices. It's a great wake-up call, I think, for many people.
And if you've got people in your life you think may be vulnerable to scams, maybe if they're not prepared to listen to podcasts or read articles about scams, maybe they would be prepared to watch this documentary, which is on YouTube.
So CBC have put it up on YouTube. It's 40 minutes long. It's called Infiltrating Scammer Networks with the World's Top Fraud Fighters. And it's well worth a watch.
And that is my pick of the week.
I'm going to put it on tonight. We're very in sync this week. Wait till you hear my pick of the week.
Oh, come on. You're kidding me. What's yours going to be? What's your pick of the week, Carole?
So I have a visitor staying with me.
Yes.
And let's say they don't have the best sense of direction. Actually, let me rephrase that. I'm concerned that they may not figure out how to get back if they leave on their own.
Okay.
And they roll their eyes at me and say, I'm fine, and stop worrying. Anyway, so one of the problems is that Google Maps does not always show you the best walking routes available.
Okay.
Right? It's great for cars.
Yeah.
And it's pretty good for bikes. But if you want to print off a map, perhaps because a person is not great with the whole phone thing.
Yeah.
You cannot easily do that with the street name showing. Do you see what I mean? So it'll kind of give you a map, but you need a map to exact specifications.
You've got a very special requirement, haven't you?
I do.
So you want a very clear map.
You want to show them where to go, and it has to show the street names because maybe Google Maps or Apple Maps or something isn't showing them clearly for a walking map.
You want to show them where to go, and it has to show the street names because maybe Google Maps or Apple Maps or something isn't showing them clearly for a walking map.
Yeah, and it does it really well on the phone, right? If you're not good at opening and zooming in and zooming out.
I think I understand. I understand the problem.
It can be complicated. Yes. So why not check out OpenStreetMap.org?
Okay.
I have to say, I found it quite useful. It's built by a community of mappers that contribute and maintain data about roads, trails, cafes, railway stations all over the world.
Yes.
And we were able to get a map of the right area with all the pedestrian information that we required and the street names.
So this person could go and explore and I could spy with confidence via my Apple Find My app. I'm watching everywhere they go.
So this person could go and explore and I could spy with confidence via my Apple Find My app. I'm watching everywhere they go.
Oh, so you can follow them.
Well, not through this app, but I use Apple's Find My.
Oh, sorry. Yes. Do they know that you're following them, that you've tagged them?
Oh, yes, of course. No, I haven't hot glued an AirTag to their forehead without them knowing.
No.
So my pick of the week this week is OpenStreetMap.org.
It's a great resource, isn't it? Yeah. And unlike some of those other maps out there, it doesn't bombard you with lots of ads of where to go for coffee and things like that.
Have you used it? Have you used it?
I've used OpenStreetMap before, yeah.
Oh, cool. I did see it's new to me, or I don't remember using it. But I find it great.
I mean, it is tremendous that things like this exist rather than purely being in the hands of big tech, so.
If you click on the link that I put in there, Graham, I've actually put in Oxford as the main link.
Yes.
And if you go just to Lincoln College, you can actually see, so you can see all the staircases inside all the colleges. So there's almost a layout of the inside of the colleges.
Really?
I've got staircase 12, staircase 11, staircase 10, 9, the rotunda. Here's the hall.
So this person who's staying with you, if they wanted to find out where the nearest loo was, for instance, you'd be able to direct them.
Exactly.
You'd be saying, go down two flights of stairs. It'd be like Mission: Impossible. Well, that just about wraps up the show for this week.
You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.
And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app. Podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.
And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app. Podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And massive shout out to our episode sponsors, 1Password, Vanta, and Drata. And of course, to our wonderful Patreon community.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 409 episodes, check out smashingsecurity.com.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 409 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye. Bye. We were a little rough there, baby. We were.
That's all right, we'll thank God for editing.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- O2’s AI granny Daisy unveils what she’s learnt from her time on the phone to scammers – and what you can do to ruin their day – O2.
- Lenny – The Telemarketing Troll.
- I Built a Bot Army that Scams Scammers – Kitboga on YouTube.
- Takeaways From Our Money Laundering Investigation – The New York Times.
- Infiltrating scammer networks with the world’s top fraud fighters – YouTube.
- Open Street Map – Open Street Map.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
