Smashing Security podcast #449: How to scam someone in seven days

Hacking stories and cybersecurity insights.

Graham Cluley


Romance scammers have apparently discovered astrology… and Taurus is their secret weapon.

In episode 449 of “Smashing Security”, we take a look inside an actual romance-fraud handbook – complete with scripts, personality “types”, corporate jargon, and a seven-day plan to get victims from hello to hand over the crypto.

Then Lesley “hacks4pancakes” Carhart delivers a reality check on the dire cybersecurity jobs market for juniors: why entry-level roles are evaporating, how automated CV screening is chewing candidates up, and what hopeful newcomers (and weary veterans) can do about it.

Plus, Graham talks to ThreatLocker CEO Danny Jenkins about why misconfigurations are behind an uncomfortable number of breaches, how default-deny security actually works in practice, and why detecting attacks after they’ve started is already too late.

All this, and much more, in this episode of the “Smashing Security” podcast with Graham Cluley, and special guest Lesley Carhart.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

It feels a little bit like one of those choose-your-own-adventure books where you're told, you know, if your victim mentions a promotion, turn to page 47. If they seem sad about their cat, go back to page 23. Deploy emergency empathy.

Unknown

Smashing Security, episode 449: How to Scam Someone in 7 Days with Graham Cluley and special guest Lesley Carhart. Hello, hello, and welcome to Smashing Security episode 449. My name is Graham Cluley.

Lesley Carhart

And I'm Lesley Carhart.

Graham Cluley

Lesley, thanks for coming on the show. First time on the pod, of course. Hey, you're a well-known name in the world of cybersecurity. If people aren't familiar with Lesley Carhart, they should at least be familiar with Hacks for Pancakes. Which is your— what is that? Is it your pseudonym? Is that what we'd be right to call it?

Lesley Carhart

I'm well known. This is very exciting. Somebody tell my dad. It's self-deprecating humor. My handle refers to— it's "move sofas for pizza," something like that.

Graham Cluley

Oh, I see.

Lesley Carhart

I do a lot of volunteer work in the community, and I never get remunerated for it. I just do that now, you know, I do it 'cause it's fun and I care about people and things. So I kind of get paid in food for a lot of stuff.

Graham Cluley

You are being self-deprecating here because you are a known name in the world of cybersecurity. You give talks, you're an online presence. I see you popping up on my social feeds all of the time as well. And you've been working in cybersecurity for some years now, haven't you?

Lesley Carhart

Since dinosaurs walked the earth, yes. I've been in cybersecurity for about 20 years now.

Graham Cluley

And what particular area of cybersecurity do you work in?

Lesley Carhart

I do critical infrastructure investigations, so digital forensics and incident response on things like planes and trains and factories and ships and all kinds of industrial stuff that's part of critical infrastructure.

Graham Cluley

Well, before we kick off today's podcast, let's thank this week's wonderful sponsors, Meter, Vanta, and ThreatLocker. We'll be hearing about them later on in the show. This week on Smashing Security, we won't be talking about how hackers are hunting for Android-powered smart TVs to build a denial-of-service botnet. You'll hear no discussion of how the Trump administration has released early a hacker who stole $10 billion in cryptocurrency. And we won't even mention how fake blue screens of death delivered via booby-trapped Booking.com emails are the latest tactic being used by hackers targeting hotels. So Lesley, what are you going to be talking about this week?

Lesley Carhart

Well, I'm not gonna be talking about critical infrastructure cyber today. I want to talk about something that's near and dear to my heart, and that is the dire straits of the cybersecurity hiring and jobs market, especially for young people and what they can potentially do about it.

Graham Cluley

And I'm gonna be telling you what star sign is the best if you are a romance scammer. Plus, we have a featured interview with Danny Jenkins from ThreatLocker. All this and much more coming up on this episode of Smashing Security. Before we go any further, I want to say a few words about one of our sponsors this week, ThreatLocker. Most cyberattacks don't start with some genius hacker writing custom malware. They start with something much simpler. Like a misconfigured setting, an exposed service, or a security policy that quickly drifted out of line. And in large complex IT environments, those misconfigurations are everywhere and almost impossible to track manually. And that's why ThreatLocker built Defense Against Configurations, or DAC. ThreatLocker DAC gives you a real-time view of configuration weaknesses across your entire environment. It runs deep checks across every endpoint, not just your ThreatLocker policies, but your operating systems and application settings too. All of it appears in one clean dashboard showing what's misconfigured, how risky it is, and exactly how to fix it. So no more discovering problems after the attackers do. With DAC, you see configuration drift as it happens. You can also check alignment with major security frameworks and see which endpoints don't make the grade. If you want to stop firefighting, harden your environment, and catch hidden risks before they turn into breaches, you need DAC. Try it for free for 30 days at threatlocker.com and find out what's misconfigured before it costs you. Right, Lesley, I've got a question for you, a quick question. When you think about your ideal romantic partner, what star sign springs to mind? Gemini? Sexy Scorpio? What do you fancy?

Lesley Carhart

But I'm a very unique individual. So who is it for everyone else?

Graham Cluley

Who is it for everybody else? I'm not sure. I've always heard Scorpios are meant to be the sexy ones, aren't they? Isn't that the marketing department? Isn't that what the PR people say for Scorpio?

Lesley Carhart

Perhaps. I can tell you about Mr. Spock. And I can tell you about Captain Picard. And I can tell you about Jadzia Dax. You're gonna have to throw me a bone here.

Graham Cluley

Okay, okay, you've gone truly interplanetary. I suppose this is what you've gone. You've gone Alpha Centauri when we're talking stars here. You've gone Betelgeuse on me. Well, apparently, back down to Earth, Lesley, for a moment. Get your feet on the ground. Apparently, the correct answer is Taurus. Because according to professional romance scammers, Taurus is the most compatible with other signs. So if you want to lure someone in with a, "Oh, you might be the right match for me," then saying you're a Taurus is apparently the best thing. Now, I'm not sure what astrological expert they consult on this. Presumably not Mystic Meg, but there we are.

Lesley Carhart

Probably ChatGPT.

Graham Cluley

Yeah, well, who goes to any legitimate experts these days anymore? They just go to AI, don't they? But this revelation about Taurus comes from a recent Reuters investigation that describes how police in the Philippines raided a couple of scam compounds north of Manila and found something rather interesting. What they uncovered were actual written instruction manuals for conducting romance fraud. The actual working manuals. And these things, these manuals, these were detailed. They had scripts, they had personality assessments, they had day-by-day timelines. It's like they had commercialized and written an operations manual for heartbreak, effectively. You know, they'd be, "Well, we're gonna grab them, and then we're gonna rip them apart." That's what these books were telling you how to do.

Lesley Carhart

Graham, I think we should step back for a moment and talk about these compounds and the kind of people who end up in these compounds conducting the scams that we receive through our social media and phones and things.

Graham Cluley

Well, this is a really good point because the thing which many people don't realise, you tend to think all scammers are bad guys, but often the scammers are actually victims themselves because these aren't lonely individuals in basements. These are people who are victims often of human trafficking. They've been lured to compounds in Southeast Asia, often with promises of legitimate jobs. They've had their passports confiscated. They're often forced to work on these scams. And there are videos online of some of the conditions and the way in which governments and law enforcement is trying to shut down these huge compounds with sometimes thousands of people who are working effectively as slaves for the scammers. It's really heartbreaking, isn't it?

Lesley Carhart

And that seems like— it's horrible. And that's a really good explanation for why they would make a manual like that, because these people never thought about being scammers. They thought they were going to go become a cook or a cleaner in another country. And all of a sudden, they're being told they have a quota of scams to make. So yeah, I guess the guidebook makes a lot of sense. So if we look at one of these handbooks like Reuters have done, here's the opening line from one of them, because it really sets the tone. It says, "A woman's IQ is zero when in love."

Graham Cluley

But, you know, it's— but what? Isn't that charming? They've got a real guidebook to romance. It's like, well, when she's in love, she's not going to have any intelligence at all. It's a horrendous thing to say. I mean, where do you even begin with that?

Lesley Carhart

But they had some more statistics. It had a little bit more to it, though.

Graham Cluley

Yeah, there's more to it. So they say, as long as the emotions are in place, the client's money will naturally follow. And yes, they actually call them clients, not victims. And the thefts which occur as a result of the scam— those are described as sales. So even the romance scammers, they've sort of embraced corporate jargon. And these handbooks, they go into real detail about building a fake persona. And this is where it gets weirdly specific. So if you are a romance scammer, according to these handbooks, apparently you should claim that you work for Sinopec, which is China's state oil company, but that you're stationed overseas. Your birthday makes you a Taurus. You say that you were divorced 6 years ago and you have a daughter who lives with your ex-wife. So I think the intention is to say, look, I'm an accomplished personality that I have managed to have a relationship with somebody in the past. I have managed to consummate my relationship and have a child. So I'm clearly capable of having a relationship. But don't worry, because they're not going to be hanging around very much. So I'm available. I am a father, but at the same time, there's not a daughter who's going to cramp our style. It's really oddly specific, isn't it? It's like if you added, and my favourite biscuit is the Hobnob, but I will eat a Digestive if pushed. I wonder if there's somewhere a scammer who accidentally sometimes says, oh, I was divorced 7 years ago, and they think, oh, I've blown it. I've said 7 years rather than 6 years. We're gonna have to start again all from scratch finding a new victim.

Lesley Carhart

I'm fascinated by those catfish scams. I've been watching a lot of the Catfish UK show recently, and you see a lot of those parallels, even when it's somebody local in the same country that's saying, "I work for a remote company and out of town." And they'll push along for a year or two or three just saying, "Oh, we'll meet up. Oh, I got delayed. I have to work another month overseas." So it's a really good way to say, "Oh, I've got a stable job in our country and someday I'll come back and buy a house and settle down. But right now I have to be just far enough that we can't have reliable FaceTime, we can't have reliable video calls, and I'm working different hours and I have an excuse so I can keep pushing it along and keep saying I'm not available, I can't come home, I can't do a video call." And it's amazing to me in some of these scams that I've read about and seen on TV and things, how long they go on with these people able to continue making excuses for why they never talk on the phone or never show up on video.

Graham Cluley

Yes.

Lesley Carhart

But it's really effective, the things that you're talking about in this guidebook. Yeah, I'm a stable person. I'm parental. I have a good job, but there's just this nagging reason why I can't commit right now. So you're gonna have to send me some money and we're gonna have to wait a while. It's very much like other scams. It's not so much the pressure of "oh my gosh, you're gonna be in trouble," like a lot of phishing emails. It's more you've got this emotional tie to this person who just seems the ideal person for you, and they're just making you wait a little bit longer and give a little money and just wait a little bit longer. And you've invested so much emotionally that you come back to it and you fall for it and you stay there for a year or many months or something. It's kind of crazy.

Graham Cluley

And some of these scams, as you said, they can go on for years collecting money over time. And you think, hang on, hang on, if you really are in a relationship with Brad Pitt online or Jason Statham, isn't it likely they would've fixed their webcam by now? Isn't it likely they would've gone into a Starbucks and got a decent Wi-Fi connection in order to actually chat to you? But just that slight, slight glimmer of hope that it might be true is what keeps people hooked for so long. And so you're right, sometimes these things go on for ages. This particular handbook lays out a seven-day plan. And I thought, "Come on, you can't surely pull off a scam like this within seven days." But according to the handbook, it reckons you can. So you have a lot of churn in this particular model. And apparently it goes from seven days from saying "hello, nice to meet you" to stealing your money. So this is how they describe it is done. Day one. Day one, first contact. There you go, I've given you a Star Trek reference. First contact. The script literally starts with, "Hello, my name is," I don't know, Graham. Not the sexiest name in the world, let's be honest. "My name is Graham, nice to meet you."

Danny Jenkins

Day two.

Graham Cluley

Day two, you're already talking about investments because that's great day flirting in my experience. Let's go straight to the cryptocurrency.

Danny Jenkins

Day five.

Graham Cluley

Day five, you're in a proper relationship. I guess you've bombarded them with so many messages, they haven't got any room for common sense in their head anymore. Not that you've met each other, of course. That's just old-fashioned. If you have chatted online, then maybe you've been speaking to a deepfake rather than a genuine person.

Danny Jenkins

Day seven.

Graham Cluley

Day 7, according to the timeline laid down in these handbooks, is when your victim is putting money into a fake investment platform. One week. That is the timeline laid out in this handbook, which Reuters has got its paws on. And if someone isn't responding quickly enough, according to this particular group of scammers, the handbook says, well, drop them after day 3, move on, don't waste your time. There are other victims to find. So there are people who can fall for these things very quickly. And the manual includes this corporate mission statement, which boils down to basically, don't chat awkwardly. Our mission is to share life and work happily with our customers. Again, they're describing the victims as their customers.

Lesley Carhart

I think there are two very important lessons in that. And the first lesson there that's really significant is they are playing on two things there: desire to get rich quick and the desire to find true love without too much effort. If either of those things is being offered to you way too quickly, there's probably a red flag there. If anybody's going to tell you that you can instantly get a lot of money or you can instantly get love in 7 days, something is really wrong. Let's just say that. And that's the same kind of pressure that's used in all kinds of scams, phishing emails, things like that, that pressure to do things really fast, especially to make a bunch of money or get rewarded somehow. And there are two rewards there. So they're really doubling down on the carrot there. And the other thing is that moving on to another target, that's true in a lot of scams too. A lot of people talk about, you know, oh, it's so hard to defend against adversaries because they only have to be right once. A lot of adversary groups, they try up to a certain threshold, and sometimes that's a very well-established organizational threshold. And if you are too hard of a target up to that level, they move on to the next group. And so even having some defenses is a great deterrent for those types of criminal actors.

Graham Cluley

Yep. It's a good point. So, looking at one of these handbooks, it gives specific advice for targeting different groups of people. For instance, middle-aged women. Middle-aged women, it says, are in fact the group carrying the heaviest burden. They say husbands often don't listen patiently. Children are too young to understand the intricacies and difficulties within the family. So if you want to build a relationship with middle-aged women, chat with them about trivial matters is what this says, which is a pretty horrible thing to say, isn't it? Not least because maybe it's not actually wrong. There are plenty of people who find themselves stretched, people who find there's an emotional gap in their life, and these scammers are finding it and they're exploiting it. And in the guidebook, it gives advice to the scammers. It says, look, if your target is quite a cold-hearted sort of personality, tease them a little bit, undermine them slightly, then sweet-talk them afterwards. It says that's the best approach. They say if they're career-oriented, mirror their positive energy, appear reliable. If they're a bit conservative, you offer excitement and an escape from daily life. Apparently, that is the trick. It feels a little bit like one of those choose-your-own-adventure books where you're told, you know, if your victim mentions a promotion, turn to page 47. If they seem sad about their cat, go back to page 23. Deploy emergency empathy at this point. It's bizarre, isn't it? But it kind of makes sense. It's the industrialization of scamming.

Lesley Carhart

And we all think we're immune to this. We all think that, oh, we would never fall for that phishing or that scam or anything. We all have emotional needs. And we just talked about in that list, a bunch of different things that play on our insecurities and our hurts and our trauma as we get older. And any of those could work on anyone.

Graham Cluley

So there are all kinds of techniques which they're using. They give descriptions of what to do if their victim has had a traumatic childhood or has had breakups, for instance, or if people have been pampered or spoiled in the past, different ways to behave with these different kinds of people. It's really kind of behavioral conditioning, all with the intention of getting money out of them. And I know we're having a bit of a laugh at some of the absurdity of all of this, but this is genuinely horrendous stuff that can ruin lives because they exploit very human needs for connection, as you said, for validation, for love. And I think that's why it's important we talk about these things openly, because anyone can fall for this. And if they catch you at a vulnerable moment, that's a problem. So one of these handbooks targets men, and it's full of banal conversational prompts. You know, it's like, how are you this afternoon? Or remember to eat on time when you're busy at work. It's like something that's been generated by an AI that's been trained exclusively on texts from your mum. You know, have you eaten? Are you warm enough? Are you wearing your jumper? Don't forget to call your nan. And one of the conversational gambits they use with men is to do with sport. So, according to the handbook, what men really want is they want a romantic partner who is also into basketball. And so, they're saying, talk to them about basketball. Say that you've always been a fan of the Lakers, but since Kobe left, they've been unable to watch any Lakers games. Now, for those of you who don't follow American sport, and I include myself in that, I had no idea that the Lakers were a basketball team until I looked it up just now. This Kobe chap apparently was a star player, died a few years ago. So essentially they're instructing scammers to pretend that they're still emotionally processing this guy's death. 
It's like if they said to me, I've never been the same since they cancelled Ceefax and turned off teletext on the television. Because, yeah, I would identify with that. That was a similar emotional impact on me when that sort of thing happened. There's an FAQ, Lesley, as well. Questions victims might ask when they start getting suspicious. So I wanted to run some of these questions by you, and I'm surprised there isn't one which says, "Question: Are you a scammer?" And the answer would be, "Darling, if I was a scammer, would I have told you about my vulnerable elderly mother, my dreams of opening an artisan bakery?" Yes, actually. What?

Lesley Carhart

Gentlemen, gentlemen.

Graham Cluley

Yes.

Lesley Carhart

Here's the advice for the gentlemen. It's not the money and the true love thing. It's if somebody offers to be your mother and your bro in a relationship immediately within 7 days, there's a big problem. That's a red flag.

Graham Cluley

But if they dream of opening a bakery, I'm in there, right? I'm saying, fantastic, we've got sausage rolls, we've got some decent sourdough. Yes, let's do this. Let's get together. So here are some of the genuine entries from the FAQ. Question from the victim: Why can't I withdraw the money? Answer: Because the platform has a detection mechanism. Frequent withdrawals might attract customer service attention. So, darling, you must listen to me and follow my lead. Next question: Why is the account frozen? And this is the verbatim answer which they suggest. They say: Why don't you listen to me? Didn't I tell you whether to withdraw or not? Your random operations led to the account being frozen. And this is extraordinary, that the victim's money is frozen in a fake platform, and the scripted response is to blame them for not following instructions. It's real proper gaslighting which we're seeing here. And you saw them shift from calling them darling to suddenly blaming them for what they've done wrong. It's narcissist-level manipulation. It's absolutely psychologically brilliant, and it's horrible. It's horrible. It's horrible. And there was a bit of me reading this article and indeed talking about it on the podcast, which thought, are we giving a little bit of a blueprint for other scammers now to follow in these footsteps? I guess it wouldn't take them too long to work this out, but you have to think when you're reading these things.

Lesley Carhart

I think they know because these scams are nothing new. I was just watching the old TV shows about scams like this, and they'd gone on for years. Romance scams haven't changed a whole bunch. It's just, again, that element of the internet being connected to everything. They're still manipulating the same emotions in the same ways to do similar stuff.

Graham Cluley

So some people are losing tens of thousands of dollars. Some people are losing, well, their life savings. You know, it could be hundreds of thousands which they're losing as a result of some of these scams. And they can go on for a long time as people, once they've given some money, they almost want to give more. They can't accept the fact that it may have gone terribly, terribly wrong. So a few things spring to mind, right? These scams are industrialized. They're not some lonely individual in a basement anymore. These are operations with handbooks and training and quotas and style guides as to how to behave. Somewhere there's probably a middle manager who's looking at the KPIs to find out how much money each individual scammer is bringing in. Secondly, no one is immune from this. Thirdly, if you know someone or if you indeed are someone in an online relationship and the other person starts talking about investments or crypto or amazing opportunities, that should be a red flag. However deep you are in, be extremely cautious and careful right there because real romantic partners, they talk to you about what's on Netflix, right? They're not talking about cryptocurrency yield strategies. That's what you should be talking about with your roommate. Actually, maybe it'd be better to be talking about the poems of Gerard Manley Hopkins or Elizabeth Barrett Browning instead. I don't know. But, you know, talk about something that you can both get into rather than cryptocurrency. So, Lesley, you haven't told me, are you a Taurus or not?

Lesley Carhart

No, I'm not. I'm a Leo.

Graham Cluley

Ah, okay. Can you tell? Can you tell? Well, let's take a moment now to thank one of this week's sponsors, Meter. Now, if you've ever worked in IT and especially networking, you'll know when the network's working, nobody notices. When it isn't, everybody notices. The problem is that most business networks are a mess of different providers, tools, dashboards, contracts, and crossed fingers. And somehow, despite all that complexity, they're expected to be fast, secure, reliable, and magically fix themselves. And that's where Meter comes in. Meter builds networks from the ground up. They deliver a complete full-stack networking solution— wired, wireless, and cellular— all as one integrated service. And this is genuinely full-stack. Meter designs the hardware, writes the firmware, builds the software, manages the deployment, and runs the support. They even take care of things like ISP procurement, routing, switching, firewalls, VPNs, DNS security, SD-WAN, and multi-site networking. In other words, fewer vendors, fewer dashboards, fewer "who owns this problem" conversations, and far fewer late-night panic attacks. Meter's approach is about real control, proper visibility, and networks that behave themselves. And for IT leadership, it means something almost mythical in networking: predictability. If you are responsible for keeping the business online, you really should check out Meter. So go to meter.com/smashing to book a demo now. That's M-E-T-E-R.com/smashing. And thanks to Meter for supporting the show. Lesley, what do you want to talk to us about today?

Lesley Carhart

I want to talk about the job market 'cause I'm terminally online and I talk to a lot of young people. I have free mentorship sessions. I let people everywhere on the planet talk to me about their career plans in cybersecurity, and I run career clinics, and I mentor uni students, and so I work with a lot of young people, and there's just some things people aren't getting, both hiring managers and students, and it's ending kind of catastrophically right now. So, here's the deal. It's not great economic times globally right now, and there's been a lot of layoffs in tech recently, so that compounds this problem of the cybersecurity job market being poor right now. It's poor for a multitude of reasons. The economy is one. The rise of AI is a big buzzword to replace human beings, probably not that effectively, but it's being sold well to senior leadership and investors, has not helped.

Graham Cluley

Yeah.

Lesley Carhart

And also for a while, cybersecurity is marketed as this huge, awesome, well-paying space where they needed millions of people around the world and you were gonna get paid six figures and everybody about 4 years ago went into a university program or a bootcamp for cybersecurity. Obscene number of people, post-pandemic, and they all just graduated over the last couple of years. And there's too many. There's too many. There's more applicants than jobs in most countries right now. And what that has resulted in is a catastrophic collapse of the cybersecurity junior jobs market. And I'm not trying to oversell this. You can go on Reddit, you can go on hiring forums and career boards and see just how bad it is. And I'm not trying to be doom and gloom, but if you want to get into cybersecurity right now, you need to have a really good plan. It's not the Wild West anymore. There are very clear academic credentials you need to get in right now, and I don't like that. I'm not endorsing it. I don't want everybody to have the same degree, but right now, the people who are making it into junior jobs, the lowest-level, entry-level cybersecurity jobs in, let's say, blue team, SOC analyst jobs, they have a 4-year computer science degree, they have a couple years working in full-time general IT, they have their usual trifecta of basic IT certifications, and then a higher-tier SOC analyst credible certification as well.

Graham Cluley

Because you need that level of qualification to poke your head up above all the rest of the people out there when you're applying for a job?

Lesley Carhart

My peers who hire for SOCs are seeing 150 to 300 qualified candidates who meet those qualifications applying for every position right now. It's pretty dire. So, it's not like, don't get into the field. It's just like, if you wanted to be a doctor or a lawyer or something, there's now going to be much more serious qualifications. You need mentorship. You should build a network of like-minded professionals, and there's lots of good community resources for that. We have the BSides conferences. We have Discords. We have Slack, you have wonderful podcasts like this one. You have lots of ways to network and meet people like professional groups like ISSA. There's options, but you can't just fling your way into cybersecurity anymore, and the jobs aren't nearly as high paying as they used to be at entry level. So it has to be something you genuinely care about and want to do, and you have to have a good strategy for how you're going to complete adequate academics to get through HR screening. Right now, HR screening, automated screening, is blocking a lot of people's path into cybersecurity. So mentorship, networking, understanding the market around you and what is being asked for in job positions, understanding that you might really need some general IT work. You might have to go work in a help desk for a while before you can qualify for a cybersecurity job. And you might need a degree at this point. It's going to be tough to get in without one. So, all those things are considerations. Please don't jump into this field right now unless you understand what you're getting into. It's hard out there. It's really tough for young people right now. And as for us who are senior professionals in the field, I hope you are mentoring like me. I hope you're meeting with young people because I see a couple people in tears every week right now. 
Please talk to young people around you, volunteer at programs, help young people get into this field because it's so much harder for them than it was for us. It's really important. We need people. We would like to retire someday, so we have to pipeline people in. I live on a beach now. Someday I just want to sit on that beach all day. So, I need young people to get into this field successfully. And if we make their lives impossible, they're not going to do that, and I won't get to sit on my beach.

Graham Cluley

Well, I think you make a very fair point, and it certainly has changed enormously from... Well, I just fell into this industry completely by accident. I didn't get any cybersecurity qualifications to get my first job working in cybersecurity. I got in through someone liking one of my video games.

Lesley Carhart

Same.

Graham Cluley

But it also means that I, as a veteran in this industry, and I'm sure we've got some other veterans who are listening here as well, I sometimes feel ill-qualified to give advice to young people because the world is so different from my day. You know, when they say, well, what areas of cybersecurity should I be looking into? It's difficult to know where I should point people if there are particular niches which they should follow. Do you have any advice on that?

Lesley Carhart

Sometimes they just need somebody to talk to because it's so hard out there. I will sit on calls sometimes where I'll just listen to somebody rant and cry for a while, and they know what they need to do. It's like, oh, I'm going to have to go back to another two years of school to get a bachelor's. The two-year degree isn't enough. It's something like that. Or, I really need to quit this toxic job where I'm being treated horribly, but I'm scared to do it. Sometimes they just need to hear an unbiased person say, yes, you're correct, you need to do that. So you'd be surprised how much you can help just listening to somebody for 30 minutes. And you don't have to be an expert at every area of cybersecurity. You just have to be an ear who's done this for a while. You can definitely help them tune down possibilities for programs, for learning, for self-study. That's all helpful. Anything that you do right now to motivate them and encourage them and be there for them is important because they're getting really bad advice from other people.

Graham Cluley

And one of the pieces of advice which I've heard people using recently, and I don't know how I feel about this, is you mentioned how CVs and resumes are getting prescreened by HR departments, maybe by automated processes. And a lot of people are now saying, well, there are hacks which you can use, maybe inside the PDF of your resume, to hide keywords, which maybe an AI which is scanning the resumes en masse will say, oh, this matches our job advert. You know, this is the right candidate to put forward. Do you advocate that sort of thing? So changing your resume to try and get past the pre-screening specific to each job application which they're making?

Lesley Carhart

I tell people to think about ATS, that is, automated applicant tracking systems. I tell people it's a game, treat it like a game. You've gotta play the game. I didn't make the game. You have to play the game right now. And ATS is not usually AI. It's usually string searches for exact keywords by percentile. It's not that smart yet. And so, yes, if you need to stick a bunch of extra keywords in white text in the margin to get more into your CV or your resume, fine. As long as you're not lying, don't lie. Never lie on your CV or your resume. Something that's very important is every time you're applying for a job, make sure that you're matching those keywords, the ones you actually have, exactly, in their spelling and their format.

Graham Cluley

Yes.

Lesley Carhart

Their computer is basically doing a percentile keyword match against your skills section in your resume and your certifications and what's in that posting. And if you're not getting a certain percentile, you're just getting tossed out. So if you're getting almost immediate rejections, that's the problem. It's not you, it's your document. And again, understand it's a bit of a game right now, but the thing that really sucks about that is people are using AI to rebuild their resumes and then send them automatically to all these postings in specific formats, and it's bogging down the systems because they're sending them out to everything. So, we've got this horrible applicant screening automation that people are trying to defeat through horrible LLM mass emailing and mass submissions, and everything is grinding to a halt. So networking, personal networking, referrals, things like that, are also incredibly important right now. You need to be at meetups, you need to be at conferences, and you need to get referrals for jobs.

Graham Cluley

So another thought, excuse my conspiratorial mind at this point, another thought occurs to me. If we've got this huge mass of people who have an interest in cybersecurity, have learned about cybersecurity, cannot get compensated through legitimate means for their cybersecurity skills by forging a conventional career, is there a danger that those skills could be misapplied? Because there's certainly plenty of news about other people with cybersecurity skills who appear to be stealing millions of dollars.

Lesley Carhart

I mean, that's been happening since the early VPN days, you know, cybercrime back in the '90s and early 2000s, people who had computer science degrees and just had no prospects for a job going into cybercrime for various desperate reasons. And it still happens today. And there's, it's not just job hunting, it's also immigration. Boy, immigrating as an IT person right now is incredibly hard. Again, if the job market is saturated, the immigration market is saturated.

Graham Cluley

Yeah.

Lesley Carhart

So, for people who are trying to get out of very bad situations in lower resource countries in the world who counted on immigration to get out, and thought IT was gonna be their way, you're competing with all of them and they're competing with each other. And if they can't make it out, that's a bad situation for them from that perspective. So, lots of people are really good and they won't do bad things unless they're absolutely desperate to eat, to support their families, and then it's a question mark. So, yeah, I think that is a possibility. And this surge of young people, it's just such a mess 'cause again, we need to pipeline them. There's open jobs at senior levels and in certain niches like mine, in OT legacy. We can't hire people fast enough 'cause nobody knows how to use Windows 95. And then there's regulatory areas where we can't hire anybody, and there's senior positions we can't hire anybody. And then other things are going unfilled, and then they're competing with each other. People are giving up, people are going to crime. It's a huge mess right now. Everybody needs to be aware of that, and we all need to be doing our part to try to help with it.

Graham Cluley

Well, Lesley, I'm actually a little bit comforted by what you said on a personal level because you said you can't hire anyone who still knows how to use Windows 95, because I think I know how to use Windows 95. Windows 11, I'd be completely lost on. But Windows 95, I'd know my way around.

Lesley Carhart

You can support all the power plants in the world. Don't worry.

Graham Cluley

Okay, before we go any further, I need to share a quick word with you about one of our sponsors today, Vanta. You know how everyone's got an AI assistant these days? Well, imagine one that doesn't just write haikus about zero-day vulnerabilities, but actually does your audit work for you. That is Vanta. It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that, yes, you do take security seriously. Vanta automates all of that. It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time. Which means no last-minute panic for screenshots and policies. It also plugs into the tools you're already using and flags up issues before they become a right old mess. So if that sounds like something that might save you from a few sleepless nights, check out vanta.com/smashing. And if you use that link, you'll get $1,000 off. So don't forget, vanta.com/smashing. Smashingsecurity.com. And thanks to Vanta for sponsoring this week's episode. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Lesley Carhart

Pick of the Week?

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily. Now, my pick of the week this week is not security related. I was lucky enough to receive a marvelous woolen scarf for Christmas, knitted by my stepson, Joe. It was a work of art. Now, a scarf is not my pick of the week. Instead, what I can tell you is it could not have been more perfectly timed because I have been devouring episodes of a TV show called Game of Wool. And this is a TV show hosted by Olympic diver and knitting evangelist Tom Daley. He's a fine young man. And I've been watching this recently, where amateur knitters knock needles to impress judges. So they are given just hours to tackle everything from Fair Isle tank tops to full-sized knitted sofas, right? And they have to produce these things, click clackety click clackety on the old knitting needles. Now this is where my life has got to, the point where I'm watching not so much rock and roll, I'm watching programmes about knitting. Now I should warn you, there's been some outrage and some online criticism of Game of Wool, this TV show, specifically from the fundamentalist fringe parts of the knitting community. Some of that angry mob have said that the tasks given to the knitters are ridiculous, particularly the swimwear round, which isn't really practical knitwear, I have to say. They also reckon that the skill range of some of the contestants is too broad. So there's one contestant, he's actually my favourite, Holger. Holger is a marvellous knitter, but it turns out he's a professional fashion designer. And he's competing against hobbyists. So some controversy in the programme hasn't ruined my enjoyment. But if you are a militant knitter, you are very, very upset.
Oh, and you're also upset that it's supposed to be about knitting, but apparently there's a fair amount of crochet. And crochet and knitting, never the twain shall meet, apparently. So anyway, I've enjoyed the show. It's called Game of Wool. It's filmed in a remote Scottish barn. But it's gentle, it's perfect for dark winter evenings, which we're having up in the Northern Hemisphere, at least, Lesley. And I watch it on Channel 4 here in the UK. And maybe if you're really into knitting or think it would be up your street, maybe you'll be able to find it online as well. So that is it. My pick of the week is Game of Wool. Lesley, are you into knitting at all? This is something you've never been asked on a cybersecurity podcast before, I suspect.

Lesley Carhart

I feel like I really need to be now. This sounds incredibly intense. I mean, I have always loved The Great British Bake Off. So I guess I'm going to need to finish all those episodes and then move on to fabulous Scottish knitting.

Graham Cluley

This is clearly a rip-off of The Great British Bake Off. There are a number of these shows. There's another one where there's a Great British Pottery Throwdown. I also do the pottery show. Maybe that'll be a future Pick of the Week. But yes, this is the knitting one, which I have been particularly enjoying. But yes. Game of Wool. Go and check it out if you are able and if you are so enticed. And Lesley, what's your pick of the week?

Lesley Carhart

My pick of the week is local to Melbourne, Australia, but I'm hoping it spreads out across the world.

Graham Cluley

Okay.

Lesley Carhart

Yesterday I did an escape room here. It's called Earthrise One, and they have two escape rooms. One is called Earthrise and one is called Star Crew. And we did Star Crew, which is advertised as command a spaceship bridge in Star Trek-inspired escape rooms complete with real-time flight simulation. So they've actually used a video game engine to render space so that you can fly your spaceship around from a completely constructed starship bridge in your uniforms. There are a bunch of scenarios including rewiring the bridge. And everybody has a job. Somebody's the navigator. Somebody's flying the ship. Somebody's the captain. And interacting with AI-based characters who they can speak to in natural language. And it was just such an amazing augmented reality experience. I'm not a huge fan of AI, but this was brilliant. I'm not paid or anything to promote them, but it was just such a cool experience. And it was one of the most brilliant augmented reality science fiction experiences I've done in my entire life. So check them out online.

Graham Cluley

So in this escape room, you are in some kind of space station and something's gone wrong. There's some sort of dilemma which you have to solve.

Lesley Carhart

They have two different episodes. And one, I believe, is rescuing the captain. And the one that we did is a first contact with an alien species that goes wrong. And you're on a model spaceship bridge. And it's wired up. It's got screens. It's got special effects. You're all in costume. And again, you're interacting with—

Graham Cluley

You're in costume? You're in costume. They hand you a costume when you come in for your specific role on the bridge. You weren't wearing a red shirt, I hope, because that always is quite dangerous in those Star Trek scenarios, isn't it?

Lesley Carhart

I think they avoided the red one for that reason. I think they were other colours. So, but it was brilliant. And it feels like something that maybe if they do well enough, they can export to the rest of the world. Yeah. So, well, that sounds like lots of fun. Very, very cool concept. I hope to see more escape rooms that are high-tech and use Unity Engine and stuff.

Graham Cluley

Okay, well, let's now have a quick word from another guest. I am delighted to be joined today by Danny Jenkins. He's the CEO and co-founder of ThreatLocker. They're a company that takes a fairly firm view on what software should and shouldn't be allowed to run in your environment and how systems ought to be configured in the first place. Danny, welcome to the show.

Danny Jenkins

Thank you for inviting me today, Graham.

Graham Cluley

Well, it's a real pleasure to have you here. Now, when organizations come to ThreatLocker, what kind of problem are they usually trying to fix? Is there something that's just gone wrong that's made them pick up the phone?

Danny Jenkins

Well, hopefully not. So I think probably 20% of people that we onboard in ThreatLocker are in the middle of a cyberattack or just experienced a cyberattack and want to make sure it doesn't happen again. Most people we try to get to and educate beforehand, and they just wanted to make sure that they don't get hit by ransomware, they don't get hit by a cyberattack, and they know that they're seeing issues like users are clicking on GoToMeeting links or users are downloading TeamViewer, and they're just scared about what this could ultimately mean in the future. And what we're here to do is make sure that those tools don't run unless you want them to.

Graham Cluley

Right.

Danny Jenkins

And more importantly, ransomware and reverse shells don't run in your environment.

Graham Cluley

Now, is that mostly an SMB problem or does everyone get bitten the same kind of way?

Danny Jenkins

It's pretty much everybody. I mean, if we think about some of the major cyberattacks that happen, we see MGM and Colonial Pipeline and Marks & Spencer's. It's not just SMB. SMB is obviously a much easier challenge because there's less change control, there's less culture to deal with. A company can come in and say, well, you've got 200 employees. This is our new policy. This is what we're going to do. But our customers range from some of the biggest companies in the world right down to small companies through their MSPs.

Graham Cluley

And ThreatLocker, what do you do differently from the tools organizations already think are protecting them?

Danny Jenkins

What we're essentially doing is saying security is really about defining what is allowed and what isn't allowed. People often think ThreatLocker is saying, no, you can't do anything, and zero trust means nothing can happen. It's not really. It's about saying what's needed to do your job, what software is needed, what does software need access to in your environment, and if we give it that, and then we just don't give it any more. And when you do that, you're saying, I'm not just going to stop known ransomware or known cyberattacks, but I'm going to stop the unknown from happening. And what most security is trying to do is detect post-breach. And we do have endpoint detection response, and we do have a cloud detection response. But the reality is that's after something happened. What we want to do is say, you don't need to run TeamViewer, or you don't need to run software on your machine. Maybe you run Office and Chrome and Zoom and Sage and QuickBooks and SAP. But outside of that, what do you really run that you didn't know about the day before? So let's just define the policy that allows all of those things to run and let's define a policy that defines what they can do in your environment. So 7-Zip doesn't need access to all your network shares and PowerShell doesn't need access to the internet or your files. It certainly doesn't need access to the whole internet. And then anything else that tries to happen outside of that, it's going to get blocked. Now, in the world of detection and response, what you do is you say, well, this is what we consider abnormal behavior. And if it happens, we're going to create an alert. And they're trying to constantly outsmart the bad guys on what abnormal behavior is. They're trying to say, oh, this is a new type of attack. Perfect example, the MSHTA. A year ago, I hadn't seen any attacks with it. It basically is attackers now emailing users saying, copy and paste this into the run box.
It will use MSHTA to create fileless malware. And what ThreatLocker will do is by default we said, well, MSHTA doesn't need access to the internet, it doesn't need access to your files, so therefore it doesn't have it. We don't care whether it's going to be used for good or bad. It just doesn't need that. Therefore, we're going to stop it. An EDR will now say, oh, we just saw suspicious behavior on MSHTA. Let's try and lock down your machine. It's much better to just block it to begin with.

Lesley Carhart

Right.

Graham Cluley

Okay. So this is for some customers a bit of a mindset shift because this isn't necessarily the way in which they've been approaching security in the past.

Danny Jenkins

It is and it isn't. So it is in the terms of software because people aren't really thinking about software in that way, but they are thinking about firewalls in that way. Since the 1990s, early 2000s, every firewall had a default deny policy at the bottom. And if you wanted to open up a port, so you wanted to host a web server, you'd open up the web server port.

Graham Cluley

Right.

Danny Jenkins

That's essentially what we're doing. We're doing it in a bit of an automated way because typically you have five ports open at most if you're really hosting a lot of services. With software, we're going to push an agent out. We're going to figure out all of the allow policies at the top, and then we're going to put a deny policy at the bottom. But we'll do that through an automatic learning, onboarding, discovery process. And it takes a few hours of your time, maybe a few days of your time. It takes maybe a month or two to onboard, but it's really hours of your investment. Most of it is automatic learning.

Graham Cluley

Feels to me like there are more attacks happening now than ever before, and many of them are actually succeeding right now. Do you have any sense as to where attackers are getting the most leverage at the moment? What sort of attacks are working the best?

Danny Jenkins

So I think it's such a large scope, but I guess the biggest change we've seen in the last two years is from where they're getting leverage is data.

Lesley Carhart

Hmm.

Danny Jenkins

So it used to be a couple of years ago, they'd encrypt your files and they'd demand decryption keys to get your files back. Now they're doing that kind of double extortion that they're encrypting your files, but they're also extracting all of your files. And then if you refuse to pay them, they're going to release that data onto the dark web, they're going to use it against you, they're going to send it to your customers, and that could obviously cause massive reputation damage. So I think they're being very successful in getting paid to stop data getting out there. But also ransomware is still very popular, spear phishing is very popular. All of these other attack methods are still happening. And also what's happening is they're getting not just bigger targets, but I suppose bigger ransoms. If we go back to 2017, when we think about WannaCry, most of the ransoms were $500. Now, to get a ransom payment of less than $200,000 is pretty rare.

Graham Cluley

Do you think organizations are making the same mistakes over and over again? And if they are, is it that they're suffering because of the sheer complexity of their networks, or is it bad defaults? Is it poor visibility? What's the cause of all of this?

Danny Jenkins

So I think there's a couple of things. I think, yes, they're making the same mistakes. And we often hear on the news, "a sophisticated cyberattack took down a supermarket chain or a pipeline or a casino." The reality is these are never sophisticated attacks. There's somebody downloaded GoToAssist or a reverse shell. They clicked on an email link, a piece of software ran, they left the port open, their firewall wasn't patched, they had a poorly configured VPN. But those words are often used because it almost justifies the defense. Well, we're the victim because these were sophisticated. Whereas if somebody says to you, "I left my front door unlocked and someone walked in my house and stole my TV," you go, "well, you're a fool." But if someone says, "well, I had my door locked and I had a house alarm and someone broke in," then they're more of a victim. And I think we hear this word sophisticated because it paints the company as a victim and they are victims and it's not right what's happening. The reality is though, it's normally a poor configuration. It's normally, they don't block untrusted software. They have ports open on the internet that shouldn't be open. And a part of this is because they just didn't know. And also, we're expecting IT professionals who have been in the same job for 20 years to suddenly know that the world is very, very different to what it was 20 years ago. We're no longer dealing with viruses that show you pop-ups on your machine and say they love you. We're dealing with ransomware and coordinated crime gangs. So you've got to be willing to defend. And if you've got the same IT guy or girl sitting in the basement updating the servers like they were in 2005 and expecting the same result, then you're not doing enough. So that's one of the bigger areas, just not knowing what they should do. And we've put a lot of effort into this in the last year, making sure that almost giving our customers checklists like, "this is 2025." 
So then these guys and girls know what they should be doing.

Graham Cluley

You mentioned misconfigurations. They are really behind an uncomfortable number of breaches today. Why is that such a hard problem to sort out, even for organizations who believe that they're well defended?

Danny Jenkins

I think part of it is you make exceptions, and the bigger the organization, the more exceptions that get made, and people aren't aware of them. And even actually in ThreatLocker, so we released a feature in our product, we don't charge extra for it, it's called Defense Against Configuration. And we do, it's 200-something checks on every endpoint every day, and now we're doing Office 365 as well. And we're really quite good in security when it comes to insider threat. We're very strict on policies. We have a lot of monitoring, we have a lot of controls. No one can run untrusted software, all ports are shut down. And now and again we make temporary exceptions. And when we actually deployed this, we realized that even in our own environment, after we'd gone through a full FedRAMP audit, and if you think about how difficult a FedRAMP audit is and what they're looking at, these auditors, there were still configurations that were not right. And there's a lot happening and it's very, very easy to say one day the CEO calls or somebody calls, they're doing an event. We need to open up this VPN. We need to publish a server on the internet. We need to install this software so we can gain access over the weekend. There's a hurricane happening, or there's a wildfire, or the government shut down, or COVID's happening, and people are just adding exceptions temporarily. And they don't realize that those temporary exceptions are now suddenly permanent. And when you start compiling them together, you end up with quite a weak system. So having that constant review of your configuration is really important. And I can see how it happens because it happened right here in ThreatLocker, not to a bad state, but I was pretty mad that when we got our first DAC report, so we print this nice PDF, it's got charts, it shows where you are to your peers. You know, I had veins popping out the side of my head. Why is there an elevation policy on command prompt on this person's machine?
And it was, oh, because 8 months ago there was this ticket and there was diagnostics of this and they needed to do this and it wasn't set up temporarily like it should have been, and no one turned it off. And it's very easy to do. And especially if you go back years and years and years and you think through pandemics and hurricanes, before you know it, you've got gaping holes in your system that you didn't even know about.

Graham Cluley

So DAC, this is the Defense Against Configurations technology which you have. Is that something which teams can adopt gradually? I'm just thinking of how many blood vessels are going to be popping out of people's foreheads if they roll it out across their entire enterprise.

Danny Jenkins

So the idea of Defense Against Configuration is not to actually do something, but to tell you where your weaknesses are. And essentially with any of our modules, we just include it free. And it will say things like you've got 14 machines that are allowing untrusted software. You've got 25 machines that don't have a lock policy on their screen saver. And it will tell you why that's a problem, why a lock policy might not seem important in a locked office, but if someone was to gain remote access, it would allow them in overnight and things like that. And then it'll give you easy fixes for them. So it'll say, here, click on this policy to stop MSHTA going out to the internet, or click on this policy to create a screensaver. But it's not necessarily saying put them all in place, but it almost becomes a risk register. And we've had customers saying, well, how good do I accept this risk? And so we can accept the risk, but you shouldn't bury your head and pretend it's not there. You just say, I'm accepting the risk. And you know, every quarter I'm going to review that risk and say that I still accept that risk. Because it makes sense. For example, I've got two monitors in my office that are on the wall. It doesn't have any major sensitive data, doesn't have access to systems, but it does tell me what our average wait times are on support, what our average ticket time or approval times are on our approvals. And those machines can't lock after 15 minutes because I wouldn't be able to see them anymore. If you're in an airport, you're not going to lock them, but you should know that this machine doesn't lock. So what are the risks and what compensating factors have I taken? And if you have that report, you now get to see, one, where your weaknesses are, just review them every quarter. And two, how you compare to your peers, because we'll actually show you what percentile you are to other companies in the industry.
So if you think, well, I'm doing a great job and you say, well, actually you're 15th percentile, maybe you should do a better job because you are right at the weakest of the weak right now, or you're 90th percentile. So you're actually doing really well. You've got a good score.

Graham Cluley

Oh, which would be a good thing to be able to take back to the bosses, wouldn't it? And say, actually, we're doing pretty well.

Danny Jenkins

Yeah, go back to the bosses, but also it'll tell you how well you've improved every month. So you can do an executive report that says in the last 3 months we've improved by, you know, you want to show the percentile when you're asking for money and you want to show the improvements when you're asking for a pay rise. So, but you can get those executive reports and we'll even give you a justification page on every check. We'll say, these are real-world attacks that happened, and this weakness was used in this attack. So this is why you probably should do this, and we'll even tell you what the risks are of doing it. So we won't just say, disable macros in Office. We'll say, disabling macros in Office will reduce 25% of ransomware initial access because it comes from macros. However, if you have a finance team that's regularly using macros, you should carve them out because the risk is somebody's using macros and it might break something. But 90% of your company can probably disable them. Your score's going to go up. You're going to be 90% more secure than you were in that one area. We'll give real-world examples and we'll let you know the risks of doing it and the risks of not doing it.

Graham Cluley

Fantastic stuff. Well, I'm sure plenty of organizations listening will be interested. Maybe they're worried about misconfigurations. Maybe they want a clearer picture of what's really going on in their environment. What's the sensible next step for them? What's your recommendation?

Danny Jenkins

So I would say everyone has weaknesses in their security and there's no such thing as achieving zero trust. People often say that to me, but it's really about a mission of we're going to reduce privileges where they're not needed. You can probably reduce your risk by 90% with very little work. And what I would say is to find out how, come to us. We'll talk about how we can block untrusted software really easily, how we can show you your configuration weaknesses. You can do a free trial. You can do a free demo of ThreatLocker and you can just go to threatlocker.com and schedule a call with one of our engineers directly from the homepage.

Graham Cluley

Well, thank you very much, Danny, for spending some time with us today. And listeners, you can check it out for yourself just as Danny's described by going to threatlocker.com to find out more.

Danny Jenkins

Thank you very much, Graham.

Graham Cluley

Fantastic stuff. Well, that just about wraps up the show for this week. Thank you so much, Lesley, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that?

Lesley Carhart

I'm on almost all social media, including Reddit, as @Hacks4Pancakes, the number 4, Hacks for Pancakes. Say hi, I'm pretty friendly when I'm not exhausted, and I'd love to be friends.

Graham Cluley

Ah, and of course, Smashing Security is on social media as well. You can find me, Graham Cluley, on LinkedIn, or follow Smashing Security on Bluesky or Mastodon. And don't forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

Lesley Carhart

Like and subscribe.

Graham Cluley

Yes, exactly. Give us 5 stars, all that stuff. Until next time, cheerio. Bye-bye.

Lesley Carhart

Bye.

Graham Cluley

You've been listening to Smashing Security with me, Graham Cluley, and I'm grateful to Lesley Carhart and Danny Jenkins for joining us this week on this episode, as well as its sponsors Meter, ThreatLocker, and Vanta. And to all of those chums who've signed up for Smashing Security Plus over on Patreon. They include Darryl Green, Vladimir Jiracek, Bobby Hendrix, Dave and Pam— oh, it was a package deal— Mike Hallett, Marvin71, Sean, Just Nate Please, which is also good life advice, Ragnar Karlsson, which sounds like he owns a very large axe, Mark Norman, Adina Bogut O'Brien, and Projurier. Almost nailed it. Would you like to hear your name read out, perhaps rather badly, at the end of the show from time to time? Well, if so, consider joining Smashing Security Plus. For as little as $5 a month, you'll become part of our merry band and get early access to episodes without the annoying ads. Just head over to smashingsecurity.com/plus for all of the details. Now, of course, I know not everyone can stretch to $5 a month, and maybe you've got better things to spend your money on than Smashing Security, and that's absolutely fine. There's no pressure at all to become a patron. However, if you're finding yourself a bit chilly this winter, you may want to go and check out the Smashing Security merchandise store, which has recently been spruced up with shiny new t-shirts and mugs and other tempting goodies. But there are also ways in which you can support the show which don't involve you spending a penny, as it were. You can like, you can subscribe, you can leave a 5-star review wherever you listen. Just tell your friends about the show or simply spread the word. All of that is gratefully received. So thanks to each and every one of you for your ongoing support. I hope you're having a great new year and are looking forward to plenty more episodes of Smashing Security. It's certainly good to be back. So until next time, cheerio, bye-bye.

Host: Graham Cluley

Guest: Lesley Carhart

Sponsored by:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • ThreatLocker – Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.
  • Meter – Network infrastructure for the enterprise. Get a free personalised demo.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.