
Hacking Humans
Podcast by N2K Networks
Deception, influence, and social engineering in the world of cyber crime.
All episodes
679 episodes
![episode BSIMM (noun) [Word Notes] artwork](https://cdn.podimo.com/images/d0bcd01d-4045-43cf-9d27-2b19d9e8017d_400x400.png)
Please enjoy this encore of Word Notes. A descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops. CyberWire Glossary link: https://thecyberwire.com/glossary/bsimm Audio reference link: “OWASP AppSecUSA 2014 - Keynote: Gary McGraw - BSIMM: A Decade of Software Security [https://www.youtube.com/watch?v=GnlFrXPb4Qw].” YouTube Video. YouTube, September 19, 2014.

This week, our hosts Dave Bittner [https://www.linkedin.com/in/dave-bittner-27231a4/], Joe Carrigan [https://www.linkedin.com/in/joecarrigan/], and Maria Varmazis [https://www.linkedin.com/in/varmazis/] (also host of the T-Minus [https://space.n2k.com/podcasts/t-minus?__hstc=223811332.a636bba53840b4700c929fe67723a129.1721054632698.1747145009569.1747159962459.413&__hssc=223811332.2.1747159962459&__hsfp=3690629108] Space Daily show) are back sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start with some follow-up from listener Abdussobur, who wonders if a pair of suspicious text messages—one sent to his wife and another to him with a nearby address—could be the result of a data breach. Joe's story is on a surge of financial aid fraud where identity thieves, often using AI chatbots as “ghost students,” are enrolling in online college courses to steal federal funds—leaving real people like Heather Brady and Wayne Chaw with fake loans and months of bureaucratic cleanup. Dave's got the story on how the FIN6 cybercriminal group is posing as job seekers on LinkedIn to trick recruiters into opening malware-laced resumes, using deceptive tactics like fake portfolio sites and the MoreEggs backdoor to steal credentials and launch ransomware attacks. Maria's story is on a Pennsylvania woman who scammed over $800,000—nearly $466,000 from a Cedar Rapids church—by hacking emails and rerouting payments, claiming she did it under the direction of a famous British actor she was allegedly dating. Our catch of the day is on a convincing but bogus text claiming an overdue traffic fine under a fake regulation—complete with threats of license suspension and credit damage—all designed to trick recipients into clicking a malicious link.
Resources and links to stories:
* How scammers are using AI to steal college financial aid [https://apnews.com/article/ai-scam-college-financial-aid-identity-theft-aa1bc8bcb4c368ee6bafcf6a523c5fb2]
* FIN6 cybercriminals pose as job seekers on LinkedIn to hack recruiters [https://therecord.media/fin6-recruitment-scam-malware-campaign]
* Woman scams church out of over $450,000, says famous British actor told her to do it [https://www.kcrg.com/2025/06/11/woman-scams-cedar-rapids-church-out-over-450000-says-famous-british-actor-told-her-do-it/]

Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com.
![episode OWASP vulnerable and outdated components (noun) [Word Notes] artwork](https://cdn.podimo.com/images/b413e399-92b7-4154-a839-cd074f9e6221_400x400.png)
Please enjoy this encore of Word Notes. Software libraries, frameworks, packages, and other components, and their dependencies (third-party code that each component uses) that have inherent security weaknesses, either through newly discovered vulnerabilities or because newer versions have superseded the deployed version. Audio reference Link: "The Panama Papers: A Closer Look [https://www.youtube.com/watch?v=CdvZ4mV31Ic]," Late Night with Seth Meyers, YouTube, 12 April 2016

Please enjoy this encore of Hacking Humans. On Hacking Humans, Dave Bittner [https://www.linkedin.com/in/dave-bittner-27231a4/], Joe Carrigan [https://www.linkedin.com/in/joecarrigan/], and Maria Varmazis [https://www.linkedin.com/in/varmazis/] (also host of N2K's daily space podcast, T-Minus), are once again sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines to help our audience become aware of what is out there. First we start off with some follow-up: our hosts share some more information on VIN swapping, and a clarification on bank participation in FinCEN. Maria shares a telling tale about a Bethesda couple losing $367,000 in gold bars to a sophisticated scam involving fake officials and elaborate deceptions, but a police sting led to the arrest of a suspect, highlighting a growing nationwide trend of elderly victims targeted by gold bar fraud. Joe's story comes from KnowBe4 and is on DavidB, their VP of Asia Pacific, thwarting a sophisticated social engineering attack via WhatsApp by recognizing inconsistencies in the impersonator’s behavior and verifying directly with the colleague they claimed to be. Dave's story comes from the FBI on how criminals are exploiting generative AI to enhance fraud schemes, including using AI-generated text, images, audio, and video to create convincing social engineering attacks, phishing scams, and identity fraud, while offering tips to protect against these threats. Our catch of the day comes from a listener who received an urgent email from someone claiming to be an FBI agent with a rather dramatic tale about intercepted consignment boxes, missing documents, and a ticking clock—but let's just say this "agent" might need some better training in both law enforcement and grammar.
Resources and links to stories:
* “VIN swap scam costs Las Vegas man $50K, new truck” [https://www.8newsnow.com/news/local-news/vin-swap-scam-costs-las-vegas-man-50k-new-truck/]
* FinCEN [https://infosec.exchange/@lippard/113602552863611173]
* Gold bar scammers claimed hackers could fund Russian missiles, police say [https://www.washingtonpost.com/dc-md-va/2024/12/09/gold-bar-scam-maryland-russia/]
* Real Social Engineering Attack on KnowBe4 Employee Foiled [https://blog.knowbe4.com/real-social-engineering-attack-on-knowbe4-employee-foiled]
* Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud [https://www.ic3.gov/PSA/2024/PSA241203]

You can hear more from the T-Minus space daily show here [https://space.n2k.com/podcasts/t-minus]. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com.

This week, our hosts Dave Bittner [https://www.linkedin.com/in/dave-bittner-27231a4/], Joe Carrigan [https://www.linkedin.com/in/joecarrigan/], and Maria Varmazis [https://www.linkedin.com/in/varmazis/] (also host of the T-Minus [https://space.n2k.com/podcasts/t-minus?__hstc=223811332.a636bba53840b4700c929fe67723a129.1721054632698.1747145009569.1747159962459.413&__hssc=223811332.2.1747159962459&__hsfp=3690629108] Space Daily show) are sharing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. We start off with some more chicken follow-up, this week delving into malware-related chicken names. Dave’s got the story of Brevard-based Health First Health Plans teaming up with the FBI to warn consumers about a nationwide medical insurance scam where victims pay upfront for fake coverage and end up stuck with huge medical bills. Maria shares the story on how a recent April 2025 survey reveals that while most US consumers feel confident identifying scams and rely on traditional security measures like strong passwords and two-factor authentication, many still experience scam attempts and data breaches, with real-time threat detection emerging as the most valued feature in security products. Joe shares a personal story about how he was mildly got, got—tricked, that is—he thought he was filling out a quick survey for a waiter, but it actually ended up as a Google review. It's a reminder of how AI and tech are blurring the lines in everyday interactions, and how easily people can get tripped up by these evolving processes. The catch of the day this week is from the Scams sub-Reddit, and Dave reads a text from a scammer claiming to have information on his doing drugs at his old workplace.
Resources and links to stories:
* ALERT! Brevard-Based Health First Health Plans Joins FBI to Expose Medical Insurance Scam [https://spacecoastdaily.com/2025/06/alert-brevard-based-health-first-health-plans-joins-fbi-to-expose-medical-insurance-scam/]
* Scams and Protections US Report: April 2025 [https://pro-assets.morningconsult.com/wp-uploads/2025/06/Google-x-Morning-Consult-US-Consumer-Scams-and-Protections-Blog-Report.pdf]
* We make building an app so easy, anyone can do it [https://www.builder.ai/]
* '700 Indian engineers posed as AI': The London startup that took Microsoft for a ride [https://www.businesstoday.in/technology/news/story/700-indian-engineers-posed-as-ai-the-london-startup-that-took-microsoft-for-a-ride-478514-2025-05-31]
* Artificial Intelligence stories [https://sifted.eu/]

Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com.