Don’t talk to strangers 

It was 1987. I was a junior in high school. And one of my best friends lived over an hour away. If I had owned a car, that is. It was 1987 and I had no job and no car. But I really wanted to see my friend. So, I did what any other kid in high school in 1987 would do. I hitchhiked.

For high school kids in the ’80s that wasn’t too big of a deal. It still wasn’t as safe as it had been during the ’60s and ’70s. But still the risk was low. It wouldn’t be the first time I’d hitchhiked either. I had been doing it for over a year. And I met some interesting people along the way.

So not only did I talk to strangers, I got into their car with them. I heard their stories, and they heard mine. Then they dropped me off and we promptly forgot about each other. Now, I knew about stranger danger. Every kid who grew up in the ’80s and ’90s knew this. But that didn’t really seem to apply to me. And after all, it always turned out fine. Except for the time I got shot. With a fire extinguisher. From the passenger of a would-be free ride.

These days the story is different. People mostly don’t hitchhike any more. But sadly, the warning to shun conversations with strangers is still ignored. Because we’re nice. 

If you have ever received a text message from a “wrong number” you’ve been had. They aren’t wrong numbers. They are shotgun blasting messages to thousands of potential good numbers and waiting for a response. So, let’s look at the anatomy of a “wrong number” text message. We’ll use the experience of a real victim but change the name for privacy’s sake.  

“Robert” receives a text message from a number not in his contact list. “Hi, did you enjoy the movie?” the message begins. “Who is this?” Robert replies. This is his first mistake. By responding, Robert has confirmed his number is valid. “This is Annie. Is this Frank?” Here is “Annie’s” first bait. By picking a random name, “she” is playing on Robert’s urge to correct her. So, he does: “No, this is Robert.” Now the scammer knows 2 things: the number is valid and his name is Robert. At this point “Annie” can do a reverse lookup on the phone number and get Robert’s last name. With that she can look him up on social media.

With the frightening amount of data we willingly post to social media, “Annie” can get enough info to encourage Robert to continue the conversation. At some point, “Annie” will take the photos she gets from Robert’s social media account, alter them with generative AI and potentially use them to blackmail Robert.

It sounds far-fetched. But this happens thousands of times per day. All over the world. So, listen to your mother. Don’t talk to strangers. Set your phone to silence calls from those not in your contact list. Let the calls go to voicemail. And for texts, swipe left then select delete and block. Answering a call or text from a “wrong number” is like hitchhiking. Don’t do it. We don’t live in 1987 anymore. 

The Cyber Guys: Swatting customers, cyber hackers’ new extortion method

What you are about to read is fiction, but the scenario is feasible and, in a few months, may be likely.

Bob was sitting on the couch watching the Chiefs play the Bills. The Bills had just made a touchdown, bringing the score to Bills 17, Chiefs 10. Suddenly the front door burst open and a heavily armed group of people flowed into his home. In moments Bob was on the floor face down, arms behind him zip tied. Bob was under arrest.

Bob wasn’t guilty of a crime. He was the victim of a horrible extreme prank called “swatting.” Someone had accused Bob of posting extreme anti-government threats on social media. Bob’s social media account had been compromised, then filled with anti-government rants. Enough evidence to justify the temporary chaos you just witnessed.

Why was Bob targeted? Unfortunately, he was the client of a medical center that recently had fallen victim to a cyber-extortion group. The patient information was stolen (including Bob’s) and the threat group promised that if the ransom wasn’t paid, the threat group would make life a literal hell for the patients.

Because Bob had the bad habit of reusing his passwords it was trivial for the threat group to take over Bob’s social media account using his stolen credentials and make those false posts. Bob became the first of many to endure such humiliation.

The story is fictitious. But the threat is real. Swatting as a service is the latest tactic threat actors are using to coerce businesses into paying cyber ransom. You are truly just a pawn. Because cyberattack reports are so common today, we’ve become overwhelmed and desensitized to the implications of the threat. But now the implications are physical. Visits from actual police to your home. So far, the police visits have resulted in only momentary inconvenience for the victim and a waste of police resources. But it is conceivable this will escalate.

You are probably thinking, “There’s no way this could happen. Who would ever go to such an extent just to get money?”

The reason you think this is because you are not evil. But there are truly evil people who absolutely don’t care about the pain this causes innocent people. The effort it would take to conduct such a campaign as described above is very little on the part of the threat actor, especially in the age of artificial intelligence.

An AI bot can easily craft the content for social media posts at scale. The level of effort on the part of the human is then as little as copying and pasting the content into a compromised social media account.

But you can do something to make sure it isn’t you who suffers. First, if you don’t absolutely need social media, you can cancel your accounts. One principle of cybersecurity is “if you don’t need it, remove it.” If you do use your social media accounts, make sure you use a password manager like Bitwarden to create and securely store your passwords.

Lastly, you do have a right to ensure your data is secure. The tactic described above has been used against medical centers. Your protected health information is governed by the Health Insurance Portability and Accountability Act. You have the right to ensure your medical provider is protecting you. Ask it to provide you with evidence it is doing more than the bare minimum. If it refuses to show you, then you may consider changing doctors.

I know this sounds extreme, but so is “swatting.”

Original article was featured in the Sierra Vista Herald and can be found here.