Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Liz Ward (00:01):
Hi, welcome to Tourism Tribe's Untangling Tourism Tech podcast. Hi, Fab.
Fabienne Wintle (00:08):
Hi, Liz, how you going?
Liz Ward (00:10):
Well, thank you. Well, we're at episode 14. Welcome to our listeners, and we have prepared for our listeners today a topic that, don't, don't turn off the sound now when I say this, we're talking about a topic that can be a bit dry, but it's really important, which is cyber security. But this is cyber security on AI steroids, in terms of what we are seeing with our clients, in terms of the impacts of improved technology tools for cyber scammers, and what that means for your business. And unfortunately, we've got some real stories to share, but Fab, fortunately, you're able to shed some light on the approaches that people need to be taking.
Fabienne Wintle (01:02):
So, and don't think, for our listeners, I want to say, don't think that it might not happen to you, because it's actually happened to Liz and I both, and we live and breathe tech every day, and in my case, especially, it took me about two months to realise what had happened. So listening to this episode would really arm you with that critical thinking of when it strikes next time. Hopefully you'll have that one second of remembering this podcast and go, could it be? Do I have to be extra cautious here?
Liz Ward (01:38):
Thanks, Fab. So we're going to have a chat, first of all, about that doorway to your business, of your email accounts, and the risks there. And we're also going to have a chat about just improved technologies, things like voice, and what that means to the risk of your business. So let's kick off with the email story, Fab, because this one is close to our hearts on behalf of a client of ours. Would you like to lead in with that in terms of their experience?
Fabienne Wintle (02:16):
Yeah, well, it's happened to actually quite a few clients of mine. I wrote a LinkedIn post about it, episode three, if anyone's interested in reading the story, but basically email and spoofing. So what does it mean? It means that you can actually be sending email to people in your contacts list or to anyone, but it might not actually be you. However, when the person receives the email, they see it will be from Fabienne at tourismtribe.com. So unless you put things in place in your domain name, this could happen, and it's got some really bad implications, because if you know someone well, and this is how scammers use AI, I guess, Liz, to define the "know someone well", the person who received your email is going to believe you. So have you got a story to share, Liz?
Liz Ward (03:18):
I have, and I think it's a perfect example of how AI is making it easier and faster for scammers, and they can bring a lot more automation, therefore speed, into finding the vulnerable businesses. And the example is where a client is running an organisation with members within that organisation. So an example, if you think of a similar example in our industry, it could be a regional tourism organisation where members are receiving emails, and these are people that have a close relationship with the CEO. So it could be a member of their committee or board, like the treasurer, for example, receiving a spoofed email from the CEO saying, "Can you please authorise that payment? We need to do it urgently to this company." And the email was almost perfect. The tone of voice, the references to this person, knowing their first name, knowing what their role was in the organisation, because all of this is available online on the website, because we want to be transparent and talk about who's in our organisation. Now that fortunately was caught because of a manual practice of checking and having two signatories on the bank account for any payments, and one checking with the other, because it was an extraordinary payment. That same organisation, before they took your advice, Fabi, in terms of what they needed to do, had two other occurrences. The second one went to a member, an email asking them to make a payment for the CEO, a very trusted relationship between the two. They were working on a project together. They roughly had the project name correct, because once again, this had been in the public domain, this information, and unfortunately, that person did make that payment, and then I'm trying to get the payment, the money, back through their bank. The third one was caught, and that was going to a member. It was a weird request, because that member wouldn't normally be involved in financial transactions, and she flagged it. So this to me, in the space of about a fortnight period, just demonstrated how smart the relationship connection has become, where that kind of spoofing exercise required some manual fishing, maybe, before. Now they can just create a story, put it over email, spoof the emails, and it could be even to a staff member that that could happen. So then you went through the exercise, Fab, of advising on this particular one, which appears to have arrested the problem. And so could you just share with our listeners what they need to look out for, in terms, okay?
Fabienne Wintle (06:19):
So I guess the first thing is to actually have a proper email platform. So if you use email attached to your host, you know, the old school way of doing emails, so attached to your host, you might create one or two inboxes. That is not going to send the same alarm bells in your inbox than if you actually had a system like Google Workspace or Office 365. Unless you would know, when we look at our emails, actually, we're very online. It's going to be very unlikely that we see an email that is spoofed from a client, because it would have gone straight to spam, because Google would have already read that there was a mismatch between things. So that's the first thing, is have a proper email platform, and email attached to your host is not the way to go. So that's going to already save you possibly a lot of issues, not even just, you know, not looking at your spam daily. I have clients that still tell us, "Oh, I don't mind. I just delete the spam." And we're like, "Oh, my goodness." Maybe you are, but imagine your staff, they might know, not know. So set up a proper system to do email in 2025. Then you need to actually access your domain name and set up some records. So I'm already probably speaking Chinese here to many of you, and this is where it gets quite technical, because most of the people we often talk to don't actually have handy access to the domain admin platform. So even just accessing that information is very important. And in the show notes, I'm going to link you to a blog post that I have written a few weeks ago to tell you what admin access you need and how to fight for it. So with your tech guy or girl that may not want to give it to you, right? So basically, if someone's getting emails from you that pretend in the from field that it is from you, but it's not you, it means that there's a problem inside your domain name, that you are missing some records or some pieces of information that you need to go and add. And basically there's about three records you might have heard of: the SPF record, DKIM, and DMARC, and the culprit will likely be that you're missing one of those. So in the show notes, we're going to put a link for you to how to test if you're missing these records. Of course, you can go to your domain name or host or web developer, but you should be checking this and remedying that problem right away, because it sounds complex, but there are so many steps that are written everywhere on the internet about this, because it is such a common problem, that it's not hard to fix. The hard bit is just making sure you've got the right login and find the right buttons in your domain name. But don't expect that to be done for you. We were talking about this earlier, Liz, that lots of people think, "Oh, I've got a domain name. I've got someone looking after this," you know, where you pay your bill, $40 a year for your domain name? No, that's just like, I guess, paying for your rates or the title of your land. The council is not going to put cameras on your land and build your fence. You have to instigate that. So having a domain name doesn't mean that these protections are in place.
Liz Ward (09:58):
Yeah, I've found generally that people aren't aware of this safeguard. So I do absolutely commend everyone to run that test. Go to the show notes and get that link to run the test on their own domain, or let us know. Come and ask us, and we can do a quick consult for you to be able to do that for you and point you in the right direction, because it is quite a technical area, and if you are a small business without good IT support, you can feel quite vulnerable. What about some other ways in which scammers are getting smarter, or using AI technology, Fab, or could use AI technology? Let's talk about voice, because that is one of the biggest changes, is people would be starting to see that they can have their voice built into an avatar, for example. So what are you imagining are going to be the vulnerabilities, or, and the opportunities, but vulnerabilities?
Fabienne Wintle (11:02):
Do you remember this text message going around? Was it six months ago, that people were receiving, saying from their daughter or their son, saying, "Oh, Mum, I'm stuck, you know?" And that was $1,000.
Liz Ward (11:15):
I'm desperate.
Fabienne Wintle (11:16):
Yes, yeah, so with, and that was just a text message, but for AI text message, what you have to realise is text message, email, voice is just a different medium, but it's the same thing where, whether they send it to you via WhatsApp, via chat, that we're used to chatting now, or via voice, the mechanisms behind it are the same. It's just the end point of how they make that last connection between the scam and you is text or voice or chat or email, right? So we're kind of familiar with email and text messages, but we're not really superbly familiar with scammers calling you and potentially pretending they are your daughter, or, you know, we're quite familiar with pretending they're your bank or the tax office, but let's think about it. Liz, you and I have a podcast. We have tonnes of videos with our voice recorded online. You might think you don't have anything with your voice recorded, but think about your answering machine, right? That might be your voice. How easy would it be for AI to actually spoof your voice and call someone saying, "Hey, I'm Fab, I'm Liz, you know, I'm the president of my local tourism organisation. Have you made that payment?" Well, we've learned that you should always, you know, call someone, potentially. We've been telling people for years, if you get an email, just call. Call them to check, right? And it's really important. Here's the differentiation between you called them and they call you, because they could call you and pretend that the phone number you see on your phone is their phone number, just like they are emailing you and pretending the email address is the person. So I went and did a bit of digging. And I did a bit of digging after a specific thing that happened to me, but I'll tell you that in five minutes. So I went and did a bit of digging and go, okay, so in email, we can actually put some records in place on our domain to prevent that from happening. How do we do that on our phone number? And the thing is, there is nothing in Australia yet that's stopping people from being able to do that. They have something in the States, and...
Liz Ward (13:52):
That's what I wrote about, isn't it, that it's terrifying. Definitely spoof, mask the phone number. Mm hmm.
Fabienne Wintle (14:01):
So I could be calling you, and it literally could be my bot. And I was chatting to someone on our website the other day, and I said, "Fabi, is that really you?" And what would I say? Yes, my bots would say, "Yes, it's really me," right. But do we actually need to create a real password between people to say, yeah, a safe word? So anyway, think about it. What would you do if I called you and I was someone you know on a board of a tourism organisation, to give you an example, and told you to pay this invoice as per my email? You'd be like, "Oh, that's double authentication of security. I've got an email, I got a phone call from Fabi." Well, what do you do if someone calls you and it sounds a little bit fishy or out of the ordinary? You do what you did with the tax office. You say, "Hang on, do you mind?" Because when the tax office calls you, it's actually written, you know, no numbers, but that's kind of a sign. But what I'm saying here is, no, it could be my number. So what do you do? You call them back, but you don't ask them for their number. People make that mistake, or they'll tell you, "Go and check my website address, blah, blah, blah." No, you go to Google, right? And you Google the main phone number for that business, the one that is in the Google Business Profile, and you ask to speak to that person, even though they might see their number.
Liz Ward (15:31):
Fab, why do you not rely on the number on their website?
Fabienne Wintle (15:35):
Well, because they could have spoofed a website. They could have changed something, depending on people's security levels on their website. So you all know how hard it is to get something improved in Google Business Profile these days, and how they need that video verification that it's you. So go to an official phone number, and I would trust Google Business Listing over people's own website these days, especially if it's a small business, or not a government entity, that might not have to have all the right security in place. It's scary, but...
Liz Ward (16:09):
That doesn't exist. The other thing is, we've got to rely on the approved, you know, we've got to implement dual payment authorisation within businesses, and we've got to rely on those manual processes as well, and having a trusted partner in that is so important, and you know their phone number, so hanging up, ringing them, and that's basically how it was captured in that client example, is they actually had an exchange between the two people going, "No, that wasn't me."
Fabienne Wintle (16:47):
So the other thing to mention, Liz, that's really important is scammers, obviously, you know, in the old days, pre-AI, would have taken a long time to find all that information. But now you can write a script. It's very easy. People now can find everything about me, if I have dogs or cats, what I prefer, the tone of voice, how I write things. My voice is going to sound not robotic, because gone are the days where AI sounds robotic. I don't know if you've tried the Advanced Mode on ChatGPT. It doesn't sound robotic at all, but it's going to actually sound like me. My personality is going to be the same. You might be asking me how my cat is going, and I might be answering you with the right information, because they found information about me, my cat, online. So it's not just the voice that you've got to worry about. It's the story and their personality. That's, for me, on the safe side, hang up, call them back.
Liz Ward (17:49):
And what was your experience, recent experience?
Fabienne Wintle (17:54):
So it was a bit of a mix of AI and normal. So I got an email in my personal inbox that didn't cut, the spam filter didn't catch it. So that was actually really interesting. And it is an app, it is, um, a cyber, cyber bitcoin wallet that I use that sent it to me. And it was a bit like, if you send someone an email nowadays, you can actually track if they click on a link, right? So it was like, "Hey, blah, blah, blah, click here for the latest update" or something, right? It didn't say "click here to log in", because that would have given me warning bells. And I clicked, and then I saw it went to a dodgy URL that wasn't really the bank name. So I'm like, okay, something's gonna happen, right? I'd figured that one out. Nothing happened. It wasn't an email, but two weeks ago, on a Sunday, which is very interesting, I remember I wasn't actually at home, I got a phone call saying, "Hey, it's such and such, blah, blah, blah, from such and such online wallet. We just wanted to check something that's happened to your account." And I said, "Oh, I'm sorry." And when I get dodgy phone calls, even though it's on my mobile, I'll pretend I'm my PA. So I said, "I'm sorry, Fabienne isn't available. Can I take a message?" And they were very arrogant and very stern, and they told me, "No, we recognise it's you, Fabienne, we have your voice file on file, your voice on file," you know, like how the big banks get you to actually confirm it is you with your voice? Like, how scary is this? And to me, obviously, that then just started, for one second, I thought, huh, as if, as if you do. But then I started thinking about my mother and going, oh my goodness, she would go, "Oh yes, of course, my voice is on file with the bank. It must be the bank," right? Yes. So I kept going with the conversation. Now, just, you know, okay, "No, she's not there." "Oh yes, she is." And I ended up hanging up after one minute of talking to them, and I knew in my mind that was from me clicking that email, right? But two months after, I realised I must have been talking to a bot, and it had a British accent, which I thought was odd in a way, because I was in Australia, and I think it's an American tool, but yeah, I thought I must have been talking to a bot, so it could have been a bot. But what triggered it was the fact that I clicked somewhere on an email that they must have had all the security in place, and plus, because it actually landed in my inbox in my Gmail, and I almost got caught, because they use something I'm really familiar with, which is voice identity in Australian banks.
Liz Ward (20:56):
Yes, yes. So this, we're experiencing this. I'm sure our listeners can contribute, and I'd love to hear from them with some of their stories, because we have to keep educating the industry, our communities, about this, and to be super vigilant, to be able to respond by hanging up, ringing back the company.
Fabienne Wintle (21:23):
Don't be scared to hang up, that's the thing. Yes, at the time that you're on the phone, it might sound a little bit rude to you to hang up, because they are using all the right scripts. And obviously, if it's AI, it's automatically based on what you answer, it's automatically creating the next logical question. And remember, it might know about you, your kids, what you're doing, even where you are presently, because you might have shared that information somehow. So you'll be feeling like, "I know I should hang up, but maybe it's not right." So if you've got that inkling, just hang up.
Liz Ward (22:00):
That's right. If there's anything stirring for you, hang up. It can't be that great an opportunity. We might ask people if you can share with us in the comments some experiences, that would be fantastic to know about. And has anyone had any calls, like proactive calls, cold calls to you, that you believe could be a bot? I had one just a few weeks ago. Let me set the scene for you. His voice was the voice of a tall, dark, handsome Australian male, probably in his early 30s. That's exactly the picture that came to mind when he started to speak with me. He had the most beautiful, flowing voice, and in fact, the flow was so perfect that that's what started, my subconscious started to go, what, okay? Is there something not quite right? And there were some interesting pauses after I spoke that sounded like there was some kind of automation happening. It was after I spoke that there was a little pause. So it's like, almost like a chatbot waiting, like, digesting and then knowing how to respond. So by the time I twigged that this is, and there was nothing wrong with the offer, as far as I know, but it was an example of what's to come in terms of cold calls coming from bots. How the call ended was, I gave some information that the bot couldn't deal with. I kept the conversation going, and I said something like, I said, "The only reason I picked up this call, even though I didn't recognise the phone number, is that I was expecting, you know, maybe some calls from some clients," and before I could finish that phrase, they hung up on me. So it was a very interesting conversation. I've never experienced that kind of pausing before, or where they hung up. It's like the bot couldn't deal with what I said back to it, but I let it go, because I thought this is so interesting, to see how this is going to go. But yes, that beautiful male voice nailed, absolutely nailed, for the Australian target market of the woman that I, you know, I represented that target market.
Fabienne Wintle (24:50):
Yes. So, like everything, I guess that would have been, you know, for the business having a bot calling, cold calling, that would be cost saving. So that's going to go ahead. It exists already. So don't think that all the phone calls that you're going to get, just like all the emails that you're going to get, are going to be scammers. But I think in Australia, based on what I've read, the authentication connected to your phone number, actually our telco networks don't support it yet. It's called STIR/SHAKEN. Funny name, isn't it? Like a good martini, shaken, which corresponds, I guess, to the same records that you'd be adding to your domain name, is not supported by the telcos, so we've got to be so vigilant. And if we already almost get caught by emails, imagine if someone that knows you well, and as we're saying, they'll scan your website. They'll scan, they'll understand the relationships. It's all about SEO, AI optimisation. We're all working really hard on our About Us page to make sure everything's connected well, so AI can understand who we are. Well, guess who's using that as well. So just talk with your team as well. If you're listening to this podcast, maybe bring it up in your next staff meeting to bring that awareness to voice.
Liz Ward (26:10):
Absolutely. So just to recap, before we close out, Fab, in the notes with this podcast, you'll provide a link to a blog post with more information about the email spoofing and the protection steps that you can take, as well as the test, the link to the test that you can run to check whether you have the identification or protection tools like DMARC in place, and then to be super vigilant, if you're getting calls or emails that are requesting money particularly, or disclosure details, hang up, finish that conversation. You go look up the phone number yourself, use the Google Business Profile phone number, and ring them to verify.
Fabienne Wintle (27:08):
And it might be, they'll get very clever. It might be three steps away. It might just be a normal conversation that you have about something, and then they're gathering that information over three emails. So if something sounds fishy, that hasn't changed, right, Liz? If you're not quite sure about something and it sounds too good to be true or sounds fishy, yeah, super vigilant.
Liz Ward (27:30):
Correct, correct. I think that's it, Fab. All right. Happy, secure AI work, please, everybody.
Unknown (27:41):
Bye, Liz, bye, you.