
July 28, 2025 22 mins

Dallas Turner's $240,000 fraud loss isn't just celebrity news—it's a wake-up call for anyone with a bank account. When even NFL linebackers fall victim to social engineering, what does that mean for the rest of us? 

In this episode of The Audit, co-hosts Joshua Schmidt, Eric Brown, and Nick Mellem break down the sophisticated tactics behind this massive financial fraud and reveal why help desk vulnerabilities are becoming cybercriminals' favorite attack vector. From Scattered Spider's multi-industry campaigns to the unexpected cybersecurity challenges facing Formula 1 racing, this episode covers the evolving threats that no security professional can afford to ignore. 

Key Topics Covered:
  • How banking impersonation scams work and red flags to watch for
  • Why Scattered Spider targets help desks and how to defend against it
  • The surprising cybersecurity risks in high-speed Formula 1 racing
  • Practical steps to protect yourself from social engineering attacks
  • Why MFA fatigue is becoming a serious security vulnerability

Don't let social engineering catch you off guard. The tactics that fooled a professional athlete could easily target your organization next. 

#cybersecurity #socialengineering #scatteredspider #financialfraud #infosec 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
We are going live. You are listening to the Audit presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer. Today we're joined by the usual suspects, Eric Brown and Nick Mellum. How are you guys doing today? Fantastic. Eric, you don't look like you're in the office today. Are you at an undisclosed location?

Speaker 2 (00:23):
I am at an undisclosed location up north getting ready for a little lake time.

Speaker 1 (00:27):
Nice. Well, let's jump right into it so Eric can get back out to sunbathing on the dock. We're doing a news episode. Obviously, we've got the first article pulled up here, coming straight from the Vikings linebacker, Dallas Turner. Call him Diamond. Dallas Turner lost $240K in financial fraud scheme. That's no small amount. We've all heard about friends and family and grandparents

(00:48):
losing tens of thousands of dollars, but a quarter mil is nothing to slouch at. So let's see what it says here. Eagan, Minnesota: Minnesota Vikings outside linebacker Dallas Turner was targeted in an alleged financial fraud scheme that cost him about $240,000, according to local authorities. Sergeant Rich Evans confirmed Thursday that Eagan Police

(01:08):
Department was actively investigating the case.

Speaker 2 (01:11):
Josh, I hate to see these things. This is happening all over the place, at larger amounts and smaller amounts to this, but it really comes down to, unfortunately, the individuals just maybe being unaware that this attack could happen. We've seen these types of things happen in the

(01:33):
professional space, where you'll have malicious actors that they're just out there, they're waiting, they're watching, they have access to open source intelligence gathering, information, so things that are publicly available, like contract dates and vendors that are awarded contracts, and then it's easy to just slip in and socially engineer one side of

(01:58):
that transaction, so the side where the money is going to be transferred from. And there's a couple of recent examples in Minnesota, a really large deal a couple of years back with the city of Cottage Grove, where the city of Cottage Grove, I think it was a sewage contract over $1 million, I believe was socially engineered.

(02:22):
But you really hate to see these things.

Speaker 3 (02:25):
I think one of the most unfortunate things when I see this, and I saw this pop up on my ESPN app a couple of nights ago, and just right away you feel for him. But one of the most unfortunate things is you choose a bank and you do business with this bank and you think it's somebody you can trust. So I'm assuming they figured out who his bank was, right, and

(02:45):
they call him and they try to give friendly advice. So it's tough when you think you can trust somebody but you're deceived by a bad actor that's posing as them.

Speaker 2 (02:55):
It takes me back to the work we were doing with the executives. So the service offering that we've got, where we'll help executives and high net worth individuals with education around something like this, where we come in, do an assessment with their family and being that point of contact,

(03:15):
because, as you know, this sort of thing just continues to happen. And then when you introduce the grandparent scheme, where little Johnny is on vacation in Mexico and then allegedly gets kidnapped and calls the grandmother for money, all of those sort of things of how do individuals protect themselves

(03:40):
and their family, and largely it's with knowledge of what do we do in a scenario like this. I would think that level of education, if I'm investing millions of dollars in a bank, I want that banker to sit me down and have that cyber conversation.

Speaker 1 (03:56):
What would be some other red flags, Eric, that might jump out at you if you all of a sudden get a call from your bank and they're like, hey, Eric, we got to switch this money, we got to send this over here. You know, here's the route, what's the routing number, and blah, blah, blah.

Speaker 2 (04:08):
If I get any sort of call that seems time sensitive or financially sensitive, I'm not going to react to that call. Probably just going to hang up, right, and I'm not going to deal with it, because there is nothing going on that is that time sensitive from a transaction standpoint.

Speaker 1 (04:28):
Slowing down.
Don't hit the panic button.

Speaker 3 (04:30):
You took the words right out of my mouth, Josh. We need to encourage people to take a beat, slow it down, and if this person's calling, you judge their sense of urgency. If they're calling and they're frantic, you got to do this, you got to do that, don't miss this opportunity, feeding you this line. Like Eric said, nothing's that urgent.

(04:50):
You can call them back, think about it, talk to your spouse or whatever the case is, call your financial advisor, et cetera, et cetera. Before anything else, before you proceed, especially with this, I mean with any sum of money, but we're talking big numbers here.

Speaker 1 (05:04):
Phone a friend. Ask someone like your spouse or something, like, does this make sense?

Speaker 3 (05:08):
When we see it too, in the space too. When we worked on a case a number of years ago, a specific organization, their controller was sending money to an overseas organization, thinking that the owner of the organization was investing in these organizations, and she had full control,

(05:29):
obviously, as the controller. She was social engineered. Turns out it was a half a million dollars she had sent over and, you know, we had to work with the FBI on that. But another situation where somebody that should be trusted within the organization had worked there for almost 30 years and, you know, couldn't do anything about it.

Speaker 2 (05:50):
The malicious actors are always watching, no matter who you are, what you're doing, the size of your company, and looking for that opportunity. So it comes down to education. Right, having that conversation as somebody comes on board of, like, these are the things that could happen, and I'll never ask you for a gift card. If it comes up, then we need to talk about it.

(06:14):
If you don't hear from me directly, then it didn't happen. At the family level, to where you could have certain words or phrases that, in this particular case, it could have been something that he set up with his banker. When we go into the homes and the lives of these high net

(06:34):
worth individuals, sitting down and talking with their children about, you're playing online. You're playing Minecraft. You're playing an online game where you're interacting with people. Those people that you're interacting with could be malicious actors. Right, they can use voice changers. They can impersonate different people of different ages, and

(06:57):
it's really unfortunate to have to tell children that not everybody you meet is honest and people could be trying to deceive you to get to your family member for social or economic reasons or political reasons or whatever conversations, and letting the families know that, yes, your

(07:21):
mother, father, whatever, is in this high profile position and you could absolutely be a target.

Speaker 1 (07:28):
I think the takeaway here is, regardless of whether you're a Diamond Dallas Turner, a linebacker for the Vikings, or you're just Joe Smith from Minnesota, take a beat and make sure you know. Lock your credit. You're taking your time. If you do get suspicious calls, slow down, talk to your bank.

Speaker 2 (07:46):
I'm going to just say one, because this is one of my favorite topics here, of the personal information security regardless. Right, it doesn't matter if you're a high net worth individual or you're just the guy or gal down the street. There are things that you can absolutely do to protect yourself and make it more difficult for the malicious actors to attack you.

(08:06):
Right, if you're posting on social media, don't post that you're, you know, you're in Mexico for the next two weeks and make your home a target. Don't put your address in the social media posts.

Speaker 3 (08:21):
So make sure you're using, you know, you don't think on Facebook you need MFA. You absolutely do. Secondly, when you're posting to social media, maybe wait until you get back from your trip. I know everybody's got to do it right now, like they want everybody to see they're on the beach in Jamaica, right, they just did whatever, had a great day, and that's awesome, like, share that stuff. Wait till the week you got home, so they know your house

(08:43):
isn't vacant, whatever the case is, so wait till you get home.

Speaker 1 (08:47):
Yeah, my wife and I went to Hawaii in 2018 and there was some great pictures and we'd refrain from posting anything online, and you know what, everything was fine when I got back. You know, no one cares. It's actually kind of liberating because, you know, those were for us, you know, and I still haven't shared them, and yeah, that's what they're for. Then we don't need to have everyone checking those out.

(09:07):
Yeah, let's pivot over to this next article, because it is part of the same conversation around social engineering, phishing. This is coming from Cybersecurity Dive: Scattered Spider poses serious risk to several hundred major companies. A new report shows that a select group of large companies use technologies that the hacker group often targets. The cybercrime group

(09:28):
Scattered Spider's tactics put a group of roughly 300 major companies at heightened risk of attack, according to a new report from security firm CyberCube. So I wanted to kick it over to you guys and ask, with you know, why is the help desk such an approachable vector for this type of campaign?

Speaker 3 (09:44):
There's so many things we could dig in on this. I think, especially for these large organizations, the help desk is always going to be a target because of the volume that they're dealing with. They're getting so many tickets every day from so many people, and you know this is not necessarily a bad thing. But when you work at these large organizations we've talked

(10:05):
about before, you know you kind of become a barcode, but they're always going to be big targets for those reasons, social engineering, because they're easy targets to get information from. You know, you could even call the help desk and ask, how long does my password need to be? Do I need special characters, right? You start to, like, fine tune and funnel this information out. But I also want to just shine a light on how important it is not only to train the service desk with the people at the organization that might be calling. You know, the phone call can go both ways, right, if you're

(10:26):
calling to a help desk or the help desk is calling you. I've been a part of hundreds of social engineering exercises and I think the numbers probably tipped at probably 70% I've used, I act as a service desk. I call them as a service desk extracting information. Hey, we're operating to

(10:47):
Windows 11, whatever your pretext is, and we also see that your password hasn't been updated in over 90 days. We're having an issue there. Whatever you decide, these are things that are happening, that you need to train your people in your organization that, you know, if that's really the case, you don't need to answer that information. You could,

(11:08):
hey, let's hang up, I'll call you back. I'm going to call my service desk and who answers that, I'm going to verify this information. The training goes both ways. Here they're mainly targeting actual service desks to get information, but to my point, it goes both ways. We need to train the service desk, but train our individuals that are going to either receive a call from a service desk or

(11:29):
calling into a service desk.

Speaker 2 (11:30):
keep hitting that prompt, and then on your phone you get the notification of accept or decline from the MFA prompt, and normally that would be a red flag where you get that notification, and if you didn't request to log in somewhere,

(11:55):
then there's something fraudulent happening. Somebody has your creds and is trying to use your account to gain access. Some people are just hitting accept because they're just getting so many notifications and they want the notifications to stop. You're out to dinner or whatever. It is just like, yeah, accept, stop, which is, of

(12:15):
course, the wrong thing to do, but it obviously works because it's an attack vector that they use. And the modern authentication with MFA, you've probably seen it where it asks you to input a number. So you get sent a number and you have to put the number in, and the purpose of that was to stop the MFA fatigue.

Speaker 1 (12:41):
So one of the things I found interesting about Scattered Spider, and this makes a whole lot of sense, they're bouncing between industries, and I would assume that's because there's an awareness within each industry. If it's airlines, by the time the airline, other companies catch up, hey, this is happening to Delta or American Airlines, there's some little bit of talking going on there about

(13:01):
what's happening in that industry, that they're already onto the insurance company or the next thing. So if only 2% of these major companies made the high risk list, what are the 98% doing right, and what should those 2% be doing to kind of fortify their security, to prevent being attacked by a major operation like Scattered Spider?

Speaker 3 (13:20):
To me it's because it hasn't been reported yet. The problem's on the way. It's banging up against the doorstep right now. The problem is we're always so reactive and defensive. We need to be offensive. We need to get out in front of these problems, start talking in front of these problems. Start talking, you know, and we've talked about it many episodes ago about getting your security team, getting your IT

(13:40):
team out of that back room, educating the staff, walking around the facility. Like, you know, let's say you work at a manufacturing plant. You know, pick a day of the week and have one of your guys walking around talking to people. They should know who the IT people are so they can go talk to them about these issues. Like, there's so many different ways we could solve these problems besides just sending out a newsletter, which is great,

(14:01):
we do highly recommend using tactics like that. But get, you know, don't just have one of your guys. Send even your most junior service desk guy out there. Start shaking hands, educating people on things that they're seeing around the industry, because a lot of people are generally interested, right, because they see this at home. They want to know and understand. Um, but not only that.

(14:22):
You could turn around and educate people about their home life and, in return, if they care about that, they're going to care about what's happening at work, right, because they don't want to be the problem. That F1 movie's out with Brad Pitt, summertime, best movie in America, biggest movie in America.

Speaker 1 (14:37):
So I thought we'd bring this into the conversation today and just talk about something fun. For, you know, instead of all the serious stuff we, uh, like to doom and gloom. In a fast-paced, technologically advanced world of Formula One racing, where every millisecond counts, the competition is fierce. The latest tech collaboration between Williams F1 team and Keeper highlights the critical role of cybersecurity and safeguarding top race teams' operations and strategies.

(14:59):
So there's a lot of telemetry data happening. Ostensibly, they're collecting tons of info and there's a team of people, you know, analyzing that in real time to help make decisions about... Well, you take it from there, Nick. What would you? You're a Formula One fan. What would the data be used for?

Speaker 3 (15:21):
These big organizations that are having these problems that we talked about in the last article. Same thing, your spotlight's coming on, there's more technology going to these cars. Every year new standards come into the cars. There's thousands of sensors in there and they're getting the data right away, and that could allow another team to get a leg up on them. But it could also allow a threat actor maybe to get into the comms. It doesn't necessarily make it any different than what we're

(15:41):
dealing with our organizations. They're dealing with the same kind of problem, social engineering and everything else that we're looking at. But the ecosystems of these races, I think one of the problems is always going to be the logistical nightmare of the sport. When I first started watching Formula One, way long time ago,

(16:01):
there was maybe 10, 12 races a year. There were a couple of weeks spread out, so you might have one or two races a month. Now you have 22, 23, 24 races where they're going somewhere new every year, and these races aren't close. They're in different countries, so they've got to get two cars, their whole team, their infrastructure moved within a week. Formula One has the FIA, which is their governing body, and

(16:26):
they are having issues. I think they had a ransomware attack three years ago, so it's a big problem.

Speaker 2 (16:33):
I was going to ask you, what's the fastest way to become a millionaire in Formula One? Win, baby. Start out as a billionaire. That's fair.

Speaker 1 (16:44):
That's fair. So you mentioned, Nick, there's like tons of races. I think there's 22 countries, 24 races annually. So how do they keep continuity in their cybersecurity posture when they're moving?

Speaker 3 (16:56):
So good standard, constant training, and rinse and repeat, but pushing the envelope on what they're doing, best practices, bringing in third parties to do those audits and exercises against these systems, and it's similar thing to the FIA, which is overseeing all these teams. It's probably coming to a point now where they need to step in and implement standards for cybersecurity because of all the

(17:19):
technology and money that's coming into the space. Right, you need to have a governing body. We have governing bodies for everything that we do, whether it's local government, federal government, smaller, big organizations. They are all following guidelines to something they do within their industry. Your original question, Josh. Yeah, I think it's partnering with strong people, using third

(17:39):
parties to do tabletop exercises, to do audits, to do penetration testing, and rinse and repeat and make sure that you set those standards from the FIA because of the logistics.

Speaker 1 (17:50):
I'll kick this one over to Eric. The article mentions that OT/IT convergence or F1 cyber attacks could potentially lead to physical harm, like Nick would just mention, and driver safety issues. What kind of attack would create something

Speaker 2 (18:04):
like that. It really just comes down to the basics, and F1, no different than another type of organization that's going to be moving protected data in a secure way. Um, and their teams know what they're doing, and if not, give us a call, we'll send Nick over.

Speaker 3 (18:22):
It sounds like he's ready to go. You know, if I could, you know, make sure they call me around the May time frame, because that's what Monaco is, and you know, see, I don't like the Monaco track.

Speaker 2 (18:32):
I'm gonna have a real problem with it.

Speaker 3 (18:34):
It's a, it's most legendary, right. I will, under the lights at Bahrain.

Speaker 2 (18:39):
Okay, I'm with you on Bahrain. Monaco, it's like, I don't know. Everybody get in line, nobody passes.

Speaker 3 (18:44):
It's the historic track. You got the yachts pulling up, right. The streets this tight. You know, you got no.

Speaker 1 (18:50):
What ESPN or cable package do you guys have to
watch Formula 1?

Speaker 3 (18:54):
It's on ESPN right now. Okay, I mean, always it was on, uh, you, or going forward, rather, uh, you're gonna have to buy F1 TV, for my understanding, because ESPN is not going to re-up the contract, because I think Sky Network overseas, um, owns the rights to F1, is my understanding. I had to buy about

(19:14):
three different subscriptions just to watch the Timberwolves play the playoffs.

Speaker 1 (19:19):
It was a nightmare. And then I had like Fubo and I had like ESPN and HBO Max and then I'm like, still can't watch the game.

Speaker 3 (19:27):
And I think the Formula One races might be on HBO Max right now too. I watch them on ESPN, so whatever package.

Speaker 1 (19:33):
And just like that we're back to cable packages.

Speaker 3 (19:36):
F1 TV. People want to come here because they like this, Josh. They want to know about F1, right, they're getting into it. They watch the series.

Speaker 1 (19:45):
Speaking of race driving, I know you're expecting, Nick. Have you plotted out your path, the fastest path to the hospital? Are you going to do a little F1?

Speaker 3 (19:52):
It's funny you bring that up. Yeah, I'm ready to go. Uh, I've practiced the track to the hospital. I'm ready to go, using the shoulders, jumping the, you know, all getting over there Texas style.

Speaker 1 (20:03):
Yeah, so right across the median.

Speaker 3 (20:05):
Oh man, we're in for it, we're in for it. Yep, we're good, and I think too, just what gets me to that? The most luxurious couch in the country, those hospital couches that you sleep on for double nights. I'm looking forward to it. It's like a vacation, all right.

Speaker 1 (20:22):
We're rooting for you, buddy, and congratulations again, and, Eric, hope you enjoy the rest of your time at your undisclosed location. So thanks so much for joining us live today. We will be publishing this full length episode and some shorts and some snippets from this on our YouTube channel. If you haven't yet, please like, subscribe and share. Also got video on Spotify and you can source us wherever the

(20:43):
audio, wherever you get your podcasts. So unless you guys have anything else to add about Formula One, I will leave it there.

Speaker 2 (20:51):
Well, I was just wondering, Nick, did we hit the numbers for the party? Otherwise, is there a shaving event that's happening?

Speaker 3 (20:58):
Oh well, just as long as we've got the 10 people there, we're good.

Speaker 1 (21:02):
We can have a little burnout party. After, a little burn some tires, light some fires.

Speaker 3 (21:07):
But get some Motley Crue going and we're ready to go.

Speaker 1 (21:11):
All right guys. Well, thanks for your time today. You've been listening to the Audit presented by IT Audit Labs. I'm Joshua Schmidt. You've been joined by Eric Brown and Nick Mellum. Please like, share and subscribe, and we'll see you in the next one.

Speaker 2 (21:23):
You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, where all our security control assessments rank the level of

(21:45):
maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio-video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you

(22:08):
source your security content.