Easy Prey Podcast

Consumer Education for Fraud Protection with Doug Shadel

“Anytime you get any call from anyone who is threatening you with something, the chances are very high that it is a scam call.” - Doug Shadel

Some scammers love the challenge of deceiving those they target, while others are forced to scam. Those who thrive on destroying others try to heighten your emotions very quickly. Both excited and angry responses can push you into making irrational decisions.

Today’s guest is Doug Shadel. Doug is a former fraud investigator and special assistant to the Attorney General at the Washington State Attorney General’s office. He served as state director for AARP Washington and Strategy Director for AARP’s national anti-fraud efforts. Doug has collaborated on numerous educational videos and academic studies and co-authored five books about fraud. He also co-authored the AARP Fraud Frontier 2021 Report. He is currently Managing Director of Fraud Prevention Strategies LLC, a Seattle-based consulting firm.

“Anyone can use AI, which means that scammers can, too.” - Doug Shadel

Show Notes:

“It still is very dangerous to answer these phone calls because a lot of them are really persuasive and really good at what they do.” - Doug Shadel

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Doug, thank you so much for coming on the Easy Prey Podcast today.

My pleasure. Great to be here.

I’m glad you’re here. Can you give myself and the audience a little bit of background about who you are and what you do?

I’ve spent most of my professional life in the fraud-fighting world. I was an investigator back in the 80s for the State Attorney General’s Office here in Seattle. I did that for about 10 years and got frustrated with the—I could just never really catch anyone. Or if we did, we drove them out of town but couldn’t get their money back.

I basically went to the AG and said, “Is there any way I could start doing some consumer ed and get to the people before the scammer does?” And I’ve been doing that ever since. I went from there to AARP, and I spent 30 years at AARP, the last 20 as a State Director in Washington State but also developing a lot of fraud prevention educational materials. I retired at the end of 2022, and now I just do consulting, but very similar type of work, going around giving talks about fraud prevention.

I know that you do some work in the robocall space as well. What got you interested in that space? Or is that just because it’s the beginning portion of scams?

That’s part of the reason I was interested in it. About five years ago, I got a call from this producer I used to work with who said, “Have you heard about this kid up at Long Island, New York, who has invented a way to stop robocalls?” I’m like, “No, I haven’t heard of this.” She introduced me to Aaron Foss, who is the founder of Nomorobo.

This is how far back the robocall problem goes. In 2013, the Federal Trade Commission issued a design challenge for the person who could come up with the best solution to block robocalls. Aaron won that challenge and started his company with the—I don’t know—$20,000 that they gave him.

His idea, which has been copied by many other companies now, is he went to the phone companies and said, “Well, first of all, how do we identify these calls? We can’t block them until we identify them.” He went to the phone company and said, “Do you have any old mothballed phone lines I could buy?” And they’re like, “Yeah, we have tons of them. We’ll give them to you for next to nothing.”

He buys 350,000 phone lines, and he runs them all into a computer. Then when he sees a phone number that has a point of origin and is calling more than, say, 10 numbers in his—they call it the honeypot—he puts that into a blacklist database as a robocall.

So when I call you, Chris, if you have this app on your phone, before the phone rings, it’ll compare my number to the blacklist database. If there’s a match, it’ll block it. That’s how he blocks the calls.

My interest was, when I started talking to Aaron and actually went up there and visited him in his world headquarters, which at the time was the second bedroom in his house on Long Island, he not only blocks all the calls, he records them all and transcribes them all, millions of them.

As a fraud researcher and somebody who’s always trying to figure out how they do it and tracking persuasion methods and everything, this just seemed like a gold mine to me. Even while I was still at AARP, we partnered with Nomorobo to start tracking these calls as they come in.

We did a bunch of speeches during the pandemic, Zoom calls with people. We’re calling Bellingham, Washington, or name the city, Orange County, and he can pinpoint the calls coming into Orange County right now in real time. It’s current and local. We did that for quite a while.

Then when I retired, I said, I’m not sure what I’m going to do now. He goes, “Well, why don’t you come to work for Nomorobo?” I’ve been sitting here at my house in Seattle monitoring these thousand phone calls, and it’s interesting. There are a lot of interesting things we could say about it.

One thing that I noticed back about 15 years ago, I did a study with a guy named Anthony Pratkanis, University of California, who is an expert in persuasion tactics, influence. He’s written a number of books, and we got ahold of a database that the Ohio AG’s office gave us, of these types of calls where the investigator goes to a senior—typically a senior who’s got tons of calls coming in—and says, “Will you mind if we forward your phone line to my desk? I’ll take the calls and pretend to be the victim, and we’ll record all those calls.”

We had 500 or 600 of these tapes that they gave us, and we analyzed them. The overwhelmingly most common tactic used is—back then we called it phantom fixation. I’m calling it a promise of financial gain. “You’ve won Publishers Clearing House. You could get a 10:1 return on an investment for no risk.” Financial gain promises. That was 99% of the scam calls.

Now, what we’re finding is when we monitor those same calls, there are still those Publishers Clearing House imposters still out there, but almost half of them are what I would call the threat of loss.

There are these two buckets. There’s the promise of gain, and there’s the threat of loss. Almost 50% of the calls now are someone charged $1200 on your Amazon account right away, or you’ve got a virus on your computer. They’re going to eliminate everything on your computer. Things that put you into this space of being scared.

We’ve interviewed probably two dozen scammers, I have over the years. When you ask these scammers, what is your primary strategy to hook these people, what’s the first thing you’re trying to do, and they all give you the same answer. That answer is to get the victim under the ether.

At first we’re going, “Well, that’s not a very scientific term. We’re going to call it something else. What do you mean by ether?” Ether is a heightened emotional state where you’re no longer thinking logically with the neocortex, but you’re reacting emotionally with the amygdala part of your brain. You get them, and it doesn’t matter if the emotion is a negative emotion or a positive emotion. Either one distorts your thinking enough that they can more easily manipulate you.

When you think of these two buckets with the robocalls—“I’ve won $8 million and $5000 today, and a Mercedes”—that gets me into that heightened emotional state. Or, “I’m going to lose everything on my computer,” that gets me into a negative emotional state.

We did a study with Stanford about 10 years ago, testing this ether theory. I don’t know how to do this, but people in white lab coats at Stanford were able to help us with this. They bring 200 people in and they give them a rigged game that puts them artificially into one of these conditions.

I forget what it is. It’s the monetary incentive delay game or something. Anyway, in one condition, you start out winning a bunch of money, and then you gradually lose all of it. That puts you in a negative state. In another condition, you start out losing and then you gradually gain it all back, and that puts you into a positive state.

They’re taking their pulse and saliva tests. I don’t know however else you might want to measure this. But then once they’re in that state, we had them review advertisements from the Federal Trade Commission cases where they’d use deceptive ads.

The hypothesis was that the people in the heightened emotional state are more likely to say they’d go for these deceptive ads than a group that we didn’t do it to. It was just under no emotion. Of course, that’s exactly what we found. There didn’t seem to be any difference whether you were in an emotionally high state, happy or sad.

I think that’s part of what’s underlying all of this fraud business, whether it’s robocalls, email, texts, or popups; those are the four big channels. It’s all designed in the short run to get you into this heightened emotional state so that you’re reacting intuitively and based on your gut, which is always a bad move if you’re talking to a scammer.

Are there—pardon the phrase—prophylactics to prevent us from getting into an emotional state?

This is an interesting thing, and a lot of the conversation in my world—and probably your world, so this is your world too, Chris—in the fraud space is, “Oh my God. AI is just going to annihilate us. It’s already hard to tell what’s real and what isn’t. AI is going to make it even more difficult.” Well, yeah, it is going to make it more difficult. But the technology can also help us get out of it.

I have been suggesting lately that we do this thing called hardening the target. If it’s really hard to tell whether someone’s legit or not, or if you’re somebody who’s prone to getting into that heightened emotional state anyway when you’re in response, just block the incoming attacks to begin with. Get a robocall blocking app on your phone. Or if you don’t want to do that, go to your phone company and see what better way they have to block it.

Make sure you’re updating your computer software, freeze your credit, monitor your bank account, all the things that these identity theft companies try to sell you for $29.95 monitoring services they’ll do. There’s nothing wrong with those companies. I liken it to some people who like to cook their own meals, save a few bucks, and do it themselves. Others go out to a restaurant. That’s the way this is. The technology exists now for relatively inexpensively.

Bank monitoring, if you have online access to your bank accounts and you have alerts that alert you. I have a credit card where anytime anyone, including me, uses it, I get an email saying, “You used it above your limit of zero.” It’s free. The banks don’t want anybody messing with your account any more than you do.

So there are technological tools that I think can block the incoming. The difficulty for our people—I say our people, meaning the seniors because I’m a senior now—I used to think, “Why do people answer the phone at all?” When I was working, I was trying to run away from the phone call. Get away from me, 200 emails a day?

But you know what happens, Chris? When you retire, the phone stops ringing. I can go a whole day here without the phone ringing once except four o’clock in the afternoon. I’m like, “Yeah, I wonder who that is.” I’m picking them up. Now I get it. You have to put yourself in the shoes of someone.

The problem is that it’s still really dangerous to answer those phone calls because a lot of them are really persuasive and really good. You think, “Well, what’s the harm? I’ve been taking these phone calls to set them up and make recordings of the bad guys. I’m as cynical as they get. Plus I know going in I’m not going to do it. There’s zero chance that I’m going to do what they say.”

You don’t want to try that at home. It may sound fun, but it’s like those ads where you see the race car going up a steep hill, and there’s a little thing that says, “Don’t try this. Professional driver on a closed course.” You don’t want to do that. Those are some of the ways.

I think with the emotion thing, another study we did—this was the last study I did when I was at AARP—we surveyed 3000 people who had encountered fraud. This was with, I think, NORC. We did this with NORC. Two thousand of them were able to resist and not lose money. One thousand of them lost money. What’s the difference between those two groups? That’s what we wanted to know.

For years we’d done surveys and, oh my God, trying to find out the demographic profile of who is most vulnerable to these types of scams. Is it older people? For a long time it was just all older people are the most vulnerable to all scams. Well, we know that’s not true now.

In fact, younger people overall, in general, have a higher incidence of victimization overall than older people do. Older people are more susceptible to sweepstakes and certain scams, but we just couldn’t find a demographic profile. It wasn’t education, it wasn’t race, it wasn’t age.

What we found in this study is that the people who lost money had experienced twice as many stressful life events in the months preceding the encounter compared to the people who are able to resist.

The idea there, I think, is that when you’re caring for a loved one, when you’re a caregiver or you’re sick yourself, or you just got divorced, managing those stressful events takes up a lot of cognitive capacity that might otherwise allow you to defend against these things, or at least see them coming, and you get blindsided by them.

You’re also much more inclined to get emotional in response to a pitch because you’re already on the edge anyway. And there’s nothing you can do about that. Everybody has these moments.

Older people tend to have more of them just because they get sick more and people are dying and so forth. Everybody has these moments. If you’re experiencing a lot of stress, that’s time to be especially vigilant, I would say, about not answering the phone or not responding.

Interesting. I was thinking back to when you were talking about AI, and this fear of AI is going to be pouring fuel on the fire of every scam, fraud, and cybersecurity incident. It’s going to go crazy. If you can’t tell me, that’s fine. Has Nomorobo started to use AI in their honeypot and talking to the scammers in order to, rather than having a bank of people on the phone talking to these scammers, trying to figure out what the scammer is, can they scale up AI to be the recipient of the scam calls, to draw out and see the profile, to see what the stories are?

It’s funny you should say that, because this started several years ago, because the landscape has changed in the robodial world where the FCC is cracking down on them. There’s a 50-state coalition trying to sue all these bad guys. They’re getting better at hiding.

We used to see one phone number call a thousand numbers. But that’s too easy to identify. Now, they just buy these direct inward dial numbers (DID), I think they’re called, by the millions, and one number calls one number. Then, done. One number calls one number.

Before, we used to say, “Oh, look. There’s this guy right over here in Buffalo, New York, and he’s pulling the grandparent scam. Every call he makes, send them to me, and I’ll set up the grandparent.” That worked beautifully. We got all kinds of…but that stopped.

What we ended up doing was creating several different bots that answer the phone in different ways. Aaron has an uncle, and he literally engaged him in recording different responses, like a soundboard.

I don’t know if your audience […] what soundboard technology is like, but the soundboard is a pet peeve of mine. I ask an audience, how many of you have gotten a call in the last week asking to donate money to a fireman’s fund, or the police guild, or the national police force, like there is such a thing. Every hand goes up. Everybody gets these calls.

The calls always sound like a deep voice, a guy who sounds like a sheriff from somewhere in the Midwest. “Oh, this is John Smith, and I’m here to…” The reality is that you’re probably talking to a boiler room somewhere in Indonesia or in India. What they do is they record 35 or 40 different messages, response messages, and they have this board that just has little buttons on it that says, “Thanks.” You press that and the deep voice says thanks.

You’re not really talking to that sheriff who sounds like from the Midwest. In fact, the person you’re talking to may not speak English very well, even. Well, we started doing that with the honeypot just to try because we were getting a lot of calls where if it wasn’t really a live person picking up, they’d just hang up and you’d lose them. We tried different versions of that.

Aaron’s uncle’s voice did the best, and all of a sudden we started getting […] because he would go on. It was very cleverly designed to not say yes and not say no, but just, “Oh, wait a minute. Let me get a pencil and paper.” It allowed us to find out more about what was going on. Now, we have the ability to see these calls coming in, and if we want to, we can barge in and take over those calls and play them out.

Another thing that we’ve been learning about—I mentioned the change from promises of wealth to threats of loss. I did this analysis a couple of months ago in the honeypot calls. You have 100,000 calls coming in in a day. We did this analysis where we tried to separate spam calls from scam calls.

We would define a spam call as admittedly an unwanted phone sales message, but it’s someone selling an actual product or service. It’s like Medigap insurance or funeral insurance or solar panels. I don’t want a salesman to come out to your house to sell you solar panels.

They’re not frauds. They’re just sales calls from the fraud calls. When you divide them into those two buckets, 95% of the spam calls are promises of financial gain. You’re going to get some financial gain from it, and only 5% are these threats of loss.

Whereas when you analyze the scam calls, it’s 50/50. That means anytime you get any call from anyone who is threatening you with something, the chances are very high that it’s a scam call. This becomes the number one red flag, I think, out there for it, because if there really is a crisis like that, you’re not going to get them calling you with a robocall voice. It’s going to be the bank sending you a certified letter or maybe an email to independently call back.

That has become something we’ve built into our consumer education now, that if you get a call and it’s threatening you at all, you can independently check it out, but do not respond.

One of the most insidious ones is these tech support pop-ups that people get. I ask the audience that, and they’re like, “Oh my God.” Every single time there’s at least one person who’s gotten that pop-up. You’re on your computer, you’re minding your own business. A popup comes saying, “Oh my God, it’s Microsoft. You have a virus on your computer, and if you don’t call this number right away, it’s going to erase everything on your computer.”

If you don’t know better—let’s skip to the right advice—the first thing to know is if that happens, unplug your computer, just press the power button down for five seconds and reboot it and it’ll go away. Why? Because that’s really just a little piece of JavaScript that probably got downloaded when you were on some website. You clicked on an ad, and embedded in that ad is a little piece of JavaScript. A week later, a popup happens.

It’s benign, unless you call the number. If you don’t know that, though, you freak out. And by the way, the message is saying, “Whatever you do, don’t turn off your computer.” Then you’re now talking to a boiler room in India that claims to be a Windows support team or whatever. That’s a really important tip. Again, it’s a threat of loss approach. People freak out. They go into the ether.

Probably the most convincing call I got was from someone claiming to be from my power company. They had forged the caller ID of the power company. Normally, I wouldn’t have known it, but I had just called it the day prior for some legitimate issue.

I recognized it as the phone number and this, “Hey, we’re calling from the power company. We’re on the way to shut off the power right now if you don’t pay with gift cards.” Ultimately where it got. I was in some sense surprised that they had actually forged the caller ID of the organization that they were claiming to be.

That actually happened to a friend of mine just recently. He got a phone call from what he thought was his bank with the caller ID being the 800 number of his bank. “Oh, we need you to do this and this, and log into your account, and OK, give us this. To make sure you’re the right person on the line, we’re going to send you the six-digit security code and just read it back to us.”

At some point he’s like, “Well, no, no, no, no.” At some point in the process, he realized, “There is something wrong here.” Called the bank, changed the username, changed the password, changed all of his account numbers and everything. The caller ID was one of the things that would’ve been a red flag to him, but because the caller ID was right, it was that reinforcement that it was a legitimate call.

Absolutely. This is another big thing I try to tell people is, how many of you in the audience believe that caller ID will tell you who is calling? And every single hand goes up. I’m like, “Don’t do that.” “Why?” “Because it’s so easy to spoof.”

I gave them the example of, I have this thing called spoof card, which is just an app that’s on my phone. I think I paid $5 to download it, download some amount of calls, and there are a ton of these. This is just one example. On this app, it has a line that says the number you want to call, so I could put your number in. Right below it, it has a line that says the number you want to appear when the phone rings. You can put any number you want in there, and that’s the number that will appear.

Now, again, the FCC has clamped down a little bit, and they have this new law or this new list called the Do Not Originate List. Certain government agencies like the Social Security Administration number, the IRS number, FTC, some of these government agencies that have been spoofed are on that.

All it really means is if you get caught using it, spoofing the Social Security number and they catch you, there are more penalties. But they still do it. How do I know that? Because we get caller ID on almost 350,000 phone lines. The Medicare 1-800 number is on the Do Not Originate call list, and I get that showing up all the time.

What I don’t understand, and you’re more familiar with the system, is why Caller ID can even be spoofed. If I am a business and I own this block of DID numbers, why can’t I say, “Phone calls from my organization will only come from this provider”? “Don’t ever allow someone to use a caller ID from a different provider pretending to be my organization.”

I think it’s a matter of how difficult it is to Whac-A-Mole. It’s hard to enforce.

Well, I mean like a technical solution, like the call just won’t even connect.

Yeah, but who does that? Who would use it? They are going after these telephone companies that are the middlemen, that are facilitating all of these scam operations, but there are so many of them and they’re global. They’re all over the world, so it’s really a challenge.

Some people have asked me before, “Why is it legal to spoof a number at all to begin with?” I guess that’s what you’re asking, too.

And I work for a company that made a bunch of phone calls, and I think I know the answer to it, but I’ll let you answer it.

Well, there are some legitimate ones, like if you’re a psychotherapist, you’re a therapist, you’re a medical person, or you’re a doctor, maybe, and you want to call your patient because there’s a prearrangement for a call. My doctor does this all the time. I’ll make an arrangement and she’s calling me from her personal cell phone, but I don’t think that’s the number. I think she has a number that she can use to disguise. She doesn’t want her personal cell phone out there, so I think there’s probably legitimate usage.

This is true for all technological developments. There are always legitimate uses for all of it. It’s just the clever scammers who figure out, “Well, if they could do that for that reason, then I can do it too.”

One of the challenges with the built-in call blocking on phones where it’s, “Don’t accept calls that aren’t in my contact list; just send those ones straight to voicemail.” Well, if my doctor’s office has 16 outbound lines and they’re not faking the caller ID on it, those other 15 numbers aren’t in my contacts list.

Exactly. You might miss a call that’s important.

And those are the calls that are important saying, “Here’s the results of your test,” or whatever the case is; that’s the call that you want. Or if it’s your kid’s school or these sorts of things where the outbound call might not be coming from the same number as the inbound call uses.

It’s really true. I’ve gotten to the point where I just try and tell people any contact, any incoming I get, whether it’s an email, a text, a pop-up, or a robocall that I did not initiate, I assume as a scam. I just assume it is. If it bothers me because it’s my bank and my money’s in my bank, I can always independently log onto my bank account and find out if everything’s fine.

The most frequently spoofed brands right now are Medicare, Amazon, and Spectrum, which is a phone provider. Do you have Comcast down where you are?

Yeah, Cox, Comcast, Spectrum. They’re all available in various places down here.

I got a call a couple of weeks ago, and I actually played this. I actually recorded this call. I noticed in the honeypot that we were just getting bombarded with, “Hi, this is Comcast, and you can get 90% off on your bill.” When this happens, there are thousands of them at a time, tens of thousands of them. I said, “I’m going to start taking those calls.”

I took one and the guy answers. What’s amazing is they’ve copied Comcast’s intake system. It sounds just like you would hear if you were calling Comcast. That part’s really spooky. “Press one if you want to talk to a technician. Press two if….” So I press three to talk to somebody and I say, “Well, I’m calling you about the 90% discount,” and the guy goes, “The what? Ninety?”

I think he was onto me, because then he goes, “Maybe I’m mistaken.” And he goes, “Maybe you were mistaken. Who do you think you are? Barack Obama?” For some reason, he said, “Who do you think you are? Barack Obama?” So I finally said, “OK, well how long have you been scamming people?” And he goes, “Oh, for years.” He just admitted that he was scamming people.

I’m like, “Well, do you enjoy it?” And he goes, “Oh, very much so. I very much enjoy it.” I go, “Well, how do you make money off of this? How much do you suck a lot of people into this?” He goes, “I’m not going to talk to you about it.” I’m like, “I just want to know how you make money.” He goes, “I’m not going to tell you. Scamming is my art. If you can’t figure out how I make money, then you’re bleepity bleepity.”

Usually, when you confront somebody like that, they just hang up. But he was very feisty and argumentative, and just perfectly willing to say, “I’ve been scamming people for years. Love it. It’s my art. It’s my profession.”

I can understand that if you’re running a scam call center out of Bangalore, you’re not super worried about the guy in Southern California or the Pacific Southwest. You’re not concerned about whether or not they really know you’re a scammer. Joe Consumer’s not going to come flying halfway across the world.

No, they’re not. There’s some debate about this. There are examples you were talking off camera where the workers are being exploited, some cases murdered. By and large, it’s been my belief that the scammers don’t do that violence.

For example, years ago there was a woman. This Jamaican left a message saying, “Do you want me to come over there and burn your house down?” This really scared her, legitimately scared her. All I could say was, “They’re not going to do that. Maybe I’m wrong and maybe it’s gotten worse, but I haven’t seen the evidence of it because these scammers follow the path of least resistance. They are lazy. It takes a lot of work to kill someone. You’ve got to go over there, you’ve got to find a gun.”

I’m being facetious about it, but really I’ve interviewed enough of these guys where they’re like, “Look, if they don’t want to go for it right away, I’m onto the next. I just want the money. I don’t really want to kill people. I just want money, and I don’t want to work very hard for it.” Don’t feel like resisting or hanging up is going to put you necessarily in harm’s way. It’s best to just not deal with them.

Are there any new, emerging trends that you’re seeing? Like the Amazon one has been, “Hey, someone bought something on your Amazon account that you didn’t buy.” That one’s been around for years, along with the Social Security and the “We’re going to shut your power off, and you’ve got a virus.” Any new, interesting ones or ones that have surprised you?

Well, speaking of AI, I do have a recording of the Publishers Clearing House imposters. I would call them early adopters of AI. I got a recording off of the honeypot three years ago now.

It’s a recording like, “This is Joe Biden, the president of the United States, calling to tell you you’ve won Publishers Clearing House.” It was a rough recording. It was him. It was definitely him. I remember thinking at the time, this is the canary in the coal mine here, because then fast forward to the night before the New Hampshire primary—you may have heard the story about—and there was a really good recording of him calling Democrats, telling them not to turn out to vote. It was a voter suppression strategy.

It was done by the other side to try and get Democrats to not vote for, I believe Nikki Haley, so that Trump would get more votes. Everybody made a big deal out of that because they thought, “OK, on the eve of the real election, we’re going to see more and more of that.”

One of the things I do in my workshops is I have some software called Descript. I think I paid $25 a month for this, and it helps me edit videos, sound files, and so forth. It also has a pretty sophisticated AI. What I did was I wrote a paragraph about how to avoid identity theft. I read it into a microphone just like we would normally record a message.

But then I also had Descript trained to my voice. They gave me a 15-minute script. I read this 15-minute script into the app, and then applied that technology to the paragraph I had written and pressed a button. It’s me talking, and it sounds just like me.

They go in front of audiences with these two examples, the old way and the new way, and they cannot tell the difference. It’s not uncommon for the AI-generated version to have 75% of the people think that’s the real me. If there’s anything new, I think that’s the frontier. It's going to be harder and harder to tell who’s real and who isn’t.

As the technology gets better, you probably saw those fakes of Tom Cruise online. Up until now, it’s just been people where their face and voice are out online a lot. If now you only need 15 seconds of a voice to do it, now you could envision a time when someone could take one of my kid's recordings on TikTok, imitate the voice, and call the grandparents scam. Something like that. The real fear is that anybody can use AI. That means all the scammers can use it, and it’s going to get dicey.

Are you seeing any of the grandparent scams come in on the honeypots? Or are those just so spear-phishy that they don’t really surface to the top?

Well, like I said before, before they started this business where they were just using one number to call one number, I’ve got all kinds of recordings of grandparent scammers calling. It was unbelievable. There was one day where I talked to five different fake lawyers.

The first call is, “Grandpa, I got in an accident. I was at a wedding and I got pulled over for drunk driving. I hit my nose, which is why you can’t tell that it’s not really me because my voice is different. But I’m in jail and I can’t talk any longer. Here’s the number of my lawyer. Call my lawyer right away.”

That’s how they all roll, because they realize they don’t really sound like Johnny or Chaney or whatever. Then now you’re talking to the lawyer and the lawyer is just giving you the same story, and, “It’s going to take $5000 in bail money, but you’ll get the money back. By the way, can you wire it to me right now?”

We have all kinds of recordings like that of the grandparent scam alive and well, when you think about this whole business of ether. Now I’ve interviewed grandparent scam victims where they said, “Later we looked, and why did we do that? That’s not like us. When Johnny, my grandson, calls, we act first and ask questions later. It’s my grandson. I will do.”

I have two grandchildren now too. I get this. If I thought they were in trouble, maybe I’d sniff around a little more than that guy did, but not much. Not if I think they’re in danger.

And I think that’s the challenge. From the outside, it’s easy to look at someone and say, “I don’t understand logically how you got there and why you did the things that you did.” The issue is, well, that’s right because it’s not about logic. It’s about putting enough pressure on someone to get them to act emotionally and not out of logic. Then once you think that someone’s acting emotionally, of course the process makes sense of why they did what they did.

That’s right. This is why a big challenge in the fraud prevention world is there’s this thing called the illusion of invulnerability. In the health sciences for years, this has been true. People say, “I understand that people get cancer, but I never will.” The illusion of invulnerability. Well, if you never think you’re going to get cancer, then you’re never going to do anything to prevent yourself from getting cancer, you’re more likely to paradoxically get cancer.

The same is true with the fraud space. People want to think they’re smart enough to not fall for it. You reminded me of my colleague, Anthony Pratkanis, who taught right down there where you are in Santa Cruz, University of California. I think he’s retired now. He used to say about this… When people say, “I can’t believe you fell for that,” think of the Pirates of the Caribbean ride. This is his story, so I don’t want to take credit for it. You go into that boat and you suspend your disbelief, and you believe all the things. “That’s really the pirate. That’s really Johnny Depp.” Or no, “That’s the pirate.”

If you’re in that restaurant right across from watching all these crazy people in the boat going, “Hey, pirate, pirate,” ignore these crazy people. How can they believe any of that? Well, that’s because you’re not having your emotions manipulated. You’re not suspending your belief for that short amount of time. You want to be in that fantasy world.

It’s just really hard to convince people that this could happen to them for all of those reasons, and we’ve had that challenge for a long time. Thankfully now, fraud is a bigger problem that we no longer have to convince law enforcement to make it a priority. Everybody thinks it’s a threat now.

Do you generally find that law enforcement is more responsive now than they were, let’s just say, 10 years ago?

Yes, they are. It’s no fault of theirs that they weren’t as much 10 years ago if all kinds of crime and their jobs are really hard. I used to be one of them. My wife still is. My wife’s an investigator now, even to this day. So I sympathize with it.

Now it’s such a direct threat to, not just to consumers, but to every business. In some ways it’s more threatening to the business community because there are these things called business email compromises that you’ve heard of.

What you’re trying to do is there’s a lot more money to be made by scamming an employee of a big company to hand over the HR list or something, than there is just you or individuals. That’s where all of the energy is being placed now. Almost every company I know sends out fake phishing emails to try and test their employees, to see if they’re going to fall for them or not.

It’s funny because some of the fraud fighters, I fell for one a couple of times. It looks so real. It’s embarrassing.

Yeah, but I think it’s important. Like you were talking earlier about once you’re in this position of, “I don’t think I can fall for this stuff,” you’re actually at a disadvantage. I think it’s important if people like you or I say, “Hey, we didn’t catch it 100% of the time.” If you and I who have been in this space for years, or in your case, decades, can’t get it 100% of the time, a consumer who this isn’t their occupation, this isn’t their interest, shouldn’t feel bad about themselves for getting it wrong once.

I’ll give you an example. During the pandemic, I was very freaked out early on. Remember how there was a shortage of everything? Shortage of masks. I went onto Facebook, I saw this display out on Facebook that said you could get three masks for—I don’t know—$30. You could get them in two days. I went for it, and it was a total scam. I got nothing. Thirty dollars goodbye.

What was going on there? Sure, I’m a fraud fighter, but we’re right in the middle of a pandemic. I’m afraid my family is all going to get COVID. At that point, getting COVID meant you’re really sick, and if you’re elderly you might even die. I’m in the ether. Everyone in the whole country, everyone in the whole world was under the ether. The number of COVID-related scams that went on was just unbelievable.

And then all the COVID relief scams. The challenging thing is that the scammers will absolutely take advantage of world events and politics to make it relevant in the moment, or at least the introduction to the scam is relevant in the moment.

I had a guy—shall remain nameless—that I interviewed who was a former scammer. When the pandemic started, he called me in a panic. This is in June of 2020. “What’s the problem?” And he goes, “I’m really worried that I’m going to go back to the scamming business.” I’m like, “Why is that?” And he goes, “Because if this had been any other time when I was active, this would be a career-ending moment.” “Why? Explain that to me.”

He goes, “Because the government is about to give away more money than they’ve ever given away, and they’re not going to ask many questions. I could literally make $10 million in the next 12 months, but I’d be doing it the old way and I’d be scamming people. I don’t want to, so talk me out of it. Talk me off the ledge.”

That was a real wake-up call about what we were facing. On the one hand, you had to stimulate the economy and you had to put this money out there. When the government does that too often, there’s an awful lot of waste that comes with it.

All the bureaucracy and all the friction disappears because of the urgency. Therefore, the ability to catch the fraudsters at the beginning of these things goes away.

I’ll tell you another example of it. This is not AARP talking, my former employer. This is me, Doug Shadel, talking. Since I’ve been monitoring these robocalls, the number of Medicare-related scammers that are out there and the durable medical equipment, like you could get a back brace or you could get pain meds or you could get a knee brace or you could get a free genetic test, I started looking into this going, “What is all of that about, and why are these people getting away with it?”

It turns out that part of the reason Medicare is vulnerable is because when it was created back in the 60s, in order to get it passed, the medical community—basically the doctors—had to agree to pay every bill that comes in within 30 or 60 days. I don’t know which, one or the other, and ask questions later. That is enough of a window.

If you’re somebody who’s selling these bogus genetic tests, DNA tests, these kits, you call somebody out. I took a bunch of these calls so I know how they do it. There was a boiler room in Florida doing it. They had a doctor standing by willing to ask me two questions to qualify me for this genetic kit that Medicare’s going to pay for.

It’s not going to cost you anything. If you agree to do it and you answer all their questions, you just talk to the doctor, you might actually get one of these kits, but then they’re going to bill Medicare $10,000 for it. You only have so many of these durable medical equipment allotments as a Medicare beneficiary. You’re using one up doing this, plus it’s just bilking the system. Because Medicare has to pay within a short amount of time, they are handcuffed to be able to prophylactically see if these are scams or not. Billions of dollars.

And the sure thing that the recipient of the call wouldn’t report it as a scam because they got the back brace.

Yeah, where’s the crime?

It’s taking advantage of a system that’s reimbursing an organization well beyond the cost of what they provided.

Exactly. Plenty of challenges out there.

Are there resources that people can go to to find out what the latest threats are, the latest scams, and what they can do about it? I know AARP has put a ton of resources available.

AARP has this thing called the AARP helpline, and I’ll look the number up while we’re talking here so we can read it. Or you, maybe you can give it to people online. Basically it’s a group of volunteers that we train, and I’ve been involved in training them.

If you think you got a call from a scam or you’ve been victimized and you want some counseling, or you want to know where to go for help, you can call this number, and it’s free. They get something like 2000 calls a week now. This all started back in Orange County where you are. Let me give you that number while we’re talking about it. It’s 877-908-3360.

This helpline started back in the late 90s. I was involved in this thing called the bat task force in Orange County. Law enforcement had this coalition of law enforcement people that were busting boiler rooms in Orange County. They’d go in and would arrest all the people in the room. They’d seize everything in the room, including the call sheets where they were about to call. The victim list, basically.

Somebody got the bright idea, and it wasn’t me, but it was a great idea. “Why don’t we get our coalition of law enforcement together. We’ll call those people and we’ll warn them because those are the most vulnerable people out there.” Those are the people the scammers were about to call. It was called a reverse boiler room.

We did this for, I don’t know, a couple of years. It felt good, but nobody knew whether it really worked or not. Again, we did the study where we had a control group and we had a group that got called.

Then we hired a convicted scammer, who I found in Texas—used to sell oil wells—to call both groups two weeks after the intervention, to see whether the group that got counseling responded at the same rate or less. They responded 50% less. These lottery victims—elderly lottery—we weren’t even sure they were going to remember the call, frankly. Not only did they remember the call, but they were responding at a rate of 50% less.

One thing led to another and eventually that got funded into these helplines that now no longer do outbound calls. They are inbound calls. You can call there and get help. Also, just contacting your local AG if you’ve been victimized is always a good idea to report these things if you get those types of calls.

Always report, please report even if your case doesn’t get solved. At least it helps law enforcement to understand the scope and what’s going on.

Exactly.

Is there any other advice that you have for the audience as we wrap up here today?

No, I think we covered it. That’s pretty much the whole landscape.

Doug, thank you so much for coming on the podcast today.

My pleasure.