Data is continuously being collected and this information can lead to misleading conclusions about an individual. Without proper context, behavior can be misinterpreted. This underscores the need for data privacy laws and stronger protections against data brokers.
Today’s guest is Jeff Jockisch. Jeff is a passionate data privacy researcher dedicated to exploring the evolution of technology, our search behaviors, trust dynamics, and safeguarding of our information. As Managing Partner at ObscureIQ, he specializes in advanced data removal and privacy risk mitigation for enterprises and government organizations.
“In addition to deleting your digital footprint, you have to stop leaking the data. You have to change your behavior.” - Jeff Jockisch
Show Notes:
- [0:58] – Jeff describes his career and what he does in the field at ObscureIQ.
- [3:35] – Instead of taking his career into the compliance field, he took his expertise to the intersection of data privacy and data science.
- [4:40] – Jeff explains what a data broker does and breaks down a recent data breach.
- [5:40] – The legal definition of a data broker is very narrow.
- [6:42] – The data that is collected by data brokers can literally be anything, like health care data, driver's licenses, and viewing habits online.
- [7:32] – One of the worst types of data that is collected is cell phone location data.
- [8:46] – Data tells a story, but pieces might be missing. Data can paint an inaccurate picture of someone.
- [10:18] – Data can be interpreted in different ways.
- [12:41] – Your digital footprint can be deleted. But in addition to deleting it, your behavior needs to change.
- [13:50] – Apps track data automatically for ads.
- [16:31] – All of these companies are collecting our data, but they’re not securing it.
- [19:42] – What can someone do with collected data? The possibilities are endless.
- [21:38] – Data that is collected can also show other people who are connected to you.
- [23:10] – Some things can be deleted, including public records.
- [25:09] – The problem is that the data brokers are massively powerful.
- [27:15] – Check out the links below for resources that Jeff recommends on the steps to take in order to delete the data you are leaking.
- [29:57] – Jeff shares an experience of almost being a victim of a scam.
- [33:10] – Scammers sound totally reasonable in the moment, even when we reflect and feel stupid for making a decision.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- 7 Steps to Reduce Your Digital Dust by 90%
- Tactical Privacy Wire
- Jeff Jockisch on LinkedIn
- A Tactical Privacy Wire on the Creation of Secure Sock Puppets
- Empowering Digital Citizenship with Privacy Video
- Empowering Digital Citizenship with Privacy PDF
Transcript:
John, thank you so much for coming on the Easy Prey Podcast.
Thank you very much.
Can you give myself and the audience a little bit of background about who you are and what you do?
I'm John Sidoti. I've been in IT since what feels like the Stone Age at this point. I started in 1991 just as a tech, and I've worked my way up through desktop, help desk, network design, integration, all the way up through currently an IT director at a small non-profit. It's based in Milwaukee, Wisconsin.
Nice. What got you interested in going into IT?
That's fun. I graduated college in 1991 with a degree in music performance and education.
That's a little bit away from IT.
It is. When I got out, I found that there were no teaching jobs, so I had to do something for a living. I had a friend who worked at a little computer store in New York. They needed a sales guy. I said, “I just need money.” So I started working. I lasted two weeks in sales and the owner of the store said, “You're really bad at this. Do you want to learn how to fix computers instead?”
That's nice of him to give you an option.
It is, but it's that little mom-and-pop shop. I wish it was still there because I would plug the software link. Bob Siner, who owned it at the time, was a wonderful man and a great mentor. I worked there on and off until I moved to Wisconsin. For about 10 years, even when I was working other jobs, I would still go on weekends and work.
It was one of those put me in front of a machine. I found that I enjoyed it and I was good at it. We were building desktops, repairs, and then office setups. You get to learn wiring, networking, servers, you name it. We did it at the time because in the late 90s, you had to learn everything. There weren't the specializations that there are today. I have stuck with it and moved all the way up to the director level.
Nice. That's a very similar story to me. We were talking a little bit before. I was in sales and computers for quite a while before moving on to other things because sales was not my forte, but playing with the machines and playing with networking was always much more interesting. The hands-on stuff was always a lot more fun for me.
It still is today. Even as a director, I keep a couple of pet projects that are just mine. My help desk system, I built it from the ground up. That's mine. If it needs an update, you guys can go do something else. I'm going to work on this one, but I definitely missed that day-to-day hands-on.
I totally get it. This is going to be a slightly different episode than normal, because I'm going to ask you the question that I've asked most of my guests, but I think your answer is going to be a little bit longer, and that's going to be our conversation.
One of the things the audience knows is I really want to de-stigmatize those that have fallen victim to scams, fraud, cybersecurity incidents, because if the experts in the field can't get it right 100% of the time, how can the audience expect to get it right 100% of the time? They shouldn't feel embarrassed or humiliated, but I think the more that we share these incidents, the more we can all learn from it. Hopefully, it'll be less prone to happen. Have you ever had something like that happen to you?
Yes. Previously, tragically, unfortunately yes. End of 2019 into 2020, just before the pandemic shut everything down, as we sometimes do in IT, I made a bad career decision. I left a stable position and took a job at a startup that looked really great on paper. I walk in the door. Monday, I went through my orientation and training. On my way into work on Friday, I got a phone call that said, “We don't think this is a great fit.”
I abruptly found myself out of work. Then the pandemic hit and everything shut down. Finding manager/director roles was becoming increasingly difficult and there was high competition. Lo and behold, I get a message on LinkedIn that I have actually up in front of me. I've saved it for all these years.
This is March of 2020. It says, “I hope this message finds you well. My name is Insert-a-Made-Up-Name. I'm a senior recruiting specialist at a reputable global recruitment firm, and they are recruiting for directors and VPs.” I went, “OK. Awesome. This is exactly what I'm looking for.” I immediately sent a message back and said, “Let's talk.” They wanted my resume. You see where this is going, don't you?
Yup. In another conversation that might be going somewhere else, but this is the Easy Prey Podcast, so we know it's not going in a good direction.
No, it's not going in a good direction. It has an OK ending, though. I promise. I sent him my resume. “OK, this looks great. We have this position that's ready.” They want to interview as soon as possible. “We need to get your resume into their HRIS system, but it's not importing well. We need you to tweak a couple of things.” I'm like, “OK.” I actually understand that because every system's a little different.
I took out some carriage returns, tightened it up, pulled out my bullet points, shifted them over, and sent essentially a text file. They said, “OK, it's still not importing well. Here's what we would like you to do. Send your resume over to this resume format company. For $99, they will make your resume fit into the HRIS system.” At that point, I said, “You want me to do what now?” Up until then, everything felt fine and I'm like, “This doesn't feel right.”
I started to search around a little bit for resume formatting, not thinking it was a complete scam yet. I figured I would try it one more time. I reformatted my resume again and sent it to him. He said, “No, we really need you to go to this company.” I pulled up the company website, and I'm looking at it. Yeah, for $99, they'll reformat my resume. For $249, they will rewrite it for me, which is what they really encourage. I'm like, “I don't like this.”
At that point, I actually stopped. The good part of the story is I did not actually give them any money. But when you're out of work for three months, I jumped on it; my expectation was high. At that point, I went and just did some simple searches. I went to Whois to see how long that website had been there. Each path I went down, I fell for it. Head on the desk; I fell for it.
I found an article on Techalicious by Josh Kirshner that he wrote in 2019 that's how to avoid fake recruiting scams. After reading and going through all the information there, I wrote my own posts on LinkedIn. It's beware the executive recruiter scam because there are a ton of these.
After I stopped talking to this original company, I continued to get emails that were exactly the same and different URLs. In some cases, they were using the same names and the same stock photos. As I'm reading my post, I forgot about the executive recruiting fee, the $1000 that they wanted for an executive recruiting fee.
I wrote this post after falling for it because I figured, you know what? I'm going to share my pain with LinkedIn. I got some responses immediately with people who have gone through the same thing or were going through the same thing with the same company.
Interesting.
Here I am four years later. On the same post, I still get maybe about 20 comments a month, it feels like. They'll either ask, “Does this look like a scam?” Or, “I got a similar scam. They changed the name of the company. Here's the new name of the company.”
Everybody's jumping on this to share information with everybody else, but it's a lot of IT professionals. We’ve all been in the game for a long time, and we're falling for the same scam. You have to know what to look for and actually go and do the work and look for it.
We'll get there in a moment of what we should be looking for. Do you think that you were more inclined to engage with this person because you were in a position of needing a job than if you were already working, you would have just brushed it off?
Not necessarily. They're very well-written and it looks legitimate. A New York City address right in downtown Manhattan in one of the office buildings. If you look up the address, the pictures look professional. Of course they do because they're stock. The copy on the website is well-written and organized. There's no indication that it is written by anybody who is not a college graduate in English.
Interesting.
It looks incredibly legitimate.
Let's go through and talk about some things we should look for. To me, one of those things is contrary to what you just said. It's a wacky address, or the address doesn't really exist, but let's go through what to look for.
A couple of weeks ago—and I alluded to this earlier—I got a LinkedIn message from someone who's retired military and asked me did this email he got look legitimate. The first thing I did was I went to Whois and looked up the domain. How long have they been in business? And how long has the domain been registered? It was three months. I'm like, that's a huge indicator right there.
When you look at their website and read the copy, it's like, “Oh, we've been in executive recruiting for 30 years.” It all looks legit. But when you go in, look at the underlying data, it is absolutely not. If I get one that is from a specific recruiter, can I name names of scammers?
Sure.
The current one going around is Rachel Moore from Synergy Executive Recruiting. The website has a very nice professional picture taken of her. If you search for that, she's got about 35 different names. It's a stock photo. Granted, everybody's headshot looks the same anyway, but when you see it in several different websites with different names, it's not awesome.
Do they have a LinkedIn? Synergy Executive Recruiting doesn't exist. There are several people named Rachel Moore. None of them have that picture. It feels like it's almost—we need to do the due diligence on our end when stuff like this comes in.
In the last week, I've gotten two text messages from obviously people I don't know. “Hey, we're recruiting for a very vague, top-level job or something like that, something that doesn't specify an industry. We think you'd be a great candidate. Can we talk?” It's like, “Yeah, I don't think so.”
I have never, with the legitimate recruiters that I know—I have some friends who are recruiters—they will never text you. They're either going to call you, send you an email, or send you a message on LinkedIn. If you get something on LinkedIn, I'd still do my due diligence and check their websites.
I think a lot of it comes down to if it looks too good to be true, it probably isn't. I feel horrible for the people who actually fall for this because a thousand dollars for a recruiting fee, $99 for your resume, $249 to rewrite it. In the grand scheme of things, it may not feel like a lot of money, but when you're not working, it's a lot of money.
Every penny counts.
And if you are looking for your next big gig. We're all looking for our next big gig. I'm at the director level now. Would I love to be a VP or a CIO? Absolutely at some stage in the next, before I retire. When you're looking at your next big gig, to see something that comes in and starts to get your hopes up, it's like it's designed to make you feel horrible after they take all your money.
I don't think they care about how you feel at all.
I bet that there could be somebody out there who enjoys making other people miserable.
Yes, there are people that are like that. We'll leave it at that. We don't need to go into that. Have you been approached often on LinkedIn with scam recruiters, or is it mostly just email and other platforms?
It's mostly been email. Not so much on LinkedIn; a little more on Indeed. I do see it. I'm not necessarily in the game right now, but I still have all my resumes out there. We all have them. A lot of it is email. It could look legitimate.
I've gotten a couple on LinkedIn where they'll ask if they can email me. I'm like, “Sure. There's an email button right in LinkedIn, what are you asking for?” But I think those are mostly bots. It's hard to tell on LinkedIn, but a lot by email. They spend so much time in social engineering that they know exactly the right words to put in the subject line to make you actually read it and email addresses that look legitimate. I could buy a domain for $1.99 and fire it up for opening a WordPress site.
I forget the name of the company, but I think I got five separate emails over the course of a year from five different companies that all had the exact same website. They set the website up; they just point different domains at it. They don't change anything.
I've seen that a lot with the pig-butchering scams. You get a lot of people who contact me saying, “Hey, I was investing on XYZ platform, and now I can't get my money out. As soon as I try to get my money out, it says that I'm locked out of my account because of some made-up reason.” They'll say, “Here's the website.”
The first thing I'll do is just grab a block of text, do a search for a copy-and-paste on two or three sentences. It's like, “Oh, here's four other websites with the exact same paragraphs on them, on a different domain name, slight variations, they're all three months old or one month old.” It's like, “OK, this is clearly a scam because legitimate organizations are not going to be copying word for word their competitors.”
It got to a point where it was laughable. Once you learn what the markers are, you can see it coming in. A lot of the time, I'll ignore the email, but I'll go check out the website just out of morbid curiosity.
I admit I do that as well, but I'm not clicking on a link in the email. I'm going to copy and paste. I'm going to use a VPN while I do it.
I don't know about you, but I actually have a VMware box that's a Linux system I throw up just to check out garbage.
That's a good, safe way to do it. If something bad happens, you just reset it.
Yeah.
You were talking about markers. You've talked about doing the Whois search and looking at how old the domain name is. I used to tell people like, “Heck, if the domain registration information is private, then you should always be questionable.” I won't go into details, but nowadays there are a lot of good reasons for why people will actually keep that information private to protect themselves. That's not a good marker.
Obviously, if they're claiming to be in business for 30 years and the domain name was registered a couple of months ago, that's a red flag. You talked about doing reverse image searches on the people. What else?
If the domain is less than six months old, because even if you can't see the registrar information or you can't see the actual ownership record, you still know what the date is. For me, that's a big one. If it's three-to-six months old, I'm like, “Yeah, they just put this up.”
If they don't have a direct phone number, which is one of the ones I missed in my original email and on the initial website that I went to, they had no phone numbers. No phone, no fax.
Interesting.
I'm like, “OK, it's an email world.” I don't know about you. I've never gotten a position where I didn't actually phone interview for at least in person. But yeah, no phone numbers.
Interesting. Even if most of the communication was email, at least probably call at some point to confirm something.
Email and any kind of IM lacks inflection. You can't get to know someone's personality over an email. Every recruiter I talked to, they want to get a feel for who you are. I think they have to have a LinkedIn. I don't know any recruiter now who doesn't have a LinkedIn.
How would you go about verifying a LinkedIn account?
LinkedIn does have little checkboxes. Is there a person? Are they tied to the company they say they are? Does that company have a profile? Are there enough posts there to say that yes, they have? The longevity.
A recruiting firm isn't just going to put up a placeholder page. They're going to have posts in there. “We're looking for So-and-So.” “We just hired a new recruiter.” “We got somebody hired at this high-level company.” They want to play themselves up to get people to use them as a service. If there's not a history that you can actually identify, that's another flag for me.
I'm trying to think if I know a couple of people who have worked in recruiting. I tried to figure out a way to say this politely. Recruiting is like the mortgage industry. People work at a firm for a couple of years, then they work at another firm for a couple of years. It's very cyclical, but I don't know anyone who's in recruiting that hasn't worked for five or six different entities in the last 10 years. If they had no history in any recruiting firm other than the one they're at, that would be a red flag for me.
I think I know one recruiter who's been at the same company for about a decade as long as I've been working with him, but he had a couple before that. I guess he's found somebody and settled in. If there's only one entry on their LinkedIn—any junior recruiter isn't going to be recruiting executives anyway. Anything that makes you scratch your head and go, “What?”
If this is a senior position at an organization, it should be a senior recruiter doing the recruiting.
Yeah. We all fall into complacency. It happens. You ignore that part of your gut. If I wasn't out of work then, my gut check would have said, “This is a scam. This is bull. This is somebody trying to get my information.”
I think that's the challenge with a lot of scams. Ninety percent of the time, it doesn't ring true to us. We were talking earlier. If I'm not expecting a package to be coming through customs and I get an email saying, “Hey, this is Bob from the Customs department; we've got a package for you.” I'm not expecting anything. Why would I even respond to that?
But if I happen to have something coming through customs, that biggest thing of all the red flags of why they are getting ahold of me suddenly just aren't there at that moment. If we're looking for a job, a recruiter reaches out to us, even if we haven't been looking for recruiters, it just seems appropriate to the circumstance in life.
Absolutely. Actually, I just had one pop in my head because I was going through what people have asked me over the past couple of years. If the recruiter immediately starts asking for additional information—things like your driver's license—they want to do their background check. They need your Social Security number. Things like this are absolutely red flags. It's one of those thinking back on it.
A recruiter never asked me for my socials, not unless I was a contractor and working for the recruiter. That situation is a different story because they're actually giving me a paycheck. The recruiter doesn't run the background checks; the company does. If they ask for your driver's license, your social, what was the name of your first pet as a child…
If they're asking you any of the typical security questions, it's a red flag.
Or trying to get the information that does that. I try to mask it, but I have an East Coast accent. I live in the Midwest. I've had people ask me where I grew up. I don't necessarily want to tell them because that's just one more bit of information to…
I hate being that paranoid. I really do, but that's the reality of modern compute. People will get any little piece of information they can and try to get ahold of your stuff. They will tell you what you want to hear to be able to get your money, and then they move on to the next person.
I wonder if it's part of us having a certain amount of self-awareness to know what we're looking for in life, so to speak. Is that cynical? That seems really cynical of me as I'm saying that loud.
Yeah, there are things that sound really good in your head. But then when they come out, it's like, “Wow, I sound really jaded when I do that.”
The more people I talk to that are a victim of a scam, that is almost always part of the story.
“My spouse had passed away six months earlier or a year prior, and I was just starting to figure out how to rebuild relationships. This just seemed to be a really nice person that was easy to talk to, that I could start figuring out how to build relationships with.”
It's not that the person was—I’m going to be irresponsibly looking for relationships. It was when these scammers strike an area in our life where we have a need or perceived need, it rings fortuitous to us in our psyches. It's like, “Oh, perfect timing. The universe is conspiring to help me.”
Even though it sounds overly cynical, I think it's the way we need to be. It's not just diligent, maybe it's overly diligent. I'll talk about the recruiter in this case. Instead of the recruiter interviewing us, we need to interview them.
Yeah. “How long have you been recruiting?” Again, if they're doing it over an email, “Hey, let's jump on a call.”
Absolutely.
“Let's jump on a Zoom call where I can see your face.”
There you go.
Yes, it could be an AI deepfake. I know, but at least it's one mitigation step.
You have to do whatever you can to protect yourself. You need to know that you're not talking to some call center in the middle of nowhere with 100 people in a room. I guess the bottom line with all of this is I fell for it. Sharing my story I'm hoping makes it so that other people don't fall for it. Maybe some of what you're trying to do is to destigmatize it.
We all make mistakes. We all want to believe the best, but sharing stories like this helps. I was telling you before, one of my C-suite people got scammed and jumped on a call with me. One of my texts was going through to try and see what the scope of the damage is. She said she felt horrible, she felt dumb. I'm like, “Don't. Let me tell you a story.” Then my story or this story. There's a similar one because you can't just fall for something once.
Facebook message. You can see I play and someone was having a going-out-of-business sale. Looking through the comments looked completely legitimate. I sent them my money and then as soon as I sent it, I'm like, “That was dumb.” PayPal was able to retract it, but still, it was an attractive thing.
Again, to me, the complexity of that of you’re a musician and you got something on Facebook about something that's of interest to you. If someone came to me and was promoting great deals on bass guitars, I'd be like, “OK, sure.” I don't know anything about bass guitar. I have no desire to buy a bass guitar. It wouldn't even register as a second thought into my head as to whether or not it's a scam or whether I should even figure out if it's a scam because it's just noise in the background, so to speak.
This one was the Facebook algorithm because Facebook knows I'm a musician, and it was a sponsored ad, not realizing at that time that Facebook didn't vet their sponsored ads.
I know multiple people who own businesses who have a Facebook page and have done some advertising on Facebook where something happened and the scammer got control of their business page or their ad page. Once you have an account that's set up to do ads, you can do ads for something that's not your page. It doesn't take very long to run ads before people click on them.
I'll see some of these scams come through. Once I figure out what they are, I'll go, “If you could only use your power for good instead of evil.”
I know. The cleverness and the expertise that it takes to have one of these scams be effective to me is if you just applied that somewhere else, you could do remarkably well.
It's the Facebook scam. You get the ad and you look at the hundred or so comments. “Oh, I ordered mine. It arrived in great condition.” You see a bunch of those. As you start looking into it, you realize that all those comments are bots. The time, the creativeness to come up with this, use it for something good. But no, they just want your $99.
Because if I can get $99 from 10,000 people, then it's a lot easier than working for a year or two.
This is true.
As we're wrapping up here, any parting advice for the listeners?
Be careful. If something feels wonky, it probably is. If you have any questions, don't be afraid to ask somebody. If you fall for it, share your experience, because four years later, people are still benefiting from an error I made. If you can have someone benefit from your experience, then maybe at some point it becomes worth it.
It makes the world a better place.
If I can get through with that, I'll take it.
That's the whole reason why the podcast exists. If I can get one person a year not to lose their life savings, that is a remarkable ROI. I'm not getting the ROI, but someone else is getting that ROI. I'm sure multiple people have not lost that $99, that $249, that $999 deal because of your article.
It's a silly little article with 300 reposts, 150+ comments. Granted, the grand scheme of social media, it's small, but those are people that benefited from my experience.
Absolutely. If people want to find that post on LinkedIn, is there an easy way for them to find it? Or should they just go to your LinkedIn account?
Actually, it's really funny. If you google executive recruiter scam, it's the second or third link.
Nice.
But yeah, the easiest thing to do is to find me on LinkedIn. You are more than welcome to send me a request, send me a message, or comment on that post. I will answer any questions you have if you want help trying to figure out, “Is this a scam?” I'd be glad to throw whatever information I can at you.
That's cool, John. I super appreciate you coming on the podcast. We'll make sure to link to your story in the show notes, and we'll also make sure to link to Josh's story as well.
Excellent.
John, thank you so much for coming on the podcast.
All right. I appreciate it. You have a good day.
Thank you.