
Cybersecurity Hacks in 2022 | All The Hacks Podcast


Transcript

If you get a notification from what appears to be an organization of authority, you have to think about it. First, the IRS doesn't email anybody. Police departments wouldn't normally send you an email and go, "Hey, by the way, we think you've committed a crime, so notify us here." What you should do, even if you get one that looks really, really official, contact the specific agency and independently confirm the contact information and then reach out to them and say, "I got the strangest thing. Did you send me something?"

Now, most people don't like to red flag themselves with the IRS, but at the same point, you need to make sure that you're dealing with the IRS and, of course, generally, the only way they deal with you initially is you get a letter. Maybe not a letter you want to receive, but you will get a letter.

They don't call you unless you owe them money. You've owed them money for a very long time. They've sent you notice after notice after notice. You didn't respond, and then you might, might get a call from a legitimate debt collector. There are about three or four that have been designated by the IRS, but again, generally, it's never something where you're asked to do something urgently.

Hello, and welcome to another episode of All The Hacks, a show about upgrading your life, money, and travel all while spending less and saving more. If you're new here, I'm your host, Chris Hutchins, and I'm excited to have you on my journey to optimize my own life by sitting down each week with the world's best experts to learn the strategies, tactics, and frameworks they use for their own lives and their success.

Today, I'm talking with Adam Levin, who's an absolute expert on cybersecurity, privacy, identity theft, and fraud. At 27, he became the youngest director in the history of the New Jersey Division of Consumer Affairs. He later went on to found at least two companies, Credit.com, which focused on consumer credit building and was acquired in 2015, and CyberScout, a global identity and data protection company that helped pioneer the cyber insurance business and was acquired in 2021.

On top of all that, he's the author of the critically acclaimed book, Swiped, How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves, and he hosts the weekly cybersecurity podcast, What the Hack? For many months, I've been wanting to do an episode on everything you need to know about cybersecurity and identity theft, so I'm really excited that I got connected with Adam.

We're going to talk about how to protect yourself from all these threats, what kind of tools and services like VPNs or security keys or credit monitoring are actually worth using. Basically, I want to leave you with everything you need to know to protect yourself online. Adam, welcome to the show.

Chris, thanks so much for inviting me.

Yeah. So just to kick us off, I want to know, what do you think is the most common thing you see most people doing wrong when it comes to protecting themselves online?

Password protocol is terrible with most people. Most people pick an easily decipherable simple password because that's what they can remember, and they use it everywhere.

And unfortunately, what you have to understand is that even assuming that you had the most indecipherable, sophisticated password possible, if it's been exposed as a result of a leak or a breach, then it's discovered, and a discovered password is no good to you anymore. And if it's through your entire universe of websites, it's going to come back and be a nightmare for you.

So you really have to think hard about the kinds of passwords you're going to use. In fact, that's why most people use password managers that want to simplify their lives. But you need to do that because one ubiquitous password in your life is guaranteed to create a problem for you.

I know that in the past, you know, password managers often will tell you this password's been in a breach is there was a site that was like, Have I Been Pwned? Is that still like the gold standard of finding out what passwords of yours have been in a breach or what is it?

It pretty much is. Yeah. Yeah. Have I Been Pwned. And it's not a happy place by any means. And you can also now track your phone number too.

Oh, cool.

Because, you know, the issue is that, you know, for years we've been told that the ultimate skeleton key to your life is your social security number.

And that's pretty much true. But if you think about it now, everybody gives their cell phone number out to everybody. And on top of which it's not something because they're now portable, nobody's going to change their cell phone number. So this is a number that's going to stick with you most of your life.

And it is everywhere. So that's an issue as well.

What's the risk of your phone number being out there? Obviously people can call you, but is it that they could know your number and spoof your number calling customer service and pretend to be you with automated systems or why is having your number out there, you know, as bad or dangerous as maybe your email password, which makes more sense to me why that would be a bad thing.

Well, the reason why having your number out there is a problem is because if you think about it, most people who use multi-factor authentication, the second factor tends to be a code sent to their phone number. But if your phone number is stolen as a result of a SIM swap, which is not as difficult as one would think is for a few bucks, unfortunately, people call people at mobile providers and get them to switch things based on the fact that they go, I'm sorry that I forgot my password and this is my phone number and I just got a new device by the way.

So can you please transfer to my new device? And then all of a sudden you don't get the code. We've had cases where people have lost millions in cryptocurrency because the code was sent to the phone number that had been stolen by a hacker. Now I know in five, 10 years ago, SIM swapping kind of hit all the news and it was a big thing.

Is that still happening as much as it was, or have the carriers gotten better about requiring more information to switch a phone number or is it still a really big concern?

Well, again, if you pay somebody off, it doesn't matter, you know, what kind of protocols you have in place. The carriers are getting better.

And of course, now you have the opportunity to use a PIN as an additional layer of security for someone calling to find out more about your phone. The only problem is that a lot of people, just like we tend to use simple passwords, people use codes like 0000, 1234, 9876.

So it's not that difficult to guess for some of the bad guys.

So it sounds like a quick thing everyone needs to do. If you're not already using a password manager, I mean, go back to basics. That's something you should do. I think most people here have probably heard me talk about password managers enough to hopefully have gotten on the board with that train, but calling your cell phone carrier and making sure you have that PIN set up.

I know I called Verizon once and just said, Hey, can you put me in some sort of more secure version of, you know, an account that can work with some banks, financial institutions, some don't. I also like to change my mother's maiden name and give them a different word or number or any string of characters than an actual mother's maiden name, because that like your phone number is not too difficult to find online.

Are there any other kind of fundamental basics to protect yourself from SIM swapping that people should be doing?

Well, I mean, you know, that also just be very alert. And if all of a sudden you're not getting phone calls or you're not getting texts or something just doesn't feel right, immediately contact your mobile provider.

But you also brought up an interesting thing, too, when you talk about changing your mother's maiden name. I always say to people, listen, when you set up security questions and answers, lie like a superhero. I mean, Clark Kent is not going to tell people he's Superman. Bruce Wayne doesn't run around saying, Hey, I'm Batman.

So if your mother's maiden name is Smith, tell people it's Jones. If you went to Ridgefield High School, tell them you went to Southwick. The key thing is consistency. It's not as if you're doing an interview to get a security clearance for national security. All you're trying to do is create something that will be a benchmark.

So it's not about veracity. It's just about consistency.

Sometimes I just have strings of numbers. You know, I use 1Password and I generate a random string of characters. So it's like, what's your favorite book? It might be, you know, gobbledygook to me. It's just a bunch of numbers and symbols and letters, but it certainly isn't something anyone would guess.

And the same goes for the high school I went to, or my dog's name, or things that you might actually be able to find out online.

No, no, listen, that's a great idea, as they say, the algorithm.

There's a lot of places we could take this, right? I didn't think identity theft is a big area, cybersecurity is a big area.

Maybe we start with credit identity. You mentioned social security number is this protected thing. With the Equifax breach, in my mind, it's like, I'm kind of operating like my social security number's out there. I feel like for, I don't know, one in three Americans now, your social security number is out there.

Is that still as easily accessible such that if someone wants your social security number and they try hard enough, they can probably get it? And if so, what do we do?

Let's face it. I mean, not just Equifax, we're talking about over the past several years, billions, and that's Dr. Evil, pinky to the lip B, billions, billions of files have been exposed through data leaks, breaches, people hitting the wrong key and information getting out there. People just giving out their social security number. I mean, think about every time you go to the doctor's office, the dentist's office, what do they have on the form?

Your social security number, which by the way, you can say, no, I'm not giving you my social security number. They're not going to throw you out because they're either operating with your insurance information or they're going to get a credit card before you ever get out the door. So you don't need to give them your social security number.

You need to say, no, we have to have it for insurance purposes. No, they don't. They really don't. So, but I mean, there have been stories about people at their children's Little League games, they were passing around these sheets and people were filling them out and say, yeah, let me have your social security numbers.

Well, yeah, sure. Here it is. You know, people don't really think about it. They kind of toss it out like you were tossing out rose petals. So I think you have to assume your social security number is out there. You have to assume most of your information is out there.

So it's really about something that I developed with my collaborator, Beau Friedlander, who's also my cohost on What the Hack with Adam Levin. We wrote a book called Swiped, How to Protect Yourself in a World Filled with Scammers, Phishers, and Identity Thieves. We came up with a framework, 3Ms.

How do you minimize your risk of exposure, reduce your attackable surface? How do you monitor so you effectively know that there's a problem and that you have to do something about it? And then how do you manage the damage? So what you're raising right now with the fact that our information is out there is how do you effectively monitor so you know as quickly as possible that you have a problem?

Well, one of the things you do is, as we mentioned earlier, you go to the site Have I Been Pwned and see whether or not your user ID and password has been exposed in a breach. And then looking at the particular breach where it was exposed, you're going to know based on the information that has been provided by the companies that have been compromised how much of your information is out there.

And that's why monitoring is so important. Get your credit report. Look at your credit. Don't just say, "I got my credit report. I did my good deed." Get it. Review it. Be serious about it. If something doesn't look right, contact the credit reporting agency. You need to be looking for things you didn't do as well as things that you might have done that you forgot you did.

But review it and make sure that it says what you think it should say. And if it has additional dates of birth out there for you or different places where you've never worked or different home addresses, these are red flags. So get your credit report. Monitor your credit scores because if your credit scores take a sudden precipitous drop that you can't explain, then it's either one of three reasons.

You didn't pay a bill on time. Not good. You need to know that. You're using too much of your available credit. Not so good. You need to know that. Or you're a victim of identity theft. Really not good and you need to know that. Also sign up for what's called transactional monitoring alerts.

This is from your financial institutions, your credit card companies. It's free and it notifies you any time there's any activity in your account. And if you see activities going on that do not look familiar, then you have to notify your financial institution or the credit card company immediately. But that's one of those red flags.

Also, believe it or not, look at your explanation of benefits statements that you receive from your health insurance company, because a lot of people have discovered that they were victims of medical identity theft because there was a treatment on there or an appointment on there that they never had with a doctor they've never heard of.

So look at that to make sure it was you. And then finally, there are much more sophisticated forms of monitoring that come from the three credit reporting agencies, as well as third-party providers, where they have a number of different things that they're monitoring. You need them to be monitoring your social security number and your most personal information.

And then you need to get things like what's called instant alerts, which is not, "Hey Chris, a few weeks ago, somebody using your information to open an account." But it's, "Hey Chris, somebody is attempting to open an account right now. Is it you? Yes or no?" And then you need to have monitoring that monitors the dark web, because if it shows up that your information is out there, and it will tell you what information has been discovered on the dark web, whether it's an email address, a password, a phone number, account information.

That's why it's important to do that. So the third M is very important, the second M, very important. So just to recap, so I know getting your credit report, freeannualcreditreport.com, you can get it for free. Yes, you do. I believe even right now, as a result of maybe the pandemic, you can get it more regularly than once a year.

You are getting it in some cases, either once a month or once a week, depending upon the credit reporting agency. Yeah. And then a lot of the alerts you talked about are free. I sign up, I have an account with Experian, Equifax, and TransUnion. I get alerts, I don't pay for any of those premium services.

I get my credit score, gosh, I probably have five different ways to get it for free, whether it's Credit Karma, which isn't necessarily your FICO score, but it is a score, or different credit card companies, Amex gives you a free credit score, I think Capital One gives you a free credit score.

Are there any of the credit monitoring and reporting services that you actually should pay for, or are they kind of all a little bit fluffy products that people create for people who are worried, but you can kind of do all this on your own? I know you can freeze and lock your credit, which I do, for free also.

Yes. No, you can do that. That's as a result of an amendment to a banking law that was done a few years ago. But there are services that are worth it, because you really need them to take in-depth dives, and whereas with free credit reports, you can get them frequently, although a little less frequently now.

The important thing is, you really need to keep up to date, and with that payment, you're not just paying for the monitoring, but you're also getting access to a professional that can help you through identity incidents. And that's really the third M, is that how do you manage the damage?

Now a lot of people don't realize that through their insurance companies, some financial institutions, and now more and more through their employers, there are programs available to help you through identity incidents. In some cases, it's free as a perk of your relationship with the institution. In some cases, it's deeply discounted.

In some cases, it may not be. But you have to really think about how important it is to know whether or not you've got a problem and have somebody who can help you through the problem. I get that if you are involved in an incident, it can be helpful to have an expert get through this entire thing, manage the entire process.

But for just monitoring, would you say everyone needs to be using a premium service, or how do you set the threshold for someone thinking, "Okay, I feel like I've got monitors. I get my alerts. I get my transaction alerts. I check my credit every so often. When my score changes, I get an alert." Does the average person in that circumstance who hasn't yet been a victim of any fraud or theft need the premium services?

Well, it depends how premium you want to go, and you have opportunities to select amongst those premium services, and even then, the level of premium service you wish to get. It really has to do with your comfort level, and how alert you are, and how informed you think you are based on the alerts you're seeing.

The truth is, access to a professional to help you through incidents is priceless. It really is. If you talk to a lot of the folks who have been on both sides of the cyber world, they will all tell you that so much information is out there about us right now, that the fact that each and every one of us hasn't become a victim of some form of identity theft is simply because they haven't gotten around to us yet.

It's really a question of supply and demand. I can tell you, having owned a company, well, first a company that was involved in monitoring, and then a company that was involved in managing damage and taking care of people, it really depends on what you want to get out of it, how much you're willing to invest.

It's not a criminally expensive amount if you get the more moderately priced monitoring programs. You really need to know, and you need to know as quickly as possible, and you have to pay attention. I imagine if I Google credit monitoring services, there's thousands. I imagine some are much worse than probably just repackaging what you can get for free for a fee.

Are there particular companies or services that you think are actually providing that added value for their fees? There are. We don't single out anybody specifically, and it's not because I'm being paid by anybody in particular. I really feel like it's a function of, you really need to do your research.

Now, the Consumer Federation of America has a website called, I think it's called idtheft.info. I could be wrong, but just look up Consumer Federation of America. They actually have the majority of the major players in the identity monitoring service world signed up. They signed up for best practices. What they do at that website is they give you a list of questions and answers to think about when you're searching for someone to monitor your credit or to actually help you through a credit incident, and it's really worth it to go to that website.

But there are a number of very good companies that have very good and thorough monitoring programs. But as with anything, take time and do your research. I was hoping I could skip a little of the research and get the answers from you. Are there any companies you know in this space that's like definitely avoid, like companies that are on your blacklist of credit monitoring and identity theft protection?

Are there services where you're like, "Nah, just skip over LifeLock. They're the worst," or something, anyone in the space to avoid? Well, no. Well, see, now you're getting me to actually recommend certain companies. I mean, first of all, okay, I'll give you some. Aura is one that's very good.

LifeLock is very good. I can tell you for years, I've used Experian and Protect My ID, their program, that's very good. My old company, Credit.com, we had a number of products and services that we matched people with that were very good. And I'm sure the folks at Credit Karma and other places can also give you recommendations.

Another place to go, just for just great advice in general, is the Identity Theft Resource Center. They're out of San Diego. Eva Velasquez is the CEO. She's been CEO for a while. They're highly respected, and for those people who don't use paying services and are in trouble and need help and are victims of identity incidents, they actually work with some of the bigger companies and have a deal going on where these companies will help them help people for free.

So the Identity Theft Resource Center, ITRC, is very good. Thanks for giving some information that I know you've been giving a lot. Breaking the rule. Yeah. One thing I was just thinking about, with credit cards, I think a lot of the reason people are not too worried about just putting their credit card number online is that most, if not all credit card companies nowadays, take the burden of the risk of something happening and fraudulent charges.

But one thing I don't think I know, so I'm assuming most people don't, if someone uses your social security number to open a bank account or take out a mortgage or a loan or buy a car, how much of the liability ends up falling on you? Is the risk all the hassle of cleaning it up?

Or is there actually risk that you could be liable for what happens and someone else won't pick up the tab like they might with credit card fraud? Well, we've seen, for instance, situations where people have had their social security numbers used to take mortgages out on their homes. That becomes problematic because you really need attorneys for that and it's not a simple process to have a mortgage removed from your home when the money was actually taken using your information.

Now your insurance company can be very helpful there. That's why check with your insurance company and find out if they have identity protection programs, if it's automatic or you need to bring it on as an endorsement to your insurance policy, oftentimes your homeowner's policy, your renter's policy, and now even they're offering identity theft services through auto owner policies.

But you may need that insurance coverage for that. That you may pay for, but it's not a large sum of money. It's just generally a fee for an endorsement. But no, it can be a problem. We've seen cases, for instance, with Zelle. Now the Consumer Financial Protection Bureau just came out and kind of dropped the hammer on a number of those peer to peer payment apps because so many people have had their information stolen, the app used, or they in good faith used it because they thought they were dealing with somebody real and not an identity thief or a hacker or a scammer and the money's gone.

And of course they do tell you before you hit that button, make sure you know who you're dealing with. But that's changing. But let me take you back to sort of the beginning of identity theft. And in the early days of dealing with identity theft issues, and even to a little bit today, the victim was guilty until proven innocent.

And in fact, the consumer was considered collateral damage. It was viewed as the business was the victim of the identity theft or the fraud. Now with credit cards, you're right, banks, it used to be $50 liability. It's now down in most cases to zero. Debit cards, little different story.

Many of them have good protections, but in some cases, the financial institution will say that before we return your money to you, we have to do an investigation and we have to feel comfortable that you didn't just do something dumb and you're trying to get us to cover your loss.

Fortunately, most people listening here are a big fan of earning credit card points and aren't using their debit card much. But the identity theft, yeah, I'd love to go back. So to the beginning, you were the victim. How has that evolved? Well, it's evolved now that there is a greater understanding of the fact that millions upon millions of people have become victims of identity theft.

And in many cases through no fault of their own, simply their information was on the wrong database at the wrong moment and the wrong person gained access. And now suddenly they're victims of identity theft. And you have so many different levels of identity theft. You have the low hanging fruit, which is account takeover, which has to do with credit cards and debit cards.

Debit cards raise the food chain a little bit. Then you have new account identity theft. That's where someone using your information has gone about the countryside, happily opening accounts in your name with your information, running up the balances and then disappearing into the sunset. And then you get other forms of identity theft, like medical identity theft, where someone using your information gets medical treatment in your name, has a procedure in your name, has appointments in your name.

In most cases, it's a fraud against the insurance company, but it could come back to haunt you depending upon your lifetime allowances. But in cases where insurance wasn't involved, you've had many situations where people get a bill that comes out of nowhere from a medical provider and it's huge.

And they end up having problems with their credit reports and fighting with the medical provider and being sued. There is a greater understanding of that now. There's child-related identity theft, where kids have no idea because they don't check their credit. They don't even think they have a credit report.

Most parents don't check their kids' credit reports, although that's changing. But in that case, I mean, we had one guest on What the Hack, Axton Betz-Hamilton, who's become a very famous expert on identity theft, where she was a victim and her mother was the thief. Her mother stole her identity, her father's identity, her grandfather's identity, had a second life.

Oh my gosh.

And as Axton said, I spent Thanksgiving sitting across the table for 19 years across from my identity thief. And there are a not insignificant number of identity theft victims where it occurs within the family. Foster children, for example, 10% are victims of identity theft because as they go through the foster system, they have a card with their information that's passed from family to family to family.

And in many cases, that information is used to steal their identity. So you have that, and now the government's gotten involved and try to be more helpful in situations like that. Obviously, reporting agencies are much more understanding when it comes to this. But there is a process that you go through.

And if you do it, it could take months, hours of your life. You could end up with no life and no job and no family because you're spending so much time focusing on resolving your identity theft issue. For instance, if you become a victim of criminal identity theft, that's a big problem.

That's where someone using your information commits a crime. There was a movie, Identity Thief, that you may have seen, but they commit a crime. We had a case once, a fellow was driving through the Midwest. He gets pulled over for a busted taillight. All of a sudden, his car is surrounded by guys with guns.

They make him get on the ground. They cuff him in front of his kids. They take him to jail, and he gets out in a couple days. But he needs to get a lawyer, and sometimes it takes a not insignificant amount of time to clear your name if you're a victim of criminal identity theft.

Is there a way that he could have prevented that? Obviously, committing a crime isn't something that's necessarily going to show up on your credit report. But is there a similar thing that monitors, I don't know, I know every time you apply for a job, they run a background check.

Is there like a background check monitoring service to see if things like that are happening before you're- Well, there are some of the services now that will monitor as part of their overall monitoring, whether you've had incidents of a criminal nature, or at least there are warrants out there for you that you might not know about.

But criminal identity theft is something that you can almost do absolutely nothing about. I mean, it's just someone did it, used your information, committed the crime. It's not like, how do you prove you didn't commit a crime, right? That's a little more difficult than someone nailing you for committing a crime.

So it becomes more complicated. That's why it's so important for people to be alert. If you get a notification about something, don't assume if you know nothing about it that it's a mistake. At the same point, don't immediately jump and try to do something about it because it could be somebody committing a fraudulent act and getting you to click on the wrong link or open the wrong attachment as well.

I want to come back to a few things, but when you get that link, when you get that email, I think it's wild to me how many different examples I've seen recently of successfully convincing people that this is the right link, whether it's using some weird font that isn't actually the right font.

I've seen one where someone had the domain registered that was like mail.google.com. So it looks in a small window like it's correct, but then it's mail.google.com.someotheraddress.someotheraddress. So it actually looks like the right prefix, but it's not. So I always say, of course, look at the full URL, look at the full sender.

Are there other things in those moments that are things people could quickly do just to make sure or validate that it's correct?

If you get a notification from what appears to be an organization of authority, you have to think about it. First, the IRS doesn't email anybody. Police departments wouldn't normally send you an email and go, "Hey, by the way, we think you've committed a crime, so notify us here." What you should do, even if you get one that looks really, really official, contact the specific agency and independently confirm the contact information, and then reach out to them and say, "I got the strangest thing. Did you send me something?"

Now most people don't like to red flag themselves with the IRS, but at the same point, you need to make sure that you're dealing with the IRS, and of course, generally, the only way they deal with you, initially, is you get a letter. Maybe not a letter you want to receive, but you will get a letter.

They don't call you unless you owe them money. You've owed them money for a very long time. They've sent you notice after notice after notice. You didn't respond, and then you might, might get a call from a legitimate debt collector. There are about three or four that have been designated by the IRS.

But again, generally, it's never something where you're asked to do something urgently. You never get something the IRS is saying, "Unless you pass right now, we're sending someone to arrest you," or even a phone call. They don't do that. You're always offered an opportunity to have a conversation with an agent and reach a settlement agreement with the IRS, for example.

But that's what scams are based on, and a lot of the scams are very similar. It's like, think of it as the music is the same, but the lyrics change depending upon what's happening in the world or what the scammer or the hacker is trying to achieve. So you really need to set a list of protocols for yourself as to what you do, and protocol number one, stop, read it carefully, calm down, think about what it's saying, and think about whether or not it's logical that you would have received this communication by way of an email, and whether or not what they're asking you to do seems logical within the timeframe they're giving you to respond.

Are there any new tactics? I know SIM swapping made all the news years ago. Is there anything happening right now that you know about because you're in the industry that maybe other people will hear about over the next few years, but would be good to know now?

Well, let's go through some of the scams that exist and sort of match them to what's going on.

First of all, there are healthcare scams that have been going on forever, but in particular, COVID was a petri dish for them, and now monkeypox is becoming a problem as well. And that could be anything from updates, to tracking, to notifications, to here's where you get your vaccine, here's where you schedule your test, these kinds of things.

So you have to be on the lookout for this. Again, as you said, run your cursor over the email address to make sure that where it's coming from looks legitimate. And even then, wherever it's coming from, even if it's a phone call from someone saying they're from the health department, thank them, hang up, independently confirm the right number for your county health department or your state health department, or even the CDC, if you think you're getting a call from the CDC, which I really haven't heard of too many calls coming from the CDC, and then call the real number and speak to somebody and confirm whatever that information that they're providing you.

And remember, in most of these cases, they are never supposed to ask you what your social security number is or getting credit card information from you. You can't pay to get to the head of the line with these. If it's a legitimate government situation and it's involving healthcare, there is a protocol to use and in no protocol that I know of and have ever known of, are you paying something in advance in order to advance your prospects with that?

So you have health, job scams all the time, especially during the great resignation and now with inflation and now with the concerns about whether or not there's going to be a recession. You know, people may be looking for additional jobs there. Go to legitimate, well-vetted websites and make sure that you're communicating with the right organization.

If someone asks you to provide your social security number right off the bat, that's not legitimate. Don't walk, run. So this could be a job board, you see a job you're interested in, you're like, "Ooh, this company is interesting. Maybe I should apply for it." It could just be a totally a fake company that's leading you down a path of interviewing for a job with the purpose of just collecting information about you.

Is that...

Absolutely. Yeah. Or getting financial information by way of, you know, you giving them your credit card information. Let's say it's a secret shopper job and they say, "Well, you know, to get you started, you know, we're going to be laying out some money, but we'd like you to sort of reimburse us for this."

So be careful. You don't want to get involved in anything like that unless you can confirm the legitimacy of it. So always independently confirm. Also confirm that that particular company is actually looking to hire people, which you can do by going to the real website of the organization and then calling the HR department of the company and asking them if they're conducting interviews.

But you have to be very careful about job scams. There was a scam that was going around for a while, disappeared, came back again, the jury commission scam. That's where you get a phone call, someone represents themselves to be from the jury commission. They're polling "eligible jurors" in the district, and if you would be so kind as to provide them with your social security number, they'll be able to let you know whether or not you're eligible or not for the jury poll.

There have been scams where police departments were supposedly calling people and asking them for specific information. Generally police departments just don't call people out of the blue, or if they do, it's a legitimate detective, they may be asking you questions, but they're not going to be asking for your social security number, your date of birth, or things like that.

Unemployment scams, of course, have been a disaster during COVID. I mean, billions upon billions of dollars have been stolen. My own sister-in-law, who was on one of our episodes, was talking about the fact that she was legitimately notified by her home state of Colorado and by the state of Ohio that somebody using her information had applied for unemployment benefits.

In one case, she found out simply because she received a debit card in the mail from the unemployment agency, which she said, "I'm not looking for a job. I'm fine. I'm not out of work." We've had cases where people found out because someone in their company walked up to their desk in the days when people were actually at their desk and said, "By the way, why did you apply for unemployment? You still have a job here."

So that was going on. You have the tech scams, that's where you get a phone call from someone representing themselves to be from Apple or Microsoft saying that they've noticed that there's a problem with your computer, they are going to direct you to a site where you can download certain software, which will enable them to then come into your computer and check it out and solve whatever the problem is.

Apple and Microsoft, they don't do that, but scammers certainly do that. So be on the lookout for tech scams. Then, of course, in the line of work that you've been talking about too, which is vacations and points and all of that, there have been theft of frequent flyer miles, there have been all kinds of vacation scams, all kinds of rental scams that people have to be on the lookout for, which we can go into further depth if you'd like to do that.

Then there's catfishing, which is huge. Whatever the theme may be, it's still a catfish. What people are trying to do is they're trying to tug on your heartstrings and get you to believe that they care about you, and the whole goal is to get into your life as quickly as possible and as authentically as possible, but yet you never really get to see them.

You never get to really hear them. You may just be communicating with them by text or by email, and then at some point relatively quickly into this relationship, you're suddenly asked for a lot of personal information, or they send you a compromising picture and ask you to reciprocate, which you don't realize that's not their picture, but unfortunately that's your picture you just sent to them, and suddenly you can become a victim of extortion and blackmail.

Or they ask you to provide credit card information so that you can help them get a plane ticket to come visit you. Or we've had cases. We had a woman on our show talking about the fact that she met someone online who even had a terrific LinkedIn profile as a very successful medical professional who had decided to dedicate part of his life to go to the Mideast and then open a clinic there, and somewhere in the first couple weeks that they were getting to know each other, he said, "You know, our equipment has come in. It's held up by customs at the airport. If there's any way that you could help me by sending me $30,000 so I can get the equipment out, that would be great."

Of course, she didn't do it. She wouldn't fall for it, but unfortunately a lot of people do. I mean, we've seen cases where someone was taken to the tune of $2 million by someone who convinced them that he loved them.

And the only way that they found out there was something wrong, which they should have known from the beginning, but was that a financial advisor notified members of their family and said, "Something's going on with your mom. She's taking a lot of money out and sending it overseas. You really need to look into this." And even after confronted with the reality of her situation, she said, "Okay, I understand it's a fraud, but in my heart, I still love him." I mean, this is how deeply they ingrain themselves into your life.

And then another scam, and I won't go on forever, but another scam are charity scams. And this is where they'll take the issue of the day, whether it's the Ukraine, it's a natural disaster, it's a crisis somewhere in the world, it's children. Any one of those topics, whatever is in the news, they will use it.

They will convince you that they are the newest, best, most successful, most respected organization in the space. And could you please give them credit card information or send money to this? And it's not real, it's a fraud. That's really interesting. So I've been a little familiar with some, not all the others.

When it comes to the frequent flyer miles thing, if you Google my name, there's some articles about having a lot of points and miles. And so I have been a victim of, I guess, theft of points, I guess, which we talked about maybe coming on your show. And if that happens, definitely go check it out.

I'll tell the full story. Absolutely. Absolutely. But in short, it led me to... That's what set me down a path of really locking down all these accounts, because someone was able to call Chase and get Chase to let them order things with points on the internet. The craziest thing, and I have still today don't understand it, was they ordered an Apple laptop using my points, but they shipped it to my house.

Now, maybe the plan was to come to my house and kind of pick it up, but they never did. And I just... An Apple laptop showed up. So it was like the strangest fraud, because Chase refunded the points and I had a laptop. I asked Chase what they wanted me to do with it.

And they said, "Try to take it to the Apple store." The Apple store didn't want it. So eventually, Chase said, "The best thing we can tell you is to keep it or donate it. We don't know what to do." Which ended up being a happy story for me, but it was probably payback for the hours of time to mitigate it.

Which comes back to... I want to go back to your first M, which is about minimizing the risk and talk about some of the things people can be doing to prepare and plan in advance of any of this happening. There's a couple areas here I'll go to, but one is around information online.

So I remember back when I was a venture capitalist, this company Fortalice, which I know you're familiar with, was raising money and they offered to run some reports on people in the investing group to show off their product. And they ran this report and I was like, "Wow." It's not that I didn't know there was information about me online.

There's family tree websites, there's white page websites, there's my social media. But when someone pulls all that information together into one place, and you see a list of every address you've ever lived at, every job you've had, all of your phone numbers, all of your email addresses, and then the exact same set of information for your spouse, your siblings, your parents, and they put it all together, you're just a little bit taken aback.

And it made me think, "Gosh, should I be getting rid of this?" Is there a way that consumers can just get a lot of this information off the internet? Or what goes into trying to mitigate this risk and minimize the risk and getting stuff taken away? Well, I could give you my favorite George Carlin line, which it's a mystery, but the truth is that there are things that can be done, but it is a long and arduous and time consuming process.

Because you literally have to go from data broker to data broker and there are procedures you can use, and each one explains it to you, and of course the CFPB, Consumer Financial Protection Bureau, has advice on exactly how to do all of that. But just like when LifeLock started and someone said, "Well, isn't it true that a lot of this stuff people can do themselves?" And the answer, which I thought was a very interesting answer, and I've been a fan of LifeLock, is they said, "Well, sure, you can also change your own oil, and if you want you could maybe even change your own muffler. Do you want to?"

So it really has to do with how much time you're willing to dedicate to it. Some people, it's a crusade, and they will do it because they don't want to pay anyone else to do it, and they will do it. Others will find companies like reputation.com, which is where they will work to get negative information about you offline, or companies like Abine, where they will work with you to actually delete information from the online world.

And now that there is a right to forget in the GDPR, which is the General Data Protection Regulation in Europe, and it's incorporated to some extent in the California Consumer Protection Act, and it is hoped that maybe it will be also incorporated in the American Data Protection Act, which is kind of wending its way through Congress, assuming it can actually find its way through Congress, which is very difficult for us.

As we've seen in the past years, it's very difficult for stuff to get through Congress while the interest is involved, but it still is a process. Now, you can contact Google, for instance, and ask them to remove certain information about you, which they're willing to do, but it's a process.

And even if, you know, this is just like with a credit report, when people would go to credit repair companies, and some of them are good, and some of them are really, really not good, and they would say, "Okay, we will get this information off," and they do, but unfortunately, it was legitimate information, and as a result, when the particular subscribing retailer does an update, the information finds itself back onto your credit report again.

So, you know, think of all of the millions of websites that are out there, and how, unfortunately, over the years, there's been this wholesale sharing of information, or selling information, or lending information, depending upon what the relationship was between these organizations, and it's going to be out there. And yeah, can you get it off, maybe, for a period of time?

Can you get it everywhere? It may take you forever to find out where everywhere is, and there's a new part of everywhere that shows up every day. So that's why you have to say to yourself, "Look, the world I live in, it's a surveillance economy." It just is. We are surrounded by billions of Internet of Things devices, tracking, listening, sending data back to manufacturers, data then being shared, that information also being hacked by hackers.

So that's why you need to really consider the three M's. And among the things you should be doing, assuming that your data is out there, even despite your best efforts to get it off the online world, is everything from long and strong passwords, not shared among websites or password managers, using two-factor authentication, which makes it, again, more difficult for someone to represent that they are you, because they do have to go through that extra layer of whether a code is sent to a cell phone, or you use biotech, not biotech, but you're using thumbprints, eye scans, depending upon the particular device you're using.

I'm a particular fan of thumbprints. They also, multi-factor authentication can involve voice prints. Of course, the issue is what if, God forbid, someone steals a database of a company where they have your voice prints, that could be a problem, too. But again, any layer of additional authentication you can add is important.

It also means you don't click on every link you see. You don't open every attachment, even if you think it's coming from someone you know. I mean, a perfect example, it's a buzzkill, but any time I get an e-card from someone, the first thing I do is I call that person and say, "I know this is a buzzkill, but did you just send... You don't have to tell me what it says. I'll go do it, provided you confirm you really did it."

But again, with the malware that's out there and the ransomware attacks that are going on, you always run the risk that someone you know receives something that they opened that they thought was hysterically funny and terrific, and they're sending it to you, but they didn't realize that it had malware on it, and all they've done is they've shared the love and the hack with you.

So you do run that risk. That's why it's really important to be very careful where you click, what you open. That means, as we talked about earlier, you lie like a superhero when you're setting up questions and answers. That means that you freeze your credit, which is, as we talked about, is free and you can do it.

It means that even the humble shredder, and I don't mean a ribbon cut shredder, because for those of us who saw Argo, as an example, what happens is you can get kids or people hopped up on drugs who will sit there and meticulously tape back up things that have been cut by a ribbon cut shredder.

That's why you need a confetti cut shredder or a cross cut shredder, which turns this into little useless pieces of confetti that no one can put back together again. So these are some of the things that you need to think about doing. Or as we also talked about earlier, that's where the third M comes in, and it's so important, and that is to contact your insurance agent, your financial services rep, or the HR department where you work and say, "If I become a victim of an identity incident, or if I'm worried about it, or I find out that an organization that I've had a relationship with has been hacked, are you going to help me through the incident?" And that's where it's really important.

And a lot of these programs are free, deeply discounted, and worth you signing up for. I'll share a couple others that I've learned in the past, I don't know how many years, that some I've employed, some I plan to. I actually have multiple email addresses. So I have an email address that I just use for financial institutions.

I have never shared that email with anyone. Only financial institutions know it. I've been recommended, though I haven't, to use a separate one for social media profiles. Yes. That was another recommendation, is to just have different email addresses. Look, if you don't have a password manager, I can only imagine how hard that is.

So we're going to go back to your original recommendation, which is everyone needs a password manager. Everyone should be using two-factor authentication everywhere they can. Well, yeah. And you can use Google Authenticator. You can use some of the more, the hardware-oriented, you know, when we talked earlier, you had mentioned one of them, when we talked prior to that.

Oh, yeah. Yeah. I'm a fan of all of my two-factor being one-time passwords that you can put in Google Authenticator, or Authy, or even 1Password. Though I had historically been putting all of my one-time passwords in 1Password, I am now realizing, as convenient as it is for them to copy and paste them, the fact that I'm storing my password in the exact same place I'm storing my two-factor Auth inherently makes it no longer two-factor, because they're in the same place.

So that's the... That's like 1A factor. Yeah. So it's, yeah, I got two types of single-factor. So I'll probably actually be changing that. Do you have an opinion on using security keys versus, you know, like hardware, Yubico, plug-in security keys versus a Google Authenticator and Authy app? Well, you know, there are some people that like it, that like using security keys, but they're generally one-account related keys, as I believe.

Yubico may be more than that, but I think it is one. Oh, so my Yubico key, I actually, I use it with Facebook, and with Google, and with different services. So I can sign into different services. Oh, good. All right. I just, it's such... It's not... It's a lot more hassle to have to carry this thing around and plug it in.

Obviously that comes with security, but it's just one where I'm like, I haven't quite determined that it's worth it. Well, that's like, yeah, because that's the issue is that, you know, you may carry it with you, but then if one day it disappears, it's not helpful to you. Yeah.

Just keep in mind, if you're using Google Authenticator, you lose your phone, you lose those passwords. Obviously, you can usually recover them with backup codes. I definitely recommend writing down those backup codes or using something like Authy, which is a competitor. But I know they actually store those so you can transfer them between devices.

There might be better services. If anyone listening has, by the way, if anyone listening here has any recommendations that we didn't cover or anything, please send them to me because I'm actually, hopefully between now and the time this airs, I'm going to try to put a lot of these into place, test a lot of these services out, and maybe release another little bonus episode with my feedback from trying to do all of this.

Oh, no, that would be great. Just remember, whenever you write down something, put it in some place secure. You always run the risk if you, you know, use a post-it on your computer and someone breaks in your house, you've just given away another key to the kingdom. So. Yep.

I think I'm actually going to try. Well, another tip someone gave me is actually not just emailing these white pages directories online. So, you know, if you just Google your name or your last name and your address in quotes, you'll see the websites that are sharing your address. You can reach out to them and get them to remove things.

A friend of mine recently told me another suggestion, which is to reach out to the MLS and have all of the, or have your real estate agent do it and have the photos of the house that you purchased whenever it was removed from the MLS. Otherwise someone has your address.

They can also then just go look inside your house, understand the entire floor plan. You know, I'm not saying you're a target of someone understanding the layout of your house, but it seems like information that provides very little value to the world for people to be able to look inside every room of your house.

Obviously it's not real time, it's not your cameras, but yeah, so that's something I'm going to be doing.

No, that's important. The other thing is you can actually contact like Google and Apple and say, could you blur my house so that if someone's using maps or whatever, that they can blur it so it's not so easy to go, "Oh, I see. That's where Chris lives. Hmm. Well, that's interesting. I didn't realize he was as close as he is." So these are little tricks of the trade that you can do as well that is another step toward helping you get your stuff offline, or at least less accessible.

I'm trying to think of any other ones that I've done or have thought about.

I have a second phone number on Google Voice that if you're using, unfortunately, I don't know why, but it seems like every financial institution supports only text message or phone call-based two-factor auth. All of the tech companies seem to support using authenticator and one-time passwords, but all of my financial institutions, Chase, Vanguard, they're only text, and it's so frustrating.

So I've got my Google Voice number that I can use. So I'm not using the number that I've given out to so many people, as you mentioned earlier. No. Listen, that's an excellent idea, is Google Voice for calls, so that if you leave... Because as we talked about, the ubiquity of your cell phone number, it's always good to have another phone number.

Another scam that was going on is the Google Voice scam, and that's where you're supposedly doing business with someone online. They go, "Well, I don't really know if I can trust you. So I want to know that you're the real you, that this is really your phone number. So I'm going to send you a code, and then I want you to read me back the code." What they've actually done is they've applied for a Google Voice number using your phone as the point of authentication, and then they will have a code sent to you.

And then they will ask you to read them the code, and that then enables them to contact Google Voice and represent themselves as if they're you.

I've seen the same thing happen with sending an iCloud two-factor code. They just pretend that it's something else. They say, "Oh, I want to confirm it's your identity. Let me send you a code." And they go to Apple, and they go in and say, "Recover my password, send a code," and they just hope that you don't notice that that code actually is from Apple, or that code is from your bank, or something like that. So I'd say, if you're not dealing with a service where you're 100% sure it's the service, which means you called them.

If Verizon calls you and says, "Hey, we'd love to talk to you about your account. We're going to send you a code right now, and then we can get in," I would say, "Thank you, but let me call 611 back and get a Verizon rep before proceeding." That goes into the category of, "No, no, no, no, no." Yes, exactly.

A couple of quick questions just on the computer, while we're browsing the internet. Now that HTTPS is pretty ubiquitous, right? I think if you're not listening, or sorry, you're listening. If you don't already know to look for the secure lock, most browsers will throw off errors if they're not there.

Do VPNs really matter in these days? I know I've heard plenty of ads for them, but I wonder if now that almost everything we do online is HTTPS, if having a VPN really provides a lot of value other than maybe like your browsing activity, what types of things you're doing, whether you're streaming from different services.

Well, a VPN also is very helpful when you're, let's say you're connecting to your business network. Sure, sure. It's always good to use it. If your company has a VPN to get access things, yes, but the idea of, oh, if you're at a public Wi-Fi spot, you need a VPN to make sure people aren't stealing your information.

My understanding is that with HTTPS being so prolific and secure certificates being free, that that's not really a thing people need to be worried about. Well, the only issue is that there have been cases of the secure certificates being stolen. As a result, a VPN is still a good way to go.

I like DuckDuckGo, but there were people that will say to you that if you're going to get a VPN, use one you pay for because they're less likely to sell your information than ones that one day might share your information that are free. That goes back to another thing too, which is read privacy policies and understand what the privacy policy is, terms and conditions.

Now I realize privacy policies in many cases are written in 27th grade English and they're presented to you in mouse print, and there are translators where you can actually go and it'll translate what a privacy policy is. The name of some of them escapes me right now, but this is something we could talk to Travis about, for example, that he might be able to give information on that.

Again, anything that you can do to mask your identity is a good thing because just even something as simple as location services on your mobile device, many websites now scramble the things that would be identified by location services, but many of them don't. The last thing you want is you're publishing pictures and it shows when and where the picture was taken, especially if it involves people doing things they shouldn't do, like exposing their kids too much to people.

Like an example, here we are at Sustance Hutchin Park and it's little Susie's second birthday, and if the location services are on and it's not a site that scrambles them, the issue you have is that somebody could show up one day at that park, find little Susie, and say, "I feel so terrible that I missed your birthday, and I told mommy that I'd be over the park today to see you because I have a present for you. If you just come with me over there, it's in my car."

Then all of a sudden, you have a missing child. Location services, you should be discreet about when you use them, where you use them, and if you can disable them, you do it. Of course, I realize that your GPS system won't work in a few of them.

So turn them on for that, but be careful. Know that they can come back to haunt you. When I got that Fortalice report, they looked at all the photos that had been published on social media by me, by others, around my home address, and all of a sudden there are photos that you didn't know of your friends and your family inside your house and all that kind of stuff.

One of their recommendations was to go back and remove the geo tags from your photos from everything you've posted online. The only other thing that we didn't discuss from tips that I have are going in and doing an audit of things you've authed to your Google account or your Twitter account or your Facebook account.

There are so many websites that say, "Oh, just auth your Gmail," or, "Oh, just auth your Facebook," and some of them, many of them are legitimate, right? I authed my Gmail to Calendly so I can schedule meetings. But doing an audit every so often of, are there services that you've given access to your email or to your social media profiles that you don't use anymore?

Or even, I noticed that recently, I can't remember what service it was, but it's gotten a lot better, right? It used to be all or nothing authentication. Some of them now say, "What do you want to give information? Do you want to give your name, or do you want to give your email, or do you want to give full control to post, delete, and see everything?" And if you authenticated something five years ago, you might not have had the fine-grained detail to be able to choose what you give access to.

So it could even be worth deleting all of them and redoing them to make sure that you're only authenticating the kinds of information you want to the parties you want. You're not wrong about that one at all. And you absolutely should do an audit because it's very important to figure out when you're on a particular site, where your information is going.

I have a good friend who has a new company that he started, which is a privacy company. And what they do is they can scan a website and then show you all of the different places that your data is going, all the different companies that are sucking up your data that you had no idea.

And by data, just to be clear, it's usually IP address and activity, not stealing information off your computer and your files and that kind of stuff. Right. But it's still IP address you can identify. And they once proved, many years ago, they did someone, they were able to identify specifically who they were through analyzing their AOL searches.

And they were able to actually zero in on the individual. And today people will tell you, give me two or three social media entries and one receipt, and I'll be able to tell you who and where. Yep. I remember I worked at a company that was dealing with location data and we were talking to a cell phone carrier and you might not know that just from the towers you're on on your cell phone, the cell phone carriers are logging all of this data.

And unfortunately at the time, maybe not now, they're willing to sell this data. It doesn't have anything to do with you. It's just, there is a device, it's here, but no one knows who. But I remember we did some analysis and it was something like, with a reasonable degree of accuracy, you could figure out where any given phone would be at any given time because you had the history of where it had been.

Now, thankfully that information was anonymous to the person. But if you said, you could say this phone that's often at this address is likely to be here. It was just, it was a little too much. I don't want to get people too scared though. You could listen to this and say, oh my gosh, my kids are going to get abducted.

People are going to find me. They're going to see everything in my house. What message do you have to people that are maybe will help them get out of that feeling of leaving this thinking everything's coming to an end, I should turn off all my technology and never leave the home?

Well, interestingly enough, I've had someone say, well, thank you, Adam, now that I've listened to you speak, I'm going home, I'm going to disconnect everything, I'm going to burn off my fingerprints and I'm going to hide under my mattress. I said, but you can't do that. I mean, unless you're living under a bottle cap at the bottom of Loon Lake and you're completely off the grid, which nobody is, you're out there.

So the question is just be alert, know what the threats are, know what the red flags are and then practice, for example, the three Ms. Do everything you can to minimize your risk of exposure. Like for example, when you get a new internet of things device, which most things are these days, change the password.

Most of them come with manufactured default passwords and probably 98% of those passwords are for sale on the dark web. So change the password to something long and strong. Just read the manual, it'll tell you how to do it. Just like when you get your router in, make sure that the password is what you want it to be, not what someone else wants it to be and make it as complex as possible or use a password manager to help you with the whole thing.

It's really all about two things that people have to understand. Number one, we all have day jobs. We work, we raise families, we're involved in educational activities, philanthropic activities, we own companies, we're busy. That keeps us excited, interested, but also diverted. To a hacker who's not diverted, we are their day job.

This is what they do. Some countries, they come in at eight, they have their lunch break, they go home at 4:30 or five o'clock in the afternoon, and it's a job and they're working for the government. That's how they raise money. That's how they conduct espionage. Others work around the clock and do what they do.

But it is their day job. The second thing to understand is when you look in the mirror, you see you and you go, why would anyone in the world want to steal my identity? Why would anyone care? The answer is simple. You see you, but when they see you, a hacker, a scammer, an identity thief, they see Jay-Z, Beyonce, Adam Levine.

They see somebody who's got something they want that can enrich their lives. This is not to offend anyone. It's not you they're after, but it's your spouse, your child, your parent, an organization that you're involved with, a company that you work for, and you are simply the conduit to get them to whoever or wherever they want to get to.

This is why it's extremely important that you really focus on cyber hygiene. Just like you go to doctors, you go to dentists, you do things that you do to stay healthy, you have to maintain a healthy cyber environment because you're protecting yourself, your family, possibly your company, your coworkers, and millions of innocent consumers that may be doing business with your company.

There was a concept that was raised a couple years ago by the CEO of Microsoft, and I think he was dead right. It's called shared responsibility. It's that we know that business hasn't done enough. We know that government hasn't done enough, and we know consumers haven't done enough to protect each and every one of us from the ravages of cyber issues or identity theft or ransomware.

Each of us has a role to play. With consumers, we didn't ask for it. We're not trained for it. It's certainly not something we want, but it's a reality of where we are, what we do, who we are, and the world we live in. Therefore, it's incumbent upon each and every one of us to do our part because we could be protecting a whole lot more people than just ourselves by doing the right thing when it comes to cybersecurity.

It's not something that you need to be terrified of because it's reality. You're not going to escape it. As a result, it's a question of, just like they say with COVID, we got to live with it. When it comes to cybersecurity, we have to live with it. It is not an individual sport.

It is a group sport. It's a team. In addition to which, you can't take a victory lap for cybersecurity because you could be completely secure at 9 o'clock in the morning and suddenly exposed at 9:01 because somebody clicked the wrong link, opened the wrong attachment, gave the wrong information to somebody.

If we stick together, work with each other, collaborate, communicate, cooperate, we're going to be better off for it. I think there's a much more collegial attitude now that it comes to cybersecurity than ever before. Like you said earlier, with all the information out there, it's only a matter of time before someone decides to pick you as a target.

That's right. You win the lottery. One you didn't even enter. Yeah, but I'd say if you can make yourself a harder target by doing a lot of the stuff we talked about today, then you just move yourself further and further down that list where someone says, "Ah, this person's information isn't very easy to find online.

Let's just skip to the next person where their address takes me a second to find." It's like the whole issue, if you're a burglar, do you break into the house where there's no dog or one where there is a dog where you might not be sure that you're going to come out with both legs?

It's important to do that and a very important rule of thumb, anytime that anybody contacts you about anything and asks you to authenticate yourself for any reason, however plausible or logical it is, hang up. It's one thing if you contact them and they're an organization trying to do the right thing and they're asking you to authenticate yourself, but if they contact you, no good.

Great parting advice. Thank you so much for being here. Where can people stay on top of everything you're learning, all of the latest conversations you're having? Well, come to adamlevin.com, which is where we put a lot of information about the newest, scariest, maybe not so scary, but things you need to know.

We have that on the website. Come to What the Hack with Adam Levin. You can get it anywhere you get your podcasts. Think of it as Car Talk for cyber. There are three of us. We try to have a lot of fun with it. We focus on a lot of important issues.

We bring people on who have either been victimized or have managed to avoid victimization when it comes to cyber or identity theft, and there are a lot of lessons to learn. The whole thing is that this is where scaring is caring and sharing is caring, is that the more people that are willing to tell their stories about what they went through and what the red flags were and how to avoid it, the better it is for you.

We all gain. Well, I'm looking forward to joining you and talking about the fact that people always overlook their frequent flyer accounts. I think, "Let's lock down my bank account," but especially for this audience, you build up credit card points, you build up miles. To have someone go in and take a flight or drain them to buy a computer is the worst, and I've dealt with it.

No, it's not fair. You did the work to get it. Why should somebody get the benefit of your effort? Thank you so much for being here. I really appreciate it, and I enjoyed the conversation. Well, thanks for inviting me. I enjoyed it very much. Let's do it again. - Thank you very much, let's do it again.