Episode Transcript
[00:00:00] Speaker A: One thing that I would say is small businesses, beware.
[00:00:03] Speaker B: Absolutely small.
[00:00:04] Speaker A: Definitely beware. This is one where you could almost immediately lose everything.
[00:00:11] Speaker B: Yeah. If your spidey senses are going off like ours were, then back up and make sure that you say, we all know that phishing emails and scammers are out there, but whenever it affects you, it gets a little close to home and reality hits. And today we just want to discuss what happened to us and warn everyone out there about what's really going on in the cyber world and phishing for our data.
[00:00:41] Speaker A: Welcome to the Duster Mud podcast. This is episode 45. My name is Rich, and I'm Shelley, and after 25 years in the United States Air Force, I was a fighter pilot. We retired. I was a colonel, and we decided to start a farm. And airground Farms is our farm. And this is our podcast. A few days ago, I read an article, and the title of the article is North Koreans using ChatGPT to scam LinkedIn users. Attacks are getting very sophisticated. The keynotes from the article are North Korea using AI tools like ChatGPT for sophisticated attacks against U.S. workers. Targets include employees in cybersecurity, defense, and crypto sectors. On platforms like LinkedIn, AI helps create fake recruiter profiles, craft messages, and build trust with targets. This article really piqued my interest, especially with the time that I spent in classified environments in the Air Force. So, as I went further through the article, one of the comments that the article makes is hackers meticulously craft fake recruiter profiles on LinkedIn, engaging in extended conversations to build trust with their targets. Generative AI is crucial in this process, assisting with content creation, message crafting, and identity fabrication. And one of the things that the article highlights is that they're able to use ChatGPT to overcome some of the language barriers that that's really been the way to tell if you're dealing with someone from a foreign country is often that their English just doesn't sound quite right. And so this article highlighted that these nefarious actors, these cybercriminals, are being able to use artificial intelligence in order to overcome some of that language barrier. So that's a bit of background that leads us to an email that we received.
[00:03:01] Speaker B: So, a few days after he reads this article, we get an email. We sell meat online through our website, also through our farmers market. We sell beef, lamb, pork, chicken, eggs, and some milk. And so we get orders all of the time through our website and through our email address. So for an order to come in through our email address, was totally normal. Now, this one, and we've had some big orders before. Now, this one was a little abnormal, but we said, okay, we'll entertain this particular situation. So here is the email that we received on February the 16th.
How are you doing today? My name is Ruben Garcia. I would like to know if you have ground beef for pickup order. If yes, how much is it per pound? Also, are you the owner and what type of credit card do you accept for payment? Thanks. Regard, Ruben. Now, nothing about that initial email was anything out of the norm for us to receive as a small business that sells ground beef.
[00:04:12] Speaker A: So I clicked on it, I replied to it, and basically said, hey, I'm Rich, and yes, I'm the owner. I sort of made some kind of joke about Shelley and being us owning it together and was like, hey, we sell ground beef. You could check the website, but we sell it for $8.50 a pound. And absolutely, we'd love to ship you some ground beef.
[00:04:38] Speaker B: So the next email after Rich's response was quite nice. Thanks for your prompt response. The essential reason for contacting you is my uncle's birthday is coming up on February 25, and I'd like to make an order.
A large order, 220 pounds of ground beef. This person was wanting to order and wanted to send a cold truck to come and pick it up. That was a lot of meat. We kind of cocked our heads, but we got a little bit excited, like, I'll sell you 220 pounds of ground beef. And if you want to send a van, send a van.
[00:05:12] Speaker A: That sounds great.
[00:05:13] Speaker B: We have all kinds of manner of things going on with large amounts of meat, so nothing really crazy, except it was a lot.
[00:05:20] Speaker A: Yeah, but we've sold whole hogs. We sold whole lambs. We've sold whole beef.
[00:05:25] Speaker B: Right.
[00:05:26] Speaker A: A 200 pound order of meat is abnormal, but it's not, like, extraordinary.
[00:05:32] Speaker B: Right? Exactly. So it was all in line with what we do.
It did get a little fishy, though.
[00:05:40] Speaker A: So it was about this point that looking back at the email, I noticed that he said his name was Ruben Garcia, but the name attached to the email, though was Ruben Aquina. And that was, it's one of those where it's like, okay, whatever.
I noted it and then dismissed it and went on about replying to what we thought, man, this is going to be a couple thousand dollars meat order. This is going to be great.
[00:06:07] Speaker B: Yeah. After that, they responded. We said, yep, we can do, can. We can do the order. We have that much beef. And Ruben responded with, thanks for the update and details. Everything sounds good to me. I'm okay with the total cost. Kindly go ahead and send me the invoice. I will be making the arrangement with a delivery van that will pick it up.
Care to read from you, Ruben?
Care to read from it? Well, man, I'm starting to think at this point that perhaps this person's first language is not English, right?
[00:06:49] Speaker A: And we even at this point were discussing this large order and had said to each other, I don't think this person's first language is English. And somewhere in the back of my mind, I'm thinking back to this article that I had just read about cybercriminals using ChatGPT. And I'm like.
And so it still was like spidey senses just starting to tingle a little bit, right? But still, it's the send the invoice, I'll send a truck to pick up the meat.
[00:07:25] Speaker B: And we're like, still nothing out of the ordinary?
[00:07:28] Speaker A: No, nothing out of the ordinary.
[00:07:29] Speaker B: Okay.
[00:07:31] Speaker A: One thing that was sort of banging in the back of my brain as well was, you haven't asked our address or how to get here. We live 3 miles down a dirt road.
[00:07:40] Speaker B: Yes. Or a farm out in the middle of nowhere.
[00:07:43] Speaker A: But our address is on our website.
It was one of those, most people ask, how do I get there? But it's, again, not totally abnormal. There's just a whole lot of things now that are not quite right, but not wrong either.
[00:08:02] Speaker B: So in response to can you go ahead and send an invoice? We did. Rich sent an invoice off. Here's the total. Here's the invoice. There is a button at the top, you can click to pay with your credit card. And here you go. And we got the next reply.
The next reply was, can you set up quickbooksintuit.com merchant on your mobile phone and you connect it to your bank account? It will just take a few minutes to take to download to your mobile phone. And it's good to run credit card. It's easier and faster. Care to read from you?
Those are the exact words on the.
[00:08:48] Speaker A: Email and the intuit. Quickbooks.com was a hyperlink. It was blue. It was ready for clicking.
[00:08:58] Speaker B: At this point, we're obviously savvy enough to know, no.
[00:09:07] Speaker A: I can't tell you how much training I had to sit through in order to continue to email on the DoD system, right?
It was an immediate trigger for me. The click on a hyperlink contained in an email.
And he was driving me to my phone. So had I clicked on that, I know enough now, at least from building our website, I know enough that you can embed a hyperlink on top of any words and that link. Then, although the words said Quickbooks, that link is not going to take me to QuickBooks. That link is going to take me to a website that that hacker has set up and asked me for my bank account information.
[00:09:52] Speaker B: Right?
[00:09:53] Speaker A: Which, had we not been thinking about this, okay, maybe.
[00:09:58] Speaker B: No, I never would have connect. No. Right? No, you never would have connected anything to your bank account ever.
[00:10:04] Speaker A: Some people do, though.
[00:10:05] Speaker B: So here's the point. Number one, if you receive an email from someone that you believe to be legitimate, that person will not put an embedded link into an email. They just won't. If it's your bank or if it's your insurance or if it's someone who says, hey, go here. No, do not click on that thing. You contact your financial institution or whoever it is that they're posing to be, contact those people directly before you click on anything. We all know this. And to me, the phishing emails had kind of come down. The spam emails, it goes to your junk mail. They kind of waned a little bit. We weren't getting as many as we were back 5, 10 years ago, but things are changing.
[00:10:58] Speaker A: This one followed, although not a LinkedIn profile, it didn't follow the article that I had read. Exactly. It was an extended thing.
[00:11:09] Speaker B: Yes. Right.
[00:11:10] Speaker A: It wasn't just an out of the blue, hey, click on this link. No, it was a true hack.
[00:11:21] Speaker B: It fit because we sell meat. We are a farm. This situation. These hackers knew exactly what our business was, and they knew what to ask for. They tried to build the relationship rapport. It's my uncle's birthday.
[00:11:44] Speaker A: To which I replied, we would love to provide beef for your uncle.
[00:11:48] Speaker B: Right.
Building this rapport with you on the other side. And y'all. There's not a human involved in this. These are hackers using very sophisticated ChatGPT bot, large language models, whatever you all want to call.
[00:12:12] Speaker A: Yeah, I mean, there are probably humans involved.
They are just probably not speaking English.
[00:12:21] Speaker B: You think that somebody was on the other side?
[00:12:24] Speaker A: I do. I think that somebody was there.
I think this one was one that they felt like.
I think they call this one like a whale or something.
Sat that we're a business, and if we can get a business to link a bank account, little do they know. But if we could get a business to link a bank account, there's potential there for a big fish.
[00:13:30] Speaker B: Right?
[00:13:30] Speaker A: Okay, so I do think that there was a human there. I think that they were most likely using some type of chat bot to help them with it. Most likely.
[00:13:42] Speaker B: Let's all remember, too, and go back to the old adage. If it sounds too good to be true, it probably is. And with these phishing emails, with these cyber attacks on us coming from other countries, put it in the back of your mind as you're checking your email, as you're getting, I don't know.
Heck, some people don't even check their email anymore.
[00:14:06] Speaker A: Well, one thing that I would say is small businesses, beware.
[00:14:10] Speaker B: Absolutely small.
[00:14:11] Speaker A: Definitely beware. This is one where you could almost immediately lose everything.
[00:14:18] Speaker B: Yeah. Small businesses are in a position of man. You're eager to make the sale, you're eager to get the client. You're eager to move your business forward. But don't be so eager that you're blinded and can't see that this might not be real. Pay attention. Keep your head up. Pay attention to what's really going on. And if your spidey senses are going off like ours were, then back up and make sure that you say, how about we try to contact a real human being on this deal? So one of the things that we talked about right after this was any large orders that come in anytime, I'm going to need to talk to you directly on the phone.
[00:15:05] Speaker A: That was our key takeaway. So I've often talked about as a fighter pilot, you debrief what's going on. That way that you can learn from any mistakes that you made during the sortie. And on this one, our key takeaway, our key learning point was, if it's a large order, we're going to talk to a human, right?
And if there's no one to talk to, then we don't even waste our time.
[00:15:32] Speaker B: Right? Or brain bites or anything.
[00:15:36] Speaker A: Yeah. Well, I hope you found this helpful.
Take our experience. Yeah, experience. I wouldn't even call it a mistake. Just take our experience and use it as a tool in the back of your mind, keep an eye for these types of things. Don't just randomly click on things, especially if you're a small business eager to make that sale.
[00:16:03] Speaker B: Thank you for hanging out with us on this public service announcement today. And until next time. Bye.