Who Is Winning the Scam Game?
Cybersecurity

Hacking Humans

Who Is Winning the Scam Game?

Hacking HumansApr 16, 2026

Why It Matters

Understanding these scams reveals how everyday security controls—like MFA—can be bypassed, putting organizations and consumers at risk. The episode offers actionable guidance on hardening authentication and training staff, making it essential listening for anyone responsible for protecting digital assets in today’s increasingly AI‑driven threat landscape.

Key Takeaways

  • Indian visa holder arrested while collecting $800k gold scam payout.
  • $800k gold equals ~160 troy ounces, size of bowling ball.
  • BPO staff targeted with fake live‑chat login pages, phishing kits.
  • Text‑message MFA is least secure; hardware FIDO2 keys recommended.
  • Deep‑fake video lure tricked employees into creating paper‑airplane task.

Pulse Analysis

The episode opens with a cross‑border gold fraud that saw an Indian work‑visa holder arrested in Louisiana while attempting to collect nearly $800,000 in physical gold. At current prices, that amount translates to roughly 160 troy ounces—about the volume of a standard bowling ball—illustrating how scammers convert stolen funds into tangible assets that can be moved across state lines. The case underscores the importance of coordinated law‑enforcement alerts and the need for financial institutions to flag unusual gold‑purchase patterns before the loot reaches jewelry outlets.

The conversation then shifts to a rising threat against business process outsourcing (BPO) firms. Attackers exploit live‑chat interfaces and spoofed Okta login pages, using sophisticated phishing kits that bypass conventional multi‑factor authentication (MFA). The hosts rank text‑message MFA as the weakest link, vulnerable to interception and SIM‑jacking, while emphasizing that hardware‑based FIDO2 keys—such as YubiKey or Google Titan—provide cryptographic protection that cannot be harvested through social engineering. Recommendations include monitoring live‑chat traffic, blocking unauthorized domains, and regularly auditing enrolled MFA devices to harden the service‑supply chain.

Finally, the show highlights AI‑driven social engineering, featuring a deep‑fake video lure that persuaded employees to craft a paper‑airplane as part of a phishing campaign. By mimicking a C‑level executive’s voice and appearance, the lure leveraged authority and urgency, achieving a 10% conversion rate. The hosts advise organizations to update training with AI‑generated examples, enforce strict verification protocols for unusual requests, and adopt hardware security keys to eliminate credential exposure. Together, these measures aim to outpace increasingly sophisticated attackers and protect the human layer of cyber risk.

Episode Description

This week, hosts of N2K CyberWire ⁠⁠⁠⁠⁠⁠⁠⁠Maria Varmazis⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ and⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Dave Bittner⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ alongside ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Joe Carrigan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ are discussing the latest in social engineering scams, phishing schemes, and criminal exploits that are making headlines. If you thought you could escape chicken talk, you we're wrong, this week Joe shares some more updates on his chickens. Joe’s got two stories this week, one on a New Jersey man arrested while attempting to collect $800,000 in gold as part of a widespread scam targeting elderly victims, and the second is on a new Google-tracked threat group using social engineering and phishing tactics to infiltrate BPOs and steal corporate data for extortion. Maria’s story is on a conversation she had with Sean Colicchio, highlighting how trusting human instincts, slowing down, and balancing security training can help individuals and organizations better defend against social engineering attacks. Dave’s got the story on a surge in traffic violation scams now using QR codes in phishing texts to trick victims, alongside ten hard-stop rules emphasizing verification, avoiding links or inbound requests, and slowing down to prevent falling for increasingly sophisticated scams. Our Catch of the Day comes from Reddit, where a user questioned a supposed “Google Play Console partnership” email, and the community quickly flagged it as a likely scam—citing red flags.

Resources and links to stories:

⁠⁠⁠⁠Indian in New Jersey on work visa arrested in gold scam, nabbed when he was going to collect $800,000 in gold

Google Warns of New Threat Group Targeting BPOs and Helpdesks

Traffic violation scams switch to QR codes in new phishing texts

[Nepal] Is this “Google Play Console partnership” email a scam?

⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Have a Catch of the Day you'd like to share? Email it to us at ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠hackinghumans@n2k.com⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠.

Show Notes

Comments

Want to join the conversation?

Loading comments...