Tag Archive for: data security

When Caller ID Lies: How the New Zelle Scam Works

I’ve written about hundreds of scams. Crypto. Pig butchering. Nigerian princes so obvious they wear plastic crowns studded with costume jewelry. But there’s a new one, and unfortunately for victims, it’s working incredibly well.

Your phone rings. The Caller ID says “Wells Fargo.” The person on the line knows your name and says they’ve detected suspicious Zelle activity—money being sent to Las Vegas on a new bank account established in your name. Uncharacteristically, they give you information instead of asking for it. Case numbers. Cancellation codes. A long reference ID that you carefully note.

The scammer’s first secret is to overwhelm our brains with data, because we trust details. 

“How do I know this isn’t fraud?” you ask. The response is deviously reassuring: “You’re right to be concerned, so let me transfer you to my supervisor. Please be advised that Wells Fargo will never ask for your password.”

The scammer’s second secret is to mention security and pass you on to higher authority, a tactic to put you at ease so you take your eye off the ball. 

The supervisor comes on. Different voice. Confident. But you’re still suspicious, because you dutifully watch John Sileo’s videos! 😀

The supervisor asks you to google the phone number of the bank branch in your neighborhood. Which you do. The number matches the caller ID on your phone. You know it’s easy to spoof a phone number and use AI to gather personal details, but you’re already invested and the longer you’re on the phone, the more your guard lowers.

The supervisor says it’s easy to reverse the transaction together. And that’s the moment… 

When they start asking you to DO SOMETHING, the alarm bells should ring. There is no “together” in banking. The bank has all the power. All of the information. 

If you hadn’t just hung up, they’d tell you to open Zelle or Venmo and enter an amount: $3000. Then, instead of a phone number, they ask you to enter the “case number” they’ve given you, but to delete the letters off the front end. Which turns it into a 10-digit phone number to which you are transferring money.

Scammers lull their victim into the “task performance” zone, where they are more focused on completing steps than thinking critically.  

This scam, like nearly every type of cybercrime I speak on, isn’t about hacking technology. It’s about momentarily hacking human attention using urgency, authority, cognitive overload and real-life data. And the only effective answer is to build a proper anti-fraud reflex before the call comes in.  

Let’s strengthen your cyber-defense muscle by training people to think critically, recognize red flags, and stay one step ahead of fraud. If your workplace, organization, or community could benefit, let’s explore the options together. Email [email protected]

 

Hacked Minds, Not Systems: Why AI-Powered Fraud Is the New Cybersecurity Crisis

Ransomware hasn’t disappeared—it has evolved. Today’s threat is more sophisticated, more scalable, and far more dangerous: cyber-enhanced fraud. Powered by AI, attackers are no longer just targeting systems—they’re targeting people. And unlike software, humans don’t receive automatic security updates.

While organizations have invested heavily in strengthening their technical defenses, most remain critically vulnerable on the human side. In fact, an estimated 90% of organizations are unprepared for AI-driven, conversation-based attacks that exploit trust, urgency, and authority.

The solution isn’t more alerts or more tools. It’s better human judgment.

That’s where the “Hogwash and Verify” framework comes in—training individuals to instinctively question suspicious requests and verify them through trusted channels. When skepticism becomes a reflex, organizations can prevent catastrophic mistakes before they happen—like a fraudulent $100 million wire transfer.

The New Cyber Reality: From Ransomware to Human Hacking

For years, ransomware dominated the cybersecurity conversation. High-profile breaches demonstrated just how costly system vulnerabilities could be. But today’s attackers have found a more efficient path: bypassing systems entirely and manipulating people instead.

Why? Because it’s easier.

Rather than breaking through firewalls, cybercriminals are exploiting the most unpredictable—and often least protected—part of any organization: human decision-making. A convincing message, a sense of urgency, or a familiar voice is often all it takes.

Compounding the risk is a major insurance gap. Many organizations assume they’re protected, only to discover that policies often exclude losses resulting from “authorized” actions—like an employee willingly transferring funds based on a fraudulent request.

How AI Is Supercharging Cybercrime

Artificial intelligence has dramatically lowered the barrier to entry for cybercriminals while increasing the effectiveness of their attacks.

  1. Eliminating Red Flags
    Gone are the days of obvious phishing emails riddled with typos. AI enables attackers to craft polished, professional, and highly convincing messages—removing the friction that once made scams easier to spot.
  2. Deepfake Technology
    Attackers can now replicate voices and video with alarming accuracy. In one case, an employee transferred $25 million after attending a live video call featuring a deepfake of their CEO.
  3. Scalable Personalization
    AI allows criminals to conduct deep research on employees in seconds. From LinkedIn profiles to company announcements, attackers can tailor messages that feel personal, relevant, and legitimate—making phishing and smishing attacks far more effective.

The Human Defense: “Hogwash and Verify”

To counter these evolving threats, organizations must equip their people with a simple, repeatable mental model:

  1. Hogwash (The Trigger)

This is the instinctive reaction. Any unexpected request involving money, sensitive data, or credentials—especially those marked urgent—should immediately raise suspicion.

Think of it as building a reflex:
Pause. Question. Assume it could be fraudulent.

  2. Verify (The Response)

Once suspicion is triggered, verification must follow—but not through the same channel.

  • Don’t reply directly to the message 
  • Don’t click the provided link 
  • Use a trusted, independent method (like calling a known number) to confirm the request 

This simple two-step process creates a powerful safeguard against even the most sophisticated attacks.

Lessons from the Real World

The impact of cyber-enhanced fraud is already playing out across industries:

  • MGM Resorts suffered a $110 million loss after a hacker manipulated an IT help desk into resetting credentials. 
  • A fraudulent website mimicking Tesla’s branding successfully tricked users into handing over sensitive login information. 
  • In a near-miss at Ferrari, an executive noticed something subtle—a slight inconsistency in tone during a deepfake video call. By asking a personal question only the real CEO could answer, they prevented a major financial loss. 

These examples highlight a critical truth:
Technology alone doesn’t stop attacks—people do.

The Bottom Line

Right now, AI is giving attackers the advantage. They move faster, adapt quicker, and operate without regulatory constraints. While defensive technologies continue to improve, they are not enough to address the growing threat of human-targeted attacks.

Your strongest line of defense isn’t another tool—it’s a trained, alert, and empowered workforce.

Organizations that teach their teams to stop, slow down, and think will have a decisive edge. Because in a world of AI-driven deception, the ability to question, verify, and act with intention is what prevents the next major breach.

And sometimes, all it takes is one person saying:
“This doesn’t feel right.”

 

Want help putting these safeguards in place? Let’s talk: [email protected]

 

 

Are Your Employees Accidentally Leaking Sensitive Data to AI?

In today’s fast-paced, AI-everywhere world, connecting tools like ChatGPT, Gemini, or Claude to your company’s cloud storage—Google Drive, Dropbox, OneDrive—feels like the smart move.

💡 Automate more.
🧠 Think less.
⚡ Move faster.

But here’s what too many companies don’t realize: These integrations, while convenient, can quietly open the floodgates to serious security and privacy risks.

The Unseen Risks Lurking in AI Integrations

When your team links AI tools to company drives, they might think they’re granting access to a single file — but they could be giving away the keys to the whole kingdom.

Take Microsoft’s OneDrive File Picker, for example. Thanks to the way OAuth permissions work, an AI app might get read access to your entire OneDrive, even if the user only intended to share one folder. 😬

Even more concerning? Integrations with ChatGPT and other AI tools can pull sensitive data—financials, HR records, trade secrets—straight into responses, or worse, into training datasets.

And cybercriminals? They love complexity and blind spots. AI integrations are becoming a new playground for exploitation and backdoor entry.

How to Protect Your Data Without Ditching AI

Let’s be clear: we’re not saying ditch AI tools. The productivity gains are real. But you can (and should) use AI responsibly. Here’s how:

1. Limit Access to Only What’s Needed

Don’t link an entire shared drive. Seriously.
Instead, grant access at the folder level, and only to the files needed for a specific task. Less access = less risk.

📚 OpenAI’s documentation backs this up.

2. Opt Out of AI Model Training

Every time your team chats with ChatGPT, they could be sharing confidential data. By default, that data might be used to train future models.

But there’s good news:
You can turn that off.

Go to Settings > Data Controls and uncheck “Improve the model for everyone.”
✅ No more data sharing.
✅ More peace of mind.

As OpenAI spokesperson Taya Christianson put it: “We give users multiple easy-to-access ways to control how their data is used.”

And if you’re an enterprise customer? Your data isn’t used for training at all—unless you say so.

Even with images (yes, DALL·E fans), you can opt out of having them included in future model training via a simple form. Got a lot of content online? Use a robots.txt file to block AI crawlers. Most major AI companies honor it.
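The robots.txt advice above is easy to get wrong: a file that only blocks a path still invites every AI crawler to index the rest of the site. The following is an added example (not from the original post) that parses a robots.txt with Python’s standard-library parser and reports which crawlers can still fetch the site root. The two robots.txt bodies are constructed for illustration; the crawler names are the published user-agent tokens of a few AI crawlers (GPTBot, ClaudeBot, Google-Extended, CCBot), and the list is an assumption you should extend for the crawlers you care about.

```python
"""Check which AI crawlers a robots.txt actually blocks.

Added example, not from the original post. Both robots.txt bodies below are
constructed; the crawler list is an assumption to be adjusted per site.
"""
from urllib.robotparser import RobotFileParser

# Constructed weak configuration: only a single path is hidden, so every
# AI crawler may still index the rest of the site.
WEAK_ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
"""

# Constructed corrected configuration: each named AI crawler is blocked
# site-wide, while ordinary crawlers keep the original rule.
SAMPLE_ROBOTS_TXT = """\
User-agent: GPTBot
Disallow: /

User-agent: ClaudeBot
Disallow: /

User-agent: Google-Extended
Disallow: /

User-agent: CCBot
Disallow: /

User-agent: *
Disallow: /private/
"""

# Assumed list of AI crawler user-agent tokens to audit (extend as needed).
AI_CRAWLERS = ("GPTBot", "ClaudeBot", "Google-Extended", "CCBot")


def parse_robots(text: str) -> RobotFileParser:
    """Parse robots.txt text offline with the standard-library parser."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def crawler_access(text: str, agents=AI_CRAWLERS, path: str = "/") -> dict:
    """Map each user-agent to True if it may fetch `path`, False if disallowed."""
    rp = parse_robots(text)
    return {agent: rp.can_fetch(agent, path) for agent in agents}


def unblocked_ai_crawlers(text: str, agents=AI_CRAWLERS) -> list:
    """Return the audited AI crawlers that robots.txt still lets crawl the site root."""
    return [agent for agent, allowed in crawler_access(text, agents).items() if allowed]


if __name__ == "__main__":
    for label, body in (("weak", WEAK_ROBOTS_TXT), ("corrected", SAMPLE_ROBOTS_TXT)):
        print(f"{label}: still unblocked -> {unblocked_ai_crawlers(body)}")
    # Ordinary crawlers keep the original behaviour under the corrected file.
    rp = parse_robots(SAMPLE_ROBOTS_TXT)
    print("Googlebot may fetch /:", rp.can_fetch("Googlebot", "/"))
    print("Googlebot may fetch /private/report:", rp.can_fetch("Googlebot", "/private/report"))
```

Run this against your live robots.txt (fetch it and pass the text in) as part of the monthly access audit described later in the post; note that robots.txt is a request, not an enforcement mechanism, so crawlers that ignore it must be handled at the web server or CDN.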

3. Stay Compliant (Seriously)

Working in finance, healthcare, or law? Regulations like HIPAA, GDPR, or CCPA aren’t optional.

Regular audits, encryption, and clear data retention policies should be baked into your AI strategy from the start.

4. Audit & Revoke Access Regularly

Set a calendar reminder. Seriously. Do a quick monthly check on what’s connected, who has access, and whether those tools are still needed.

And if something looks fishy? Revoke access immediately.

✅ Bottom Line: Use AI, But Use It Wisely

AI tools can transform how we work — but without proper oversight, they can also become massive liabilities.

With the right guardrails in place, your organization can unlock the full power of AI without putting your most valuable data at risk.

Because when it comes to data breaches?
Preventing one is a lot cheaper (and less embarrassing) than cleaning up the mess after.

Want help putting these safeguards in place? Let’s talk: [email protected]

Cybersecurity Alert: UnitedHealth’s Billion Dollar Data Breach

One in three Americans recently had their healthcare data hacked from UnitedHealth – TWICE. The stolen data likely includes medical and dental records, insurance details, Social Security numbers, email addresses and patient payment information.

UnitedHealth Group’s subsidiary, Change Healthcare (which processes an estimated 50% of all health insurance transactions in the U.S.), fell victim to a ransomware attack that thrust the U.S. healthcare system into chaos as pharmacies, doctor’s offices, hospitals and other medical facilities were forced to move some operations to pen and paper.

Behind the scenes, UnitedHealth Group chose to pay the BlackCat ransomware gang (aka ALPHV) an estimated $22 million in blackmail ransom to restore system functionality and minimize any further leakage of patient data.

Problem (expensively) solved, right? Not even close. After UnitedHealth paid the initial ransom, the company (or quite possibly BlackCat itself being hacked by hackers) reportedly experienced a second attack at the hands of RansomHub, which allegedly stole 4TB of related information, including financial data and healthcare data on active-duty U.S. military personnel.

To take the breach and ransom to an entirely new level, RansomHub is now blackmailing individual companies who have worked with Change Healthcare to keep their portion of the breached data from being exposed publicly. For many small providers, the ransom is far beyond what they can afford, threatening the viability of their business. Some of the larger individual providers being blackmailed are CVS Caremark, MetLife, Davis Vision, Health Net, and Teachers Health Trust.

As of today, even with millions of dollars collected by the hackers, all systems are not up and running.

There are three critical business lessons to take from the UnitedHealth breach:

  1. Ransom payments do not equal the cost of breach. The ransom amount companies pay is a fraction of the total cost of breach. In UnitedHealth’s case, they paid a first ransom of $22 million, but only months into the breach have reported more than $872 million in losses. Operational downtime, stock depreciation, reputational damage, systems disinfection, customer identity monitoring, class action lawsuits, and legal fees will move the needle well beyond $1 billion within the fiscal quarter. Risk instruments like cyber liability insurance can balance the losses, but prevention is far more cost-effective.
  2. There is no honor among thieves. Even when organizations pay the ransom demanded, (and in the rare case that they get their data back fully intact), there is no guarantee that the cybercriminals won’t subsequently expose samples of the data to extort a second ransom. In this case of Double-Dip Ransomware (as I call it), a dispute among partnering ransomware gangs meant that multiple crime rings possessed the same patient data, leaving UnitedHealth open to multiple cases of extortion. Paying the ransom instead of having preventative recovery tools places a larger target on your back for future attacks. If you haven’t implemented AND tested a 3-2-1 data backup plan and a Ransomware Response Plan, do so immediately.
  3. The Human Hypothesis on the Source of Breach. There has been no disclosure to date on exactly how the hackers got into Choice Health’s systems, but my highly educated guess (from seeing so many similar breaches) is that an employee of, or third-party vendor to, UnitedHealth was socially engineered (scammed) to share access into one of their business IT systems. The company will generally report this human oversight and poor training as “compromised credentials,” which tries to make it look like a technological failure rather than a human decision. From there, the hackers “island hopped” laterally to increasingly critical servers on the network. It’s likely that the cyber criminals are still inside of key systems, hiding behind sophisticated invisibility cloaks.

The solution here is to make sure that the heroes in your organization, the human employees who are your first and best line of defense, are properly trained on how to detect and repel the latest social engineering attacks. Over 90% of all successful attacks we see are due to a human decision that leads to malicious access.

All organizations and leadership teams must ensure your Security Awareness Training addresses all the changes that artificial intelligence brings to the cyberthreat sphere. To ignore the alarm bells set off by UnitedHealth Group’s disastrous breach is to risk your organization falling ill to a similar fate.

Anyone in your organization can be the unfortunate catalyst that triggers a disastrous data breach similar to UnitedHealth’s. My latest keynote, Savvy Cybersecurity in a World of Weaponized A.I., teaches the root cause of successful social engineering scams and necessary technological preparation for ransomware attacks. REACH OUT TO MY TEAM TODAY to discuss this vital topic at your next meeting or event.

If you are a patient of UnitedHealth, Change Healthcare, OptumRx or any of their subsidiaries, take the following steps immediately:

  1. Visit the Cyberattack Support Website that UnitedHealth Group established for affected customers.
  2. Make sure that you have a Credit Freeze on your Social Security Number.
  3. If you are an OptumRX customer, call them directly (1-800-356-3477) to make sure that your prescriptions haven’t been affected and that they will ship on time.
  4. Monitor all of your health and financial accounts closely for any changes or transactions. Create automatic account alerts to make this easier.

 

John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Data Breach Expert John Sileo on Fox & Friends – Target Data Breach

Data Breach Expert John Sileo goes on Fox & Friends to discuss the 110 million records breached at Target.

Clean Up Your Online Profile with Fox and Friends

5 Disastrous Decisions that Destroy Small Business – and How to Avoid Them

Interactive Webinar, Sponsored by Deluxe Corporation, Featuring Privacy Expert John Sileo

ST. PAUL, Minn., Oct 04, 2012 (BUSINESS WIRE) — Cyber criminals sabotaged John Sileo’s business – and nearly landed him in jail. Now he’s determined to help small business owners prevent the disastrous mistakes that loom ever-larger in the age of identity theft, mobile computing and social media.

Sileo will share his story – and the lessons he learned – in an hour-long interactive webinar on Tuesday, Oct. 9 at 2 p.m. EST. Titled “5 Disastrous Decisions that Destroy Small Business,” the webinar is sponsored by Deluxe Corporation and designed to provide business owners with simple, actionable tools to help protect their operations and enhance their efficiencies.

To register for the 2 p.m. EST webinar, go to www.deluxe.com/highsecurity.

Sileo is the award-winning author of “Privacy Means Profit,” and has appeared on “60 Minutes” and “Fox and Friends.” He launched his career as a privacy consultant after thieves stole his identity and used it to embezzle nearly a half million dollars from his clients. The security breach destroyed his business and triggered a two-year legal morass.

Now, Sileo is America’s leading professional speaker on identity theft and information control. During Deluxe’s interactive webinar, he will be joined by Susan Haider, executive director, high security product management, Deluxe Corp.

He will share insights gleaned from years of experience, including details on:

  • How Sileo’s business was destroyed by poor decision-making.
  • Mistakes other small business owners have made and how to avoid them.
  • Concrete, actionable steps you can take to minimize your risk now.
  • Human, physical and digital threats to your business security.
  • Targeting skills you can use to design your plan of attack.

Following the presentation, participants can get personalized advice from Sileo and Haider during a Q&A session. Participants also will receive a free copy of “Are Tax-time Identity Thieves Targeting Your Small Business? 5 Defense Strategies,” a white paper written by Sileo.

 

About John Sileo

John Sileo is an award-winning author and privacy speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. His clients include the Department of Defense, Pfizer, the FDIC and Homeland Security. Watch him on Anderson Cooper, 60 Minutes or Fox Business.

His satisfied clients include the Department of Defense, Blue Cross, Homeland Security, the FDIC, Pfizer, the Federal Trade Commission and corporations, organizations and associations of all sizes.

About Deluxe Corporation

Deluxe is a growth engine for small businesses and financial institutions. Over four million small business customers access Deluxe’s wide range of products and services including customized checks and forms as well as website development and hosting, search engine marketing, logo design and business networking. For financial institutions, Deluxe offers industry-leading programs in checks, customer acquisition, regulatory compliance, fraud prevention and profitability. Deluxe is also a leading printer of checks and accessories sold directly to consumers. For more information, visit us at www.deluxe.com, https://www.facebook.com/deluxecorp or https://twitter.com/deluxecorp.

SCAM ALERT: Target Texting Scam

SCAM ALERT! There is a Target texting scam going around. The text looks similar to the one in the picture to the left, and generally says you’ve won a $1,000 gift card if you simply click on the link and collect the money. When you click on the link, it takes you to a Target-looking site that a criminal has set up to collect your private information. The information is then used to steal your identity. In other cases, clicking on the link installs a small piece of malware that takes control of your phone and forwards your private information to the criminals.

 

Where do the criminals get my mobile phone number to text me in the first place?

  1. They purchase it off of black-market sites on the internet
  2. You give your mobile number away to enter contests, vote on reality shows, etc.
  3. You post it on your Facebook profile for everyone to see
  4. Data hijackers hack into databases containing millions of mobile numbers
  5. Most likely, the thieves simply use a computer to automatically generate a text to every potential mobile phone number possible (a computer can make about a million guesses a second).

What can I do to protect myself and my phone?

  • If you receive a text from any number you don’t know, don’t open it, forward it or respond to it
  • Instead, immediately delete the text (or email)
  • If you accidentally click on the link, never fill out a form giving more of your information
  • Place yourself on the national DO NOT CALL list.
  • Stop sharing your mobile phone number except in crucial situations and with trusted contacts
  • Remember when you text to vote or to receive more information, enter sweepstakes or take surveys via text, they are harvesting your phone number.
  • Resist the urge to post your mobile number on your Facebook wall or profile

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust. He is CEO of The Sileo Group, which helps organizations protect their mission-critical privacy. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business.

“Clickjacking” and “Likejacking” – Be Aware!

None of us wants to be part of a scam that allows links to be forwarded as if from a friend, invading their privacy and endangering their sensitive information. It’s not always easy to avoid bad sites, but just by being aware of the problem you can become more adept. The following article is a summary of an original post by Rob Spiegel, E-Commerce Times.

In its on-going effort to mitigate spam activity, Facebook filed a lawsuit against a company that allegedly ran a “likejacking” operation. “We’re hopeful that this kind of pressure will deter large scale spammers and scammers,” said Facebook spokesperson Andrew Noyes. The state of Washington is also applying pressure, having mounted a similar lawsuit against the same company. Both suits were filed citing violation of the CAN-SPAM Act, which prohibits the sending of misleading electronic communications. Facebook and Washington state filed federal lawsuits on Thursday against Adscend Media for “clickjacking,” a form of spamming that fools users into visiting advertising sites and divulging personal information.


“Likejacking” is similar; victims are tricked into using Facebook’s Like button to spread spam. Users believe links to spam sites are being sent to them by friends, and the advertiser collects money from clients for every user misdirected. A prominent example is the indictment in California of self-proclaimed “spam king” Sanford Wallace in August, Noyes said. “Two years ago, Facebook sued him, and a U.S. court ordered him to pay a (US)$711 million judgment. Now he faces serious jail time for this illegal conduct.” Facebook also secured a $360.5 million judgment against spammer Philip Porembski, said Noyes, which “followed an $873 million spam judgment in 2008 against Adam Guerbuez and Atlantis Blue Capital for sending sleazy messages to our users.” The Guerbuez judgment was the largest award ever under the CAN-SPAM Act, he noted.

Clickjacking is a programming technique that employs a seemingly innocent button to trick users into visiting sites unintentionally. Likejacking is a similar technique that utilizes Facebook’s Like button. The technique is also referred to as “UI redressing.” Clickjacking is “quite well understood,” Roger Kay, founder and principal of Endpoint Technologies, told the E-Commerce Times. “It is used by both legit and illegit programs.” Both clickjacking and likejacking are designed to trick users.

“When someone browsing clicks on a site, the site can execute arbitrary code in the browser,” said Kay. “It can set a cookie, say, for Amazon (Nasdaq: AMZN), or do more nefarious things, like inject malware designed to call other malware later.” Clickjacking has been prevalent for years, and likejacking has become similarly entrenched. Many users of Facebook have likely experienced it in the form of a product-related message that seemed to be from a friend. “The use of the technique is widespread,” said Kay. “Consumers need to use better judgment about which links they click on.”

Links can be forwarded as if from friends, and some come-ons are pitched just right to get around the user’s suspicions, he noted. “If you’re the target of a spear phish, then the attack is tailored to you,” said Kay. “So, avoiding bad sites becomes a kind of ninja art everyone must learn.”
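The technique described above works only if the victim’s page can be loaded inside an invisible frame on the attacker’s site, so the standard defense for a site owner is to tell browsers who may frame the page: the legacy X-Frame-Options header, or the Content-Security-Policy frame-ancestors directive, which takes precedence when both are present. The following is an added example (not from the original article or from Facebook) that classifies a page’s framing policy from its response headers, the kind of check a security team runs over its own sites to find pages left open to UI redressing. The header sets are constructed for illustration.

```python
"""Audit HTTP response headers for clickjacking (UI redressing) defenses.

Added example, not from the original article. The response header sets
below are constructed; the classifier looks only at the two standard
defenses, X-Frame-Options and CSP frame-ancestors.
"""


def _parse_csp(csp: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_policy(headers: dict) -> str:
    """Classify who may frame a page, based on its response headers.

    Returns one of:
      'blocked'      no site may frame the page
      'same-origin'  only the page's own origin may frame it
      'restricted'   frame-ancestors names specific allowed origins
      'unprotected'  any site may frame it (no header, or a wildcard)
    """
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors, when present, overrides X-Frame-Options in
    # browsers that support it, so it is evaluated first.
    csp = h.get("content-security-policy")
    if csp:
        ancestors = _parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            sources = [s.strip("'").lower() for s in ancestors]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            if "*" in sources:
                return "unprotected"
            return "restricted"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"


# Constructed responses: each is the header set a page might return.
SAMPLE_RESPONSES = {
    "legacy-only": {"X-Frame-Options": "DENY"},
    "modern": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    # Wildcard frame-ancestors wins over X-Frame-Options, leaving the page frameable.
    "misconfigured": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "none": {"Content-Type": "text/html"},
}


def audit(responses=SAMPLE_RESPONSES) -> dict:
    """Return {page name: framing policy} for a set of responses."""
    return {name: framing_policy(hdrs) for name, hdrs in responses.items()}


def exposed_pages(responses=SAMPLE_RESPONSES) -> list:
    """Names of pages that any site may frame, i.e. candidates for clickjacking."""
    return [name for name, policy in audit(responses).items() if policy == "unprotected"]


if __name__ == "__main__":
    for name, policy in audit().items():
        print(f"{name:14} {policy}")
    print("exposed:", exposed_pages())
```

Pages that carry a login, a payment confirmation or any one-click state change should come back as 'blocked' or 'same-origin'; a 'restricted' result is acceptable only when the listed origins are partners you intend to let embed the page.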

 

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

Whose Device – Yours, Mine or Ours?

Carrying multiple personal devices is a pain and, yet, the fear of giving away critical company data is a nightmare.

For most of us, being connected equals being productive. However, this simple equation becomes complex when one has to juggle personal devices with those issued by our employers. Paramount in an employer’s mind is the protection of the company’s critical and confidential business data but they don’t want to alienate employees by being too restrictive on using their personal smartphones and tablets.

Recent research has found that nearly three out of four adults don’t protect their smartphones with security software, and these same people often use their devices to access social media and websites that attract cybercrooks. Poorly secured devices can be easily accessed by hackers who are becoming ever more sophisticated and ferocious.

This device conundrum ties directly to corporate IT culture and the question of allowing employees to use personal devices to conduct business. The solution ranges anywhere from an outright ban (which employees often ignore) to fully embracing an employee’s choice, while building corporate safeguards to block spam and corrupt application downloading. Some companies permit it with tight controls such as having the ability to wipe the gadgets clean of all information in the case of loss. Of course that means all personal data will be wiped along with business data but studies show employee satisfaction (ergo productivity) is tied to exercising personal preference of devices.

Security and legal teams wrestle with this dilemma constantly in today’s mobile world, and there’s no clear-cut answer. Protecting a company and its clients’ data is essential; but productivity, efficiency, organization and responsiveness are but a few benefits of giving employees their choice of gadget.

Arming those same employees with the safety measures to secure their devices from fraudulent activities is where IT departments can manage risk. Building a parallel strategy that serves both corporate IT and the end-user is not only necessary, it is beneficial to the bottom-line.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.