Martin Hinton (00:05) Welcome to the Cyber Insurance News and Information Podcast. I'm your host and the executive editor of Cyber Insurance News, Martin Hinton. Today, joining us is Michael Scheumack. Who's Michael? He's the chief innovation officer at IdentityIQ . What does all that mean? Why don't we have Michael tell us? Michael, first of all, thanks for taking the time to join us today. Tell us a little about yourself, a little bit about IdentityIQ and how we got to this moment in your career. Michael Scheumack (00:31) Yeah, Martin, thank you for having me. I'm going to enjoy the conversation, I know. I've been in technology for 25 years, and for probably three quarters of that, been in security and helping consumers with their identity theft issues and problems that arise. I've been in the credit reporting space for two decades. You know, I love, I love the space, but also I'm always wowed by how much fraud there is in it. And, ⁓ you know, the fraudsters continue to get more and more advanced and, and, ⁓ smart about the ways that they, they con people and scam people. And, you know, it's podcasts like this that help bring awareness and education to the public. And I love being a part of it. Martin Hinton (01:18) How much fraud are we talking about? Before we dive into any more detail and hash it out, a lot. Do have any hard numbers or any kind of ⁓ analogies to examples, pardon me, to give? Michael Scheumack (01:30) Yeah, you know, we've seen triple digit growth in more AI driven ⁓ fraud over the past year. And a lot of that is, you know, driven through text message scams. Text message scams are just so heavy right now between toll roads, Amazon deliveries, anything you can name it. Martin Hinton (01:57) Old friends, old friends checking in with you. Hey, what's up? How you been? ⁓ Michael Scheumack (02:02) man, literally about five minutes before we jumped on here, I got a text message asking me how my new job was ⁓ and how I can reply to ⁓ get more information about other job opportunities. Martin Hinton (02:17) So it's big problem. ⁓ It's a problem for ⁓ individuals, for companies. It's a national security issue at times, I suppose. In this space, what's IdentityIQ's mission? What's the role that you guys all seek to fill? Michael Scheumack (02:32) You know, we want to bring awareness. We have very strong monitoring and alerting programs with identity . But mainly, we hope to protect consumers against fraudsters. We have a world-class fraud restoration team that allows consumers to call in, ask questions, and report different incidents. We help people understand if they are being taken advantage of or not. In some cases, you know, it's not necessarily fraud. And we let the consumer know that. But our mission and goal has been to create an environment where consumers have access. know, fraud is not necessarily, doesn't need to be a black box that nobody understands or doesn't know about. And we want to be that relative that you call on a regular basis to come fix your printer, we're that for the identity theft protection space. Martin Hinton (03:36) Outstanding well put so the reason you're here today is is someone in your PR team reached out with Subject line the phrase that got me was ghost students now this isn't kids playing hooky or Pretending to be at school or showing up for first period and checking the assignment box or the attendance box rather This is something ⁓ slightly more new school than old-school ⁓ ghosting so Tell me what it means. What is the ghost student scam? I should be diving with that. It's a scam. There's your, your, there's your, us away. What is, what's going on here? Michael Scheumack (04:11) Yeah, so ghost students itself isn't new. ghost student creating a ghost student in order to scam. funds, ⁓ know, school funding or add more students to your school because you get paid for as many people as are in the seats. That's nothing new. What is on the rise is the stealing of children's identities in order to enable these scams and become more realistic. And so we're seeing more identity theft around Children's personal information to enable these scams and really kind of drive these forward And that's the advancement of a ghost ghost student scam Martin Hinton (05:02) So take me through it. How does that work? mean, what sprung to mind when you were talking just now was the power school hack where they get 60 million student records, if give or take. ⁓ But we see this a lot where K through 12 schools have real issues with resources with regard to cyber security and the resilience that it helps create. But when you see these stories about student records being taken, sometimes I think in the conversations I've had personally, people are... confused by why it matters. So take me through the scam, how an individual or a student or a family could be hurt by it, and how the criminal profits. Michael Scheumack (05:41) Yeah, so the Power School data breach was huge and Power School was used by, I think it's the largest administration tool for schools to use to administrate student grades and just really in kind of administration within the school. so. with that breach came a lot of personal information that was also mishandled and lost. ⁓ And so when you have breaches like that and you lose student information, just the student records and social security numbers, personal information gets out into the dark web, the internet and in the hands of fraudsters. And so when that happens, fraudsters can use it for a number of things related to identity theft children's identity child children social security numbers and personal information is a prime target because most of the time you're not checking your child's credit score or you're not checking their credit report. so, and you have no monitoring on them because they're not 18. And so they don't really worry about it. But when they do turn 18, they'll find that they have thousands and thousands of dollars of student debt in their name and all these accounts that are opened, ⁓ you know, against them in their name. And they have no idea how that happened. And it's it's breaches like the power school breach and others that allow that information to to be exposed and for fraudsters to use it to create new identities. They'll create they'll ⁓ mix identities to create a synthetic identity as well. And. ⁓ And so and you'll oftentimes like I said never find out about any of this either as a parent or as a as a child until you've run that credit report for the first time and then you see all this debt just listed up Martin Hinton (07:45) So let me put on my tabloid journalist hat. You're saying that if a 10-year-old today has their social security taken, date of birth, name, you know, that's probably enough. Someone is then going to go out and create an online identity for that person and get money sent to them via some sort of student loan apparatus. Collect that money over time. And then when that person turns 18 and maybe gets their first credit card or goes to get a student loan of their own, they discover that they're already 50 grand in debt, but they don't know anything about it. I mean, is that literally what we're talking about? Michael Scheumack (08:27) Yeah, 100 % yeah, federal student loans, know, private loans. Private loans are a little bit more difficult because they do they go through a different process to verify identity. But the the federal student loans you can FAFSA. You know, there's a lot of different ways to apply for for federal loans. And that's exactly right. You turn 18, you run your credit report, and you see it's not just student loans that are the target. It's really accounts that are opened in your name and other identity theft impacts. But for the purpose of creating a ghost student, it's ⁓ generally those federal student loans. Martin Hinton (09:13) So the ease with which you can borrow money for higher education has been taken advantage of in the federal case, mean, without getting into whose fault it is, it's the bad actor's fault, let's be clear. But they're taking advantage of a system that was designed to provide the resources, the money for people to become whatever they might be that required college education level classes. Michael Scheumack (09:29) That's right. Yeah, they're taking a positive event or a positive direction that somebody would want to take and they're using it against, ⁓ you know, some unsuspecting child. Martin Hinton (09:50) So what happens, you know, I have two adult children now, but if your child turns 18 and comes to you with this scenario, what do you do? Michael Scheumack (10:05) Well, that's the time to get a fraud specialist or someone that can can walk you through a checklist of steps on what on what actions to take. We At IdentityIQ , have, you know, we want the fraud reported. That's our first step that we ask someone to take. And we help people walk through that. So we want the fraud reported. We want the FTC to know. We want the authorities to know. And then we want to start helping you restore that, your identity. And so we'll walk through whatever scenarios that we need to legally or with the authorities in order to start restoring your identity and also ⁓ find some forgiveness for any of those loans that are taken out. We then put you into a monitoring program that helps you monitor for any more use of your information since it was already used previously, it more than likely will be used again. Martin Hinton (11:07) You- we hear that a lot, once you become the victim of a scam or some kind of fraud, there's a greater likelihood of it happening again. Not unlike if you, I guess, dislocate your knee, there's a greater likelihood of that happening again. Is that just because your information's out there and it's been means tested, if you will, or is there some other explanation for why that frequency is more likely if you've fallen victim once? Michael Scheumack (11:28) Yeah, I don't want to sound ⁓ like a... throwing scare tactics out there, but we 100 % believe that everybody's information has been exposed in one way or another through all of the data breaches that have occurred, especially in the past few years. There's been so many large scale data breaches. And so, you know, that level of exposure just creates a scenario where your information can be used over and over again. If your information is being used successfully without anybody stopping that, then your information will just continually be used over and over again. And so it's just a cycle that'll happen. Martin Hinton (12:12) You know, I really appreciate your, ⁓ the, the couching use there because, know, as I said to you before we started recording, I've been doing this a couple of years now and leaning into this space pretty intensely. And one of the things I've come away with is this sort of concern that sometimes I'm being a bit hyperbolic about the state of cybersecurity from the individual to the enterprise level. And every time I do it, you get people who want to be measured in their language and they don't want to sound like the sky is falling. Yet at the same time, if We're dealing with a situation where every social security number has been put on the dark web. There is a big problem there that should probably be analyzed on a higher level than me for sure. So I guess, you know, am I overstating it there? Michael Scheumack (12:58) No, not at all. It's tough to talk about this subject without sounding like you are trying to create some sort of scenario where you're using scare tactics, ⁓ you know, or sound like a doomsday in some way, but that's really not the case. It's really education and awareness. It moves it from a scare tactic to something that you can handle and deal with when you create awareness. And people oftentimes with technology or cell phones, especially the older generation, they're like, you what I don't even want to use a cell phone or I don't even want to go on the internet. I don't want to do these things. And so they stay away from it. And that's fine. But it doesn't mean that they're not at risk or that they shouldn't understand some of the impacts that they could have on their their identity. Just because they don't go on the internet doesn't mean their identity won't be stolen in some way. And so for for that population, understanding and having education and awareness instead of putting blinders on and really absorbing the information that's available to them and understanding what to do puts them back in power and ⁓ takes the power away from those that are looking to abuse it. Martin Hinton (14:14) Yeah, that's really well put. mean, I think, you know, there's that whole, I mean, I've been in the communications business a long time. There's that whole line that the only thing we ever really do is regret having put off the difficult conversations. like delivering bad news is a big part of being a leader or being in charge of a situation where you have to deliver whatever it might be. That's not, you know, people aren't going to be happy to hear it, but you need to keep that, maintain that idea that all knowledge, and particularly if you're studying an adversary, Knowledge about your adversary is useful to you It's an empowering thing and it is sometimes hard to confront and you want to the joke I've been making lately is move back into a cave and live by a fire and and ⁓ that's it but but I fear that Is not possible for the vast majority of us or I suspect it's not at least So that's really really interesting. What's kind of scale you seeing on this? mean is it it? Michael Scheumack (14:57) you Martin Hinton (15:12) How many people, how many ghost student cases are there a year reported? You mentioned wanting to report and I know one of the big issues in this space is always the under reporting of events. What kind of, mean, do we have a dollar number on the amount of money lost to this in a year? What's the, what are the hard facts about it? Michael Scheumack (15:31) Yeah, it's still under, it's still in research. I haven't seen any hard numbers or hard facts on the exact number of dollar amount that's lost to Go students every single year. you know, the the amount of identity theft ⁓ occurring with children is far is greater than it is with adults. You know, there's old reports that go back to 2000. I don't know. I want to say the early 2000s where, know, it was like 50 times greater, you know, for a child to have their identity stolen. That number has been refined a little bit now from a javelin study that was ⁓ that was put out, which is is like one in 50 kids have their identity stolen or manipulated. And then you get into like the foster care system and kids in the foster care system, their information is being passed around so often and hands are being transferred ⁓ over and over again. And so their information is being used. And for a foster kid, they're supposed to go through some sort of a credit check on a regular basis to understand if there is abuse, but that doesn't always happen. And so with foster kids, it's really left up to who's going to advocate for them. ⁓ so there's a lot of different scenarios that are being researched ⁓ as far as around child identity theft and how those impacts are are growing ⁓ over the years. And so, ⁓ you know, we keep our eye on it, we're watching it, we're trying to understand more around how we can actually help, ⁓ especially in the Go Student scenarios specifically, but I don't have any research on any hard numbers. Martin Hinton (17:33) So one of the things that if you're watching this and you're not terribly familiar with this space, that might sound like we are being hyperbolic. But one of the huge issues with cybercrime and issues like data breaches is that there's an enormous amount of underreporting, both domestically here in the United States and in other places around the world. And that's because it's not required of a lot of people. So if you're the victim of a crime, you can easily not report it. And if you're embarrassed and you lose a thousand bucks, there's a lot of people who won't. The, the humiliation factor or the blaming the victim that people fear. It's very real. And we see it on the corporate level. I think Qantas just announced that their board had taken some pay away from the CEO and other members of the executive level over what was viewed as their responsibility in a data breach that occurred packing that airline down in Australia. So it is, there's the, The reason I ask about hard numbers is because they're hard to come by sometimes in this space. mean, if you're a publicly traded company or if you're in the healthcare environment in America, you got to talk about it. You got to say out loud. A lot of people aren't in that space and they don't have to say, and it creates this real issue with regard to understanding the problem and comprehending it for those of us who aren't in it every day. And it also makes things like the cyber insurance underwriting more difficult for companies that aren't in that reportable space. And that's kind of the topic I want to switch to next is the sort of cyber insurance and cybersecurity sort of melding. And I wonder what you had to say about that just to kick off this new section in our conversation. Michael Scheumack (19:06) Yeah, cyber insurance is definitely an interesting thing because it sounds like it's going to cover pretty much anything that you have, any kind of cyber incident that you have. It's not necessarily true. And so it does give a false sense of security. ⁓ In the cybersecurity space versus cyber ⁓ insurance space, I think that they have to definitely work together and understand each other. ⁓ very well and they are reliant on each other, the two different industries, although I think they fall under the same umbrella. But there are lot of caveats and a lot of, I guess, small print that you have to look at in the cyber insurance clauses. Martin Hinton (19:59) You absolutely need to read that policy because it's, I mean, it's like a lot of other things, right? There are a lot of things in there that are designed to be. clear to you, but you got to read them. I, you know, like carve outs for, you know, I mean, for example, if you policy requires multifactor authentication and in the wake of a data breach, turns out that some people weren't using it. That could very well avoid your policy to cover the ransom you pay for a data recovery, or, you know, you'd have to pay it alone. All sorts of other costs associated with the recovery, which is always the hardest part. ⁓ like credit monitoring for a thousand people whose data was taken from your ⁓ database. it's, ⁓ it is something to be very precise about. And you're not wrong. Like that, that intermingling of insurance and cybersecurity is a lot like the property and casualty days. the, the, isn't historically accurate, but you can imagine an insurance broker at one point going to a warehouse and saying, we'd love to insure you. But let me introduce you to this company over here that installs things called sprinkler systems. Because if we put that in your hay bale factory, which is a silly factory, but they do catch on fire, ⁓ is a better risk for us. And so we'll give you a better rate or maybe we'll even consider insuring you entirely. that's sort of the evolutionary moment, it seems. We get a lot of companies like there's one in San Francisco called Coalition that has what's called active insurance. So it's almost like the insurance company is providing a security guard to stand at your doorway and watch things. it is, it's dynamic and the risks to your point are fast evolving, right? It's not like we know that Florida gets hurricanes for a certain number of months a year and in all likelihood, it'll be in one of those months if a storm comes of any real size. So if you're insuring property along the coast or really anywhere on the peninsula. It is something that has a lot of historical data to help underwrite that risk. And cyber is just not like that. It is the new news of new things. So yeah, those are good points. So I want to move on because one of the things I touched on with regard to when you turn 18 and you find out you've been the victim of cyber fraud is sort of the incident response reality for individuals. There's a famous event example here in New York going back years where the NYPD created a unit that was dubbed by someone as the Apple Picking Unit. And it was because there had been a spike in crimes of people stealing Apple devices. So Apple Picking, you can see where that comes from. So it was a physical crime, though. People actually stealing phones, I presume, of bags or whatever it might have been. This was not a digital crime or an invisible ones and zeros crime to the naked eye, at least. become or you suspect you've had your identity stolen. How might you notice and what are the things you would go through, the steps you would recommend to go through to help you know undo that damage and and right that ship? Michael Scheumack (23:04) Yeah, we recommend that. that consumers check their credit report on a regular basis with whether it's through the free credit reports that you can get through annualcreditreport.com or through a service like ours. But the importance of checking that credit report is because that's gonna be the very first place that you end up seeing an identity theft event. You'll see aliases pop up in your credit report. You'll see. new accounts opened in your name. You'll see a new address pop up on your credit report. it might seem like small little things, but that's definitely a sign that there's something going on with your identity. And you should start to look into it. Then the next. Martin Hinton (23:50) I think that, well, I was going to say, sorry to interrupt, but the simplest way to think about that is if you come back to your house after a weekend away and there's a broken window, it's safe to assume, you know, like it may not have been a criminal, but you should look around and make sure all your things are still there. It could have been a stone thrown by some hooligan or it's the indication. So it's a telltale. It's a canary in a coal mine is your credit report is the first whisper of a problem would be. Michael Scheumack (24:00) 100%. Martin Hinton (24:18) you seeing an alias or seeing an account you don't recognize or it's saying you lived at an address you've never heard of. ⁓ Those are all just little things that should make your spidey senses tingle, I guess. So what's the next? Michael Scheumack (24:31) Yep, the fraudsters count on, you know, procrastination or someone just not paying attention. Majority of people don't check their credit report unless they're going to buy a house or a car or something that where they need their credit and they want to know what their credit score is. And it should just be like a regular almost health check for your financial, you know, your financial world. And so the next step ⁓ for us is if you do see something, then you need to report it. it's either reported to ⁓ your creditors ⁓ if that's where you see the impact, or you report it to the credit bureaus themselves so you can get a better understanding of what occurred. ⁓ You know, if you have questions, we do have a service ⁓ that we offer where someone could call in and ask questions and we help walk them through. Even if they are not a customer of ours, we like to answer questions and, you know, just really kind of educate people on what they might be seeing ⁓ in their credit report, if it's fraud or not fraud. And so that's probably the second step, monitoring your credit report, signing up for some sort of a monitoring service. That's going to alert you quickly. and your speed to action is really important for if you see something on your credit report or if you're alerted to it, your speed to be able to act on whatever you're seeing is important so that it doesn't continue to impact you and or if more accounts will start being opened in your name. The other things we recommend ⁓ that you look for is a change of address. Change of address is huge because that means that you're, could, if someone put in a change of address for your mail and now they're getting your mail, they can sign up for new accounts, can do, they can have all of your checks, your social security checks or your. or medical information, other things ⁓ redirected to them. And that's a number one way ⁓ for someone to steal an identity is still through the mail. And so we recommend a service that goes above and beyond on that change of address. It sounds like something that you should just look through in a benefits list and say, okay, check box, ⁓ change of address, ⁓ you know, it's on there. but you really want to make sure that it's a change of address service that is connected with the US Postal Service and National Change of Address Registry and not just change of address monitoring through the credit bureaus for a lot of different reasons. Martin Hinton (27:23) That makes sense. So what happens then? know that in your world, have the ability to, mean, the phrase fraud restoration is the phrase we hear. What does that mean? What are we restoring that only you can access money with your identity via whatever it might be, whether taking out a credit card or a bank loan or a car loan? Michael Scheumack (27:49) Yeah, the process of restoring an identity is very individual. It depends on what was stolen, how it was stolen, what was accessed or impacted. But our fraud restoration specialists will walk you through a basic onboarding questionnaire to figure out the basics of what had happened. But then we deep dive. And when we deep dive with a consumer or somebody that's been impacted, then we start finding out more information and that allows us to get in contact with the financial institutions that the consumer is connected with or that was impacted. It allows us to reach out to the authorities and work with the consumer on restoring their identity or figuring out what had happened, what the process was for their identity to be stolen in the first place and gives us access to really kind of handhold the consumer through restoring restoring their identity in a way that they're not being impacted in anymore by that identity theft. Sometimes that can take, you know, 90 days. Sometimes it can take years to restore somebody's identity depending on the length that it was occurring. So when we talk about identity theft with kids, it takes a long time to restore that identity for your child. because a lot of times it goes on for years and years before you even know that it happened. And so the length of time, you know, that identity theft was occurring or going on is important. We walk the consumer or we walk somebody through steps to take on their own as well as just handhold them through every step of the process. Martin Hinton (29:38) The, this isn't something that many people could do by themselves. ⁓ Michael Scheumack (29:44) You know, technically you could do it by yourself with a lot of research and time. And that's that's really where, ⁓ you know, a service, a service like ours or others comes in handy. And there are ⁓ nonprofits as well that help with identity theft. I'm on the board of ⁓ ITRC, IdentityIQ Theft Resource Center, and IdentityIQ Theft Resource Center helps people. They're nonprofit. They help people restore their identity and have a fantastic restoration center that focuses on helping individuals ⁓ in a similar manner to what we do. Martin Hinton (30:23) Which is a great point to transition, because one of the things that I wanted to talk about, we've touched on students and what makes them more vulnerable, but there are other vulnerable populations. And the one that jumps to mind is senior citizens who have always been historically targeted for all sorts of scams. So I'm wondering whether you could take me through some of what you see there. Because again, what happens is when you're dealing with perhaps marginalized or less financially secure. individuals, their identity can be quite useful illegally and then they don't have the means to restore it themselves or they perhaps need little more guidance, ⁓ if you will, resetting the VCR clock. So tell me a little about those vulnerable populations and some, you know, the human stories. I think one of things about this is it gets a bit abstract, like it's 60 million records here, 160 million there, and it just doesn't seem real to people because we don't have the ability to put our hands to it. It's not like someone cutting you off in traffic and you have the physical reality of someone doing something that hurt you. So talking about that seniors trusting, know, it's embarrassing, but the, I think the global wealth in the hands of the boomer and silent generation is something like $1.6 trillion. And as I say all the time, If there's a valuable thing somewhere, people will try and steal some of it. That's not a new thing. People rob banks. That's the great example of people going where the money is to get rich or try anyway. Tell me about these vulnerable populations and the sort of human side of this. Michael Scheumack (32:06) Yeah, you know, specifically we've had a recent case where, you know, an individual, an older individual ⁓ was on their computer and they got a Microsoft alert. So they thought, and so they had heard, you know, don't respond to these alerts because it could be a problem, which was great. So they ended up Googling, you know, Microsoft support. Well, By that point, they had had their computer had already been infected with something and gave them a fake phone number to call. And so they called and through, you know, social engineering techniques, this micro, you know, Microsoft agent walked them through a bunch of things which allowed access to scammers to take over the computer of this this individual. and actually gained access to her bank accounts and she lost over $30,000 through transfers to the scammers and was on the phone with this supposed technical support for hours. while they were doing this. And that's just one story. mean, my own parents have had those technical ⁓ alerts pop up. And that's just a common thing with the senior generation is when they're on their computer, they'll get an alert that pops up. they've already called somebody in their family so many times that they feel embarrassed to call them again. And so they end up calling that tech support line because it sounds like it's an easy thing to do and ⁓ it could turn into ransomware, could turn into a phishing scam where they're handing over $100, $200, $1,000 to try to get this technical problem fixed that never gets fixed because it's a scammer on the other line. It's really invading the trust of the seniors and their lack of understanding of technology and then putting urgency around it. And that package is just, it works almost every time unless somebody is very alert and they've heard stories from somebody else and so they can act on it. Martin Hinton (34:41) I mean, think it's worth emphasizing that if you ask Chachi BT for an image of a hacker, you get some guy in a hoodie in a basement with glowing lights and that sort of thing. It is a visual that betrays the truth. The truth of the matter is that these crimes are highly organized. And all of the knowledge we have now is a result of people studying behavioral psychology and human psychology and sociology has benefited corporations who want to sell us more or how to design a supermarket so we pass the things we don't always need to get to the things we do need and that creates a higher frequency of selling stuff like, I don't know, gum or whatever it might be. That information exists in the minds and the hands of these criminals and they are highly, highly organized. is, it is, you know, I mean, there are chat. Logs that have been leaked from some of these groups and they have their own help desks to help people who don't know how to buy crypto coin Buy crypto coin so they can pay them the ransom they're demanding. I mean it is it is not ⁓ It's not something that's you know, despite the mgm case just today. Some teenager was charged apparently this is not a Delinquency crime. This is a highly organized highly profitable crime, which is something to keep in mind because every one of us can fall victim to this sort of thing. The example I like to use is that it's almost like thinking you could go to a surgery you're having and you wouldn't be victim to the falling asleep when they give you the anesthetic. Or if you watch an amazing illusionist like David Blaine do a trick in front of you thinking you would see the card swapped out for the other one. It is just not something that you're immune to. None of us are. I think that your point about how vulnerable people can feel like there's no one to call is one that really deserves to be emphasized. you know, one of the things that I've talked to people about, and I'm curious what you think about that is the dialogue matters. And we touched on this earlier. So checking in with your, you know, parents if they're not nearby and asking them about this sort of thing or keeping it on their radar or making sure they know if it happens, there's places to call to get help is useful. Don't you think? Michael Scheumack (37:06) Yeah, 100%. You you want somebody to have a place where they can ask questions and get information, especially when they, you know. When they don't understand technology and they're trying to get access to their own bank and they see a pop up on their screen that says your computer is at risk, phishing or something virus detected, click here to resolve it. And things like that, they need someone to reach out to. so allowing access to a family member or not feeling bad for calling again. ⁓ is probably one level or just understanding that there are services out there that can help whether it's a paid service or a nonprofit service. There are places that can give you the answers and give you answers fairly quickly. So you don't have to wait. You don't have to go through a ⁓ long phone scripts or anything else and you don't necessarily have to be upsold on anything. You're just calling to ask a question. Martin Hinton (38:18) Yeah, yeah. I mean, think those are all excellent points. The big thing, I think, is if you ever see something, whether it's a text or a pop-up or an email, and it creates an uncomfortable level of urgency in you, or you feel like, oh my God, I have to drop everything and deal with this now, don't. Just ignore it. If you really owe someone money or your easy pass bill is overdue, the government will get a hold of you. They will find you. Don't worry. It is, is, it is, and again, we're all capable of being fooled like this. So remember that, but if you feel like it's gotta be done right away, stop yourself. Don't do it. Don't do it. Ignore it. Delete it. They'll get, there'll be another bill sent. There'll be another text sent, or they'll reach out to you a way that they're actually supposed to, but they won't because they're not real. Michael Scheumack (38:56) Yeah. Yep. That's right. There's no, there's no government entity or really any organization that will reach out to you over text message to, to tell you these things. The toll roads are not going to reach out to you to, to let you know about a toll road, ⁓ you know, fine or, or toll road. bill that you have, the IRS is never going to reach out to you over text message and the US Postal Service won't reach out to you over text message unless you specifically signed up to receive alerts about a package that's coming in. And so that's just not a method of communication that any legitimate company is going to use to give you important information. Martin Hinton (39:52) Yeah, mean, we get taken advantage of where we spend time and SMS and text messaging became so useful as a way to communicate that it naturally became a very useful place to target people for scams. it's almost like, I mean, even now you see quite frequently recommended you shouldn't use an MFA that relies on a text message because it's not as secure and that sort of thing. Yeah, I don't know if you have anything to say about that, but it is something to keep in mind. ⁓ Unfortunately, the environment that exists for text messages has been infiltrated by, if you will, an enemy. ⁓ And that makes it a place that you need to be cautious and look both ways before you cross the street and, you know, check your shoulders as well. ⁓ Michael Scheumack (40:40) Yeah, well, that's a great point. with ⁓ receiving a text message as part of your MFA, someone does have the ability ⁓ to sim swap. And so your phone is relying on a sim. And so a sim swap would allow them to basically take the place of your phone and get your text messages for you. And it's not that hard to do. It sounds very complicated, but what these scammers will do is they'll keep calling and calling and calling and calling ⁓ customer support rep at Verizon or AT &T and until they find get somebody that will allow them to say you know what I got a new phone and so I need this I need to change over to my new phone and I need the sim sim changed over and they finally get a rep that will do it and when they do then they have access to your to your phone number and when all of your if you hit forget password or you're logging into your financial accounts and they send you a text message, then the scammer can just initiate that themselves then and be able to get into your accounts. Martin Hinton (41:55) So we've talked a lot about where we are. ⁓ And I have come to a conclusion that we are only at the beginning, that the capacity of the good and bad sides of tech are only just starting, no matter how much it feels like we've been around or the world has changed so much since, depending on your age, and I'll date myself. I paid my first rent by mailing checks and putting stamps on envelopes. And I think that that is... It seems so far removed from where we are now when it comes to being able to, you know, Zell or Venmo or Revolut money, whatever it might be. When it comes to looking at where we are and the pace of change and how rapidly the sort of the bad actors are evolving, where do things stand? mean, AI is obviously always in the conversation, but cyber criminals have been doing pretty well without AI. So, you know, are they rushing to adopt it or are they realizing it can, you know, force multiply their email and ⁓ SMS, text outreach. What do you think about where we are in the timeline of all this? Michael Scheumack (43:03) You know, we're still in the, I would almost say the early stages of where we can be with AI and ⁓ amazing great things, but as well as the fraudsters using it for some sort of bad acting. the, you know, the change that you see is that, ⁓ The Froster's have been very successful with phishing scams and emails and things like that in the past, but they've been more blanket and just kind of like throwing throwing stuff out there to see who would respond to it in any way. Now with AI and ⁓ the ability to search through multiple social media accounts and online communications and other methods to understand more about an individual that you want to target, you can be way more targeted on your delivery of that text message, especially for any kind of ⁓ corporate. corporate scams if you're trying to get into a corporation and you want to be able to get to a ⁓ customer service agent who will then transfer you to the right person in accounting to get access to bank accounts on the corporate level. get access ⁓ to systems within a corporation that you're not supposed to have access to. there's the level of targeting, I think, is where we're going to see it just continue to grow. And the ability to ⁓ have phishing scams that just give you more information or allow you to talk to somebody as though you just know them. And with voice clones and deep fakes and everything else, people are so being so inundated with it, with the phrasing of AI and all of these things that it's almost overwhelming. But I would challenge people to not be overwhelmed, but to do a little bit of research and create some sort of simplified view of how they can how they can, you know. encapsulated in their own minds so that they can have awareness and education. And just like you said, I think the simplest thing is if you feel any urgency at all by a text message or a phone call. Even if it sounds like somebody that you know, if there's any urgency, you need to stop and take a breath and take a step back for a minute because that is 100 % of bad actors go to in their tool bag that's the most effective is that urgency because it puts people in that mindset that they need to act quickly and before they can have a chance to think about anything. so, ⁓ That's probably what you said is probably one of the biggest pieces of advice that I would give as well. ⁓ Martin Hinton (46:03) Yeah, I mean we know this right when we're stressed or we're worried. We don't think as clearly right we these are this is the human condition So this isn't gonna go away, but there are tons of things we can do to help You know react with calm if you will the inner buddhist and is all right just your first reaction should be calm I don't know you know anyone any money. So yeah, I again I I know we talked about it. We'll probably clip that that part, but it's a really really good idea So where we are now? In the next two, three years, how do you see the state of all this unfolding? mean, are banks and financial institutions helping organize? mean, are there public institutions and other organizations like AARP stepping up? One of the things I've talked about lately is we spend a lot of our K through 12 education with regard to cyber on very basic computer stuff and then also online predators, right? So natural and intelligent things to worry about. Do we need a more holistic sort of educational environment from a very early age that sort of ingrains some of this reality about the level of deception that's possible and the scale of deception that's possible? Michael Scheumack (47:12) We definitely need more education, ⁓ I mean, around finances in general, but in the education, ⁓ even in the lower education system. But with ⁓ cyber specifically, 100%. The more people understand and know. I think that the generations that are coming up, they're understanding it more and more and more than we ever have in the past. And so they're already going to have some level of understanding. But. having more understanding around how deceptive behavior can impact them, what that means, how to protect yourself. The banks are becoming more diligent in their fraud alerts. I know that I get a lot more fraud alerts now than I ever have before. I know with... even with us as an organization working with the banks, we know that their fraud departments are becoming more more aggressive on how they're identifying fraud or they're alerting someone to be able to better identify fraud. ⁓ so the banks really are kind of at the forefront of trying to understand how bad actors are stealing and stealing from individuals. And so I think that in the next few years, to your question. We're gonna see that grow a lot more. I don't think that there's any way to go back. We've won, we're in it now. Like there's no way to go back to paper checks and doing the things that we used to do. If you haven't already adopted it or accepted it, you do need to to learn more about how these things can impact you, but also become involved with ⁓ some sort of service that can help you monitor at the very minimum. Monitor the dark web for your information and monitor your your credit report. Like those would be the two basic things that I would say. that somebody should do just because there's so much impact ⁓ to you if you have some sort of identity theft event where someone is actually using your information and it's such an easy thing to do. it's not preventative, but it does allow you to take action very quickly. Martin Hinton (49:49) So rising tide lifts all boats kind of idea is a broader knowledge and a younger generation enters sort of adulthood in the workforce. There'll be a natural sort of rising of cyber resilience and that'll extend through populations. I guess what I'm hearing you say, is that a fair way to sort of sum it up? Michael Scheumack (50:11) Yeah, absolutely. Martin Hinton (50:12) So we touched on go students, we touched on individual responses, we talked a bit about cyber insurance and cyber insurance gaps. Is there anything that we touched on or we talked about that you want to go over again or say a little more about or is there something that I haven't asked you about that you want to get into for a bit? Michael Scheumack (50:29) You know, I think we touched on most of the fishing ⁓ or even the ghost student. type scams, but I think I'd want to put out there that we have a service at identityiq.com forward slash scam that allows someone to go on and report scams or see if they've been scammed or give us a call and we'll walk somebody through it. You know, the one of the, one of the things that cyber insurance does doesn't cover is, is, ⁓ certain levels of social engineering and phishing scams. And so you want to be. careful that ⁓ you don't fall victim to those. But if you feel like you have been, then giving us a call and allowing us to help you with that is a good first step. We also have a lot of information and education on our website. We're constantly putting out videos for people to watch. And our social media is filled with ⁓ different how-to's and things like that on a more general basis. But if someone feels like they have been scammed or they fall victim to something, then give us a call. There's no pressure. We don't put pressure on people to sign up. We help answer questions and really give them the information so that they can take action themselves. Martin Hinton (51:54) So you can put your pens down everyone. All the links and other things that Michael just mentioned are gonna be down in the show notes wherever you might be listening or watching this. So you can refer to them there. And if you have a question or anything like that, leave a comment. perhaps I'll be able to answer it, but we can certainly get it to Michael or we'll see what we can do for you. So I mean, think what Michael's saying and I think it's true of so much, problems don't go away on their own. and the more information, the more proactive you are, ⁓ the more you can be resilient against this. And these are new problems for sure, new realities or relatively new realities, but human beings were brilliant. And I say this every now and then on the podcast, don't bury your head in the sand. It may seem, if you're not techie, like how do do? I don't even understand how it happens. Don't worry. There are really, really smart people out there willing to give you frankly right now is a great time for it. a lot of what Michael just said, you can get a lot of advice for free because these companies are chasing this problem to solve it. And there's a lot of money in fixing this problem. So one of the things they're doing is they're being very generous with their information and their time. Even if it's just watching their social media for a little cute ways to contextualize it or keep it clear and you had a highly recommended. So before I wrap up and say goodbye, Michael, anything else? Anything else you want to touch on? Michael Scheumack (53:19) No, thank you for having me on. This is one ⁓ way that people can get more information and we can bring awareness. So thank you for partnering with us and I enjoyed the conversation. Martin Hinton (53:31) Yeah, so did I. So for those of you didn't catch at the beginning or you didn't see the chyrons during, this is Michael Scheumach, the Chief Innovation Officer for IdentityIQ . Michael, thank you so very much for joining us. ⁓ If you've got a question or if you've got a comment, please drop it in below and we'll do our best to get answers to you and reply and all that sort of thing. ⁓ But again, Michael, thanks so much for joining us and all of you. Thanks for joining us as well. I'm Martin Hinton. executive editor and host of the Cyber Insurance News and Information Podcast. Thanks for joining. Hope you enjoy the rest of your