Sept. 14, 2022

Cybersecurity and Protecting Yourself from Scammers, Phishers, and Identity Thieves


#77: Cybersecurity expert, Adam Levin, joins Chris to discuss all things cybersecurity, privacy, identity theft, and fraud. They cover how to avoid becoming a victim of online scams, ways to ​​effectively monitor your credit, managing the damages of identity incidents and methods to protect your personal information online. 

Adam Levin (@Adam_K_Levin) is a consumer affairs advocate and cofounder of Credit.com and CyberScout. His mission is to educate consumers, businesses, law enforcement officials and lawmakers about consumer privacy, identity management, and protection. Adam’s weekly cybersecurity podcast is What The Hack and his critically acclaimed book is Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.

 

Partner Deals 

DeleteMe: 20% off removing your personal info from the web

Daffy: Free $25 to give to the charity of your choice

Goodr: Free shipping on $25 stylish and comfortable sunglasses

Inside Tracker: 20% off personalized wellness & nutrition plans backed by science

 

Selected Links From The Episode

Connect with Adam Levin: Website | Twitter

Adam Levin’s Resources::

Resources Mentioned: 

 

 

Full Show Notes

The importance of protecting yourself online with secure passwords and keeping your phone numbers private   [1:28]

Protecting yourself from SIM swapping: the fundamental basics [3:27]

Lie like a superhero when setting up security questions [6:23]

Protecting your credit identity [7:29]

The three M’s: minimize, monitor, manage [9:19]

Six ways to ​​effectively monitor your credit activity [9:50]

Should you pay for credit monitoring and reporting services? [14:04]

Managing the damage of identity incidents [14:58]

Deciding if you need help from an expert [15:34]  

Credit monitoring service resources [17:26]

Stolen SSN: what is your liability? [20:12]

Different levels of identity theft and the evolution of the blame game [23:11]

Criminal identity theft: are there services available to avoid becoming a victim? [26:28]

How to avoid falling for online scams [28:20]

More advice about online security, protecting your financial identity, and avoiding scams [31:25]

Minimizing your risk: how to function as safely as possible in a “surveillance economy” [41:19]

Chris shares methods he uses to protect his personal information and financial identity online [49:21]

Hardware security keys vs. Google Authenticator or other apps [50:52]

Adam and Chris discuss the importance of safely storing written passwords and share more ways to remove personal information from the internet [52:08]

Using Google Voice as a secondary phone number and protecting yourself from being scammed [53:39]

Are VPNs necessary? [55:44]

Protecting yourself by limiting or disabling location services [57:32]

Regularly auditing authorizations from other accounts [59:24]

Adam’s message to those who are anxious about security breaches [1:02:21]

Where to find Adam Levin online [1:08:46]

 

Partners

DeleteMe

DeleteMe is a simple subscription, privacy service for reducing unwanted personal information exposed on the public Web. They’ll remove your cell phone #, address, email, family members and more from hundreds of data broker websites and then continuously scan for new data that shows up and get that removed as well. On average DeleteMe finds and removes over 2,000 pieces of data for a customer in their first two years.

Get 20% off a plan for you or your entire family at allthehacks.com/deleteme

 

InsideTracker

InsideTracker provides a personalized plan to improve your metabolism, reduce stress, improve sleep, and optimize your health for the long haul. It's created by leading scientists in aging, genetics, and biometrics. They analyze your blood, DNA, and fitness tracking data to identify where you’re optimized—and where you’re not. With InsideTracker you’ll get a daily Action Plan with personalized guidance on the right exercise, nutrition, and supplementation for your body.

For a limited time, you can get 20% off at allthehacks.com/insidetracker

 

Daffy

Daffy is a not-for-profit community built around a new modern way to give, with a mission to help people be more generous, more often. Daffy makes it so much easier to put money aside for charity. You can make your tax deductible contributions all at once. Or you can set aside a little each week or month. Then anytime in the future, you can give to more than one and a half million charities, schools, and faith-based organizations in a matter of seconds.

So you can separate the decision to give (and get your tax deduction) from deciding exactly which organization you want to support and when. My favorite part is that you can invest your contributions to your Daffy account so they can grow tax-free to let you have even more impact in the future. To start giving today and get your free $25 to give to the charity of your choice, go to allthehacks.com/daffy

 

Goodr

Goodr makes $25 active sunglasses that don’t slip, don’t bounce, and are 100% polarized. They’re lightweight, stylish and comfortable. I love my Goodrs and have been wearing them everywhere, from running to hiking, just hanging out or watching the sunset. Also, because they’re so affordable I never worry about losing or breaking them.

To get free shipping and a 30-day money back guarantee go to allthehacks.com/goodr

 

Connect with All the Hacks

All the Hacks: Newsletter | Website | Facebook | Email

Chris Hutchins: Twitter | Instagram | Website | LinkedIn

Transcript

Adam Levin - 00:00:00:

If you get a notification from what appears to be an organization of authority, first you have to think about it first. The IRS doesn't email anybody. Police departments wouldn't normally send you an email and go, hey, by the way, we think you've committed a crime, so notify us here. What you should do. Even if you get one that looks really official, contact the specific agency and independently confirm the contact information and then reach out to them and say, I got the strangest thing. Did you send me something? Now, most people don't like to red flag themselves with the IRS, but at the same point, you need to make sure that you're dealing with the IRS. And of course, generally the only way they deal with you initially is you get a letter. Maybe not a letter you want to receive, but you will get a letter. They don't call you unless you owe the money. You've owed the money for a very long time. They've sent you notice after notice after notice. You didn't respond. And then you might get a call from a legitimate debt collector. There are about three or four that have been designated by the IRS, but again, generally, it's never something where you're asked to do something urgently.

Chris Hutchins - 00:01:25:

Hello and welcome to another episode of All the Hacks, a show about upgrading your life, money and travel, all while spending less and saving more. If you're new here, I'm your host, Chris Hutchins, and I'm excited to have you on my journey to optimize my own life by sitting down each week with the world's best experts to learn the strategies, tactics, and frameworks they use for their own lives and their success. Today I'm talking with Adam Levin, who is an absolute expert on cybersecurity privacy, identity theft and fraud. At 27, he became the youngest director in the history of the New Jersey Division of Consumer Affairs. He later went on to found at least two companies credit.com, which focused on consumer credit building and was acquired in 2015, and Cyber Scout, a global identity and data protection company that helped pioneer the cyber insurance business and was acquired in 2021. On top of all that, he's the author of the critically acclaimed book Swiped How to Protect Yourself in a World full of Scammers, Phishers and Identity Thieves. And he hosts the weekly cybersecurity podcast What the Hack? For many months, I've been wanting to do an episode on everything you need to know about cybersecurity identity theft. So I'm really excited that I got connected with Adam. We're going to talk about how to protect yourself from all these threats, what kind of tools and services like VPNs or security keys or credit monitoring are actually worth using. Basically, I want to leave you with everything you need to know to protect yourself online. Adam, welcome to the show.

Adam Levin - 00:02:51: Chris, thanks so much for inviting me.

Chris Hutchins - 00:02:53:

Yeah, so just to kick us off, I want to know, what do you think is the most common thing you see most people doing wrong when it comes to protecting themselves online?

Adam Levin - 00:03:01:

Password protocol is terrible with most people. Most people pick a easily decipherable simple password because that's what they can remember and they use it everywhere. And unfortunately, what you have to understand is that even assuming that you have the most indecipherable sophisticated password possible, if it's been exposed as a result of a leak or a breach, then it's discovered and a discovered password is no good to you anymore. And if it's through your entire universe of websites, it's going to come back and be a nightmare for you. So you really have to think hard about the kinds of passwords you're going to use. In fact, that's why most people use password managers that want to simplify their lives. But you need to do that because one ubiquitous password in your life is guaranteed to create a problem for you.

Chris Hutchins - 00:03:58:

I know that in the past, password managers often will tell you this password has been in a breach. There was a site that was like, have I been pwned? Is that still like the gold standard of finding out what passwords of yours have been in a breach? Or what is it?

Adam Levin - 00:04:13:

Pretty much is, yeah, have I been pwned? And it's not a happy place by any means and you can also now track your phone number too.

Chris Hutchins - 00:04:24: Cool.

Adam Levin - 00:04:25:

Because the issue is that for years we've been told that the ultimate skeleton key to your life is your Social Security number. And that's pretty much true. But if you think about it now everybody gives their cell phones number out to everybody and on top of which, it's not something because they're now portable, nobody's going to change their cell phone number. So this is a number that's going to stick with you most of your life and it is everywhere. So that's an issue as well.

Chris Hutchins - 00:05:00:

What's the risk of your phone number being out there? Obviously people can call you, but is it that they could know your number and spoof your number calling customer service and pretend to be you with automated systems? Or why is having your number out there as bad or dangerous as maybe your email password? Which makes more sense to me, why that would be a bad thing?

Adam Levin - 00:05:21:

Well, the reason why having your number out there is a problem is because if you think about it, most people who use multi factor authentication, the second factor tends to be a code sent to their phone number. But so if your phone number is stolen as a result of a SIM swap. Which is not as difficult as one would think for a few bucks. Unfortunately. People call people at mobile providers and get them to switch things based on the fact that they go. Sorry. I forgot my password and this is my phone number and I just got a new device. By the way. So can you please transfer to my new device and then all of a sudden you don't get the code. We've had cases where people have lost millions in cryptocurrencies because the code was sent to the phone number that had been stolen by a hacker.

Chris Hutchins - 00:06:16:

Now I owe in 5, 10 years ago SIM swapping kind of hit all the news and it was a big thing. Is it still happening as much as it was or have the carriers gotten better about requiring more information to switch a phone number or is it still a really big concern?

Adam Levin - 00:06:31:

Well, again, if you pay somebody off, it doesn't matter what kind of protocols you have in place, the carriers are getting better and of course now you have the opportunity to use a Pin number as an additional layer of security for someone calling to find out more about your phone. The only problem is that a lot of people, just like we tend to use simple passwords, people use codes like 0000,1234,9876 so it's not that difficult to guess for some of the bad guys.

Chris Hutchins - 00:07:05:

So it sounds like quick thing everyone needs to do if you're not already using a password manager, I mean, go back to basics, that's something you should do. I think most people here have probably heard me talk about password managers enough to hopefully have gotten on the board with that train, but calling your cell phones carrier and making sure you have that Pin set up? I know I called Verizon once and just said, hey, can you put me in some sort of more secure version of an account that can work with some banks, financial institutions, some don't? I also like to

change my mother's maiden name and give them a different word or number or any string of characters than an actual mother's maiden name because that like your phone number is not too difficult to find online. Are there any other kind of fundamental basics to protect yourself from SIM swapping that people should be doing?

Adam Levin - 00:07:57:

Well I mean that also just be very alert and if all of a sudden you're not getting phone calls or you're not getting texts or something just doesn't feel right, immediately contact your mobile provider. But you also brought up an interesting thing too. When you talk about changing your mother's maiden name, I always say to people, listen, when you set up security, questions and answers lie like a superhero. I mean, Clark Kent is not going to tell people he's Superman. Bruce Wayne doesn't run around saying, hey, I'm Batman. So if your mother's maiden name is Smith, tell people it’s Jones, if you went to Ridgefield High School, tell them you went to Southwick. The key thing is consistency. It's not as if you were doing an interview to get a security clearance for national security. All you're trying to do is create something that will be a benchmark. So it's not about veracity, it's just about consistency.

Chris Hutchins - 00:09:01:

Sometimes I just have strings of numbers. I use one password and I generate a random string of characters. So it's like, what's your favorite book? It might be gobbledygook. To me, it's just a bunch of numbers and symbols and letters, but it certainly isn't something anyone would guess. And the same goes for the high school I went to or my dog's name or things that you might actually be able to find out online.

Adam Levin - 00:09:21:

No, listen, that's a great idea, as they say, the algorithm.

Chris Hutchins - 00:09:26:

So there's a lot of places we could take this, right? I think identity theft is a big area. Cybersecurity is a big area. Maybe we start with credit identity. You mentioned Social Security number. Is this protected thing with the Equifax breach, in my mind, it's like I'm kind of operating like my Social Security numbers out there. I feel like for, I don't know, one in three Americans. Now your Social Security number is out there. Is that still as easily accessible such that if someone wants your Social Security number and they try hard enough, they could probably get it? And if so, what do we do?

Adam Levin - 00:09:59:

Let's face it. I mean, not just Equifax. We're talking about over the past several years, billions. And that's Dr. Evil Pinky to the lip, V billions. Billions of files have been exposed through data leaks, breaches, people hitting the wrong key and information getting out there, people just giving out their Social Security number. I mean, think about every time you go to the doctor's office, the dentist's office, what do they have on the form? Your Social Security number. Which, by the way, you can say, no, I'm not giving you my Social Security number. They're not going to throw you out because they're either operating with your insurance information or they're going to get a credit card before you ever get out the door. So you don't need to give them your Social Security number. You need to say, no, we have to have it for insurance purposes. No, they don't. They really don't. But there have been stories about people at their children's Little League games, they were passing around these sheets and people were filling them out. It's like, yeah, let me have your Social Security number. So, yeah, sure, here it is. People don't really think about it. They kind of toss it out like you were tossing out rose petals. So I think you have to assume your Social Security number is out there. You have to assume most of your information is out there. So it's really about something that I developed with my collaborator, Bofried Lander, who is also my co host on What the Hack with Adam Levin. We wrote a book called Swiped how to protect yourself in a world filled with scammers, phishers and identity thieves. And we came up with a framework three M. How do you minimize your risk of exposure, reduce your attackable surface? How do you monitor so you effectively know that there's a problem and that you have to do something about it. And then how do you manage the damage? So what you're raising right now with the fact that our information is out there is how do you effectively monitor so you know as quickly as possible that you have a problem? Well, one of the things you do is, as we mentioned earlier, you go to the site, Have I been Pwned? And see whether or not your user ID and password has been exposed in a breach. And then looking at the particular breach where it was exposed, you're going to know, based on the information that has been provided by the companies that have been compromised, how much of your information is out there. And that's why monitoring is so important. Get your credit report. Look at your credit. Don't just say, I got my credit report. I did my good deed. Get it. Review it. Be serious about it. If something doesn't look right, contact the credit reporting agency. You need to be looking for things you didn't do as well as things that you might have done that you forgot you did. But review it and make sure that it says what you think it should say. And if it has additional dates of birth out there for you, or different places where you've never worked or different home addresses, these are red flags. So get your credit report. Monitor your credit scores, because if your credit scores take a sudden precipitous drop that you can't explain, then it's either one of three reasons you didn't pay a bill on time. Not good. You need to know that you're using too much of your available credit. Not so good. You need to know that. Or you're a victim of identity theft. Really not good. And you need to know that. Also, sign up for what's called transactional monitoring alerts. This is from your financial institutions, your credit card companies. It's free, and it notifies you anytime there's any activity in your account and if you see activities going on that do not look familiar, then you have to notify your financial institution or the credit card company immediately. But that's one of those red flags also, believe it or not, look at your explanation of benefit statements that you received from your health insurance company, because a lot of people have discovered that they were victims of medical identity theft because there was a treatment on there or an appointment on there that they never had with a doctor they've never heard of. So look at that to make sure it was you. And then finally, there are much more sophisticated forms of monitoring. They come from the three credit reporting agencies as well as third party providers, where they have a number of different things that they're monitoring. You need them to be monitoring your Social Security number and your most personal information. And then you need to get things like what's called instant Alerts, which is not, hey, Chris, a few weeks ago, somebody using your information to open an account, but it's, hey, Chris, somebody is attempting to open an account right now. Is it you? Yes or no? And then you need to have monitoring that monitors the dark web, because if it shows up that your information is out there, and it will tell you what information has been discovered on the dark web, whether it's an email address, a password, a phone number, account information. That's why it's important to do that. So the third M is very important. The second M very important.

Chris Hutchins - 00:15:36:

So just to recap, so I know getting your credit report FreeAnnualCreditReport.com, you can get it for free. I believe even right now, as a result of maybe the pandemic, you can get it more regularly than once a year.

Adam Levin - 00:15:48:
You were getting it in some cases either once a month or once a week, depending upon the credit reporting agency.

Chris Hutchins - 00:15:55:

Yeah. And then a lot of the alerts you talked about are free. I sign up. I have an account with Experian, Equifax and TransUnion. I get alerts. I don't pay for any of those premium services.

Adam Levin - 00:16:06: Right.

Chris Hutchins - 00:16:07:

I get my credit score gosh. I probably have five different ways to get it for free, whether it's Credit Karma, which isn't necessarily a FICO score, but it is a score, or different credit card companies. Amex gives you a free credit score. I think Capital One gives you a free credit score. Are there any of the credit monitoring and reporting services that you actually should pay for, or are they kind of all a little bit fluffy products that people create for people who are worried? But you can kind of do all this on your own. I know you can freeze and lock your credit, which I do for free also.

Adam Levin - 00:16:44:

Yes, you can do that. That's as a result of an amendment to a banking law that was done a few years ago. But there are services that are worth it because you really need them to take in depth dives. And whereas with free credit

reports, you can get them frequently, although a little less frequently now. The important thing is you really need to keep up to date. And with that payment, you're not just paying for the monitoring, but you're also getting access to a professional who can help you through identity incidents. And that's really the third M, is that how do you manage the damage? Now, a lot of people don't realize that through their insurance companies, some financial institutions, and now more and more through their employers, there are programs available to help you through identity incidents. In some cases, it's free as a perk of your relationship with the institution. In some cases, it's deeply discounted. In some cases, it may not be. But you have to really think about how important it is to know whether or not you've got a problem and have somebody who can help you through the problem.

Chris Hutchins - 00:18:03:

I get that if you are involved in an incident, it can be helpful to have an expert kind of get through this entire thing, manage the entire process. But for just monitoring, would you say everyone needs to be using a premium service? Or how do you kind of set the threshold for someone thinking, I feel like I've got monitors, I get my alerts, I get my transaction alerts, I check my credit every so often. When my score changes, I get an alert. Does the average person in that circumstance who hasn't yet been a victim of any fraud or theft need the premium services?

Adam Levin - 00:18:36:

Well, it depends how premium you want to go, and you have opportunities to select amongst those premium services and even then the level of premium service you wish to get. And it really has to do with your comfort level and how alert you are and how informed you think you are based on the alerts you're seeing. And the truth is, access to a professional to help you through incidents is priceless. It really is. And if you talk to a lot of the folks who have been on both sides of the cyber world, they will all tell you that so much information is out there about us right now, that the fact that each and every one of us hasn't become a victim of some form of identity theft is simply because they haven't gotten around to us yet. It's really a question of supply and demand. But I can tell you, having owned a company, well, first a company that was involved in monitoring, and then a company that was involved in managing damage and taking care of people, it really depends on what you want to get out of it, how much you're willing to invest. It's not a criminally expensive amount. If you get the more moderately priced monitoring programs, you really need to know, and you need to know as quickly as possible, and you have to pay attention.

Chris Hutchins - 00:20:07:

I imagine if I Google credit monitoring services, there's thousands. I imagine some are much worse than probably just repackaging what you can get for free for a fee. Are there particular companies or services that you think are actually providing that added value for their fees?

Adam Levin - 00:20:23:

There are. I generally don't single out anybody specifically, and it's not because I'm being paid by anybody in particular. It's just I really feel like it's a function of you really need to do your research. Now, the Consumer Federation of America has a website called, I think it's called IDtheft.info. I could be wrong, but just like a Consumer Federation of America, they actually have the majority of the major players in the identity monitoring service world signed up. They signed up for best practices. And what they do at that website is they give you a list of questions and answers to think about when you're searching for someone to monitor your credit or to actually help you through a credit incident. And it's really worth it to go to that website. But there are a number of very good companies that have very good and thorough monitoring programs. But as with anything, take time and do your research.

Chris Hutchins - 00:21:35:

I was hoping I could skip a little of the research and get the answers from you. Are there any companies, you know, in the space that's, like, definitely avoid companies that are on your blacklist of credit monitoring and identity theft protection? Are there services where you're like, no, just skip over LifeLock, they're the worst, or something? Anyone in the space to avoid?

Adam Levin - 00:21:53:

Well, no. Now you're getting me to actually recommend certain companies. First of all. Okay, I'll give you some. Aura is one that's very good. LifeLock is very good. I can tell you for years I've used Experian okay. And protect my ID. Their program is very good. My old company, Credit.com, we had a number of products and services that we matched people with that were very good. And I'm sure the folks at Credit Karma and other places can also give you recommendations. Another place to go just for just great advice in general is the Identity Theft Resource Center. They're out of San Diego. Eva Velasquez is the CEO. She's been CEO for a while. They're highly respected. And for those people who don't use paying services and are in trouble and need help and are victims of identity incidents, they actually work with some of the bigger companies and have a deal going on where these companies will help them help people for free. So the Identity Theft Resource Center ITRC okay. Is very good.

Chris Hutchins - 00:23:13:

Thanks for giving some information that I know you're breaking the rule. Yeah. One thing I was just thinking about with credit cards, I think a lot of the reason people are not too worried about just putting their credit card number online is that most, if not all, credit card companies nowadays take the burden of the risk of something happening in fraudulent charges. But one thing I don't think I know so I'm assuming most people don't, if someone uses your Social Security number to open a bank account or take out a mortgage or a loan or buy a car, how much of the liability ends up falling on you? Is the risk all the hassle of cleaning it up? Or is there actually risk that you could be liable for what happens and someone else won't pick up the tab like they might with credit card fraud?

Adam Levin - 00:23:59:

Well, we've seen, for instance, situations where people have had their Social Security numbers used to take mortgages out on their homes. That becomes problematic because you really need attorneys for that. And it's not a simple process to have a mortgage removed from your home when the money was actually taken using your information. Now, your insurance company can be very helpful there. That's why check with your insurance company and find out if they have identity protection programs, if it's automatic or you need to bring it on as an endorsement to your insurance policy, oftentimes your homeowner's policy, your renters policy. Now even they're offering identity theft services through auto owner policies. But you may need that insurance coverage for that that you may pay for, but it's not a large sum of money. It's just generally a fee for an endorsement. But no, it can be a problem. We've seen cases. For instance. With Zelle now the Consumer Financial Protection Bureau just came out and kind of dropped the hammer on a number of those peer to peer payment apps because so many people have had their information stolen. The app used. Or they in good faith used it because they thought they were dealing with somebody real and not an identity thief or hacker or scammer and the money's gone. And of course they do tell you before you hit that button, make sure you know who you're dealing with. But that's changing. But let me take you back to sort of the beginning of identity theft and in the early days of dealing with identity theft issues and even to a little bit today, the victim was guilty until proven innocent and in fact, the consumer was considered collateral damage. It was viewed as the business was the victim of the identity theft or the fraud. Now, with credit cards, you're right banks, it used to be $50 liability. It's now down in most cases to zero. Debit cards, little different story. Many of them have good protections, but in some cases the financial institution will say that before we return your money to you, we have to do an investigation and we have to feel comfortable that you didn't just do something dumb and you're trying to get us to cover your loss.

Chris Hutchins - 00:26:42:

Fortunately, most people listening here are a big fan of earning credit card points and aren't using their debit card much, but the identity top. Yeah, I'd love to go back to the beginning. You were the victim. How has that evolved?

Adam Levin - 00:26:55:

Well, it's evolved now that there is a greater understanding of the fact that millions upon millions of people have become victims of identity theft and in many cases through no fault of their own. Simply their information was on the wrong database at the wrong moment and the wrong person gained access. And now suddenly they're victims of identity theft. And you have so many different levels of identity theft. You have the low hanging fruit, which is account takeover, which has to do with credit cards and debit cards. Debit cards raise the food chain a little bit. Then you have new account identity theft. That's where someone using your information has gone about the countryside, happily opening accounts in your name with your information running up the balances and then disappearing into the sunset.

And then you get other forms of identity theft, like medical identity theft. Or someone using your information, gets medical treatment in your name, has a procedure in your name, has appointments in your name. In most cases, it's a fraud against the insurance company, but it could come back to haunt you depending upon your lifetime allowances. But in cases where insurance wasn't involved, you've had many situations where people get a bill that comes out of nowhere from a medical provider, and it's huge, and they end up having problems with their credit reports and fighting with the medical provider and being sued. And there is a greater understanding of that now. There's child related identity theft where kids have no idea because they don't check their credit. They don't even think they have a credit report. Most parents don't check their kids credit reports, although that's changing. But in that case, we had one guest on What the Hack? Accident Bets Hamilton has become a very famous expert on identity theft, where she was a victim and her mother was the thief. Her mother stole her identity, her father's identity, her grandfather's identity, had a second life.

Chris Hutchins - 00:29:08: Oh, my God.

Adam Levin - 00:29:08:

And as Accident said, I spent Thanksgiving sitting across the table for 19 years, across from my identity fee. And there are a not insignificant number of identity theft victims where it occurs within the family. Foster children, for example, 10% are victims of identity theft because as they go through the foster system, they have a card with their information that's passed from family to family to family, and in many cases, that information is used to steal their identity. You have that, and now the government's gotten involved and try to be more helpful in situations like that. The reporting agencies are much more understanding when it comes to this. But there is a process that you go through, and if you do it, it could take months, hours of your life. You could have ended up with no life and no job and no family because you're spending so much time focusing on resolving your identity theft issue. For instance, if you become a victim of criminal identity theft, that's a big problem. That's where someone using your information commits a crime. There was a movie Identity Thief, which you may have seen, but they commit a crime. We had a case once. A fellow was driving through the Midwest. He gets pulled over for a busted tail light. All of a sudden, his car is surrounded by guys with guns. They make them get on the ground. They cuff him in front of his kids. They take him to jail, and he gets out in a couple of days. But he needs to get a lawyer. And sometimes it takes a not insignificant amount of time to clear your name. If you're a victim of criminal identity.

Chris Hutchins - 00:31:04:

Theft, is there a way that he could. Have prevented that. Obviously, committing a crime isn't something that's necessarily going to show up on your credit report. But is there a similar thing that monitors? I don't know. I know every time you apply for a job, they run a background check. Is there like a background check monitoring service to see if things like that are happening before your well, there are.

Adam Levin - 00:31:26:

Some of the services now that will monitor as part of their overall monitoring whether you've had incidents of a criminal nature or at least there are warrants out there for you and you might not know about. But criminal identity is something that you can almost do absolutely nothing about. I mean, it's just someone did it, use your information, committed the crime. How do you prove you didn't commit a crime? Right? That's a little more difficult than someone nailing you for committing a crime. So it becomes more complicated. That's why it's so important for people to be alert. If you got a notification about something, don't assume if you know nothing about it that it's a mistake. At the same point, don't immediately jump and try to do something about it, because it could be somebody committing a fraudulent act and getting you to click on the wrong link or open the wrong attachment as well.

Chris Hutchins - 00:32:27:

I want to come back to a few things, but when you get that link, when you get that email, I think it's wild to me how many different examples I've seen recently of successfully convincing people that this is the right link, whether it's using some weird font that isn't actually the right font. I've seen one where someone had the domain registered that was like Mail Google.com, so it looks in a small window like it's correct, but then it's mail Google.com some other

address, some other address. So it actually looks like the right prefix, but it's not. So I always say, of course, look at the full URL, look at the full sender. Are there other things in those moments that are things people could quickly do just to make sure or validate that it's correct?

Adam Levin - 00:33:14:

If you get a notification from what appears to be an organization of authority, first you have to think about it first. The IRS doesn't email anybody. Police departments wouldn't normally send you an email and go, hey, by the way, we think you've committed a crime, so notify us here. What you should do. Even if you get one that looks really official, contact the specific agency and independently confirm the contact information and then reach out to them and say, I got the strangest thing. Did you send me something? Now, most people don't like to red flag themselves with the IRS, but at the same point, you need to make sure that you're dealing with the IRS. And of course, generally the only way they deal with you initially is you get a letter, maybe not a letter you want to receive but you will get a letter. They don't call you unless you owe the money. You've owed the money for a very long time. They've sent you notice after notice after notice. You didn't respond. And then you might get a call from a legitimate debt collector. There are about three or four that have been designated by the IRS, but again, generally, it's never something where you're asked to do something urgently. You never get something in the eyes saying, unless you pass, right now we're sending someone to arrest you, or even a phone call. They don't do that. You're always offered an opportunity to have a conversation with an agent and reach a settlement agreement with the IRS, for example. But that's what scams are based on, and a lot of the scams are very similar. It's like, think of it as the music is the same, but the lyrics change depending upon what's happening in the world or what the scammer or the hacker is trying to achieve. So you really need to set a list of protocols for yourself as to what you do. And protocol number one, stop. Read it carefully, calm down, think about what it's saying, and think about whether or not it's logical that you would have received this communication by way of an email, and whether or not what they're asking you to do seems logical within the time frame they're giving you to respond.

Chris Hutchins - 00:35:47:

Are there any new tactics? I know SIM Swapping made all the news years ago. Is there anything happening right now that you know about because you're in the industry that maybe other people will hear about over the next few years, but would be good to know now?

Adam Levin - 00:36:04:

Well, let's go through some of the scams that exist and sort of match them to what's going on. First of all, there are healthcare scams that have been going on for forever, but in particular, COVID was a petri dish for them, and now monkey pox is becoming a problem as well. And that could be anything from updates to tracking to notifications to here's where you get your vaccine, here's what your schedule, your test, these kinds of things. So you have to be on the lookout for this. Again, as you said, run your cursor over the email address to make sure that where it's coming from looks legitimate. And even then, wherever it's coming from, even if it's a phone call from someone saying they're from the health department, thank them, hang up independently, confirm the right number for your county health department or your state health department or even the CDC. If you think you're getting a call from the CDC, which I really haven't heard of, too many calls coming from the CDC, then call the real number and speak to somebody and confirm whatever that information that they're providing you. And remember, in most of these cases, they are never supposed to ask you what your Social Security number is or getting credit card information from you, you can't pay to get to the head of the line with these. If it's a legitimate government situation and it's involving healthcare, there is a protocol to use and no protocol that I know of and have ever known of. Are you paying something in advance in order to advance your prospects with that? So you have healthy job scams all the time, especially during the great resignation. And now with inflation and now with the concerns about whether or not there's going to be a recession, people may be looking for additional jobs there. Go to legitimate, well vetted websites and make sure that you're communicating with the right organization. If someone asks you to provide your Social Security number right off the bat, that's not legitimate. Don't walk, run.

Chris Hutchins - 00:38:32:

So this could be a job board. You see a job you're interested in, you're like, oh, this company is interesting, maybe I should apply for it. It could just be a totally a fake company that's leading you down a path of interviewing for a job with the purpose of just collecting information about you.

Adam Levin - 00:38:47:

Absolutely. Or getting financial information by way of giving you giving them your credit card information. Let's say it's a secret shopper job and they say, well, to get you started, we're going to be laying out some money, but we'd like you to sort of reimburse us for this. So be careful. You don't want to get involved in anything like that unless you can confirm the legitimacy of it. So always independently confirm, also confirm that that particular company is actually looking to hire people, which you can go by going to the real website of the organization and then calling the HR department of the company and asking them if they're conducting interviews. But you have to be very careful about job scams. There was a scam that was going around for a while, disappeared, came back again. The jury commission scam. That's where you get a phone call. Someone represents themselves to be from the jury commission. They're polling, quote, eligible jurors in the district. And if you would be so kind as to provide them with your Social Security number, they will be able to let you know whether or not you're eligible or not for the jury pool. There have been scams where police departments were supposedly calling people and asking them for specific information. Generally, police departments just don't call people out of the blue, or if they do, it's a legitimate detective. They may be asking you questions, but they're not going to be asking for your Social Security number, your date of birth, or things like that. So unemployment scams, of course, have been a disaster during Covid. I mean, billions upon billions of dollars have been stolen. My own sister in law, who was on one of our episodes was talking about the fact that she was legitimately notified by her home state of colorado and by the state of Ohio that somebody using her information had applied for unemployment benefits. In one case, she found out simply because she received a debit card in the mail from the unemployment agency, which she said, I'm not looking for a job. I'm fine. I'm not out of work. We've had cases where people found out because someone in their company walked up to their desk in the days when people are actually at their desk and said, by the way, why did you apply for unemployment? You still have a job here. So that was going on. You have the text scams. That's what you get a phone call from someone representing themselves to be from Apple or Microsoft saying that they've noticed that there's a problem with your computer. They're going to direct you to a site where you can download a certain software which will enable them to then come into your computer and check it out and solve whatever the problem is. Apple and Microsoft, they don't do that, but scammers certainly do that. So be on the lookout for text scams. Then of course in the line of work that you've been talking about too, which is vacations and points and all of that, there have been theft of frequent fire miles. There have been all kinds of vacation scams, all kinds of rental scams that people have to be on the lookout for, which we can go into further depth if you'd like to do that. And then there's catfishing, which is huge and whatever the theme may be, it's still a catfish. And what people are trying to do is they're trying to tug on your heartstrings and get you to believe that they care about you. And the whole goal is to get into your life as quickly as possible and as authentically as possible. But yet you never really get to see them. You never get to really hear them. You may just be communicating with them by text or by email and then at some point relatively quickly into this relationship, you're suddenly asked for a lot of personal information or they send you a compromising picture and ask you to reciprocate, which you don't realize that's not their picture, but unfortunately that's your picture you just sent to them. And suddenly you can become a victim of extortion and blackmail or they ask you to provide credit card information so that you can help them get a plane ticket to come visit you. Or we've had cases, we had a woman on our show talking about the fact that she met someone online who even had a terrific LinkedIn profile as a very successful medical professional who had decided to dedicate part of his life to go to the Mideast and open a clinic there. And somewhere in the first couple of weeks that they were getting to know each other, he said, our equipment has come in. It's held up by customs at the airport. If there's any way that you could help me by sending me $30,000 so I can get the equipment out, that would be great. Of course she didn't do it. She wouldn't fall for it. But unfortunately, a lot of people do. I mean, we've seen cases where someone was taken to the tune of $2 million by someone who convinced them that he loved them. And the only way that they found out there was something wrong, which they should have known for the beginning, but was that a financial adviser notified members of their family and said, something's going on with your mom. She's taking a lot of money out and sending it overseas. You really need to look into this. And even after confronted with the reality of her situation, she said, okay, I understand it's a fraud, but in my heart, I still love it. I mean, this is how deeply they ingrained themselves into your life. And then another scam and I won't go on forever, but another scam are charity scams, and this is where they'll take the issue of the day, whether it's the Ukraine, it's a natural disaster. It's a crisis. Somewhere in the world, it's children. Any one of those topics, whatever is in the news, they will use it. They will convince you that they are the newest, best, most successful, most respected organization in the space, and could you please give them credit card information or send money to this? And it's not real. It's a fraud.

Chris Hutchins - 00:45:33:

That's really interesting. So I've been a little familiar with some, not all the others. When it comes to the frequent flier miles thing, if you Google my name, there's some articles about having a lot of points and miles. And so I have been

a victim of, I guess, theft of points, I guess, which we talked about maybe coming on your show. And if that happens, definitely go check it out. I'll tell the story.

Adam Levin - 00:45:59: Absolutely.

Chris Hutchins - 00:46:00:

But in short, it led me to that's what set me down a path of really locking out all these accounts, because someone was able to call Chase and get Chase to let them order things with points on the Internet. The craziest thing, and I have still today don't understand it was they ordered an Apple laptop using my points, but they shipped it to my house. Now, maybe the plan was to come to my house and kind of pick it up, but they never did, and that the laptop showed up. So it was like the strangest fraud, because they chase refunded the points, and I had a laptop. I asked Chase what they wanted me to do with it, and they said, try to take it to the Apple Store. And the Apple Store didn't want it. So eventually Chase said, the best thing we could tell you is to keep it or donate it. We don't know what to do. Which ended up being a happy story for me, but it was probably payback for the hours of time to mitigate it, which comes back to, I want to go back to your first M, which is about minimizing the risk and talk about some of the things people can be doing to prepare and kind of plan in advance of any of this happening. There's a couple of areas here I'll go to, but one is around information online. So I remember back when I was a venture capitalist, this company Fordalus, which I know you're familiar with, was raising money and they offered to run some reports on people in the investing group to show off their product. And they ran this report and I was like, wow. It's not that I didn't know there was information about me online, right? There's family tree websites, there's white page websites, there's my social media. But when someone pulls all that information together into one place and you see a list of every address you've ever lived at, every job you've had, all of your phone numbers, all of your email addresses, and then the exact same set of information for your spouse, your siblings, your parents, and they put it all together, you're just a little bit taken aback. And it made me think, gosh, should I be getting rid of this? Is there a way that consumers can kind of just get a lot of this information off the internet? Or what goes into trying to mitigate this risk and minimize the risk and getting stuff kind of taken away?

Adam Levin - 00:48:20:

Well, I could give you my favorite George Carlin line, which it's a mystery, but the truth is that there are things that can be done, but it is a long and arduous and time consuming process because you literally have to go from data broker to data broker and there are procedures you can use and each one explains it to you. And of course the CFPB Consumer Financial Protection Bureau has advice on exactly how to do all of that. But just like when LifeLock started and someone said, isn't it true that a lot of the stuff people can do themselves? And the answer, which I thought was a very interesting answer and I've been a fan of LifeLock, is they said, well sure, you can also change your own oil and if you want, you could maybe even change your own muffler. Do you want to? So it really has to do with how much time you're willing to dedicate to it. Some people it's a crusade and they will do it because they don't want to pay anyone else to do it. And they will do it. Others will find companies like Reputation.com, which is where they will work to get negative information about you offline, or companies like Abine where they will work with you to actually delete information from the online world. And now that there is a right to forget in the GDPR, which is the general data protection regulation in Europe and it's incorporated to some extent in the California Consumer Protection Act. And it is hoped that maybe it will be also incorporated in the American Data Protection Act which is kind of wending its way through Congress, assuming it can actually find its way through Congress, which is very difficult for us as we've seen in the past years. It's very difficult for stuff to get through Congress, all the interests involved but it still is a process. Now you can contact Google for instance, and ask them to remove certain information about you which they're willing to do. But it's a process. And even if this is just like with a credit report when people would go to credit repair companies and some of them are good and some of them are really really not good and they would say okay we will get this information off and they do. But unfortunately it was legitimate information and as a result when the particular subscribing retailer doesn't update the information finds itself back onto your credit report again. So think of all of the millions of websites that are out there and how unfortunately over the years there's been this wholesale sharing of information or selling information or lending information depending upon what the relationship was between these organizations and it's going to be out there. Can you get it off? Maybe for a period of time? Can you get it everywhere? It may take you forever to find out where everywhere is and there's a new part of everywhere that shows up every day. So that's why you have to say to yourself look the world I live in, it's a surveillance economy. It just is. We are surrounded by billions of internet of things devices tracking, listening, sending data back to manufacturers, data then being shared, that information also being hacked by hackers. So that's why you need to really consider the three M’s. And among the things you should be doing, assuming that your data is out there even despite your best efforts to get it off. The online world is everything from long and strong. Passwords not shared among websites or password managers using two factor authentication which makes it again more difficult for someone to represent that they are you because they do have to go through that extra layer of whether a code is sent to a cell phones or you use biotech. Not biotech but you're using thumbprints eye scans depending upon the particular device you're using. I'm a particular fan of thumbprints. They also multi-factor. Authentication can involve voice prints. Of course the issue is what if, god forbid, someone steals a database of a company where they have your voice prints? That could be a problem too. But again any layer of additional authentication you can add is important. It also means you don't click on every link you see. You don't open every attachment even if you think it's coming from someone you know. I mean, a perfect example, it's a buzzkill. But anytime I get an Ecard from someone, the first thing I do is I call that person and say, I know this is a buzzkill, but did you just say, you don't have to tell me what it says. I'll go do it, provided you confirm you really did it. But again, with the malware that's out there and the ransomware attacks that are going on, you always run the risk that someone you know received something that they opened that they thought was hysterically funny and terrific, and they're sending it to you, but they didn't realize that it had malware on it, and all they've done is they've shared the love and the hack with you. So you do run that risk. That's why it's really important to be very careful where you click what you open. That means, as we talked about earlier, you lie like a superhero when you're sending up questions and answers. That means that you freeze your credit, which is, as we talked about, is free and you can do it. That means that even the humble shredder and I don't mean a ribbon cut shredder, because for those of us who saw Argo as an example, what happens is you can get kids or people hopped up on drugs who will sit there and meticulously tape back up things that have been cut by a ribbon cut shredder. That's why you need a confetti cut shredder or a cross cut shredder, which turns this into little useless pieces of confetti that no one can put back together again. So these are some of the things that you need to think about doing. Or as we also talked about earlier. That's where the third M comes in and it's so important. And that is to contact your insurance agent. Your financial services rep. Or the HR department where you work and say. If I become a victim of an identity incident. Or if I'm worried about it. Or I find out that an organization that I've had a relationship with has been hacked. Are you going to help me through the incident? And that's where it's really important. And a lot of these programs are free, deeply discounted, and worth you signing up for.

Chris Hutchins - 00:56:10:

I'll share a couple of others that I've learned in the past I don't know how many years that some I've employed, some I plan to. I actually have multiple email addresses, so I have an email address that I just used for financial institutions. I have never shared that email with anyone. Only financial institutions know it. I've been recommended, though I haven't, to use a separate one for social media profiles. Yes, that was another recommendation, is to just have different email addresses. Look, if you don't have a password manager, I can only imagine how hard that is. So we're going to go back to your original recommendation, which is everyone needs a password manager. Everyone should be using two factor authentication everywhere they can well, yeah, and you.

Adam Levin - 00:56:52:

Can use Google Authenticator. You can use some of the more the hardware oriented. When we talked earlier, you had mentioned one of them when we talked to them.

Chris Hutchins - 00:57:04:

Yeah. I'm a fan of all of my two factor being one time passwords that you can put in Google Authenticator, Authy, or even one password. Though I had historically been putting all of my one time passwords in one password, I am now realizing, as convenient as it is for them to copy and paste them, the fact that I'm storing my password in the exact same place I'm storing my two factor off inherently makes it no longer two factor because they're in the same place.

Adam Levin - 00:57:34: That's like one a factor.

Chris Hutchins - 00:57:36:

Yeah, I got two types of single factor, so I'll probably actually be changing that. Do you have an opinion on using security keys versus hardware ubiquito plug in security keys versus a Google Authenticator and a app?

Adam Levin - 00:57:52:

Well, there are some people that like it. That like using security keys, but they're generally one account related keys, as I believe you become maybe more than that, but I think it is one.

Chris Hutchins - 00:58:07:

So my Ubico key, I actually use it with Facebook and with Google and with different services. I can have sign up for different services. It's a lot more hassle to have to carry this thing around and plug it in. Obviously, that comes with security, but it's just one where I'm like, I haven't quite determined that it's worth it.

Adam Levin - 00:58:28:

Well, that's why, because that's the issue, is that you may carry it with you, but then if one day it disappears, it's not helpful to you.

Chris Hutchins - 00:58:36:

Yeah. Just keep in mind, if you're using Google Authenticator, you lose your phone, you lose those passwords. Obviously, you can usually recover them with backup codes. I definitely recommend writing down those backup codes or using something like Authy, which is a competitor, but I know they actually store those so you can transfer them between devices. There might be better services. If anyone listening by the way. If anyone listening here has any recommendations that we didn't cover or anything. Please send them to me because I'm actually. Hopefully between now and the time this airs. I'm going to try to put a lot of these into place. Test a lot of these services out. And maybe release another little bonus episode with my feedback from trying to do all of this.

Adam Levin - 00:59:16:

Oh, no, that would be great. Just remember, whenever you write down something, put it in some place secure, you always run the risk. If you use a Post It on your computer and someone breaks in your house, you've just given away another key to the kingdom.

Chris Hutchins - 00:59:31:

Yeah, I think I'm actually going to try. Well, another tip someone gave me is actually not just emailing these White Pages directories online. So if you just Google your name or your last name and your address in quotes. You'll see the websites that are sharing your address. You can reach out to them and get them to remove things. A friend of mine recently told me another suggestion, which is to reach out to the MLS and have your real estate agent do it and have the photos of the house that you purchased whenever it was removed from the MLS. Otherwise, someone has your address. They can also then just go look inside your house, understand the entire floor plan. I'm not saying you're a target of someone understanding the layout of your house, but it seems like information that provides very little value to the world. For people to be able to look inside every room of your house, obviously it's not real time, it's not your cameras. But yeah so that's something I'm going to be doing.

Adam Levin - 01:00:27:

No, that's important. The other thing is you can actually contact, like, Google and Apple and say, could you blur my house from so that if someone is using Maps or whatever, that they can blur it. So it's not so easy to go, oh, I see. That's where Chris lives. Well, that's interesting. I didn't realize he was as close as he is. So these are little tricks of the trade that you can do as well. That is another step towards helping you get your stuff offline or at least less accessible.

Chris Hutchins - 01:01:02:

I'm trying to think of any other ones that I've done or have thought about. I have a second phone number on Google Voice. That if you're using, unfortunately, I don't know why, but it seems like every financial institution doesn't support two factor off or sorry, supports only text message or phone call based two factor off. All of the tech companies seem to support using authenticator and one time passwords. But all of my financial institutions, Chase, Vanguard, they're only text, and it's so frustrating. So I've got my Google voice number that I can use. So I'm not using the number that I've given out to so many people, as you mentioned earlier.

Adam Levin - 01:01:46:

No, listen, that's an excellent idea, is Google Voice for calls. So that if you leave because as we talked about the ubiquity of your cell phone number, it's always good to have another phone number. Another scam that was going on is the Google Voice scam, and that's where you're supposedly doing business with someone online. They go, I don't really know if I can trust you, so I want to know that you're the real you, that this is really your phone number. So I'm going to send you a code, and then I want you to read me back the code. And what they've actually done is they've applied for a Google Voice number using your phone as the point of authentication. And then they will have a code sent to you, and then they will ask you to read them the code, and that then enables them to contact Google. Voice and represent themselves as if they're.

Chris Hutchins - 01:02:49:

You or I've seen the same thing happen with sending an icloud two factor code. They just pretend that it's something else. They say, oh, I want to confirm it's your identity, let me send you a code. And they go to Apple and they go in and say, like, recover my password, send a code. And they just hope that you don't notice that that code actually is from Apple or that code is from your bank or something like that. So I'd say. If you're not dealing with a service where you're 100% sure it's the service. Which means you called them. If Verizon calls you and says. Hey. We'd love to talk to you about your account. We're going to send you a code right now and then we can get in. I would say. Thank you. But let me call six one one back and get a Verizon rep before proceeding.

Adam Levin - 01:03:36:

That goes into the category of no.

Chris Hutchins - 01:03:38:

Yes, exactly. A couple of quick questions just on the computer while we're browsing the internet. Now, the HTTPS is pretty ubiquitous, right? I think if you're not listening sorry. If you don't already know to look for the secures lock, most browsers will throw off errors if they're not there. Do VPNs really matter in these days? I know I've heard plenty of ads for them, but I wonder if now that almost everything we do online is Https. If having a VPN really provides a lot of value, other than maybe like your browsing activity, what types of things you're doing, whether you're streaming from different services.

Adam Levin - 01:04:18:

Well, a VPN also is very helpful when you're, let's say, you're connecting to your business network.

Chris Hutchins - 01:04:24:

Sure, it's good to you if your company has a VPN to get access things, yes. But the idea of if you're at a public WiFi spot, you need a VPN to make sure people aren't stealing your information. My understanding is that with Https being so prolific and secure certificates being free, that that's not really a thing people need to be worried about.

Adam Levin - 01:04:48:

Well, the only issue is that there have been cases of the secure certificates being stolen.

Chris Hutchins - 01:04:54: Okay.

Adam Levin - 01:04:54:

So as a result, a VPN is still a good way to go. I like DuckDuckGo, but there were people that will say to you that if you're going to get a VPN, use one you pay for, because they're less likely to sell your information than ones that one day might share your information that are free. And that goes back to another thing too, which is read privacy policies and understand what the privacy policy is. Terms and conditions. I realize privacy policies in many cases are written in 27th grade English and they're presented to you in mouse print, and there are translators where you can actually go and it'll translate what a privacy policy is. The name of some of them escapes me right now, but this is something we could talk to Travis about, for example, he might be able to give information on that. But again, anything that you can do to mask your identity is a good thing because just even something as simple as location services on your mobile device. Many websites now scramble the things that would be identified by location services, but many of them don't. And the last thing you want is you're publishing pictures, and it shows when and where the picture was taken, especially if it involves people doing things they shouldn't do, like exposing their kids too much to people. Like an example, here we are at sustain such a park, and it's little Susie's second birthday. And if the location services are on and it's not a site that scrambles them. The issue you have is that somebody could show up one day at that park. Find little Susie. And say. I feel so terrible that I missed your birthday. And I told mommy that I'd be over the park today to see you because I have a present for you if you just come with me over there. It's in my car. And then all of a sudden, you have a missing child. So location services, you should be discreet about when you use them, where you use them, and if you can disable them, you do it. Of course, I realize that your GPS system won't work, and if you owe them, so turn them on for that, but be careful, know that they can come back to haunt you.

Chris Hutchins - 01:07:39:

When I got that for the list report, they looked at all the photos that had been published on social media by me, by others around my home address, and all of a sudden there are photos that you didn't know of your friends and your family inside your house and all that kind of stuff. So one of their recommendations was to go back and remove the geo tags from your photos, from everything you've posted online. The only other thing that we didn't discuss from tips that I have are going in and doing an audit of things you've asked to your Google account or your Twitter account or Facebook account. There are so many websites that say, oh, just off your Gmail or just off your Facebook. And some of them, many of them are legitimate, right? I Gmail to Calendly, so I can schedule meetings. But doing an audit every so often of are there services that you've given access to your email or to your social media profiles that you don't use anymore? Or even I noticed that recently, I can't remember what service it was, but it's gotten a lot better, right? It used to be all or nothing authentication. Some of them now say, what do you want to give information? Do you want to give your name or do you want to give your email, or do you want to give full control to post, delete and see everything. And if you authenticated something five years ago, you might not have had the fine grained detail to be able to choose what you give access to. So it could even be worth deleting all of them and redoing them to make sure that you're only authenticating the kinds of information you want to the parties you want.

Adam Levin - 01:09:12:

You're not wrong about that one at all. And you absolutely should do an audit because it's very important to figure out when you're on a particular site where your information is going. I have a good friend who has a new company that he started, which is a privacy company, and what they do is they can scan a website and then show you all of the different places that your data is going, all the different companies that are sucking up your data that you had no idea.

Chris Hutchins - 01:09:45:

And by data, just to be clear, it's usually IP address and activity, not stealing information off your computer and your files and that kind of stuff, right.

Adam Levin - 01:09:54:

But it's still IP address you can identify. And they once proved many years ago they did someone they were able to identify specifically who they were through analyzing their AOL searches, and they were able to actually zero in on the individual. And today people will tell you, give me two or three social media entries and one receipt, and I'll be able to tell you who and where.

Chris Hutchins - 01:10:29:

Yes, I remember I worked at a company that was dealing with location data, and we were talking to a cell phone carrier. And you might not know that just from the towers you're on, on your cell phones. The cell phones carriers are logging all of this data. And unfortunately, at the time, maybe not now. They're willing to sell this data. It doesn't have anything to do with you. It's just there's a device, it's here, but no one knows who. But I remember we did some analysis and it was something like with a reasonable degree of accuracy, you could figure out where any given phone would be at any given time because you had the history of where it had been. Now, thankfully, that information was anonymous to the person, but if you said you could say, this phone that's often at this address is likely to be here, it was a little too much. I don't want to get people too scared, though, right. You could listen to this and say, oh my gosh, my kids are going to get abducted. People are going to find me. They're going to see everything in my house. What message do you have to people that are maybe will help them get out of that feeling of leaving this, thinking everything's coming to an end, I should turn off all my technology and never leave the home.

Adam Levin - 01:11:38:

Well, interestingly enough, I've had someone say, well, thank you, Adam. Now that I've listened to you, you speak, I'm going home. I'm going to disconnect everything. I'm going to burn off my fingerprints, and I'm going to hide under my mattress. I said, but you can't do that unless you're living under a bottle cap at the bottom of Loon Lake and you're completely off the grid, which nobody is you're out there. So the question is, just be alert, know what the threats are, know what the red flags are, and then practice, for example, the three M's. Do everything you can to minimize your risk of exposure. Like, for example, when you get a new Internet of Things device, which most things are these days, change the password. Most of them come with manufacturer default passwords, and probably 98% of those passwords are for sale on the dark web. So change the password to something long and strong. Just read the manual. We'll tell you how to do it. Just like when you get your router and make sure that the password is what you want it to be, not what someone else wants it to be. And make it as complex as possible. Or use a password manager to help you with the whole thing. It's really all about two things that people have to understand. Number one, we all have day jobs. We work, we raise families. We're involved in educational activities, philanthropic activities. We own companies, we're busy. That keeps us excited, interested, but also diverted. And to a hacker who's not diverted, we are their day job. This is what they do. And in some countries, they commit at eight. They have their lunch break. They go home at 430 or 500 in the afternoon, and it's a job. And they're working for the government. That's how they raise money. That's how they conduct espionage. Others work around the clock and do what they do. But it is their day job. And the second thing to understand is, when you look in the mirror, you see you, and you go, why would anyone in the world want to steal my identity? Why would anyone care? And the answer is simple. You see you. But when they see you a hacker, a scammer, an identity thief, they see Jay Z, Beyonce, Adam Levin, they see somebody who's got something they want that can enrich their lives. Or and this is not to offend anyone, it's not you thereafter, but it's your spouse, your child, your parent. An organization that you're involved with, a company that you work for. And you are simply the conduit to get them to whoever or wherever they want to get to. So this is why it's extremely important that you really focus on cyber hygiene. Just like you go to doctors, you go to dentists, you do things that you do to stay healthy. You have to maintain a healthy cyber environment because you're protecting yourself, your family, possibly your company, your coworkers, and millions of innocent consumers that may be doing business with your company. There was a concept that was raised a couple of years ago by the CEO of Microsoft and I think he was dead right. It's called shared responsibility. It's that we know that business hasn't done enough, we know that government hasn't done enough and we know consumers haven't done enough to protect each and every one of us from the ravages of cyber issues or identity theft or ransomware. And each of us has a role to play. And with consumers, we didn't ask for it, we're not trained for it, and it's certainly not something we want, but it's a reality of where we are, what we do, who we are and the world we live in. And therefore it's incumbent upon each and every one of us to do our part because we could be protecting a whole lot more people than just ourselves by doing the right thing when it comes to cybersecurity. But it's not something that you need to be terrified of because it's reality. You're not going to escape it. So as a result, it's a question of just like they say with COVID, we got to live with it. So when it comes to cybersecurity, we have to live with it. It is not an individual sport, it is a group sport, it's team. And in addition to which, you can't take a victory lap for cybersecurity because you could be completely secure at 09:00 in

the morning and suddenly exposed at 901 because somebody clicked the wrong link, opened the wrong attachment, gave the wrong information to somebody. So if we kind of stick together, work with each other, collaborate, communicate, cooperate, we're going to be better off for it. And I think there's a much more collegial attitude now when it comes to cybersecurity than ever before.

Chris Hutchins - 01:16:56:

And like you said earlier, with all the information out there, it's only a matter of time before someone decides to pick you as a target.

Adam Levin - 01:17:04:

That's right, you win the lottery. One you didn't even enter.

Chris Hutchins - 01:17:07:

Yeah, but I'd say if you can make yourself a harder target by doing a lot of the stuff we talked about today, then you just move yourself further and further down that list where someone says, this person's information isn't very easy to find online. Let's just skip to the next person where their address? Takes me a second to find it's.

Adam Levin - 01:17:25:

Like the whole issue. If you're a burglar, do you break into the house where there's no dog or one where there is a dog, where you might not be sure that you're going to come out with both legs? So it's important to do that. And a very important rule of thumb, anytime that anybody contacts you about anything and asks you to authenticate yourself for any reason, however plausible or logical it is, hang up. It's one thing if you contact them and they're an organization trying to do the right thing and they're asking you to authenticate yourself, but if they contact you, no good.

Chris Hutchins - 01:18:10:

Great parting advice. So thank you so much for being here. Where can people stay on top of everything you're learning, all of the latest conversations you're having.

Adam Levin - 01:18:20:

Well, come to Adam Levin.com, which is where we put a lot of information about the newest scariest. Maybe not so scary, but things you need to know. We have that on the website. Come to What the Hack with Adam Levin. You can get it anywhere. You get your podcasts. Think of it as car talk for cyber. There are three of us. We try to have a lot of fun with it. We focus on a lot of important issues. We bring people on who have either been victimized or have managed to avoid victimization when it comes to cyber or identity theft. And there are a lot of lessons to learn. And the whole thing is that this is where scaring is caring and sharing is caring, is that the more people that are willing to tell their stories about what they went through and what the red flags were and how to avoid it, the better it is we all gain.

Chris Hutchins - 01:19:22:

Well, I'm looking forward to joining you and talking about the fact that people always overlook their frequent flier accounts. I think, let's lock down my bank account. But especially for this audience. You build up credit card points. You build up miles. To have someone go in and take a flight or drain them to buy a computer is the worst. And I've dealt with it.

Adam Levin - 01:19:41:

No, it's not fair. You've you did the work to get it. Why should somebody get the benefit of your effort?

Chris Hutchins - 01:19:48:

Thank you so much for being here. I really appreciate it. And I enjoyed the conversation.

Adam Levin - 01:19:53:

Well, thanks for inviting me. I enjoyed it very much. Let's do it again.