Tag Archive for: Data Protection

When Caller ID Lies: How the New Zelle Scam Works

I’ve written about hundreds of scams. Crypto. Pig butchering. Nigerian-princes so obvious they wear plastic crowns studded with costume jewelry. But there’s a new one, and unfortunately for victims, it’s working incredibly well. 

Your phone rings. The Caller ID says “Wells Fargo.” The person on the line knows your name and says they’ve detected suspicious Zelle activity—money being sent to Las Vegas on a new bank account established in your name. Uncharacteristically, they give you information instead of asking for it. Case numbers. Cancellation codes. A long reference ID that you carefully note.

The scammer’s first secret is to overwhelm our brains with data, because we trust details. 

How do I know this isn’t fraud?” you ask. The response is deviously reassuring : “You’re right to be concerned, so let me transfer you to my supervisor. Please be advised that Wells Fargo will never ask for your password.” 

The scammer’s second secret is to mention security and pass you on to higher authority, a tactic to put you at ease so you take your eye off the ball. 

The supervisor comes on. Different voice. Confident. But you’re still suspicious, because you dutifully watch John Sileo’s videos! 😀

The supervisor asks you to google the phone number of the bank branch in your neighborhood. Which you do. The number matches the caller ID on your phone. You know it’s easy to spoof a phone number and use AI to gather personal details, but you’re already invested and the longer you’re on the phone, the more your guard lowers.

The supervisor says it’s easy to reverse the transaction together. And that’s the moment… 

When they start asking you to DO SOMETHING, the alarm bells should ring. There is no “together” in banking. The bank has all the power. All of the information. 

If you hadn’t just hung up, they’d tell you to open Zelle or Venmo and enter an amount: $3000. Then, instead of a phone number, they ask you to enter the “case number” they’ve given you, but to delete the letters off the front end. Which turns it into a 10-digit phone number to which you are transferring money.

Scammers lull their victim into the “task performance” zone, where they are more focused on completing steps than thinking critically.  

This scam, like nearly every type of cybercrime I speak on, isn’t about hacking technology. It’s about momentarily hacking human attention using urgency, authority, cognitive overload and real-life data. And the only effective answer is to build a proper anti-fraud reflex before the call comes in.  

Let’s strengthen your cyber-defense muscle by training people to think critically, recognize red flags, and stay one step ahead of fraud. If your workplace, organization, or community could benefit, let’s explore the options together. Email [email protected]

 

Hacked Minds, Not Systems: Why AI-Powered Fraud Is the New Cybersecurity Crisis

Ransomware hasn’t disappeared—it has evolved. Today’s threat is more sophisticated, more scalable, and far more dangerous: cyber-enhanced fraud. Powered by AI, attackers are no longer just targeting systems—they’re targeting people. And unlike software, humans don’t receive automatic security updates.

While organizations have invested heavily in strengthening their technical defenses, most remain critically vulnerable on the human side. In fact, an estimated 90% of organizations are unprepared for AI-driven, conversation-based attacks that exploit trust, urgency, and authority.

The solution isn’t more alerts or more tools. It’s better human judgment.

That’s where the “Hogwash and Verify” framework comes in—training individuals to instinctively question suspicious requests and verify them through trusted channels. When skepticism becomes a reflex, organizations can prevent catastrophic mistakes before they happen—like a fraudulent $100 million wire transfer.

The New Cyber Reality: From Ransomware to Human Hacking

For years, ransomware dominated the cybersecurity conversation. High-profile breaches demonstrated just how costly system vulnerabilities could be. But today’s attackers have found a more efficient path: bypassing systems entirely and manipulating people instead.

Why? Because it’s easier.

Rather than breaking through firewalls, cybercriminals are exploiting the most unpredictable—and often least protected—part of any organization: human decision-making. A convincing message, a sense of urgency, or a familiar voice is often all it takes.

Compounding the risk is a major insurance gap. Many organizations assume they’re protected, only to discover that policies often exclude losses resulting from “authorized” actions—like an employee willingly transferring funds based on a fraudulent request.

How AI Is Supercharging Cybercrime

Artificial intelligence has dramatically lowered the barrier to entry for cybercriminals while increasing the effectiveness of their attacks.

  1. Eliminating Red Flags
    Gone are the days of obvious phishing emails riddled with typos. AI enables attackers to craft polished, professional, and highly convincing messages—removing the friction that once made scams easier to spot.
  2. Deepfake Technology
    Attackers can now replicate voices and video with alarming accuracy. In one case, an employee transferred $25 million after attending a live video call featuring a deepfake of their CEO.
  3. Scalable Personalization
    AI allows criminals to conduct deep research on employees in seconds. From LinkedIn profiles to company announcements, attackers can tailor messages that feel personal, relevant, and legitimate—making phishing and smishing attacks far more effective.

The Human Defense: “Hogwash and Verify”

To counter these evolving threats, organizations must equip their people with a simple, repeatable mental model:

  1. Hogwash (The Trigger)

This is the instinctive reaction. Any unexpected request involving money, sensitive data, or credentials—especially those marked urgent—should immediately raise suspicion.

Think of it as building a reflex:
Pause. Question. Assume it could be fraudulent.

  1. Verify (The Response)

Once suspicion is triggered, verification must follow—but not through the same channel.

  • Don’t reply directly to the message 
  • Don’t click the provided link 
  • Use a trusted, independent method (like calling a known number) to confirm the request 

This simple two-step process creates a powerful safeguard against even the most sophisticated attacks.

Lessons from the Real World

The impact of cyber-enhanced fraud is already playing out across industries:

  • MGM Resorts suffered a $110 million loss after a hacker manipulated an IT help desk into resetting credentials. 
  • A fraudulent website mimicking Tesla’s branding successfully tricked users into handing over sensitive login information. 
  • In a near-miss at Ferrari, an executive noticed something subtle—a slight inconsistency in tone during a deepfake video call. By asking a personal question only the real CEO could answer, they prevented a major financial loss. 

These examples highlight a critical truth:
Technology alone doesn’t stop attacks—people do.

The Bottom Line

Right now, AI is giving attackers the advantage. They move faster, adapt quicker, and operate without regulatory constraints. While defensive technologies continue to improve, they are not enough to address the growing threat of human-targeted attacks.

Your strongest line of defense isn’t another tool—it’s a trained, alert, and empowered workforce.

Organizations that teach their teams to stop, slow down, and think will have a decisive edge. Because in a world of AI-driven deception, the ability to question, verify, and act with intention is what prevents the next major breach.

And sometimes, all it takes is one person saying:
“This doesn’t feel right.”

 

Want help putting these safeguards in place? Let’s talk: [email protected]

 

 

Are Your Employees Accidentally Leaking Sensitive Data to AI?

In today’s fast-paced, AI-everywhere world, connecting tools like ChatGPT, Gemini, or Claude to your company’s cloud storage—Google Drive, Dropbox, OneDrive—feels like the smart move.

💡 Automate more.
🧠 Think less.
⚡ Move faster.

But here’s what too many companies don’t realize: These integrations, while convenient, can quietly open the floodgates to serious security and privacy risks.

The Unseen Risks Lurking in AI Integrations

When your team links AI tools to company drives, they might think they’re granting access to a single file — but they could be giving away the keys to the whole kingdom.

Take Microsoft’s OneDrive File Picker, for example. Thanks to the way OAuth permissions work, an AI app might get read access to your entire OneDrive, even if the user only intended to share one folder. 😬

Even more concerning? Integrations with ChatGPT and other AI tools can pull sensitive data—financials, HR records, trade secrets—straight into responses, or worse, into training datasets.

And cybercriminals? They love complexity and blind spots. AI integrations are becoming a new playground for exploitation and backdoor entry.

How to Protect Your Data Without Ditching AI

Let’s be clear: we’re not saying ditch AI tools. The productivity gains are real. But you can (and should) use AI responsibly. Here’s how:

1. Limit Access to Only What’s Needed

Don’t link an entire shared drive. Seriously.
Instead, grant access at the folder level, and only to the files needed for a specific task. Less access = less risk.

📚 OpenAI’s documentation backs this up.

2. Opt Out of AI Model Training

Every time your team chats with ChatGPT, they could be sharing confidential data. By default, that data might be used to train future models.

But there’s good news:
You can turn that off.

Go to Settings > Data Controls and uncheck “Improve the model for everyone.”
✅ No more data sharing.
✅ More peace of mind.

As OpenAI spokesperson Taya Christianson put it: “We give users multiple easy-to-access ways to control how their data is used.”

And if you’re an enterprise customer? Your data isn’t used for training at all—unless you say so.

Even with images (yes, DALL·E fans), you can opt out of having them included in future model training via a simple form. Got a lot of content online? Use a robots.txt file to block AI crawlers. Most major AI companies honor it.

3. Stay Compliant (Seriously)

Working in finance, healthcare, or law? Regulations like HIPAA, GDPR, or CCPA aren’t optional.

Regular audits, encryption, and clear data retention policies should be baked into your AI strategy from the start.

4. Audit & Revoke Access Regularly

Set a calendar reminder. Seriously. Do a quick monthly check on what’s connected, who has access, and whether those tools are still needed.

And if something looks fishy? Revoke access immediately.

✅ Bottom Line: Use AI, But Use It Wisely

AI tools can transform how we work — but without proper oversight, they can also become massive liabilities.

With the right guardrails in place, your organization can unlock the full power of AI without putting your most valuable data at risk.

Because when it comes to data breaches?
Preventing one is a lot cheaper (and less embarrassing) than cleaning up the mess after.

Want help putting these safeguards in place? Let’s talk: [email protected]

Your 23andMe DNA Is Up for Sale: Here’s How to Protect It Before It’s Too Late

If you’ve ever submitted your DNA to 23andMe, now is the time to act. The company has filed for bankruptcy, and buried deep in their user agreement is a disturbing clause: they can sell your genetic data to whoever offers the highest bid. And that’s not a hypothetical—at one point, a major pharmaceutical company was the highest bidder for millions of profiles. Your DNA, including markers for disease risk, ancestry, and physical traits, could soon belong to corporations, insurers, or even foreign governments—all without your explicit consent.

Here’s the problem: HIPAA doesn’t apply. Genetic testing companies like 23andMe aren’t bound by the same privacy protections as your doctor’s office. That means your most intimate biological data—your blueprint—can be sold off with fewer restrictions than your medical records from a routine check-up. Imagine a world where insurers hike your rates based on a gene you didn’t know you had. Or a world where governments use inherited markers to surveil or discriminate. That world is a lot closer than you think.

But you still have a window to protect yourself. The good news? You can download your data and delete your account before it changes hands. This includes requesting that your physical DNA sample be destroyed. Here is a step-by-step guide:

To completely delete your data:

  1. Log into your 23andMe account and navigate to “Settings.”
  2. Scroll down to the bottom to “23andMe Data” and click “View.”
  3. Scroll down to the bottom of this page and add your birthdate. Click “Delete Your Data.” You will then be taken to another page where you will choose “Permanently Delete Data.” This begins the irreversible process of removing all your genetic information from 23andMe’s systems.
  4. You should receive a message stating that 23andMe received your deletion request, but you need to confirm it by clicking a verification link sent to your email address. This two-step process is designed to prevent accidental deletions.
  5. Access the email titled “23andMe Delete Account Request.” Click the “Permanently Delete All Records” button at the bottom of the email. You will be taken to a confirmation page that states “Your data is being deleted.”
  6. After completing these steps, you should receive a final confirmation email from 23andMe acknowledging that your data deletion request has been processed. Keep this email as documentation of your deletion request.
  7. If you don’t receive confirmation within a reasonable timeframe (typically 30 days), contact 23andMe customer service directly to ensure your deletion request was properly processed.

The implications of this go far beyond 23andMe. This moment is a wake-up call for every person who’s handed over their DNA to a private company. Even if you didn’t, a close relative might have—and your genetic data overlaps with theirs. Once it’s out there, it’s nearly impossible to reclaim.

The 23andMe bankruptcy shows us how vulnerable we really are when it comes to genetic privacy. So take control while you still can. Download your data. Delete your account. And demand that companies treat your DNA with the same respect as your identity—because that’s exactly what it is.

Concerned about how your team is handling security threats like this—and the dozens more we face every day? Let’s start the conversation. Reach out at [email protected].

A Wildly UN-BORING Cybersecurity Awareness Month: How to Make Security Training People Actually Want to Attend

When most employees see Cybersecurity Training pop up on their calendars, their first instinct is to feign a mysterious illness. It’s no wonder: Cybersecurity Awareness Month (CSAM) has earned a reputation for being the corporate equivalent of watching paint dry. But in a world where cybercriminals are evolving into full-fledged criminal enterprises—complete with HR departments and holiday parties—it’s time we gave security training the glow-up it desperately needs.

Here’s how to make this October’s CSAM wildly un-boring—and, more importantly, wildly effective.

1. Make the Fundamentals Feel Like Insider Intel

You lose your audience the moment you start with “password hygiene.” Instead, open with urgency: “Here’s how hackers used A.I. to steal $1.7 billion in crypto and hijack patient health records.” That’s when eyes open and pens come out.

While the fundamentals are still the most critical defense (hello, multi-factor authentication), don’t present them as basics. Frame them as the “stuff hackers don’t want you to know”—because that’s exactly what they are. Dress up the content in compelling narratives and real-world stakes.

Even better? Gamify it. Turn MFA adoption into a “Least Hackable Department” contest. Security becomes a game. Engagement goes through the roof.

2. Make AI the Villain—With a Plot Twist

If you want to grip your audience, give them a good villain. In 2025, that villain is AI. Show how it’s being used to craft eerily convincing phishing emails, generate ransomware code, and create deepfakes that could fool a world leader.

But don’t just lecture—show it. Host an internal “phishing competition” where teams use AI to create their own deceptive emails (with ethical guardrails). This type of hands-on learning sparks lasting behavior change.

Then flip the script. Reveal how AI can also be a defender—spotting malicious links, identifying deepfakes, and analyzing unusual activity. That’s your plot twist: AI is both the villain and the superhero.

3. Turn Humans Into Heroes, Not Punchlines

Yes, most breaches begin with human error—but beating people over the head with that doesn’t help. Instead, reframe employees as your “human firewall.” Share stories of real workers who spotted scams and thwarted attacks by trusting their gut.

Create a “Security Champion of the Month” program. Recognize vigilance with visibility and rewards. People want to be heroes, not the next cautionary tale in a team meeting.

You can even run security-themed escape rooms, scavenger hunts, or “spot the phish” challenges. When people are engaged, they’re more likely to remember—and apply—what they’ve learned.

4. Say Goodbye to Digital NyQuil

The fastest way to destroy security culture? Slap together a generic slideshow and a monotone narrator. Instead, embrace “edutainment.” Bring in a social engineering expert. Run live hacking demos. Host casual AMAs with your security team.

And above all, make it personal. Show how these principles protect not just the company, but employees’ private photos, banking info, and digital identities. When people see the personal value, professional compliance follows naturally.

Serve content in bite-sized portions—a weekly 5-minute tip beats a two-hour snooze-fest every time.

Final Thought: Don’t Be Boring

Cybercriminals are dynamic, creative, and relentless. If your defense strategy is static, dull, and forgettable… they’ve already won.

Cybersecurity Awareness Month is your moment to flip the script—transforming training from something employees dread into something they remember, apply, and maybe even enjoy.

Because when it comes to cybersecurity, boring is the biggest risk of all.

John Sileo is a high-energy cybersecurity keynote speaker and award-winning author who turns boring security training into unforgettable, action-inspiring experiences. If you’re ready to make security awareness stick—and actually get people to care—reach out and start the conversation: sileo.com/contact-us 

When Encryption Isn’t Enough: How Human Error Undermines Even the Best Security Tools

In the realm of cybersecurity, we often focus intensely on technical solutions—better encryption, stronger firewalls, and more sophisticated intrusion detection. Yet, time and again, the most significant security breaches don’t come from technical failures but from something far more difficult to patch: human behavior.

The Signal Incident: A Case Study in Human Error

The Trump administration recently provided a perfect example. Top officials, including Vice President JD Vance and Defense Secretary Pete Hegseth, used Signal—an encrypted messaging app widely considered highly secure—to discuss detailed plans for airstrikes against Yemen’s Houthi militants. Then, they accidentally added a journalist from The Atlantic to the chat.

These weren’t junior staff discussing lunch plans. These were high-ranking officials planning military operations using an app on their personal devices—compromising that information through a simple mistake. President Trump later acknowledged the issue, stating, “Generally speaking, I think we probably won’t be using it very much.” An understatement, to say the least.

Encryption ≠ Security

Signal was doing exactly what it was designed to do—providing end-to-end encryption that ensures messages are scrambled on one device and can only be unscrambled by the recipient. However, as this incident highlights, encryption alone does not equal security.

National security experts pointed out that discussing classified information on consumer apps is a major security breach, regardless of how secure the app is. Conversations about military operations should take place in Secure Compartmented Information Facilities (SCIFs), where cell phones are banned. The government’s secure communication tools have strict access controls, preventing unauthorized users from being added to conversations.

The Convenience vs. Security Tradeoff

Why would top officials bypass these secure systems in favor of a consumer app? The answer lies in a challenge familiar to every security professional: secure solutions are often less convenient. Government-approved communication tools are likely clunkier and more restrictive than sleek consumer apps like Signal. However, that inconvenience is often the price of true security.

Shadow IT: A Persistent Risk

The Signal incident highlights a broader problem in organizations: shadow IT. Employees often turn to unauthorized tools because official solutions feel cumbersome. This creates significant security vulnerabilities, regardless of how secure these shadow tools claim to be.

Building a Culture of Security

Technical solutions alone won’t fix human error. Organizations must:

  1. Make security personal—showing employees how breaches affect them directly.
  2. Design for human behavior—implementing user-friendly security measures.
  3. Train on real scenarios—using case studies and hands-on exercises.
  4. Make security visible—rewarding security-conscious behavior.
  5. Lead by example—ensuring executives follow security protocols.

At the end of the day, even the best encryption can’t protect against human mistakes. True security requires a cultural shift—one where individuals take personal responsibility for safeguarding sensitive information.

With two decades of experience helping organizations build security-focused cultures, John Sileo is passionate about empowering people to take ownership of data security, both personally and professionally. His approach bridges the gap between technical controls and human behavior to create security systems that actually work in the real world. Call 303.777.3222 or contact us to inquire about booking John for your next meeting or event.

Identity Theft for Businesses: Mobile Data Breach

Mobile Data Theft

Technology is the focal point of data breach and workplace identity theft because corporations create, transmit, and store so many pieces of information digitally that it becomes a highly attractive target. This book is not intended to address the complex maze that larger organizations face in protecting their technological and digital assets. Rather, the purpose of this book is to begin to familiarize business employees, executives, and vendors with the various security issues facing them.
The task, then, is to develop a capable team (internal and external) to address these issues. In my experience, the following technology-related issues pose the greatest data-loss threats inside organizations:

  • Laptop Theft: According to the Ponemon Institute, 36 percent of reported breaches are due to a lost or stolen laptop.
  • Mobile Data Theft: Thumb drives, CDs, DVDs, tape backups, smart phones
  • Malware: Software that infects corporate systems, allowing criminals inside these networks
  • Hacking: Breaking into your computer system from the outside, using networks, wireless connections, remote access, and your Internet pipeline
  • Wireless Theft: Wireless connections to the Internet in airports, hotels, cafes, and conferences
  • Insider Theft: When someone in the IT department (or elsewhere) decides to make extra money by selling your data

According to the Ponemon Institute, ‘‘Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing, or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study, the per-victim cost for a data breach involving a lost or stolen laptop was just under $225, over $30 more than if a laptop or mobile device was not involved.’’ Continue Reading….

The post above is an excerpt from John’s latest book Privacy Means Profit. To learn more and to purchase the book, visit our website www.ThinkLikeASpy.com.

Privacy Means Profit

Prevent Identity Theft and Secure You and Your Bottom Line

This book builds a bridge between good personal privacy habits (protect your wallet, online banking, trash, etc.) with the skills and motivation to protect workplace data (bulletproof your laptop, server, hiring policies, etc.).

In Privacy Means Profit, John Sileo demonstrates how to keep data theft from destroying your bottom line, both personally and professionally. In addition to sharing his gripping tale of losing $300,000 and his business to data breach, John writes about the risks posed by social media, travel theft, workplace identity theft, and how to keep it from happening to you and your business.

Identity Theft of H&R Block Customers | Sileo Group

The number of identity theft victims rose 22% last year! Although it’s important to always protect your identity, tax season makes people more vulnerable to this crime and you should be especially cautious.

H&R Block identity Theft

A recent article in the New York Times uncovers an H&R Block office in the Bronx that was infiltrated by identity thieves (apparently it was not the only office affected).

Last year, Kevin Johns, a construction worker in the Bronx, did his taxes at the H&R Block store on Riverdale Avenue that he had used for the past 20 years or so. The next day, though, he got a call from the tax preparer: his return was rejected because he had already filed. Or at least, someone had filed in his name. That someone helped himself or herself to a $8,499 refund.

Sharon Hawa, a disaster-relief coordinator with the Red Cross and another longtime customer at the same office, had a similar experience. Ms. Hawa said she went to have her taxes done, only to be told that someone had already e-filed her taxes and collected $6,145.

Both Ms. Hawa and Mr. Johns said they were told by police detectives investigating their cases that at least 20 customers of the branch and possibly many more had been robbed by identity thieves who were very likely H&R Block employees. Both said the fraudulent filers used their previous year’s adjusted gross incomes as proof of identity.

Top Tips for Tax Time Identity Theft Protection Safe Preparation

Your greatest risk of identity theft during tax season comes from your tax preparer. In this case it was because they are dishonest, but sometimes it is because they are careless with your sensitive documents. Just ask yourself how easy it would be for your tax preparer or anyone in their office to walk off with a few client folders containing mounds of profitable identity. Here are a few effective solutions:

Choose your preparer wisely

How well do you know the person and company preparing your taxes? Did they come personally recommended, or could they be earning cash on the side by selling your personal information. Do they have an established record and are they recommended by the Better Business Bureau? Don’t be afraid to ask for references.

Interview your preparer before you turn over sensitive information. Ask them exactly how they protect your privacy (do they have a strong privacy policy?). Are they meeting with you in a room full of client files, or do they take you to a neutral, data-free, conference room or office? Do they leave files out on their desk for the cleaning service to access at night, or do they lock your documents in a filing cabinet or behind a secure office door? Do they protect their computers with everything listed in the next section?

Asking professional tax preparers these questions sends them a message that you are watching. Identity thieves tend to stay away from people they know are actively monitoring for fraud. Remember, losing your identity inside of their accounting or bookkeeping business poses a tremendous legal liability to their livelihood. When it comes to the case with H&R Block it causes a huge loss of clients due to a damaged reputation.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

[youtube https://www.youtube.com/watch?v=A0fcQyqBtfQ&rel=0]