2860: AI Deception: Combating Phishing and Deepfakes in Election Season

[00:00:00] Have you ever pondered the profound impact of technology on our democratic process?

[00:00:07] Because this year roughly half of the planet will be voting in an election.

[00:00:13] The digital battlefield becomes increasingly complex, making it a fertile ground for cyber

[00:00:19] threats targeting unsuspecting voters.

[00:00:22] So because of this today I want to dive into a critical conversation with Andrew Newman

[00:00:27] CTO and co-founder of Reason Labs.

[00:00:31] But Reason Labs is a cybersecurity firm at the forefront of protecting consumers with enterprise

[00:00:37] grade solutions.

[00:00:39] And Andrew has over two decades of experience that he's going to be bringing to the table

[00:00:43] and providing us with invaluable insights into the evolving landscape of cyber threats

[00:00:49] from sophisticated phishing attacks, utilizing AI generated content to the rampant spread

[00:00:55] of deep fakes.

[00:00:57] Andrew is here to guide us through these murky waters of cybersecurity during an election

[00:01:03] season.

[00:01:04] But how can we as a society fortify our defences against these insidious attacks?

[00:01:10] Well today I invite you to join me on the front lines of digital security with an expert

[00:01:15] who's leading the charge in safeguarding our democratic integrity and so much more.

[00:01:21] Now before I get today's guests on it's time for me to mention the sponsors of Tech Talks

[00:01:27] Daily and in an era where digital security is non-negotiable, legacy managed file transfer

[00:01:33] tools they simply don't cut it now.

[00:01:35] So that's where KiteWorks comes in.

[00:01:38] Revolutionizing the MFT landscape with unparalleled security credentials including

[00:01:44] the much coveted FedRAMP moderate authorization.

[00:01:47] So with KiteWorks you can benefit from advanced file sharing, email security and customizable

[00:01:53] integrations all within a platform designed to safeguard your most sensitive data.

[00:01:59] So don't let outdated technology compromise your security.

[00:02:02] Step into the future of secure managed file transfer.

[00:02:06] Get started today by going to kiteworks.com that's kiteworks.com where security meets

[00:02:12] sophistication but now it's time to get today's guests on.

[00:02:16] So buckle up and hold on tight as I beam your ears all the way to New Jersey where Andrew

[00:02:21] Ease is waiting to share his insights.

[00:02:25] So a massive warm welcome to the show.

[00:02:28] Can you tell everyone listening a little bit about who you are and what you do?

[00:02:32] Hey Neil, thanks for having me.

[00:02:33] It's actually great to talk to you and I've been an avid podcast listener for

[00:02:38] you for years now and I'm happy to say I'm very excited to be on the show.

[00:02:42] So I'm Andrew Newman.

[00:02:43] I'm the co-founder and CTO of Reason Labs.

[00:02:46] I've myself been in the cybersecurity industry for over two decades now started back in the

[00:02:51] early early 2000s, co-founded a company called Giant which was acquired in 2004 by Microsoft

[00:02:59] and Microsoft I helped develop and architect their initial foray into consumer cybersecurity

[00:03:04] protection created Microsoft anti-spyware and then later Windows descender and I

[00:03:08] help head up the team.

[00:03:10] I left Microsoft about a decade ago and started Reason Lab.

[00:03:14] Now Reason Labs is 100% a consumer focused anti malware company.

[00:03:19] We currently have tens of millions of users on our product.

[00:03:23] And what we kind of focus on is providing identity and security protection under the

[00:03:28] scope of anti malware, anti virus for the consumer market.

[00:03:31] We don't focus on enterprises.

[00:03:33] We don't focus on businesses.

[00:03:35] It's strictly in the consumer market.

[00:03:37] And the reason we do that is because we saw a huge gap in the last decade around the where

[00:03:43] the AV space was going and what the AV companies, AV anti virus companies were providing to

[00:03:47] consumers.

[00:03:49] So what happened about a decade ago, we saw massive exodus in technology from the

[00:03:54] consumer space to the enterprise space.

[00:03:56] And the reason that was because obviously enterprises need protection was sophisticated

[00:04:01] at malware threats that have been happening, ransomware to you name it nation states

[00:04:06] attacks on the enterprises.

[00:04:08] They've been pouring in billions and billions of dollars.

[00:04:10] So obviously, you know, a lot of these companies are going to go where the money is and they've

[00:04:14] been investing some incredible resources and technology into building anti virus, anti

[00:04:19] malware for the enterprises.

[00:04:21] And what we saw was a pretty large gap in the market where consumers weren't

[00:04:26] benefiting from the same level of protection that enterprise were experiencing.

[00:04:31] But we're also getting the same type of sophisticated attacks against them in one

[00:04:35] form or another.

[00:04:36] So what we decided to do is kind of figure out ways to apply the next generation

[00:04:40] anti virus technologies to the consumer market.

[00:04:44] So we spent about a decade building technology and building solutions around

[00:04:47] that. And what we have is an endpoint protection product that basically has an

[00:04:53] EDR solution that is able to do what next gen AV does today on the

[00:04:58] enterprises for a fraction of the cost.

[00:05:00] And this is kind of where our patent pending technology exists is that

[00:05:05] today, if you look at the enterprise market and the EDR, they provide, they're

[00:05:09] protecting a million or so endpoints.

[00:05:11] And there's a huge cost associated with the amount of data that's flowing over

[00:05:15] the network and the ability to manage and deal with all that infrastructure

[00:05:21] is very cost prohibitive to the consumer market.

[00:05:27] So if you're protecting tens of millions of users, that cost could end up

[00:05:30] being a couple of dollars at end point.

[00:05:32] And it's not really doable on the consumer side to do that because you have

[00:05:37] a lot of free consumers and consumers just aren't willing to pay what enterprise

[00:05:41] do. So anyway, what we developed over the years was a solution that provides

[00:05:44] that same level of data aggregation and collection, monitoring on the

[00:05:48] consumer front.

[00:05:50] And what we provided is technology to build a lot of that protection

[00:05:55] is on the behavioral and dynamic detection front as opposed to where

[00:06:00] the current consumer AV is still focused on static detection and

[00:06:03] signature and some dynamic stuff, but mostly on the old school static stuff.

[00:06:08] So anyway, so that's a little bit about reason to myself.

[00:06:11] And I'm sorry, I went probably way too far on that.

[00:06:14] No, not at all.

[00:06:15] It's a huge pleasure to have you on the podcast.

[00:06:17] And there's so much I want to talk with you about today.

[00:06:20] And what makes it a special treat for me is that you have been

[00:06:23] a listener for the show for many years.

[00:06:25] And that's one of the reasons I always ask at the end of every

[00:06:27] episode, getting contact with me, come on the show.

[00:06:29] We'll have a chat and I've heard there's what three, four thousand

[00:06:32] miles difference between us right now.

[00:06:35] I think globally more voters than ever in history will head to the polls

[00:06:41] for elections.

[00:06:41] It is in the US, the UK and 64 countries plus

[00:06:47] from around the world and the European Union will be representing

[00:06:51] a combined population of 49 percent of the world.

[00:06:55] Now, the reason I bring this up is what would you say are the

[00:07:00] the main cyber threats that voters should be aware of?

[00:07:03] And how have they evolved from previous years?

[00:07:05] Because there's a lot of talk about the US and the UK, but it eats

[00:07:09] so much bigger than that, isn't it?

[00:07:11] Yeah, no, it's a great question.

[00:07:12] And what's happened over the last few years is a bit concerning

[00:07:15] because what we've seen are cyber threats have significantly

[00:07:18] involved in the last few years, right?

[00:07:21] There they became very sophisticated through their

[00:07:24] different infection techniques, social engineering techniques,

[00:07:27] their delivery, all the different methodologies to effect

[00:07:31] you have evolved significantly in those last couple of years

[00:07:33] since at least on the US side in the last four years since

[00:07:36] the last election.

[00:07:37] So it's a very concerning, right?

[00:07:39] We've seen on like the malware side of things, it's a lot

[00:07:42] harder for traditional anti viruses on the consumer side

[00:07:45] to detect and protect against a lot of these threats.

[00:07:48] They're using sophisticated methods like living off

[00:07:50] the land and supply chain attacks.

[00:07:52] We see a lot more zero day vulnerabilities being utilized

[00:07:55] like consumer endpoints that used to just be reserved

[00:07:58] for the enterprise markets.

[00:07:59] You know, and what we're also seeing is a lot of these tried

[00:08:02] and true techniques that have that attackers have used

[00:08:05] on the enterprises are now they're now bringing them

[00:08:07] to consumers because they know they work and they know

[00:08:10] they can't be defended against.

[00:08:11] So on the malware side, we're seeing a lot of sophistication,

[00:08:14] you know, much more than we saw four years ago

[00:08:17] that on the delivery and social engineering side,

[00:08:20] which we'll probably get into in a little bit,

[00:08:22] you know, we're seeing widespread use of generative AI

[00:08:25] for social engineering.

[00:08:26] Again, like we'll talk about a lot of that.

[00:08:28] And again, social engineering is the ability to get

[00:08:31] your payload on the consumers or any on an endpoint

[00:08:34] and then provide, you know, start the infection chain.

[00:08:37] So we're also seeing in the last four years,

[00:08:40] attackers are starting to utilize services like fishing

[00:08:42] as a service and other shared services that are,

[00:08:45] you know, able allowing them the ability to deliver,

[00:08:49] these attacks much quicker and for, you know, much cheaper

[00:08:52] and in a much larger quantity.

[00:08:55] Then, you know, on the social engineering front

[00:08:57] as far as elections, we're seeing a lot of things

[00:08:59] we saw four years ago like robo calling and fishing

[00:09:03] and smishing, you know, SMS fishing,

[00:09:05] all these kinds of things happening.

[00:09:06] And we've seen it already on the robo call side

[00:09:09] a couple of months ago during the US primaries

[00:09:11] where like there was a Biden robo call

[00:09:13] using deep fake AI technology, you know,

[00:09:16] and the goal there was to suppress primary,

[00:09:18] you know, voting right ends.

[00:09:19] We've seen a bunch of SMS fishing attacks.

[00:09:22] There was a scam in Utah not too long ago

[00:09:25] where there were telling people they weren't registered

[00:09:26] to vote and they're sending out fishing links

[00:09:28] and ultimately it's delivering various payloads

[00:09:30] in that particular attack.

[00:09:31] They were stealing users info and personal identification.

[00:09:35] And then, you know, what we're really concerned

[00:09:38] with now is because of genitive AI

[00:09:40] and how far it's gotten just in the last 12 months,

[00:09:44] you know, a lot of sewing distrust in the industry,

[00:09:46] right? So we obviously,

[00:09:47] we've seen a lot of this already, you know,

[00:09:49] deep fakes from videos to images to audio.

[00:09:52] I mean, just last week we saw Trump supporters

[00:09:55] parting specific demographics of voters

[00:09:57] with various deep fake images, you know,

[00:09:59] and what they're really trying to do there

[00:10:00] is just so some sort of distrust or, you know,

[00:10:04] something to kind of upset the election.

[00:10:07] You know, just a little bit here and there

[00:10:08] and really all it takes is selling believing something

[00:10:11] and then spreading the word over social media,

[00:10:13] which could cause, you know, a relatively big impact.

[00:10:15] And then obviously the biggest thing,

[00:10:17] which I kind of touched on a little that we're gonna start with

[00:10:19] is the rise in fishing scams, right?

[00:10:22] So we're seeing a lot more, again,

[00:10:26] sophisticated and in-depth fishing scams

[00:10:29] much greater in quantity than we've seen four years ago.

[00:10:32] And because of genitive AI and a lot of these technologies

[00:10:35] are just getting better and better

[00:10:37] at doing this and fooling people, right?

[00:10:39] So you have your typical scams

[00:10:40] which are in voter registration scams

[00:10:43] where ultimately the scammer is trying to get

[00:10:45] some sort of personal information from the user

[00:10:47] whether it's social security numbers or whatnot.

[00:10:49] And then they're either selling it on the dark web

[00:10:51] or, you know, various other channels.

[00:10:54] You know, there's absentee voting scams

[00:10:56] which we've seen donation scams

[00:10:58] which are your typical financial scams

[00:11:00] where, you know, donate to this particular candidate

[00:11:02] or whatnot and they're just, you know

[00:11:03] taking money from users.

[00:11:06] And then more importantly, a lot of these scams too

[00:11:08] are not just about stealing information

[00:11:10] they're about delivering malware payloads

[00:11:12] to the end user, right?

[00:11:13] So what we're seeing significantly happened

[00:11:16] in the last few months alone

[00:11:18] are a lot of these phishing, you know

[00:11:20] social engineering phishing scams

[00:11:23] delivering some form of malware

[00:11:24] and most of that malware we're seeing are infostealers.

[00:11:26] So an example of that would be a user gets a message

[00:11:30] that maybe they didn't fill out all their voter information

[00:11:33] they have a PDF that they need to sell in.

[00:11:35] Now these emails and phishing emails

[00:11:37] at the crafters so good now through, you know

[00:11:39] genitive AI technology

[00:11:41] that they're almost indistinguishable to the end user.

[00:11:44] And then ultimately like in a scam like that

[00:11:46] the user gets a weaponized PDF document

[00:11:50] the PDF document or regular, you know

[00:11:52] Microsoft Word document is weaponized

[00:11:55] in the sense that it'll drop some sort of payload

[00:11:57] the payload will download or it contains

[00:11:59] some sort of infostealer

[00:12:00] infostealer being a piece of malware

[00:12:04] that will steal, you know

[00:12:05] personal information from your computer

[00:12:06] whether it's passwords, credit card information

[00:12:10] you know, crypto wallet passwords

[00:12:11] things of that and then sending it into the attacker.

[00:12:16] But basically what we're expecting

[00:12:18] and what we're starting to see already

[00:12:19] is just really advanced sophisticated

[00:12:22] malware and social engineering attacks to consumers.

[00:12:27] And if I look at the last few weeks alone

[00:12:29] in my news feeds whether it be LinkedIn or news sites

[00:12:32] it seems that the biggest trending topic

[00:12:35] at the moment is around concerns

[00:12:37] around the advancements in AI and deep fake technologies

[00:12:41] even the princess of Wales Photoshop skills

[00:12:43] are being fiercely debated online.

[00:12:45] So I've got to ask though, I mean

[00:12:47] how significant do you think it is as a threat

[00:12:50] and how do they, what kind of threat do they pose

[00:12:52] in the context of election scams

[00:12:55] and are there any new forms of scams

[00:12:57] that you anticipate could emerge

[00:12:59] and that listeners should be aware of?

[00:13:03] Yeah, I mean it's very concerning.

[00:13:05] So in the past obviously there was plenty of scams

[00:13:07] but with generative AI and the ease of use

[00:13:12] and the widespread adoption by scammers

[00:13:15] you know, what we've seen is that

[00:13:17] it's really taking these things to the next level.

[00:13:19] So at the end of the day most scamming

[00:13:22] is done through social engineering right?

[00:13:23] Where a scammer had to create

[00:13:25] whether it's a fake phishing email

[00:13:27] or SMS or whatever it is they had to take time

[00:13:29] they had to generate these messages

[00:13:31] these websites, these templates

[00:13:33] and then kind of test them

[00:13:34] and then see what works or not right?

[00:13:36] And this would take them many days, weeks even

[00:13:39] to have success with.

[00:13:42] Now with generative AI

[00:13:44] and you have both off the shelf

[00:13:46] and open source platforms right

[00:13:48] that are able to do this

[00:13:50] it cut down the time to develop really successful

[00:13:54] social engineering phishing campaigns

[00:13:57] to minutes and hours.

[00:13:59] So you have today like

[00:14:01] again with the adoption

[00:14:02] you have off the shelf products right?

[00:14:04] Which are really good

[00:14:05] and I mean obviously as we know

[00:14:06] the technology is fantastic

[00:14:07] and these companies are trying to put guard rules in place

[00:14:10] and for the most part they're doing a good job

[00:14:12] but as scammers they always find ways around it right?

[00:14:14] So you have things like open AI

[00:14:15] and chat GPT, you have Gemini, Microsoft Co-Pilot

[00:14:19] which uses open AI

[00:14:21] to do things like creating

[00:14:22] you know better phishing and scam emails

[00:14:25] to create images even.

[00:14:27] You have like mid journey

[00:14:28] and Dolly part of open AI

[00:14:29] to create these images

[00:14:31] that are used for various different exploits

[00:14:34] and social engineering attacks.

[00:14:35] Then you have audio kind of generative AI

[00:14:38] like 11 labs is pretty incredible technology

[00:14:41] but what they're able to do is

[00:14:43] through very minimal worth of audio recordings

[00:14:46] generate very sophisticated

[00:14:50] and almost undetectable speech, fake speech.

[00:14:56] So you have these off the shelf platforms

[00:14:57] like I said there's guard rails

[00:14:58] but there's always scammers that are trying to

[00:15:01] go ahead and find ways around it.

[00:15:02] And then there's your open source platforms

[00:15:04] that don't have any sort of guard rails

[00:15:06] and you have things like deep face labs

[00:15:08] or create videos

[00:15:09] and we've seen a lot of these

[00:15:10] on various social media networks in the past

[00:15:14] where they'll take some sort of politician

[00:15:16] or a famous person

[00:15:18] they'll be able to spin video and audio around it

[00:15:20] and again, they're not 100% convincing yet

[00:15:23] but they're pretty damn close

[00:15:24] where they'll sow some sort of

[00:15:26] maybe it's real and maybe it's not

[00:15:28] and again, like I said, all you have to do is see it

[00:15:30] and kind of don't know what to believe anymore.

[00:15:33] I mean, it used to be as when we were children

[00:15:36] it was always if you see it, you should believe it

[00:15:39] if you hear it, you should believe it

[00:15:40] and now it's no longer the case

[00:15:41] so it's really concerning.

[00:15:43] And again, in the last just few months

[00:15:46] we've seen not only wide adoption

[00:15:48] but the technology has progressed so much.

[00:15:53] And then getting back to some of the other questions

[00:15:55] was the types of scams that we're gonna see

[00:15:57] and at the end of the day, scammers in the consumer world

[00:16:00] scammers are scammers, right?

[00:16:02] They have a couple of goals in mind.

[00:16:04] One of those goals would be trying to financially get money

[00:16:07] or trying to install some sort of malware on the endpoint

[00:16:11] in order to steal information

[00:16:13] but what they're doing is they're using the election

[00:16:16] to as just another ploy to get people

[00:16:19] to do something that they normally wouldn't do

[00:16:22] whether it's open an email and go to a website

[00:16:24] or click a link to download it

[00:16:26] and again, getting back to some of the scams that we saw

[00:16:28] which would be like the fake donation scams

[00:16:31] or the voter registration scams

[00:16:33] they're just using these tactics

[00:16:35] to ultimately get the malware onto the endpoint.

[00:16:39] So regardless of it's election

[00:16:41] or something else happening, the grand Macy Oscars

[00:16:43] scammers are gonna find some way

[00:16:45] to leverage what's happening in the real world

[00:16:47] to get people to build a scam around

[00:16:50] and then using AI they're able to build

[00:16:53] really sophisticated messaging around that.

[00:16:57] And you mentioned a few months ago

[00:16:59] how it's becoming difficult to believe everything we see

[00:17:02] and everything we hear.

[00:17:04] So on that point, can you expand on some

[00:17:06] of the specific challenges that AI

[00:17:08] and deep freight technologies

[00:17:10] present in creating believable threats

[00:17:13] and also how voters can distinguish

[00:17:15] between genuine and fraudulent communications

[00:17:18] because it's getting so difficult, isn't it?

[00:17:21] Yeah, this is the really challenging point.

[00:17:23] And the challenging thing is being able

[00:17:25] to distinguish real from fake, right?

[00:17:27] So fishing was really easy to, not really easy

[00:17:30] but much easier a couple of years ago to spot, right?

[00:17:33] You look for things like grammar or spelling errors

[00:17:36] just things didn't look right

[00:17:37] and you were able to say, yeah,

[00:17:38] this is fishing I'm not gonna click it on this link.

[00:17:41] Today with AI, it's kind of narrowed that gap

[00:17:44] where you really can't tell the difference anymore, right?

[00:17:47] And which is really concerning

[00:17:49] because we used to train people on,

[00:17:52] at least we would train our kids or our parents on,

[00:17:54] these are the things to look for

[00:17:55] and you could tell that they're fake and throw them out, right?

[00:17:58] And not necessarily have to look very technical

[00:18:00] at the URLs of their pointy too.

[00:18:02] And then obviously for someone that's not in cybersecurity

[00:18:05] it's very hard to distinguish what a real URL looks like

[00:18:07] but where that website is going to

[00:18:09] and then once they're on the website

[00:18:11] what they're looking at.

[00:18:12] But again, that ability to spot

[00:18:15] that fishing email right off of that

[00:18:17] has almost gone at this point.

[00:18:21] So it is a problem, right?

[00:18:23] And then the companies today are trying to fight this

[00:18:27] by, so a scammer can't go to chat GBT right now

[00:18:31] and say craft me a fishing email

[00:18:33] about voter registration, right?

[00:18:34] There's tons of guardrails on that

[00:18:36] but they'll find ways around it

[00:18:38] to kind of build up to it

[00:18:39] and they'll get little snippets of information here

[00:18:41] and there and they'll piece that together

[00:18:42] to build a full email.

[00:18:45] Yeah, but these companies are doing a really good job

[00:18:47] that at putting these guardrails in

[00:18:49] but it's just a cat and mouse game, right?

[00:18:50] So, and we saw this from the beginning

[00:18:52] when chat GBT first came out

[00:18:54] scammers were able to create entire fake websites

[00:18:57] around whatever they're trying to target or market.

[00:19:00] That ability is completely gone

[00:19:02] and OpenAI has done a really successful job

[00:19:04] of getting rid of it.

[00:19:05] But like I said, if a scammer wants something

[00:19:07] they'll figure out how to do it eventually

[00:19:09] and they'll find ways.

[00:19:13] And it is a cat and mouse game between

[00:19:15] the technology companies and the scammers.

[00:19:20] So really to combat this,

[00:19:21] what we really need is better layers of security, right?

[00:19:25] So, better layers of security to stop fishing attacks

[00:19:28] before the human sees it,

[00:19:30] kind of pull the human out of the equation

[00:19:32] where technology is able to make that decision

[00:19:34] whether or not this particular email

[00:19:36] or whatever it is is generated by AI,

[00:19:40] is it generated by AI and scammed,

[00:19:42] things like that before the user could actually make

[00:19:45] or the human could actually make a decision.

[00:19:47] And then obviously a lot more education around

[00:19:50] what they expect to be social engineering attacks

[00:19:54] and what actually are social engineering attacks.

[00:19:56] Like I referred to before,

[00:19:57] it used to be easier but easier

[00:20:00] to determine what was a social engineering attack

[00:20:04] to where it is today.

[00:20:05] So we just need to provide better education

[00:20:08] to everybody around how to spot these evolving threats.

[00:20:14] And then one of the biggest concerns that we have

[00:20:18] is the timing of the US election, right?

[00:20:20] Around where AI has done to

[00:20:23] in the last couple of months or a year, right?

[00:20:26] Because Jenner of AI meets such a huge leap in 12 months

[00:20:29] and it's kind of tying perfectly

[00:20:31] for where the primary started

[00:20:34] and now the US elections will be starting in November.

[00:20:38] You know, it's a very concerning timeframe

[00:20:41] where we will expect and we're starting to see

[00:20:43] a lot more of these scams happening.

[00:20:47] And I think that education piece you mentioned

[00:20:49] is so important and I'm sure like me

[00:20:51] you get relatives messaging you saying,

[00:20:54] I've had this email, I've had this text message,

[00:20:56] should I click on it?

[00:20:57] And they almost send it to ourselves here

[00:20:59] just to give it that sanity check

[00:21:02] but what would you say for other people listening

[00:21:04] who haven't got the pleasure of emailing

[00:21:06] or texting us directly with those links?

[00:21:08] What is the most effective strategy

[00:21:10] that individuals can employ to verify

[00:21:13] the legitimacy of those links

[00:21:15] and also the viability of donations

[00:21:17] related to election campaigns?

[00:21:20] It's a concern.

[00:21:22] So to be honest, there is technology to do this

[00:21:25] but it's never 100%, right?

[00:21:27] And all the bad guys or the attackers need to do

[00:21:30] is get through once or twice

[00:21:31] and they had a successful campaign.

[00:21:34] So as far as educating people,

[00:21:36] I mean that by far is the best approach

[00:21:39] as one layer of security, right?

[00:21:41] So when we look at security as a company

[00:21:43] or most companies look at, there's different layers, right?

[00:21:46] So the first layer for a consumer

[00:21:48] would be have a good technology solution in place, right?

[00:21:51] Have a good anti-fishing solution

[00:21:54] or a good AV solution in place

[00:21:56] and then if something bad gets through that layer,

[00:22:00] have backup layers for that.

[00:22:02] And then ultimately the backup backup layer

[00:22:04] would be the human having eyes on the particular

[00:22:08] messenger one on being able to make a decision on that.

[00:22:11] And they're only gonna be able to make a reliable decision

[00:22:13] if they're well educated to understand that

[00:22:16] there are scammers trying to take advantage of them

[00:22:19] and these are the things to kind of look out for.

[00:22:21] And then ultimately, if they do click on something,

[00:22:23] you have to look at the context

[00:22:25] of what you're clicking on, right?

[00:22:26] So let's say you're clicking on a voter registration form

[00:22:31] and you think that you're actually filling out

[00:22:32] a voter registration form,

[00:22:34] look at the information that it's asking for, right?

[00:22:36] Is it asking for social security numbers

[00:22:37] or things that you normally wouldn't expect them to give out?

[00:22:41] Don't provide that information clearly.

[00:22:43] And then obviously if you think that

[00:22:46] they are asking for too much information,

[00:22:48] just call your local election authority

[00:22:50] and ask them what the status of your,

[00:22:54] your voting rights are and stuff like that

[00:22:56] and don't actually go through by submitting any information.

[00:22:58] And then obviously don't fall for any non-solicited

[00:23:02] kind of fishing attempt, right?

[00:23:05] So if someone's telling you that you need to fill out

[00:23:08] X, Y and Z because you're not able to vote

[00:23:10] or you want an absentee ballot,

[00:23:12] you need to fill out this information.

[00:23:14] If they're sending it to you

[00:23:16] and you're not actually seeking it,

[00:23:17] don't fill that stuff out.

[00:23:19] Just be careful the type of information you provide.

[00:23:24] And I think in the UK,

[00:23:25] we first saw the impact of technology

[00:23:27] and social media on democracy

[00:23:29] with the Cambridge Analytica scandal

[00:23:31] and tactics used to sway voters for Brexit.

[00:23:34] But I don't know how this happened

[00:23:35] but something how that was eight years ago.

[00:23:37] So in your opinion,

[00:23:39] would the volume of election related cyber scams

[00:23:42] increase in comparison to previous years

[00:23:45] and what factors are you seeing contributed

[00:23:48] to these trends?

[00:23:49] Yeah, so it's definitely increasing

[00:23:51] based on our data four years ago

[00:23:53] and our data today,

[00:23:54] the amount of malware and fishing attempts

[00:23:59] around the election has significantly

[00:24:02] had a higher uptake in the last four years.

[00:24:05] And what we're attributing that to again

[00:24:07] is a lot of what we talk about

[00:24:08] is the generative AI side of things

[00:24:11] is just making it easier

[00:24:13] and less time for attackers

[00:24:15] to craft these messages, right?

[00:24:17] So in the past,

[00:24:19] it used to take like I was talking about

[00:24:20] like days and hours and days

[00:24:23] to craft a well formed malware fishing campaign, right?

[00:24:27] Now with generative AI,

[00:24:29] it's taken a lot shorter.

[00:24:31] It's reduced that time significantly.

[00:24:33] So they're not,

[00:24:34] they're now able to send out a lot more

[00:24:36] of a lot more quantity of these attacks

[00:24:39] and kind of seeing what sticks.

[00:24:41] So as far as the quantity,

[00:24:43] yeah, it's definitely increasing

[00:24:45] since the last election trend.

[00:24:48] And then we're seeing a lot of these services

[00:24:51] that are helping increase that as well, right?

[00:24:53] You have fishing as a service

[00:24:55] that are providing all the tools necessary

[00:24:57] for attackers to kind of...

[00:24:59] It's a one-stop shop, right?

[00:25:00] To, they'll provide the templates,

[00:25:02] they'll provide even the victim list,

[00:25:04] the support necessary to provide,

[00:25:06] to accomplish the whole scam.

[00:25:08] So all these things over the last four years

[00:25:10] have developed a lot more

[00:25:12] and had a lot more time

[00:25:13] to kind of prove themselves.

[00:25:16] And now the scammers are taking advantage of them now.

[00:25:19] So because of that,

[00:25:20] the volume is just increasing relatively significantly.

[00:25:25] And ask about yourselves at reason labs here.

[00:25:28] How do you approach the challenge

[00:25:30] of protecting consumers from these evolving cyber threats

[00:25:33] and everything we're talking about today?

[00:25:35] Particularly those targeting voters

[00:25:37] during the election season.

[00:25:40] Yeah, so as far as the production,

[00:25:42] you know, we try to do two things.

[00:25:44] One is obviously provide a very in-depth set

[00:25:47] of layers of protection.

[00:25:49] So with our multi-layer protection,

[00:25:50] we have everything from the endpoint,

[00:25:52] which would be the initial, you know,

[00:25:54] potentially attack vector,

[00:25:55] which is your fishing emails.

[00:25:56] So we have anti-fishing products that prevent that.

[00:25:59] We, you know, anti-fishing comprises of,

[00:26:01] you know, multitude of different layers, right?

[00:26:05] So you have, you know,

[00:26:06] black listing endpoints, domains, IPs, URLs.

[00:26:09] We have, you know, AI and machine learning on the endpoint

[00:26:12] that's able to look at the emails that are being sent in

[00:26:15] and kind of make a determination

[00:26:17] whether or not these are fishing.

[00:26:19] You know, when you compare the URLs

[00:26:21] that they're being redirected

[00:26:22] to the context of the message,

[00:26:24] you know, all these kinds of things you have

[00:26:25] at the endpoint layer of the network, right?

[00:26:28] So the anti-fishing stuff.

[00:26:30] And then you have on the endpoint of the device,

[00:26:32] we have what I was talking about before

[00:26:33] is our EDR layer,

[00:26:35] which will stop malicious payloads

[00:26:37] from, you know, being executed on the device, right?

[00:26:40] So we see a phishing attack.

[00:26:42] We see an email that's now dropping some piece of malware.

[00:26:45] We'll stop, obviously, these things as they're occurring,

[00:26:48] you know, particularly like info stealers

[00:26:50] which will prevent them from stealing

[00:26:51] your Chromium passwords and stuff right before they happen.

[00:26:54] But it's really just a matter of getting back

[00:26:56] to the matter of layers.

[00:26:57] The more layers of protection you have,

[00:27:00] the better off you are.

[00:27:01] But at the end of the day,

[00:27:02] it's also we try to educate our users

[00:27:04] to look out for these things, right?

[00:27:05] So we'll, yeah, we provide them a wealth

[00:27:08] of resources of, you know,

[00:27:09] the array election.

[00:27:10] These are the things to look out for.

[00:27:11] These are the type of stands we know

[00:27:13] about that are happening.

[00:27:14] These are exactly what these emails look like, you know?

[00:27:16] So if we can't protect them,

[00:27:17] at least we try to provide some layer of education

[00:27:20] to our consumers to keep their eyes out for them

[00:27:22] and not trying to be prey,

[00:27:23] not fall prey to these attacks.

[00:27:25] And if we were there to look beyond the elections of 2024,

[00:27:29] are there any other long-term strategies

[00:27:31] that you think could be useful

[00:27:33] or even essential for enhancing cybersecurity measures

[00:27:36] to protect the electoral process

[00:27:38] and also ultimately maintain public trust in democracy?

[00:27:42] Because that's what's at stake here, right?

[00:27:44] It is, it is.

[00:27:45] And it's, you know, there's a couple ways that we can do that.

[00:27:48] And there are ways that are happening right now.

[00:27:51] We have, you know, artificial intelligence regulation

[00:27:53] that's happening from, you know,

[00:27:55] a lot of countries right now.

[00:27:57] We saw this

[00:27:57] and you actually had a great podcast on it

[00:27:59] a couple of weeks ago, I believe.

[00:28:00] It was on the EU AI Act.

[00:28:03] So we're seeing a lot of these companies

[00:28:05] or these countries, you know,

[00:28:06] get involved with at least a start

[00:28:09] to help protect against, you know, these new threats.

[00:28:12] I know Georgia and the United States just start this,

[00:28:15] I don't think it's approved yet,

[00:28:16] but they created a House bill.

[00:28:18] You know, if signed into law,

[00:28:19] would kind of, you know,

[00:28:21] you could get up to two years to five years from prison

[00:28:23] and $50,000 fine for any deep fates you create

[00:28:26] around the election or anything, I think, for that.

[00:28:29] But what this is basically saying is that, you know,

[00:28:32] we need regulation from a political standpoint

[00:28:35] from a government standpoint to help protect against this.

[00:28:37] And we also, you know, then need to rely on big technology

[00:28:40] to help us, you know, if you're gonna provide

[00:28:43] the technology to do this,

[00:28:44] you also need to cut the guardrails in place

[00:28:46] to prevent it from being misused.

[00:28:48] And we are seeing that like I talked about

[00:28:50] from big tech companies,

[00:28:51] but because of the cat and mouse game,

[00:28:53] it's just like cybersecurity, right?

[00:28:55] You know, you're always gonna try to,

[00:28:56] you know, one up each other

[00:28:57] and eventually, you know,

[00:28:59] everyone's gonna lose at some point,

[00:29:00] but at least they make it harder for, you know,

[00:29:03] your average scammer to go ahead and easily craft,

[00:29:06] you know, phishing emails or whatever they're trying to do.

[00:29:09] So big tech, you know, getting involved

[00:29:11] is absolutely critical.

[00:29:12] And then you have things like, you know,

[00:29:14] artificial intelligence fighting artificial intelligence,

[00:29:17] who I know seems a little dystopian,

[00:29:19] but it's kind of what we witness today, right?

[00:29:21] So if you look at, you know, scammers

[00:29:23] create using AI to create, you know, phishing emails,

[00:29:26] you know, we use AI to stop those phishing emails.

[00:29:29] Little scary again, dystopian,

[00:29:31] but that's kind of where we're going.

[00:29:33] And that too is also cat and mouse game.

[00:29:36] And then most important, like we touched upon

[00:29:38] is education, right?

[00:29:39] We need more education experts out there

[00:29:41] to teach everybody about, you know, what to look for,

[00:29:45] whether it's your younger generation,

[00:29:46] your older generation, you know,

[00:29:49] it's just education is absolutely critical.

[00:29:51] And the biggest problem is that

[00:29:54] it's hard to educate people on brand new technology

[00:29:58] and then find, you know,

[00:29:59] and educate those people enough

[00:30:00] they can become educators themselves.

[00:30:01] When technology changes so quickly,

[00:30:04] it's just really hard to keep up with that.

[00:30:05] So finding those education experts is really difficult,

[00:30:08] but it is a must.

[00:30:10] I think that's a powerful moment

[00:30:11] to end our conversation on today.

[00:30:14] But as you're a listener of the show,

[00:30:15] you know, you don't get away that easily.

[00:30:18] I always ask one question here to finish on

[00:30:21] and that is, is that a book

[00:30:23] that you'd like to pass down to everyone listening

[00:30:25] or a song that you would like to add to our Spotify playlist?

[00:30:28] Guilty pleasures are allowed,

[00:30:30] but all I'm going to ask is before I let you go,

[00:30:32] what would you like to leave everyone listening with it?

[00:30:35] So I'm reading an amazing book right now.

[00:30:37] It's called Invention to Innovation by Vaclav Smil.

[00:30:41] He writes some amazing books,

[00:30:43] but this book by far is probably one of the best books

[00:30:45] I've read in some years.

[00:30:47] And basically what it is in a nutshell

[00:30:49] is just explaining how new technologies are created

[00:30:51] and then how they change our lives.

[00:30:53] And most importantly explains

[00:30:54] the hype and failure of these technologies

[00:30:57] and the negative impact on society

[00:30:59] that these once high technologies are promised.

[00:31:02] And it kind of, I think, fits nicely

[00:31:04] into the whole AI talk we just had.

[00:31:07] Excellent. Well, I'll get that added straight

[00:31:09] to our Amazon wish list so people can find that.

[00:31:12] And obviously we've talked a lot today

[00:31:15] about things that people can look out for,

[00:31:18] but also about reason labs.

[00:31:19] You are a cybersecurity pioneer

[00:31:21] equipping tens of millions of home users around the world.

[00:31:25] So I've got to ask,

[00:31:27] where would you like to point everyone listening?

[00:31:28] Just want to dig a little bit deeper,

[00:31:29] find out a bit more information

[00:31:31] about that great work that you're doing.

[00:31:33] Yeah, I mean, you could go right to our website,

[00:31:36] reasonlabs.com and check out our product offerings and stuff.

[00:31:39] And most of our products are freemium,

[00:31:42] so feel free to download, use forever.

[00:31:44] We want to protect you.

[00:31:46] Well, we covered so much today

[00:31:48] from those traditional classics

[00:31:50] from robo-calls, smithing, fishing sites

[00:31:52] and fake donation scams.

[00:31:54] But it's interesting how this world is evolving,

[00:31:56] especially with advancement in technology,

[00:31:59] such as AI and deep fakes.

[00:32:00] But you've provided so much gold today,

[00:32:03] especially around avoiding election scams

[00:32:05] in verifying links before clicking,

[00:32:07] ensuring the viability of any donation

[00:32:10] before hitting that send button

[00:32:12] and also avoiding donations

[00:32:14] that require things like cash-apple,

[00:32:16] P2P transactions.

[00:32:18] Pure gold.

[00:32:18] Hopefully we've saved a few people out there

[00:32:20] without conversation.

[00:32:22] But more than anything, just thank you

[00:32:23] for sharing your insights today.

[00:32:25] Thank you so much Neil, this was Neil.

[00:32:28] So as we wrap up our enlightening discussion

[00:32:31] with Andrew Newman today,

[00:32:32] I'm left to ponder the gravity of cybersecurity

[00:32:35] in the context of our electoral process.

[00:32:38] And by that, I mean the global electoral process,

[00:32:42] not just UK, not just the US.

[00:32:43] As I said, I think it's something like

[00:32:44] four billion people going to the polls this year.

[00:32:48] And it's clear that the advent of AI

[00:32:50] and deep fake technology

[00:32:51] has not only transformed the landscape of cyber threats,

[00:32:55] but he's also raising the stakes

[00:32:56] for voters and candidates alike.

[00:33:00] And Andrew's insight shed light

[00:33:01] on that critical need for education,

[00:33:04] layered security measures,

[00:33:05] and also a collective vigilance

[00:33:08] to navigate some of these challenges.

[00:33:11] And as we look towards the future,

[00:33:12] I think the question remains,

[00:33:13] how can we as individuals and as a society,

[00:33:17] how can we adapt to these evolving threats

[00:33:19] to ensure the sanctity of our elections?

[00:33:23] And I invite you to share your thoughts

[00:33:25] and join the conversation on how technology,

[00:33:28] yes, can be a force for good,

[00:33:30] but also protect our democratic processes

[00:33:33] from the shadows of cyber threats.

[00:33:36] And what steps will you take

[00:33:38] to safeguard your digital footprint

[00:33:41] during this election season?

[00:33:43] As always, email me,

[00:33:44] tech blog writer outlook.com,

[00:33:46] Twitter, LinkedIn, Instagram, just at Neil C Hughes.

[00:33:49] Nice and easy to connect to.

[00:33:51] I'd love to hear your thoughts on this one.

[00:33:52] It's something that will impact

[00:33:54] every single person listening around the world.

[00:33:56] So I'd love to hear your thoughts on it.

[00:33:58] But tomorrow, I'll be back again,

[00:34:01] waiting in your podcast feed

[00:34:02] with a completely different topic.

[00:34:05] And I invite you to join me again there.

[00:34:07] But if you can't make it tomorrow,

[00:34:08] just a big thank you for choosing to listen today.

[00:34:11] And until next time,

[00:34:14] don't be a stranger.