July 19, 2026

Helping Others: Has Empathy Turned Us into Targets? | Online Scams, Digital Deception, Cyber Safety & the Psychology of Trust

Helping Others: Has Empathy Turned Us into Targets? | Online Scams, Digital Deception, Cyber Safety & the Psychology of Trust
Ruined By The Internet?
Helping Others: Has Empathy Turned Us into Targets? | Online Scams, Digital Deception, Cyber Safety & the Psychology of Trust

We used to rely on biological cues to verify a stranger in need. But in a faceless digital world full of scams and deception, has our empathy become a liability - and left us in a state of permanent suspicion?

Welcome to Ruined By The Internet?the show where we examine how technology is shaping modern lifewhether we want it to or not.

Follow or subscribe to never miss the next investigation. https://www.ruinedbytheinternet.com/

We’re joined by Travis Simcox, a cyber threat hunter and former cognitive science researcher – a combination that makes him uniquely placed to tell us what the digital world is doing to our instinct to help.

In this episode we investigate how the internet transformed scams from local nuisances into a global industry, examine how AI is dramatically amplifying the sophistication and emotional manipulation of digital deception, and ask whether the era of the inherent high-trust society is gone forever - or whether there's a way back.

(00:00) The digital shift in trust and what it's done to our instinct to help

(02:07) Scale of online scams: from village communities to virtual identities

(04:15) High trust societies versus the permanent mistrust the internet created

(05:45) Modern phishing: far beyond the basics most people know about

(08:42) The rise of romance and investment scams and the psychology behind them

(11:03) The Golden Triangle: a hub for untouchable cybercrime operating beyond the law

(16:16) Emerging scams: executive gift card and overpayment fraud

(20:10) How AI is supercharging scam sophistication and emotional manipulation

(25:56) Can regulation and individual vigilance actually counter AI-driven scams?

(39:58) Practical protective strategies for individuals and businesses

(42:59) The permanence of digital mistrust, and what that means for how we live

Key takeaways:

• Illusion of Scale: The internet allows a single malicious actor to project dozens of fake identities simultaneously - completely undermining the natural societal balance of trust that biological cues once maintained

• The Confidence Gap and AI: While headlines focus on AI writing malware, the more insidious threat is generative AI telling low-level scammers exactly what to say to emotionally manipulate victims - lowering the barrier to sophisticated deception dramatically

• The Devastation of Pig Butchering: The most financially and socially destructive digital scams are long-term investment or romantic setups that systematically drain victims until they've alienated friends, pawned belongings, and sold their homes - leaving them entirely destitute

• Permanently Broken High-Trust Society: Because global digital connectivity bypasses local law enforcement and enables lawless operations in special economic zones, the era of inherent high-trust society may be permanently gone

If this episode got you thinking, check out:

The Internet: A Corporate Hijacking of Digital Freedom? | Big Tech, Digital Censorship & Online Freedom https://pod.link/1825601333/episode/MmIzMDA0ZTQtMDA1Ny00OTE1LTkyY2QtNjhhM2NlMzJmODdh

Trust in Information: The End of Believing Our Own Eyes? | Misinformation, Media Trust, AI & Digital Literacy https://pod.link/1825601333/episode/MGMwN2YyNzItZmU3Yy00Njk0LTkxNWYtYmU5NDdkN2VkY2Y3

Child Safety: Public Platforms Full of Private Predators? | Online Safety, Cyberbullying, Social Media & Digital Parenting https://pod.link/1825601333/episode/M2U3MWEyMGEtM2I3NC00ZjUxLTk0YzItYTY3NDhmZjUwNTBm

Guest links – Travis Simcox

Website: https://behindthesurface.net

YouTube: https://www.youtube.com/@Behind_The_Surface

LinkedIn: https://linkedin.com/in/tsimcox

Join the investigation

Visit us: https://www.ruinedbytheinternet.com/

Share your thoughts: https://www.ruinedbytheinternet.com/survey/

Support the show: https://buymeacoffee.com/rbtishow

Gareth King (00:36)

Travis, thanks so much for joining us and welcome to the show.

 

Travis Simcox (00:39)

Thanks, it's good to be here.

 

Gareth King (00:43)

Before we get into it today though, can you just tell us a little bit about what it is that you do?

 

Travis Simcox (00:50)

Currently, I lead a cyber threat hunting team at a risk management firm. Strictly speaking, cyber threat hunting means that you're looking at past data for an adversary that you've recently learned about that might be in the network. So, I see a lot of really interesting, really interesting attacks, scams, malware, whatever you can think of. Sometimes we can't even figure out what the angle is, but we know it's something.

 

I actually used to do psychological research and teaching, teaching cognitive science students how to perform research. And I had this picture of how the internet was going to change the world into this global community of everyone being happy and together. And what we got is not quite what I pictured. And then of course my role now is definitely not teaching people that it's all one big happy family. It's teaching people that you need to be on guard a lot and you need to look critically at things.

 

Gareth King (01:39)

That's a great explanation of what it is you there to do because we are here today to discuss what's been happening when it comes to our willingness to help others or be helped by others in a digital space. But we know that scams and scammers, they've always been around in various, you know, shapes and forms.

 

But how has the internet and tech changed not only their methods but their size and in and their sophistication?

 

Travis Simcox (02:07)

I think the biggest factor is scale. If you imagine back in living in a village, there were scammers and crooks and such, but there were probably stories being told around the village of who to trust and who not to trust. And you could recognize those people and well these people are good, these people are not, these people just want to mind their own business.

 

But with the internet, one good person is still one good person, but one malicious person tends to have hundreds of identities sometimes. We've seen Famous Chollima operators that's sponsored by North Korea, they have an identity in each US state, for example, a different name, different sets of documents, different accounts. So that's one malicious person that appears to be fifty or a hundred. So even though there might be one malicious person, one good person, one person who wants to mind their own business, that malicious person looks like fifty or a hundred people. So, it completely throws off the balance.

 

Gareth King (03:02)

Can you just explain then how one person is presenting themselves as, say, fifty different malicious people and then what the outcome of that is?

 

Travis Simcox (03:11)

Well, in the example with Famous Chollima, they open Gmail accounts, they open LinkedIn accounts, they have companies where there's all these employees and engineers and executives, but really, it's all one person playing all those roles to try to trick people and scam people and get people's trust.

 

And then once they once they get a lot of heat, they just move on to another set of identities. They have stacks and stacks of documents and Gmail accounts, LinkedIn accounts, all these accounts and all these services just warehoused waiting to move on to those new identities.

 

Gareth King (03:45)

Right. So essentially, it's not one person trying to scam one-to-one their victims. It's kind of one to fifty to however many multipliers each of those, say, fifty fake personas are targeting. Which sounds, as you said, like the scale of the problem's just been growing like crazy, and I'm sure we're gonna get into that.

 

But let's rewind a little bit and kind of set the scene from what would have traditionally been known as high trust societies. And if you can just give us a little bit of a breakdown from how we've gone from those, to this place where we are now where that level of trust and inherent I guess inherent trust and empathy for strangers is potentially getting close to non-existent.

 

Travis Simcox (04:33)

Well, a high trust society is this idea that there's always exceptions, but the idea that you can walk down the sidewalk and go to your bank and maybe take some money out and walk home with the money without being attacked or being scammed by the bank or being robbed by the police or any number of things. Of course, there's always exceptions, but the general expectation that it's probably not going to happen.

 

But on the internet, you open your email account, you have lots of spam. People don't realise most spam is filtered out before they even see their spam folder. Ninety nine percent is filtered out before it gets to the spam filter. Then most of that is filtered out just because the advances in the filtering technology over the years.

 

But most of what's going on in email is scams and spam. It's like if you walk down to the sidewalk to the bank and there was a mob of a hundred people surrounding you the whole time trying to scam you and attack you.

 

Gareth King (05:25)

Beyond the obvious email ones and phishing and things like that, which we're kind of all pretty aware of by this stage, what else is going on in the digital space scam wise that people may not be so aware of? And what are people doing that is potentially making them a perfect target for this kind of stuff?

 

Travis Simcox (05:45)

I think that most people don't really have a concept of what phishing is. Even professionals in cybersecurity, most of them that I talk to don't actually understand what phishing looks like. It does not look like the corporate training materials these days. They're pretty far off from reality.

 

With phishing modern sophisticated fishing, usually it comes from someone you've heard of often, or you even know because they're compromised and it's not hey, it's the Prince of Nigeria, the Microsoft help desk, your boss wants to give you a raise, click here to reset your password. Sophisticated phishing is really compromised accounts get used to send the phishing attacks out to all their contacts.

 

And it's something that kind of makes sense. Usually, it's a bit too generic. Say you work in real estate; you have real estate contacts. It'll be, hey, look at this contract for the property we talked about. The more generic they can keep it, the more they can use that same template for more people. And you click on the link, and it redirects, goes through a captcha, and it shows you need to log in to download that document.

 

But what's really going on is you're connected to a reverse proxy. And when you log in through that reverse proxy, you'll still see the same branding. So, suppose that when you log into your email, you see your company's branding, their logo, and everything. You still see that on a phishing proxy. And if you have MFA, say there's a pop-up on your phone or a code you have to type in, you still see that and go through that process. But the proxy is taking the session cookie, and what it's doing is when you complete the login process, the attacker is now logged into your account.

 

And you don't see anything off right away. Maybe you get directed to an error message or a Google page or something that doesn't quite look right, but people just think that's some kind of glitch and they go about their day. They don't realise that the attacker now has access to their whole inbox and they've already searched it for critical items to conduct fraud with. And I think that the training and the picture people have of fishing just looks a lot different than the modern reality does.

 

Gareth King (07:57)

Right. You know, obviously if you're walking down the road, you've been to the bank and you and someone robs you, they stick you up, you know, like it's quite aggressive attacking. Whereas it seems like on the internet, it's not that blatant. Like obviously there is cases where it is that, you know, extortion type stuff, which we can probably get into as well.

 

But on the internet, it seems like a lot of it is preying on our empathy. You know, we've got sites like GoFundMe and all of these things, which plays to ironically our good nature. How does that landscape of our empathy get weaponised by the scammers beyond these typical fishing things? Like is there is there some more common digital scams happening right now or emerging that you're seeing in your work?

 

Travis Simcox (08:42)

One that I don't see in my work, but I probably the biggest by dollar amount right now is what in the US we call pig butchering. I understand that in Asia it's called precision chat, but often it's based on what's supposedly a romantic relationship, usually conducted by you get a text message with it's a wrong number, or maybe you're on a dating site or a social media site, anywhere where you meet strangers

 

And they cultivate this relationship over a period of months. There's a couple of variations. The really big one is that they talk about, say, their uncles, they display this life where they're wealthy and carefree, and they don't want to talk about it at first, but they start talking about my uncle trades, he has inside information and all this, whatever angle they tell the story to get you to invest in this really sophisticated put-together company with fake web pages. It's all fake, but it looks, it has your real apps for phones, real websites, real paperwork.

 

And they get people to invest in this company, and they never get the money back out because eventually they realise when they try to get their money back out, it there is no money. It's all just numbers on the app, but the actual funds have been drained. It was all just organised cybercrime, leveraging cues like romantic, friends, greed, whatever to get people to invest in the fake company with the fake cryptocurrency or binary options or whatever the month's latest topic is for investing.

 

Gareth King (10:16)

Now it seems like from my perspective, those angles are very traditional for scams. Even long before the internet, you know of people who are getting their life savings fleeced by someone pretending to be romantically interested in them, etc., etc. etc. So, there's obviously a constant that is making people feel or not making people feel, making them susceptible to attacks and scams of this kind.

 

Beyond, you know, say the implementation of payment through cryptocurrency or something else like that, numbers on a screen, how has the internet changed the ability for people to try and scam, to not only pull off the scam but then get away with it?

 

Travis Simcox (11:03)

The reach, global reach. A lot of this happens in what is the new Golden Triangle, not too far from the old Golden Triangle, but it's called a special economic zone that's kind of this essentially lawless organised crime area. Sometimes they get raided by countries that do have militaries, but they just build back up. They have these whole cities full of whole office buildings and whole streets full of these office buildings that run these scams, and until they get raided by a neighbouring country's military and they don't, not much really happens. They'll they're let free because they don't know what to do with them.

 

But they can operate outside of the hand of normal law enforcement. There's no normal law enforcement that can touch them, you know, up until they get re raided by a military and have to pay someone off or move to a different country or something. So, they can yeah, reach all over the world without any fear of persecution in a normal legal sense.

 

Gareth King (12:02)

Okay, so two questions there. Where is this zone if it is one place, and then also why are they so untouchable by law enforcement?

 

Travis Simcox (12:13)

Well, the Golden Triangle Economic Zone is on the border of Laos and Thailand, not too far from one border of China. And you can look across the border and see soldiers from other countries, is my understanding. I've seen photographs. Of course I've never been there myself. I wouldn't want to go there based on the stories you hear.

 

But they have this economic zone where there's no really strong law enforcement presence in that economic zone. So, unless another country invades temporarily and things like that, takes over an office building or accepts a bribe or something, there's no local law enforcement that'll come in and say, arrest someone.

 

Gareth King (12:59)

Why is that? Are they corrupt as well? Are they in on the scams? Like why, it seems if it's such a problem on such a scale that there would obviously be a trail of evidence that could be leveraged to stop this. What's going on? Like why is it just kind of given this untouchable status until the military comes and gets involved?

 

Travis Simcox (13:20)

It's not clear what the solution is. If you are in a city on the border here, you don't want to go and arrest five thousand people. What are you gonna do with them? You can't take them to your court. You don't want to fill your prison with them. Plus, they're not your citizens.

 

You could have political problems if there's an organized crime group from a different country that owns that and may say they have a connection with a politician or something. It's just really politically difficult if you can even do it. And then what do you do with all these scammers that you take from these buildings?

 

I guess I neglected to mention a lot of them are trafficked in there. So, for example, they have a pipeline of young Indian engineers that are human trafficked in with fake promises and documents into the Golden Triangle, and they scam Indians in the US. They have a pipeline of Malaysians, they human traffic in with fake promises and documents, and they have to scam Malaysians in developed countries for one year until their contract ends.

 

These people are held in by armed guards and it's just the political climate and it's not clear what to do. It's not like a country that has strong police presence and very clear order of law. This economic zone was established so they could run illegal casinos and stuff, so they don’t, so they have loose laws to begin with. And then they figured out they could do a lot more than just the casinos once they had that situation.

 

Gareth King (14:45)

Right. So, from everything that you said there, it's just sounds like the scale that they've built this zone into simply can't be absorbed by local or neighbouring law enforcement. I mean, if I was one of the scammers, like that's probably a mentally pretty good place to be, knowing that the more people you can human traffic in to keep the scams going, like the less likely you are to be stopped, which sounds pretty awful.

 

But just quickly there, you mentioned they get them in for a year contract. Now I'm imagining that that's not a voluntary contract, right? What happens if they refuse to scam people?

 

Travis Simcox (15:23)

So, the stories go that they get drugged, beaten, electrocuted if they cause problems and if they don't meet their KPIs, but they don't cause problems, they just don't get money to purchase food with. So, they get one small meal per day and that's not enough to survive on. If they don't produce results, they don't get sufficient resources to survive.

 

Gareth King (15:47)

That sounds absolutely awful, and you know, I'm sure we could spend hours just discussing that. But I think what I would love if we could focus on now is, you know, you've got this this zone of all these, you know, slaves essentially, scamming people all over the globe. And we've touched on a couple of types of scams already, but what are some kind of more emerging ones that you are seeing and then how do they operate?

 

Travis Simcox (16:16)

There's a lot that they're not necessarily that new, but they must be successful because they they're getting bigger. Like one big one is the executive gift card scam, where someone pretends to be your boss or the CEO, usually the CEO of your company. The first message is, hey, can you give me your cell phone number? I'm in an urgent meeting and I need to send you a text.

 

And the text is that they need you to buy them, they need you to buy gift cards for a client that they have to have the gift cards by the end of the meeting, send them a picture of the gift card numbers.

 

Of course, the whole thing is a scam, but it's really effective because it's really emotional trigger, especially if you don't know the CEO. Oh the CEO reached out to me personally. This is my chance to make a name for myself and help him out, help him out of this difficult position, and then I'll be known for helping the CEO out of that position. And then it turns out it's a scam. So that one we see we see a lot, a lot of attempts of that one.

 

There's accidental overpayment scams that you hear a lot about on social media, people are falling for, where they get, whether it's a fake check or stolen credit card, any sort of payment, they buy something from you or a service and they send you too much money and say, Oh I sent you too much, can you send me back half? Or I sent you too much, can you send the rest as a tip? Or I sent you too much, can you give half of it to charity as a gift? That's a big one now, too. I sent you too much money, just give some of it to charity as a gift. But really, they're the charity, they're the movers, they're whatever, and they're giving you the fake check and getting your real money from you.

 

Gareth King (17:57)

Hmm. Yeah, look, I actually know someone that's fallen victim to that gift card scam a few years ago now, and why would anyone have any reason to doubt unless you really kind of read between the lines?

 

But that you know, depositing excess money into your account. So is that operating through online marketplaces, whether it's Facebook or other retailers and things? Like how are they making that one work? And is it essentially once you send them the money, they have your bank details that they can drain?

 

Travis Simcox (18:31)

They contact you, for example, on marketplaces. Purchasing a car is a common one on marketplaces. So, they send you a check for the car, but the check is a bad check. It's drawn on someone else's account, or it is fake, or in some way or another, it's going to bounce, right?

 

A lot of people, like younger people, don't quite understand how checks work anymore. They don't understand that they can deposit it, but then a week later, five weeks later, the check can bounce because it was fraudulent or the owner of the checking account wasn't the person who wrote it. So, a lot of younger generations don't really understand that a check can bounce weeks later.

 

But for the vehicle scam, it's I'm sending you five thousand dollars, even though the vehicle's four thousand dollars say, send the other thousand to the vehicle moving company. And then of course they're taking that thousand.

 

And on like dating sites and stuff, it's usually framed like a sugar daddy or sugar baby sort of thing. Well, I'll give you an allowance, but to get your trust, here's a check for ten thousand dollars. I want you to give half to the charity that I tell you to, and you can spend the other half on yourself. And of course, the charity they tell you to is just themselves under a different name.

 

Gareth King (19:47)

Yeah. Look, they, again checks bouncing, things like that, again, this has all kind of been going on before the arrival of the internet. So, it seems like the trigger points, and I guess appeals to humanity for a lot of these scams are continuing.

 

But I think one of the things that's obviously changed is you're not actually dealing face to face with a person. You're never seeing somebody. And it's there's so many ways that the internet and technology and digital means allow somebody to present themselves as obviously what they're not. So how is over the last say twenty, thirty years this really compounded what in hindsight now seem like fairly analogue, innocent scams compared to what we're dealing with today?

 

Travis Simcox (20:38)

Bad checks have been around for a long time, but it wasn't quite the same. I'm barely old enough to remember when stores would post bad checks on the wall because people were getting them printed from their bank and it had their driver's license on it and everything. But nowadays, the scammers can just make a thousand email accounts that send out a thousand, you know, photoshopped images of checks drawn on different accounts.

 

So, they don't have to actually have a check printed and hand it to someone and have a fake ID to go with it. They just email it out to people and say, hey, this is from my account. And people use their mobile deposit on their banking app right on their phone when they get the email in. They deposit right on the app. They don't ever have to touch paperwork or look at someone or touch an ID.

 

And the scammers can do a thousand a day instead of just a few a day, for example. So, it's again it’s the scale that is allowed by the digital model of the scam versus the old paper model.

 

Gareth King (21:33)

Yeah, absolutely. And I think there's also that not the kind of face-to-face verification, but the verification of the digital content or the representation of whether it's that check, an image, et cetera, which we know is getting more sophisticated quality-wise as we move forward.

 

And I think that we've all seen AI, whether it's LLMs, Gen AI imagery that looks, you know, if you know what you're looking at, it looks clearly dodgy, but some people just totally think it's real. And so, where do you reckon that with the arrival of just this such ease to make what's clearly not real stuff, but it a lot of people fall for it. Like, where do you think we go from here as the sophistication of AI models gets even better and used for scams?

 

Travis Simcox (22:24)

Yeah, the image of the check doesn't really matter if it's high quality. They used to call them confidence men, right? Instead of scammers because they'd inspire confidence in them, and they would use emotional manipulation. They could give you the worst picture of a check, but you have confidence in them, and you have trust in the person that you're not looking at the check. You're being manipulated emotionally.

 

And the thing is with AI; people like to talk about in the news, oh AI is going to write malware, AI is going to find vulnerabilities and write exploits and hack things, because that's sort of like a sexy picture of AI doing those things. The reality, what we see people doing with AI tools, is that they're turning those low-level scammers into master confidence artists.

 

The AI, they have AI models specialise in giving them lines for scams and how to respond in the context of scams. So, the scammer doesn't have to be good at scamming, but the AI is the world's best scammer and tells them exactly what to say at just the right times.

 

So, it's that generative language models that we really see scammers using and not this nebulous hacking zero-day AI thing that shows up in the headlines. I mean maybe one day that'll be the big thing, but right now it's those generative language models telling scammers what to say.

 

Gareth King (23:45)

Yeah, for sure. And I think that that that essentially boils down to that these language models and tools are essentially reducing the competence gap. And I think that that's like the real thing to watch out for because once that skill is there, you know, I've heard of other voice recording manipulation tools as well, you know, like you could get someone's phone number, call that you're their kid or their parent or their sibling or whatever, asking for money or help, etc, sounding exactly like them. And look what likelihood are we gonna have anything that will be able to identify those as scams and people trying to take advantage of us?

 

Travis Simcox (24:25)

I think trying to identify it is a losing game because say you come up with a tool that for the next month can identify it, it's not going to last, but then people are going to start trusting it and they think that it'll tell them if it's a scam or not. And once the scammers surpass it, everyone's trusting this tool that's giving them bad information.

 

And you know, with the race of AI getting better and better, I don't think there's any point where we can actually trust a model that'll tell us if something is a scam. Even if someone comes out with one that seems to work okay and it's kind of neat, if we trust it, it's a mistake because it's not going to last for long.

 

Gareth King (25:03)

Hmm. Yeah, like everything, there's constantly people just devoted to finding those workarounds. And I think that, you know, my concern on stuff like that is as the more sophisticated that these AI tools get, like the harder it is to tell the fake from the real. You know, we've all seen how these generative image models have gone from six fingers and horrible faces to really, really legit looking stuff.

 

And I think that unless you're really on top of that and knowing what's possible and really vigilant and paying attention, the amount of people that could potentially fall for these scams is just going to explode.

 

Is that is that kind of where you see playing it out? Or do you think that there's a way that we as a global community, whether it's through governance, regulation, etc., are going to be able to combat this?

 

Travis Simcox (25:56)

I don't think there's any way through governance, regulation because if you come up with a law that says, you can't have a generative AI for scams, then you'll just have some special economic zone that is the owner of that super powerful AI and making a billion dollars off of it. There's always going to be someone who that the potential value is high enough that they're going to ignore or rewrite the laws or be somewhere where the laws aren't enforced and run those models.

 

So, I think that's also a losing game trying to regulate the models. I think you can't really outrun or out tech the technology. You have to address the psychology of it. And that's really hard because it's always been hard. Those same psychology cues have been throughout history what scammers have targeted. And they're really hard to get people to learn to identify and respond to in an effective way.

 

They're using these cues, romance, greed, panic. So short-term scams, panic is the big one. They’re, you know, there's a warrant for your arrest because you didn't go to jury duty, or you're going to get fired because you didn't fill out this paperwork right, or your family member got in a car accident or anything, a hook to get you to panic.

 

And once they have your heart rate up, we know that reduces critical thinking significantly. And then they can start molding you with whatever their script is and manipulate you to do what they want.

 

So, I think more than any piece of technology to stop scams is identifying those triggers. Identify if you're feeling panic and then you put down the phone, close the email, sit there for 60 seconds, breathe, and then think about it. Wait a minute, what's going on here? And call them back on a known good contact information.

 

Don't you know the incoming call, the incoming text message, the incoming email - you don't trust that. So, recognising panic, recognising if you're being manipulated through greed, it's hitting multiple cues at once on those types of scams.

 

Gareth King (28:02)

Yeah, absolutely. And again, you touched on something there, that kind of psychological angle, the panic, identifying how to manipulate people through desperation, fear, et cetera, et cetera. And I think that again, those very human reactions have always been around. But I think that it's the ability of the tools that have been developed or are being developed that is obviously allowing people to do this to such an extent.

 

What would you say, if any, responsibility for this lies with the people creating these tools? Or is it essentially, you know, the same kind of thing as being an internet provider? It's like, look, you just provide the thing, you don't have any responsibility for what people do with it?

 

Travis Simcox (28:48)

So, I know a lot of people are going to disagree with me on this one, but I think blaming the, you know, chat bot for someone using it for a scam is like blaming a pen for a fraudster using it, or blaming the printing press for someone printing false news.

 

It's tempting to blame the tool because that's a big company with a lot of money, and you can point at them and say they're responsible. But blaming the tool just is not useful for progress, in my opinion. It's not, doesn't get you to a solution.

 

Gareth King (29:19)

Hm. Yeah, of course. And I think I think we touched on it a couple of minutes ago as well, around people do need to be aware and vigilant and just think about what's going on. You know, does this feel legit? And look, I think through various means and fraud detection that we might be making some kind of progress against some scams.

 

But, you know, in terms of all these ones we've been talking about, they seem to be what I would consider on the smaller side, you know what I mean? Like if it's a few hundred dollars for a bill or whatever it is, I mean it's not the end of the world. It's awful, but they are still individual, unless you're getting hit over and over and over, quite small.

 

That said, I'm sure there is big and severely damaging scams that are going on and that you've seen. What are some of the worst or most damaging ones that you've seen through your line of work?

 

Travis Simcox (30:14)

So, I haven't seen the pig butchering in work, but I'd say that's the most damaging scam because they're not going for a few hundred dollars. That's the long-term investment scam.

 

And they'll actually get victims to once the victims are out of money; they'll get victims to borrow from their friends. And once their friends won't loan them anything, they get the victims to pawn their belongings, to take out a title loan on their car, to sell their house and wire the money. So, these people are ending up these are usually elderly people ending up on the street once the scam reaches the end, that's how the scams end.

 

Once the person's on the street with no friends and no family that trusts them anymore, then the that's when the scammer will finally move on. Once they can't get anything else, not one single penny more from this person. That person's out of credit, out of friends, out of family. So that's definitely the most damaging.

 

In business, the business email compromise is it's I mean, it's not putting people on the street usually, but by volume, it's pretty big. So I discussed phishing earlier. Usually, the goal of a lot of phishing is business email compromise.

 

Once they have access to your inbox, they look for invoices and conversations about payments. Then they modify those invoices and put them back into the email chains with a different bank account number and they'll continue the conversation. And then they'll go for say $50,000, $600,000, some amount, they're not usually going for millions because that's too hard to pull off, but they're not going for a few hundred. They're going for mid-sized businesses for those wire payments for five and six digits and getting those payments from those modified invoices.

 

Gareth King (31:51)

Right. How often is this happening? Just do you have an estimate on, you know, the amount of victims on a daily basis?

 

Travis Simcox (32:00)

Well, I see attempts just all day, every day. That's what these phishing kits, that's the primary way to monetise phishing that I see is that when people get access to inboxes, the way they make the money is by making those fraudulent invoices.

 

And that's around the world too. I've seen attacks against South Korea, for example, the same attack. They're trying to get into the inbox to modify invoices, change bank account details so they get the payment to their own bank account. So, it's going on I mean the FBI says billions, the FBI doesn't know about what's necessarily going on in Asian countries inside that country, right? But just in the US alone, it's billions.

 

So that's, it's big business. The business email compromise is huge. I've seen booths at security conferences just to talk to people about this one particular scam is how big it is.

 

Gareth King (32:47)

That totally makes sense with the amount of business and people within businesses and I guess the amount that we're all communicating via email these days as well.

 

One thing I did want to speak to you about is these kinds of crowdfunding platforms. Now we know a lot of these are used by someone in need. They may have a huge medical expense or some tragic event happen in their life that puts them into a state of supreme vulnerability and need, which seems to me as a great way to find legitimate help, but also a very open way of broadcasting that you are particularly vulnerable in that moment.

 

Are these platforms things that scammers, you know, tend to focus on in any way?

 

Travis Simcox (33:39)

I’m not sure about the GoFundMe, but like on Reddit, I was saying the people who are asking for help are the some of the biggest targets for scammers. They want help with their bills, and the scammers start working some angle, like a fake check, you can pay me back with the real money. Anyway, people are asking for money on sites like Reddit, they're gonna get a thousand scammers responding to them because the scammers know exactly what to say to get their trust and to execute the scam.

 

Something that it's still hard to wrap my head around, even though that makes perfect sense on paper, is there was this platform Pump Fun, this cryptocurrency platform. And this guy came on and said he had 120 hours to live. He wanted to sell some cryptocurrency to have some savings for his family. And he created this cryptocurrency coin and got so much hype. People were buying it from each other until it was six figures per coin. And then 120 hours, he didn't die. He just logged off and kept the money. He had some liquidity contract that sent the money to him at the end of that 120 hours, and everyone just lost their money.

 

And it's interesting. I mean, on the surface, you think people are trying to help him because he begged for help for his family. He's about to die. But what I think is going on is that was a greed one. People thought that other people would buy into the coin and they could sell before 120 hours, they thought they would sell the coin to the other suckers who wanted to help the guy and they weren't the sucker, but it turns out everyone was the sucker except for that guy who logged off and took the money.

 

Gareth King (35:09)

Yeah, look, I'd believe that the way that you'd summarised that there. We know a lot of that happens in that cryptocurrency space. And I think then another thing I'd love to ask you about is with all there's so many scams going on all day long all around the world, but it feels that there's not I mean, at least from my perspective, there's not as much kind of encouragement of vigilance, as I would imagine there would need to be to deal with these kinds of scams that we've been talking about.

 

Do you think that it would be a case of people don't want to raise the alarm so loud because it would lead into panic and paranoia, which would allow that psychological, you know, condition for scammers to prey on?

 

And then if we if we do kind of get people so aware of all these different types of scams and constantly telling them hey, here's this scam, here's this new scam, here's this new scam, would that eventually make people paranoid, do you think, about scams online and then just ruin everything for everybody?

 

Travis Simcox (36:18)

I think that it's really hard to teach people this stuff because those triggers, they're using panic and greed and those things, they're so emotional and deep-rooted that people will logically think, well, I'm not going to send all my money to a stranger, and then once those psychological cues happen, they do.

 

And so, you can teach them that you can present on paper this, you know, don't send your money to a stranger all you want, but being safe when you don't need to is the thing.

 

They say that I think it's an ancient Greek saying, you don't rise to the occasion, you drop to the level of your training and your habits. So, practicing you not falling for these things when the stakes are low is what's needed. So, you get in the habit of recognising emotional states because people have this training and they think they're going to apply it when their heart's beating a hundred times a minute 'cause they think their family's in a car wreck, but it doesn't actually connect.

 

Gareth King (37:15)

Right. Do you think then if we're also conscious of these training and, you know, these little tactics, which essentially, we should all be responsible in a way for ourselves, where does that tip into just distrust of people who are potentially in need or offering help? And do you think that that will eventually break the way that we are willing to help each other at all in a digital sense?

 

Travis Simcox (37:41)

Yeah, it's hard for me. It's getting into an area that's hard for me to really answer well because I see so many attacks, so many scams, because that's what I'm looking for. So, I'm just constantly thinking about what's the angle here, what factors are at play. Because I have to because that's my role. So, it's hard for me to say, you know, I'm already past the point of being suspicious of things, so…

 

Gareth King (38:07)

Yeah, look, I can I can imagine that you are, yeah, and probably a little bit desensitised to it as well. Let's say that everybody becomes aware of all of these scams. We all train ourselves little ways to protect ourselves and essentially, we're on guard twenty-four hours a day, or as long as we're in this kind of digital space.

 

Would you say from that point we can ever go back to, you know, a high trust digital environment? Or it's just permanently gone thanks to, you know, the endless amount of digital scam creativity?

 

Travis Simcox (38:44)

I think it's permanently gone and I hate that it's permanently gone because that's not what I pictured, you know, 20 years ago talking to college students about how the world was going to change and talking about psychological research and how psychology works and connections with humans around the world. That's not what I pictured, it's not what I wanted, but I think that that's what we've got and it's here to stay. As long as we're globally connected, there's no way to go back.

 

Gareth King (39:08)

Hmm. Which sounds, you know, it sounds pretty bad that when we get to a default response to a potential stranger in need, even if it's somebody that we know and now we can't trust because we know of all these kinds of impersonation scams, etc. Like and none of us are really willing to help each other.

 

But all of that said, things aren't panning out how you imagine they were. We found ourselves in a situation that the scammers are getting more creative, more sophisticated, more powerful, more lawless, their tools are getting better and better now with the rise of AI.

 

From here then, moving forward, what tactics and practices would you say that people, or businesses as well, can best utilise to protect themselves as these scams get more and more sophisticated?

 

Travis Simcox (39:58)

In addition to what I said, recognising those emotional cues, I think that people have to step back and look at the big picture of what they're about to do, because the scammers they build up this context and get people, you know, thinking about those intricate details. It's like quick change artists at a cashier. They're moving the dollar here or five bill, whatever. But you need to step back and look at the big picture if things add up.

 

You need to step back and say, wait, I'm going to send $2,000 from my account to a mover I've never heard of, hired by a stranger that I've known for five minutes. If I lose that $2,000, do I have recourse? Am I comfortable doing that? And I don't think people have an easy time stepping back from the story that's built up and looking at the simple act that you're sending $2,000 to a stranger and you don't know what's going to happen to it and you don't have recourse.

 

Gareth King (40:54)

Hmm. So yeah, it really is unfortunate that the outcome from here is heightened cynicism, but the fact that it is something that we're gonna have to get more and more vigilant with is probably not ideal. Oh well. Look I think that some good advice there. Is there anything that you would suggest that businesses should do?

 

Travis Simcox (41:19)

As far as concrete advice for security, move to phishing resistant authentication methods like passkeys. That's the biggest protection against phishing. And it's a pain to move to. Companies don't like to move to it, but that's the biggest protection against phishing, against business email compromise, against all this invoice fraud going on, because pass keys can't be phished.

 

As far as all those pig butchering, people get wrapped up in in this relationship they have with the fake person and they use some investment platform no one's ever heard of that has a website that, you know, it looks slick, but then when they post on social media, well, this company ripped me off, everyone looks at it and says, well, this company's been around for five months and the website it doesn't look like it doesn't look like Fidelity. It doesn't look like you know, a legitimate bank. It's just this vibe-coded stuff.

 

So just because your new friend or, you know, romantic acquaintance says that this is the best investment platform, doesn't mean that you should be investing in that. And who knows? Maybe that person is scammed themselves and they're not even lying to you. Maybe they've been sucked into the scam, and they think they're telling you the truth. But it doesn't mean they're an expert on it just because they've been told to say something or they think that they saw some profits.

 

Gareth King (42:38)

Yeah, look, very interesting to know that we need heightened vigilance and essentially protect ourselves by disabling all of those human emotions and psychological traits which do make us susceptible. So, there's a lot there for people to think about.

 

Thanks so much for all of that, Travis. What have you got coming up and where can people follow what you're up to?

 

Travis Simcox (42:59)

Well, I have a YouTube channel that I recently started. It's a bit technical. I do some videos about latest phishing attacks, and I do some biweekly deep dives into specific phishing techniques and how they work.

 

So, if you want to follow me, I know it's behind the surface on YouTube. And then I have a blog, behind the surface dot net. I recently did an episode on ATM jackpotting, this attack that this malware attack that makes ATMs dump all their money out that's really big in the United States right now. It's been all over the news. There's been ninety-three indictments as of this week. So different attacks like that, I deep dive into them and run the attacks and break down how they work and how to defend against them.

 

Gareth King (43:41)

Awesome. Thanks so much for your time.

 

Travis Simcox (43:43)

Well thank you, it's been great.

Travis Simcox Profile Photo

Lead Cyber Threat Hunter

Travis Simcox is a Cyber Threat Hunter and former cognitive science researcher. By day, he tracks threat actors for a risk management firm, analyzing logs and developing detections that stop breaches before they happen. By night, he adopts various personas to engage directly with criminal organizations, studying the humans behind the hacks. He is also the creator of Behind The Surface, where he breaks down the latest cyber threats with his digital gumshoe sidekick.