Speaker 1 (00:00):
The discussion contained in this podcast is for information purposes only. The mention of any specific brand or other commercial products or services, including apps, websites or other recommendations by the guest, does not represent an endorsement or recommendation by Truist, its employees, affiliates or subsidiaries. Persons listening to this podcast are encouraged to thoroughly research any product or service before using or purchasing.
Brian Ford (00:38):
Welcome to Money and Mindset With Bright and Brian, a podcast that explores how good financial habits and positive psychology can help you find more happiness and confidence. I'm Brian Ford, head of Financial Wellness at Truist. I'm joined by my co-host and friend, Bright Dickson, Truist's resident expert in positive psychology. What's shaking, Bright? How are you doing today?
Bright Dickson (00:59):
I'm good. How are you, Brian? What's up?
Brian Ford (00:61):
I am doing good. Doing really good. I'm excited for the show today. But today's topic, it's one that's pretty serious and it could end up saving some of our listeners a lot of stress. On today's show, we're talking about fraud and scams, online scams that can cost people their hard-earned and their hard-saved money in a matter of minutes.
Bright Dickson (01:22):
Just even thinking about the word scam, I'm interested, I love hearing about scams and what's going on, and I'm so excited for this episode, because scammers have gotten so—I don't want to give them a compliment and call them clever, but they really are. These scammers can be really clever, really fast moving, they're super tricky today, and I know plenty of smart people who have fallen victim to them. So I think it's great that we're not just talking about the latest, most common scams, but also the red flags to look out for, the steps you can take to protect yourself, and what you can do if it happens to you, because it can. And I feel like I'm definitely going to take away some good pointers and action after this episode.
Brian Ford (02:07):
Yeah, me too. Let's get the show started and introduce our special guest.
Bright Dickson (02:19):
Today we're chatting about scams that cost people money and how we can avoid them. This is a really big topic, but thankfully we're joined today by someone who can help us feel more confident and prepared when it comes to dodging scammers.
Brian Ford (02:31):
I am really psyched about our guest, Matt Toussain. Now, look, I of course appreciate all of our awesome guests, but I think this might be one of the coolest experts we've had on the show. He is the founder and CIO of Open Security, a holistic security services company whose passion is not only to help other companies protect their data and assets, but also to inspire and educate. He also works with a company called IANS, a cybersecurity advisor for Truist, runs a YouTube channel that uncovers the latest cybersecurity tactics, and, fun fact, while serving as the senior cyber tactics development lead for the United States Air Force, he trained multiple members of the FBI, which I think is pretty cool. Welcome to the show, Matt.
Matt Toussain (03:15):
Howdy, Brian, it's an absolute pleasure to be here. I'm so excited and thank you for that absolutely flattering introduction. I have had the opportunity to be involved with a fair number of, let's call them, engagements and scenarios, sometimes with the FBI, sometimes with the NSA, so my background is absolutely pretty government-centric. But I now run a private sector security company, if you will, and we deal with all kinds of security problems from many organizations, including folks like you all at Truist.
Bright Dickson (03:45):
Yeah, we are super excited to chat with you. You have a very impressive resume, and I'm super excited to learn. And, Matt, as you might guess, I have so many questions for you.
Brian Ford (03:56):
Yeah, I'm going to start. Look, we're talking about scams, and we're not just talking about the ones that are affecting older folks. We're also talking about scams that are targeting and tricking younger adults. Let me kick us off with a surprising statistic. Even though Generation Z, they're obviously more digitally savvy, they're surprisingly three times more likely than their grandparents to be affected by an online scam.
Bright Dickson (04:22):
I find that really surprising. Did we fact-check that? Are you sure about that, Brian?
Brian Ford (04:28):
Hey, look, we fact-check our stuff. Look, I was surprised to see that too, Bright. And I'll give you another one also that is pretty surprising. So in 2025, 50% of Gen Zers who encountered a scam in the past year lost money, followed by 45% of millennials, 32% of Gen Xers, and only 26% of baby boomers.
Bright Dickson (04:54):
I do find that really surprising. Matt, I guess this has to be our first question. How is this possible? So why are Gen Zers more susceptible to online scams even though they grew up with social media and smartphones and they're what we call digital natives? Why are they getting scammed so much more?
Matt Toussain (05:12):
I think this is a fantastic way to start off the conversation, because, you see, opportunity is one of the things that's most important from the perspective of cybersecurity concerns in general. And so as a cybersecurity expert, what I always think is what is the mean time or what is the mean average of exploitation activity to be successful? And so what that means, if we're thinking about something like younger generations, I’m a millennial myself, Gen Z as well, but if we're digital natives, that also means that we are kind of terminally online, we're there all the time, which means from an opportunistic perspective, that means we get 10 times the number of attacks versus folks who are less online. But I think it is also really important to understand the impact. So if we think about cybersecurity, we're always calculating risk. And risk we like to put in the perspective of the likelihood of something negative happening times the impact of how bad that might be.
(06:07):
And one of the things I think is very often missed from this conversational perspective is that, yeah, from a likelihood side of the framework, Gen Z, the younger you are, the more terminally online you are, the more actively you're probably getting targeted. But at the same time, what do you have to give up? And so if we look at baby boomers, or boomers, in general as an alternative example, what we do see is a much more significant impact if there is an attack that ends up being successful versus Gen Z, whereas the impact is much more likely, but, generally speaking, a lot lower in significance. That isn't to say that it isn't insignificant, because anytime that you're taken advantage of in a digital perspective, that is significantly damaging for you. And if you've got less of a safety net that you have personally created, then the more disruptive it's going to be to your life in general.
Bright Dickson (06:58):
Yeah, that makes sense now that you explain it. So it's basically the more time you spend online, the more scams you're just exposed to. Matt, what type of scams are we talking about? What are some of the biggest scams or frauds that you see out there right now?
Matt Toussain (07:15):
Let me jump into that with a bit of a backstory here. For example, one of the things that we do see is self-selection. Let's say for example that you get a phishing email, it's an email and says, "Hey, look, I'm a Nigerian prince and you're a cousin of mine, and if you were to give me a little bit of money, I can give you a lot in return." Now, we obviously know that this is the traditional Nigerian prince scam, and a lot of folks will be very aware that this is not true, because, you know what, as humans, we have this idea of interacting with each other, communicating with each other, and then having a bit of trust about the reality of that conversation, if you will. Now, there are some things that break it, and in the case of email, I think that a lot of folks today in 2025 have a good understanding that we can't necessarily trust everything that we see online, but there are a lot of opportunities if you're an adversary in this case.
(08:08):
For example, the number one country, if you will, where we see a lot of, let's say, scams and phishing based activity come out of is India, maybe Bangladesh. And effectively, one of the things that a lot of folks ask me all the time is, "Hey, look, I have this obvious phishing email that came in, all of the words are misspelled, it's poor English." But the thing is you know where the number one country is of English speakers? It's India. It absolutely is. And so if they speak English natively, why are they misspelling things? Is it perhaps on purpose?
(08:41):
And so in the cybersecurity community, this is something we refer to as self-selection. The idea there is that if I send you an email that's obviously potentially malicious and you click on my links anyways, guess what that tells me about you? It tells me that you're very gullible and you're worth my time to try to exploit. In which case I might try to get you to buy, let's say, gift cards from Apple or Google or the Play Store or whatever it is, so that I can take my compromise of you and then monetize it. This is something that is much more effective against vulnerable communities, so we're talking often here about the elderly, folks who might have a little bit of social disability perhaps. They're, generally speaking, very targeted by these types of groups because they can specifically give you an email that is obviously bad.
(09:32):
But if you so happen to interact with it anyways, that tells them that you're worth their time to attack. And that's the kind of fraud that we're seeing a huge amount of right now, specifically.
Brian Ford (09:40):
Oh my goodness, that's fascinating. I didn't know that. I'm excited for this conversation to keep going. So in the next segment we're going to get into how to spot these scams, what you can do if you're targeted, and what the future might look like as scammers and technology continue to evolve.
(10:07):
OK, let's jump back in. So, Matt, what are the biggest red flags our listeners need to watch out for so that they can avoid these scams?
Matt Toussain (10:13):
I think this is a fantastic question. It's a great way to look at the conversation in general, right? Because you want to protect yourself. But here's the thing. So you get these kinds of, let's say phishing scams. A lot of them might be via text. Maybe you get a text that says, "Hey, look, you're getting a package from FedEx, but it was routed incorrectly. Here's a link. Click on the link." This is a very basic kind of phishing scam that we might see, and we could talk about the red flags that you could use to identify whether it is phishing or not phishing. But here's the real truth. The real truth is the problem is us, because all an adversary is trying to do is they're trying to emotionally connect with us in a way that's going to get us to respond to them, which might have some negative effects on ourselves personally, as in we're giving them money, for example.
(10:57):
And if we're talking about emotionality here, I think emotionality is perhaps the most prevalent red flag here. And if there's an emotion that we want to really dive into, it's desire. We were talking about Gen Z here specifically earlier, and I think if we look at Gen Z and we say, "Hey, look, let's try to explain away why they’re so much more susceptible, if you will, to these kinds of attacks." I think it's all about desire. We have needs; we're trying to accomplish them. We're a little bit unstable, and here we're presented with an opportunity. How could we say no to this opportunity? Guess what? The opportunity itself might not be real. So kind of check the idea of desire that you have. Check your greed. If someone's saying, "Hey, look, here's an opportunity to get rich quick." You should really consider why are the rich not already using this to get richer in the first place? Why am I so special? And I think this is the biggest question that we don't ask ourselves. And if we ask ourselves that question, it becomes much more easy to stave off these kinds of scams.
Bright Dickson (12:01):
Yeah, that's really helpful. So sort of that too good to be true thing, but there's this grain of truth in it, right? Are there any identity protection or cybersecurity tools that you'd recommend or educational resources where people can get more info and stay up to date and sort of know what's happening in this arena?
Matt Toussain (12:23):
Absolutely. If we're talking about identity protection specifically, this is really the realm that adversaries are focusing on right now. People have this idea about Hollywood-style hacking where you've got a computer and I'm going to get into it because I'm awesome and I'm a genius. But that's really just not how it works in the real world. We're generally speaking as adversaries targeting you because of who you are and what you interact with. So if you've got accounts on different, let's say web applications, and those accounts maybe have the same username, that's pretty typical. Guess what? If you also maybe have the same password and maybe multiple of these things get breached, we can connect those dots and I can log in as you, I can impersonate you inside of these applications. So the more access you have to more systems, the more likely you are to be attackable.
(13:12):
We call this attack surface. And one of the things that you can do personally is do attack surface management on your own. One of the things that often is from a technology perspective, really valuable here are things like password vaulting solutions. So you might look at something like Dashlane or LastPass, and probably you should use something like multifactor authentication to unlock that vault. If it's just a straight up password, not ideal. But the idea here is that if we have unique credentials for all of the things that we interact with and access, if that remote application, let's say LinkedIn, gets hacked, it doesn't destroy our ability to interact with all of the other identities that we have in different applications. Maybe you have a Facebook account. Does that connect to your LinkedIn? Maybe it shouldn't. Something like a password manager or password vault can really be helpful there.
Brian Ford (14:00):
Yeah. And, Matt, is there any, I mean as far as nonprofit organizations, websites you like? Give us a little bit more about where we might be able to go to find some additional information. Any thoughts there?
Matt Toussain (14:12):
So there's this site that's actually kind of built and maintained by, let's call it an extended friend of mine, and it's called Have I Been Pwned. And I think that this is a really good eye-opening opportunity for a lot of folks. If you go to haveibeenpwned.com and you type in your email address, it'll tell you what websites you have an account on where that site has been breached and your account has been exposed as a result. So a lot of folks think, hey, look, I haven't been hacked. My money hasn't been stolen, so part of this is correct. Maybe your money hasn't been stolen yet, but that doesn't mean you haven't been hacked. And so if we look at something like Have I Been Pwned, it'll give us a really good understanding of when we need to change our passwords. Granted, perhaps we should be changing our passwords on a regular basis, but there's two ways of consideration here, right?
(14:58):
There is the proactive style where I'm maybe rotating my credentials on a 30-day basis. I don't recommend this. It's really difficult to keep ahead of that. But you know what? If you want to be absolutely crazy, go for it. On the other hand, the reactive style is really rather valuable. Do you know that your account has been breached on certain websites? And if the answer to that is I have no idea, something like Have I Been Pwned could be a great opportunity to say, "Hey, look, I have been pwned, but it's going to take attackers maybe three or four years in order to identify and then exploit me." So guess what that is? That's an opportunity to secure yourself. If we can identify it, then we can do something about it.
Brian Ford (15:40):
Yeah, it's great information. I'm certainly taking notes over here, not just because I'm someone who's online, but also as a dad. I've got a couple of kiddos in their early 20s. This is going to be a must-listen for them. Matt, talking about friends and family, do you have any conversation starters or ideas on how we can chat with our parents, our children, spouses, friends, about these topics, really just to help all of them to become more aware?
Matt Toussain (16:05):
So let's actually bring this down specifically to the perspective of scams. And so if we're talking about scams in general, oftentimes these are being generated out of call centers. And those call centers are focused on, generally speaking, targeting vulnerable populations, vulnerable individuals, gullible folks. But oftentimes just on an average basis. I don't wake up on the left side of the bed every day. Sometimes I am absolutely one of those vulnerable populations. And so how do we have a conversation about this that is fun and engaging? Now, this is obviously a very serious topic, so it becomes very difficult to make it fun. And that becomes, in my opinion, one of the larger challenges.
(16:46):
So let's talk about scams. For example, there's this YouTube account called Kitboga. I think that's how you pronounce it. I might be incorrect. But there are a number of YouTube accounts and channels that are in this specific space. And what they do is they respond to scam emails and scam calls, and they try to waste as much of the scammers’ time as possible. And what we get to see from this—A, that's kind of funny, but B, what we really get from this is we get to see what the tactics and techniques are from a scamming-based perspective. And I think the biggest challenge here is lack of knowledge. Ignorance, at the end of the day, really constricts us all.
(17:26):
And so if we get to see what adversaries are actively doing in real time, and then they try to do that to us, we get to take a step back and go, oh, I know what this is. Maybe instead of me being a victim, I might actually have the opportunity to have fun in this interaction. Not to say that you should actually mess around with scammers, though why not? If you want to, go for it. But the point is, if you can identify them ahead of time or during the actual interaction, you can safeguard yourself from the negative events.
Brian Ford (17:55):
And so your thought is use something that's a little bit more interesting. Obviously this is a serious topic. We want our kids and significant others to learn about this. But you're saying like, hey, some of these YouTubers, some of these other folks that are showing this in a way that kind of is in a fun light; it's just an opportunity to learn together. And then that starts a conversation, I think. You can then say, "That was crazy, but now let's talk about this, kiddos." I like that idea. I like that. I think you said Kitboga. I think that's how you say it. Kitboga.
Matt Toussain (18:26):
Yeah. I think it's Kit-kaboga, but something like that.
Brian Ford (18:28):
It sounds pretty fun to watch.
Matt Toussain (18:30):
And if I can double down on that, the thing about this kind of exploitation is that it is so embarrassing, right?
Bright Dickson (18:37):
Yeah.
Matt Toussain (18:38):
If you are a victim, you feel like it was your fault. This sucks, right? And we look at the numbers. Sometimes we're talking about your entire retirement fund. This is what you have spent your entire life trying to build towards for your family, and an adversary might've been able to convince you to give it away to them. This kind of scamming and this kind of exploitation is radically transformative to people's entire lives and for their entire families as well. And so if this happens, at a certain point you have to say, "Oh, hey, everyone. Let's get around the dinner table, and let's talk about what happened. I'm sorry." That is one of the most difficult kind of conversations to possibly have.
(19:25):
In more non-cybersecurity style conversations, this is often going to be, "Hey, look, we're going to talk to law enforcement, and they're going to help make this right." But from a cybersecurity perspective, things like extrajudicial treatment and the ability to, let's say, extradite someone to the United States because we're talking about a foreign adversary, perhaps, they might just straight up not exist. And then even more so, one of the things that is actually in this space, really not disingenuous per se, but it's really terrifying, is that a lot of the people who are doing these attacks, and that's, I think, one of the things that we've really got to talk about. What is the human condition here? Who are these people who are going after grandma and grandpa's Social Security accounts and their personal investments and trying to extract that kind of value? Who are these monsters?
(19:16):
And in reality, a lot of these folks might actually have been human trafficked in order to be able to do the job in the first place. And I would point to Bangladesh here as a very direct example. A lot of these scammers, guess what? They might be locked in a room and forced to have these conversations over the phone in order to feed themselves and their families. And so we're talking about victims attacking and assaulting other victims here, and yet there is this overarching component that does make money off of it, and those are the real enemy.
Bright Dickson (20:48):
It gets very dark very quickly when you get into it, Matt. And to go back to the what do you do if this happens to you, if you fall victim to it? And I had a good friend who fell victim to one of these scams. She was tricked into losing a lot of money, and she won't talk about it very much because she's embarrassed, but from what I've heard, it was almost like something took over her mind in a way, she's super smart. From the outside, you wouldn't think that she would fall for something like this, but people do, and she did, and smart people do. So I have two questions here. So, one, if this happens to you, you talked about this a little bit, but what do you do in terms of logistics? Do you call your bank? What do you do? And then, second, what do you do with all of that embarrassment and shame, and I think loss of trust in the world? How do you deal with that?
Matt Toussain (21:53):
I think that's a fantastic question. I'll start with the first part. And unfortunately, the first part isn't necessarily great. So let's say that this was banking fraud, as in they got routing numbers from you, and they were able to directly steal the money from a direct account. In that kind of situation, there are government protections that can help you retrieve that money back, or at least that are kind of insurance style. But to be honest with you, most of these adversaries are looking for more direct financial interaction as the way that they monetize their compromise. The most common variant of this is going to be like, they might ask you for a gift card, but they specifically might say something like, "Hey, look, we're reaching out because we are part of Microsoft," right? Remember, remember, remember, these folks are lying through their teeth the entire time.
(22:37):
So they say, "Hey, we're with Microsoft. Give us a call. Something bad is going on with your computer," or whatever it might be. So you give them the call. And then they say, "Hey, look, we want to give you money back for your time," and so they'll create a gift card for you, and they might create a ruse around that. "Oh, shoot, I gave you too much money and I'm going to lose my job because I made a mistake. Please give me the money back so that I don't lose my job." And you as a concerned good citizen are going to do that, and then this is how they start. How do you get that money back? Maybe it's through a gift card of some sort. Maybe it's an Apple Card, maybe it's a Google card, maybe it's not enough money. Maybe they need more.
(23:16):
Maybe they add an extra zero, or they actually get you to click a link, or they have a fake site associated with it. Effectively, you could have saved yourself right off the bat by hanging up the phone in the middle of that interaction, and then they're out. But unfortunately, what they're really focused on is exploiting our empathy for their personal situations, their manufactured personal situations, I should say. Second side of that question, though, Bright, you mentioned also the embarrassment, and I think that the embarrassment is actually one of the problems from the perspective of getting better here. Look, we don't hear enough stories from the victims. If we heard more stories from the victims about how this happened to them, we would have more insight into it going into the whole situation. But beyond that, we'd also be a little more aggressive in these interactions, and be aware that we should maybe defensive-drive these situations, if you will.
(24:08):
But the problem is that if you were a victim, you feel like you're at fault because you were targeted, you were attacked, and you were gullible enough to give in. But the thing is, these folks are professionals. They do it every single day to hundreds and hundreds of people, and you just happen to have been one of them who fell in line at that specific point in time. So I think that if we're talking about victims, don't think about yourself as a victim after the fact. Think about yourself as an opportunity to be a champion because you have a story to share, and that story can help other people too.
Bright Dickson (24:43):
Yeah, I think that's really powerful. You're sort of taking back that control and paying it forward in a good way to get your confidence back, and to do other people a solid. I mean, I know that what I do know of her story, she doesn't talk about it much, but what I do know, it's clued me into, well, if it can happen to her, it can happen to me, right? I'm no smarter than she is. And so I think that's really important. So one more question, Matt. What's on the horizon in terms of scamming? What are you predicting is going to happen in the next year or two, and what do we need to be aware of?
Matt Toussain (25:20):
Oh, this is, I don't want to be hyperbolic by any means, but the sky, perhaps, might just be falling. So we have this new technology on the horizon called all the artificial intelligence, machine learning, et cetera. And so very specifically, if we think about this from a threat modeling perspective, if I'm an attacker and I want to make money from you in this fashion, what it does is it requires every minute of my time that I spend on the phone with you is a minute of your time that you're also spending on the phone. Let's actually back that up though. For example, another way that we do a lot of scamming, I say we as if I'm a scammer, the opposite. But another way that we see a lot of scamming happening is via phishing emails, right? If I spend 30 minutes of my time creating an email and I have a thousand email addresses to send that out to, guess what?
(26:07):
I have a thousand targets, 30 minutes of actualization to make that occur. But if I want to do it over phone, which is far more effective, by the way, because people understand that if I get a Nigerian prince scam kind of email, maybe you don't trust the email. But you wouldn't lie to me directly, would you? We have a little bit of trust for humanity in that sense. And so it's much more effective to do a phone call, but it also takes a lot more of my adversary attacker time to do it. In the case of artificial intelligence models, we're seeing a huge amount of capability to do voice enabled-based operations. This means that I can say, "Hey, look, let's create a ruse around how I'm going to try to get money off of you." And the way that we can scale that from an email-based perspective is suddenly something that we might be able to scale from a voice-based perspective on the phone directly, especially for vulnerable populations. This is one of the things that terrifies information security organizations right now in an extreme sense, because what do you do about this? From a corporate perspective, I can give you a lot of tools, and techniques, and solutions. There are software vendors that'll do liveliness detection to identify, is the voice that's on the phone a human or is it an AI, all of these kind of things? But for you and I, as direct humans, as potential victims, we don't have these kind of solutions accessible to ourselves, at least not yet. And so if we're thinking about the next year to three years, this is not just an emerging concern, but it is kind of an existential crisis.
Bright Dickson (27:37):
Yikes.
Brian Ford (27:38):
Wow. I mean, not only is that a little scary—it's fascinating at the same time. Matt, as we come to a bit of a conclusion here and kind of wrapping things up, anything else you can think of that you think would be good information for our listeners, whether it's kind of a summary of what we've talked about, just a few things that they can do differently? What else would you share with our listeners so that they can stay safe online?
Matt Toussain (28:04):
Absolutely, I'd be happy to. So this is going to be maybe a little bit basic, if you will, because at the end of the day, adversaries are trying to make money. That's what we’ve got to understand. And so the question really is, how can they maximize their billable rate, right? Their question from themselves is, how can we maximize our billable rate? By focusing on the low-hanging fruit. So if you want to make yourself secure, don't be the low-hanging fruit.
(28:31):
That's the biggest thing that we can take away. We'll talk a little bit about exactly what you can do to prevent yourself from being the low-hanging fruit, but recognize that you do not have to be stupid secure. You don't have to do anything extreme. All that you need to be is better than the Joneses. So, for example, I'm from Alaska, and in Alaska, we have a lot of bears. And we also have a lot of handguns, but what we often like to say is that the handgun isn't for the bear, it's for your friend because the bear's only coming after somebody, and if you shoot them in the leg and you can run away, woo, we just made it. And I think that cybersecurity is rather similar in this sense.
Brian Ford (29:05):
Matt, that is a dark take on—I thought I knew where you were going with this. I was like, "Oh, bears, you've only got to be faster than the person next to you," but like you're talking about, "Okay, you're not messing around here."
Matt Toussain (29:17):
I'm not suggesting that you shoot your grandmother in the leg and say, "Hey, look, she should get compromised, not me." But at the end of the day, it's all about not being the low-hanging fruit, which does mean it's all about the basics. That means it's also very accessible to you. So the first thing is defensive driving, right? When you're getting a conversation with someone and money abridges the conversation, have doubt.
(29:40):
Let's say it's your bank. Your bank called you. Guess what you can always do? You can hang up, you can Google their phone number, and you can call them back. You can always do that because the thing is, if I call in to you and I pretend to be the bank, I don't have the bank's number. I don't. So I'm hoping that you believe me. Guess what? You can always just say, "Hey, look, thank you for this information. Who should I ask for when I call back?" And they're not going to give you any information because they don't know who even works at the bank. But if you hang up that phone, you call back in, you're going to get the right target in there and they're probably going to say, "Who were you talking to in the past? Probably not us. Probably not the right folks."
(30:20):
So the first thing to think of is defensive driving. The second thing to think of is proactive considerations and proactive controls, so things like using multifactor authentication when you're logging into something. You might've seen, "Hey, look, can we give you an SMS message," or, "Type in your phone number here and then give us a code." This sounds and feels really kind of disruptive when we're trying to just access an application, but it's stupendously powerful. If we look at Google statistics on this, even if we're talking just SMS messaging for an MFA, multifactor authentication situation, we're talking about 90% less exploitation, 90%, and that's the worst way you could do it.
(30:58):
On the other hand, we could use something like, let's say push notifications or maybe FIDO2-style authentication procedures, passwordless, all of these kind of things. Don't even necessarily worry about the details because I'm a big Pareto principle fan myself, and I think 90% for most of us might just well be enough. Find an easy solution that works for you, but raises that bar, because guess what? We just don't want to be the low-hanging fruit.
(31:21):
And then finally, one of the things that adversaries really do—this is in cybersecurity, something we call credential stuffing. But the idea here is they really try to leverage all of the accounts that you have across many different sites. And if any of those sites get breached, they use that data to try to access your accounts in other sites. So make those as differentiated as possible. Things like a password vaulting solution, let's say LastPass for example, or maybe 1Password, Bitwarden, whatever it might be; it doesn't really matter. One is not better than the other. What we're effectively doing is we're changing the paradigm that adversaries are engaging us against.
(32:00):
So the three solutions here. First, defensive driving, defensive cybersecurity, protect yourself. Second, multifactor authentication, and third, don't have the same password on multiple different sites simultaneously. Use something like a password vault to help you out with that. I know that might sound really basic, but the basics are what keep us secure.
Brian Ford (32:21):
I love it. I agree. Stick to the basics. This has been a great conversation. Thank you, Matt, for joining us today. Look, this is going to be a must-listen-to for my kiddos. Thank you.
Bright Dickson (32:31):
Yeah, thanks Matt. I'm going to make other people listen to this too because I just think it's critically important that we have this conversation, and I feel lucky that we had you on the show. So thank you.
Matt Toussain (32:43):
I'm so glad to be here. I'm a little bit of a cybersecurity nerd, so I do tend to be in cybersecurity spaces all the time, but the opportunity to talk to the folks at wide is so fantastic. I know we mentioned a little bit about FBI back in the day, or about an hour ago or so. But the idea here is that if you're in these kinds of agencies, what we're trying to do is we're trying to reduce the harm that people are experiencing. And so the opportunity to be on a podcast like this to just talk to those kinds of concerns, if there's even one person who I've been able to help with maybe fraud in the future, fantastic.
Brian Ford (33:19):
Ah, you helped more than one person. Thank you, Matt.
(33:25):
Well, that wraps up another episode of Money and Mindset With Bright and Brian. We hope you've gotten some helpful knowledge about keeping your data and accounts protected. We want to thank our guest, Matt Toussain. It was great to have you on, bud. We appreciate all the information. You can keep in touch with Matt by liking and subscribing to his YouTube channel at Matthew Toussain and check out his website at OpenSecurity.com. Also, please share this episode with others you know that you care about so that they can stay safe too.
Bright Dickson (33:56):
Yeah, we appreciate you, Matt, and all of our listeners as well. We'll be back with another episode next month. In the meantime, we have some great additional resources on the Truist website that can help you with creating strong passwords and protecting your personal data. So be sure to check those out at truist.com/money-mindset. Stay safe out there, friends.
Speaker 1 (34:25):
This episode of Money and Mindset With Bright and Brian is brought to you by Truist.
Gen Z grew up with smartphones, social media, and online shopping. But even though they’re savvy digital natives, they’re surprisingly three times more likely than their grandparents to fall for online scams.
In this episode, Truist psychology expert Bright Dickson and money guru Brian Ford sit down with Matt Toussain, the founder and CIO of Open Security, to explore why Gen Z scams are so prevalent and why digital fluency doesn’t always equal scam protection.
Not a Gen Zer? This episode is still for you! Matt, Bright, and Brian discuss how to help protect against scams across all generations, highlighting common tactics scammers use, how to recognize warning signs, and what steps you can take to avoid scams or respond if you become a victim.
The discussion covers:
“All that an adversary is trying to do is emotionally connect with us in a way that’s going to get us to respond to them.”
—Matt Toussain, Founder and CIO, Open Security
This content is provided to you for general information purposes only, and does not constitute legal, tax, accounting, financial, investment, or mental health advice. Any views or opinions expressed herein are solely those of the individual guest, and are not the product of, and may differ from the views of Truist. We do not make any warranties as to accuracy or completeness of this information, we do not endorse any third-party companies, products, or services described herein, and take no liability for your use of this information. You are encouraged to consult with competent legal, tax, accounting, financial investment, or mental health professionals based on your specific circumstances.