How Scammers Exploit Trust and FOMO: Kicking Off Cybersecurity Awareness Month with Lisa Plaggemier

Season 2 Episode 39

Show Notes

Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance, joins host Frank Cilluffo to discuss how public education can combat online scams, fraud, and cyber threats. With billions of campaign impressions and only a nine-person team, the Alliance focuses on motivating behavior change through creative, jargon-free outreach. Plaggemier explains how scams like pig butchering are orchestrated by organized crime and even nation-state actors—and why the U.S. needs a coordinated national response. The episode highlights the growing need for cross-sector data sharing, targeted messaging for seniors, and a “scam czar” to unite fragmented efforts. As Cybersecurity Awareness Month kicks off, the conversation underscores how individual actions and shared responsibility can help close critical gaps in digital safety.

Main Topics Covered
• The mission of the National Cybersecurity Alliance and its consumer-focused campaigns
• Core Cybersecurity Awareness Month themes: MFA, passwords, updates, and scams
• Reaching overlooked populations through creative outreach like Kubikle and safe-word campaigns
• The scale and structure of online scams like pig butchering and their ties to nation-state actors
• The call for a national “scam czar” to coordinate public-private response
• Challenges in cross-sector data sharing and the limits of current fraud response models
• Upcoming efforts to reach K-12 audiences and improve campaign impact across age groups

Key Quotes
“We are a tiny nonprofit of nine people and we reach billions of people every October.” — Lisa Plaggemier
“I can hack away at our banks and probably not come away with any cash. [But] I can hack away at individual customers of the bank and come away with millions of dollars, and there’s no ISAC for my mom.” — Lisa Plaggemier
“I do not think it would be a bad idea if we had a scam czar at this point because the adversary is so well organized.” — Lisa Plaggemier
“Older folks are targeted less often, but when they fall victim, the dollar amounts are very high. They have their whole life savings at stake.” — Lisa Plaggemier
“We’ve got in a lot of organizations, fraud teams that don’t talk to security teams that don’t talk to trust and safety teams. And so if you’re still siloed in your organization, I think the call to action here is that that all needs to be seen as one.” — Lisa Plaggemier

Guest Bio
Lisa Plaggemier is Executive Director of the National Cybersecurity Alliance, where she leads efforts to make cybersecurity practical and accessible. She describes herself as “on a crusade to eliminate stock photos of hackers in hoodies,” underscoring her focus on real-world education over clichés. A former Ford Motor Company marketing executive, she now serves on the U.S. Secret Service Cyber Investigations Advisory Board and is based in Austin, Texas.

Transcript

Lisa Plaggemier [00:00:00]: So older folks are targeted less often, but when they fall victim, the dollar amounts are very high. They have their whole life savings at stake, and there’s no ISAC for my mom.

Frank Cilluffo [00:00:11]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo. And as we kick off Cybersecurity Awareness Month, we couldn’t ask for a better or more timely guest than Lisa Plaggemier. Lisa is the executive director of the National Cybersecurity Alliance, which has done yeoman’s work to bring practical advice to the cybersecurity community, including many audiences that quite honestly have been forgotten in our cybersecurity world. Some of the elderly and the like. And I’m really excited to have Lisa join us today. She also does a lot of work with U.S. Secret Service and previously served at Ford Motor Company.

Frank Cilluffo [00:00:57]: So, Lisa, really excited to have you here. Thank you for joining us.

Lisa Plaggemier [00:01:01]: Thanks. It’s great to be here.

Frank Cilluffo [00:01:02]: So I thought, I mean, obviously we’re at the cusp of Cybersecurity Awareness Month and NCA has played a major role from the get go for Cybersecurity Awareness Month. But before we jump into that, I thought a little bit about your mission, who you’re focused on, how you go about doing the important work you do.

Lisa Plaggemier [00:01:23]: Yeah, our mission is public education on all things related to cybersecurity and these days more and more related to fraud and scams. So we’re the founders of Cybersecurity Awareness Month, also Data Privacy Week in January. And mainly it’s all about meeting people where they are and educating people in terms that they can understand. So no jargon, no acronyms. We love our acronyms in cybersecurity, no acronyms, stuff, frankly, that my mom and my kids will engage with. So we try to put the most engaging content out there on a variety of subjects with really plain spoken layman’s terms, clear advice on what people can do to protect themselves.

Frank Cilluffo [00:02:03]: So not only speaking to our cybersecurity community, but more importantly, bringing cybersecurity to everyone else.

Lisa Plaggemier [00:02:11]: Absolutely. Yeah. We do have some events that focus on, you know, where the guest list is full of security professionals and chief security officers. We have two events a year for people who work in training and awareness and human risk management. And those are really great events where we get to hear from practitioners in the space. But the crux of our mission is really educating the everyday American.

Frank Cilluffo [00:02:36]: This year’s Cybersecurity Awareness Month highlights four core issues. What are they and why are they important?

Lisa Plaggemier [00:02:43]: So first and foremost, multi factor authentication, making it easier to use. We don’t even call it the same thing. At Amazon, it’s an OTP, it’s a one time password. We might call it MFA, 2FA. That’s confusing to the average consumer, especially those older adults that you talked about. So first of all MFA, not just encouraging consumers to use it more, but companies to make it easier to use, maybe to enable it by default. That would be fantastic.

Lisa Plaggemier [00:03:12]: Then we talk about good password habits. And these days to have really good password habits, you probably need the help of a password manager.

Frank Cilluffo [00:03:19]: Absolutely.

Lisa Plaggemier [00:03:20]: And then keeping all your stuff up to date, software and antivirus, your devices up to date. And then finally this year the one thing we’ve changed a little bit is not just talking about phishing or social engineering, but being more broad and talking about all scams and fraud because most of it’s coming to us in the forms of, you know, smishing, vishing, all those things.

Frank Cilluffo [00:03:41]: Which is essential. And I want to pull the thread much more on, on the fraud and scam side because I think that that is precisely what we’re seeing. But before we do that, I, I, I thought it would also, and I think what NCA does uniquely is convey and package and bring some creativity to all of this. Help, help us understand some of these campaigns.

Lisa Plaggemier [00:04:07]: So we’re also B to B to C. That’s one way to think about it. So we create campaigns that are meant for the end consumer. But then we take those same campaign materials and package them up in campaign kits and security professionals and well meaning people all over the globe will download those and run a campaign in their school, in their company, in their government organization, at their senior center, whatever it is. So those people are carrying a lot of water for us. And that’s how we get impressions and reach into the billions of people. Especially during Cybersecurity Awareness Month. Billions.

Lisa Plaggemier [00:04:41]: We are a tiny nonprofit of nine people and we reach billions of people every October. It’s pretty exciting.

Frank Cilluffo [00:04:48]: That’s the asymmetry we want to see. Normally I say it’s in the, favors the attacker.

Lisa Plaggemier [00:04:52]: Right.

Frank Cilluffo [00:04:52]: That’s good to see. Yeah.

Lisa Plaggemier [00:04:53]: Yeah. Creativity. Well, probably this is where I get to have a ton of fun. So somebody approached me a couple of years ago and said hey Lisa, if you could do something that was a little bit edgy and got the attention of people who don’t care, who aren’t paying attention to this stuff, who don’t get up every day and worry about cybersecurity who have other things to do with their lives. What would you do? And I said, I got exactly the idea. So when I was working in marketing and I was tapped on the shoulder to come join a security team, on day one, we were a newly spun off company from a large corporate parent, we had four incidents and I was doing incident communications. So baptism by fire on day one.

Lisa Plaggemier [00:05:38]: But I realized how sophisticated the adversary is and how well organized they are. And I just thought those little things I’m doing that I think are going to make a difference, like changing that same old password by one character here or there or adding a bang at the end. That’s not going to cut it. I’m up against organized crime and nation state actors. So that was a light bulb moment for me personally when I realized that, I mean, we all act as our own risk managers. Right? There’s a ton of secure, I hear this all the time when I speak to people in organizations.

Lisa Plaggemier [00:06:10]: We do a lot of public speaking. Especially during October. I’ll do eight or nine virtual sessions a day. And people will say things that they just believe to be true. I spoke to the California Judicial Council last October and I had a judge say, well, I don’t need an antivirus because I use a VPN. I mean, just a complete security myth, something that somebody told him or her at some point.

Frank Cilluffo [00:06:34]: And there’s a lot of myth busting there is too. Right? I mean, I think you’ve been on a crusade to remove that hacker with the hoodie.

Lisa Plaggemier [00:06:41]: Exactly.

Frank Cilluffo [00:06:42]: Whatever it is. That’s not what we’re up against. Is it?

Lisa Plaggemier [00:06:47]: So we came up with a series called Kubikle. It’s Kubikle spelled with K’s. Season two is out right now. It’s like watching The Office, but it’s the office of the bad guys. So on a very modest advertising budget, we’ve had 18 million views of season one.

Frank Cilluffo [00:07:02]: Awesome.

Lisa Plaggemier [00:07:02]: And we’re really looking forward to similar success in season two. We hope. But that’s an example of some of the creativity.

Frank Cilluffo [00:07:08]: How do our viewers and listeners find that?

Lisa Plaggemier [00:07:11]: Kubikleseries.com. Kubikle spelled with K’s, or it’s also on YouTube. So Kubikle series will resolve to staysafeonline.org slash something something Kubikle. But if you go to kubikleseries.com you’ll get there, or our YouTube channel.

Frank Cilluffo [00:07:26]: Awesome. Well, I will put that to my must watch going forward.

Lisa Plaggemier [00:07:30]: I mean we use comedy. You know, there’s, that’s the thing is, is oftentimes it’s the same advice that we’re giving over and over and over again to the end user, but you have to package it up differently. We don’t all consume the same types of media. We don’t, not everybody is going to find Kubikle or anything comedic interesting. We just started a new campaign for aging adults with our, our then and now campaign.

Lisa Plaggemier [00:07:54]: So it’s a nice thin little workbook. It’s not, you know, there are other examples out there of workbooks for the older demographic that are, there’s one from a government agency that’s 60 pages long. There’s one from another nonprofit that’s 100 pages long. And I don’t know about you, but my mom is not going to look at those things. So we boiled the ocean.

Frank Cilluffo [00:08:14]: And I don’t want to be her chief information security officer for life, right?

Lisa Plaggemier [00:08:17]: You don’t want to be the one going through that. Yeah. So you can order these online or there’s a micro site that’s a similar experience. And we’ve had such a, more demand than we expected right out of the gate.

Frank Cilluffo [00:08:27]: That’s awesome. And again, it’s sort of, and I’d be curious, who is your target audience? How do you define success? Is it changing individual behaviors? I think. Is it influencing policy? Probably. Is it a combination of both? Or is it…

Lisa Plaggemier [00:08:44]: It’s really individual behaviors. But we don’t have a visibility because of who we are and what we do. But when somebody picks up one of our campaigns and runs it in their organization, and if that’s a government entity or a large corporation, they have a whole lot more data than I have. So the data I’ve got is website views and time on page and impressions and all those sort of marketing and PR statistics. But if I’m at a large company and I run one of our campaigns with one of our campaign kits, one of my goals might be password manager adoption or demand for security services. I mean, that’s how you know you’re changing culture is when the business starts asking you questions, you start getting invited to meetings you didn’t even know were happening.

Frank Cilluffo [00:09:30]: There you go.

Lisa Plaggemier [00:09:31]: That’s how secure by design happens. We have to be involved upstream. So there’s all kinds of ways to measure engagement and behavior change at that level. And that’s one of the things we cover in our convene events with people working in human risk management is how do you measure the culture? How do you measure behavior change at the, at the, at that level?

Frank Cilluffo [00:09:51]: Which matters, right?

Lisa Plaggemier [00:09:52]: It does matter. It absolutely matters.

Frank Cilluffo [00:09:54]: I mean that’s where the action actually is.

Lisa Plaggemier [00:09:55]: Yeah, I think the hard, the hard thing is that a lot of technical people will ask, well, how do you know this stuff is working? And as somebody who’s like, incredibly, you know, I’m all soft skills. Like, I don’t have a math brain at all. I can tell you that, I mean, just think about it. There’s, is there ever a time when you see an ad or, or, you know, you read something and you immediately make a purchase decision or change your behavior? It doesn’t work that way.

Frank Cilluffo [00:10:23]: Not for me, but…

Lisa Plaggemier [00:10:24]: No. We’re kind of on a journey. So the important thing for us is to have content that engages different demographics, that meets people where they are and maybe spark some curiosity. Doing a little bit edgier things like Kubikle. Doing things that are, I mean, honestly, this is just, this is super cute. So doing things that are visually engaging.

Frank Cilluffo [00:10:42]: Absolutely.

Lisa Plaggemier [00:10:43]: And then, you know, hoping for that lightbulb…

Frank Cilluffo [00:10:46]: And user friendly, right?

Lisa Plaggemier [00:10:47]: Correct.

Frank Cilluffo [00:10:47]: I mean, that’s the beauty of the work I think you have is it’s practical, it’s tangible.

Lisa Plaggemier [00:10:53]: Right.

Frank Cilluffo [00:10:53]: And it’s not trying to boil the ocean.

Lisa Plaggemier [00:10:56]: No. When we, we did a campaign for April Fool’s Day called AI Fools, it kind of wrote itself. It turned into an evergreen campaign. We decided that the call to action was going to be super, super targeted because we could all talk about AI and all the issues with it all day long.

Frank Cilluffo [00:11:11]: We spent a lot of time on this podcast talking about it.

Lisa Plaggemier [00:11:16]: I’m sure. So we boiled it down to having a safe word, like just targeting deepfake phone calls when you’re not on the phone with who you think you’re on the phone with. And we did a series of radio ads that were on iHeartRadio and some outdoor advertising in D.C., and all those same materials are available for people to download and run a campaign in their organization. So you can throw the radio ads on your security portal or Slack.

Frank Cilluffo [00:11:40]: So when my mom or my aunt or someone gets a phone call and it doesn’t include the safe word they know I’m not kidnapped. Not me, I’m too old, but my kids. So…

Lisa Plaggemier [00:11:50]: Exactly.

Frank Cilluffo [00:11:51]: Or their grandkids.

Lisa Plaggemier [00:11:52]: But we had to be really targeted. It’s just deep fake phone calls and it’s just talking about safe words. If we tried to cover too much at once, like the hundred page workbook probably does…

Frank Cilluffo [00:12:01]: You’d be drowning.

Lisa Plaggemier [00:12:02]: It’s, right, right. And you just don’t get the same kind of engagement.

Frank Cilluffo [00:12:04]: And it doesn’t trigger the action. And what triggers that action point could be different for different people.

Lisa Plaggemier [00:12:12]: Exactly.

Frank Cilluffo [00:12:12]: And you gotta get to where they are.

Lisa Plaggemier [00:12:14]: It’s the old adage, I know half my marketing is working, I just don’t know which half. So that doesn’t, so you have to keep going with all of it.

Frank Cilluffo [00:12:22]: Awesome, awesome. Let’s get to some of the fraud because I think this is also in the myth busting category. And we’re not just, this is not just the consumer protection set of issues. Right? It’s much broader. It includes that. And still we still need that phone number that someone can call. But beyond that, we’re dealing with syndicates, we’re dealing with criminal enterprises to one extent or another.

Lisa Plaggemier [00:12:53]: I think we’re dealing with nation states too.

Frank Cilluffo [00:12:55]: Nation states and proxies of nation states. Yeah.

Lisa Plaggemier [00:12:57]: Yeah. I think if you look at something like pig butchering, for example, let’s just take that. Matt Cronin, when he was the investigator at the House Select Committee on the CCP, wrote a great paper on the fentanyl crisis and traced that back to a kind of a kingpin who’s at the top of the food chain named Broken Tooth Koi. And he sits on an advisory council or something for the CCP. He’s also at the top of the food chain on, on pig butchering. So it’s…

Frank Cilluffo [00:13:24]: No pun intended.

Lisa Plaggemier [00:13:25]: No. So it gets pretty, I think you can pretty easily tie those types of scams that are, the scale and the speed of it is, you know, when I talk to folks that are in fraud at different financial services institutions, nobody’s thinking this is just random. This is a strategy because it’s so well orchestrated and they’ve, you know, I don’t like to talk about humans being the weakest link, but the weakest link in this case is the individual as compared to our institutions. So I can hack away at our banks and probably not come away with any cash. I might cause disruption, I might come away with some data, but I’m probably not going to come away with millions of dollars.

Lisa Plaggemier [00:14:11]: I can hack away at individual customers of the bank and come away with millions of dollars, and there’s no ISAC for my mom. We’ve done a great job over the years of protecting our different sectors of our economy and standing up things like ISACs to do that. But the weak point is that cross sector data sharing and there’s been some efforts to do that.

Frank Cilluffo [00:14:33]: And it’s really democratized crime. Right? Because it touches everyone now.

Lisa Plaggemier [00:14:38]: It does, it does. So older folks are targeted less often, but when they fall victim, the dollar amounts are very high. They have their whole life savings at stake. Younger folks, according to our, we do a report every year called Oh Behave!, an annual report on cybersecurity attitudes and behaviors, because I wanted some consumer sentiment as a marketer. Younger people are more likely to lose money or data, but the dollar amounts are much smaller.

Frank Cilluffo [00:15:05]: And I look back, I mean, at the start of the Internet and email, you had the 419 scams coming out of Nigeria. Princes and princesses. That has changed dramatically. And the scale, the speed, and the scope as well.

Lisa Plaggemier [00:15:26]: There still are those, I mean, if you look at sextortion and the Yahoo Boys, I mean, there are smaller…

Frank Cilluffo [00:15:29]: That’s actually horrific. Yeah.

Lisa Plaggemier [00:15:31]: Yeah, yeah, it’s terrible. There are still those sorts of organizations in existence, but something like pig, pig butchering with, you know, the last…

Frank Cilluffo [00:15:40]: Can you explain pig butchering for our audience?

Lisa Plaggemier [00:15:41]: So it usually starts, I mean, we’re all getting these texts multiple times a day that, that look like, I got one that said, I left my shoes in your car. They’re just looking for me to respond because, because what do I get immediately? The mental image of somebody standing on the street with, barefoot, missing their shoes. So it kind of tugs at your heartstrings, or it’ll just be something that looks like a wrong number.

Frank Cilluffo [00:16:06]: Hi. I seem to get that one all the time. Yeah.

Lisa Plaggemier [00:16:08]: So what they’re hoping, they’re kind of weaponizing our friendliness, maybe weaponizing our loneliness. And so they’re hoping that we’re just gonna respond. And they know they have a live human on the other end. So eventually, over time, these are long cons. They’re gonna develop a friendship, maybe tell you about a great vacation they took that was all funded because their uncle taught them how to invest in crypto. And when it comes to crypto, there are a lot of us, me included, who don’t know that much about it, but have FOMO. We feel like we’ve missed out because somebody we know in our friend circle has maybe made a bunch of money.

Lisa Plaggemier [00:16:40]: Exactly. So they’re weaponizing that FOMO as well. So they’ll get us to invest in crypto. They have fake crypto exchange websites, fake statements showing us we’re making a lot of money. They might even let us make a small withdrawal. But eventually, when we want to really withdraw some of these earnings, they’re going to say, well, you have to pay some taxes first with new money, so do that, and then you can withdraw the rest. At that point, it’s the sunk cost fallacy. Well, I’m in this deep.

Lisa Plaggemier [00:17:10]: I’m starting to think this might not be real, but I should just pay these taxes so I can get this money. And then at that point it’s all gone. Some of those victims are also then turned into money mules. And I know there’s been some discussion about whether or not we should even be calling this pig butchering. That’s, that’s a literal translation from the Chinese. And some of us, like, or Erin West, who’s an advocate in this space, she runs a thing called Operation Shamrock. I mean we, it’s an attention getting term and that’s how we’re viewed as a pig to be butchered. And we feel like, you know, even though it’s kind of a crude term, it, it really brings it home, what’s, what’s happening. Pretty descriptive.

Frank Cilluffo [00:17:55]: And it’s building trust.

Lisa Plaggemier [00:17:59]: Yeah. Over time.

Frank Cilluffo [00:18:00]: So these aren’t onesies and twosies. Now, now here’s the one thing I always said. So you could send out a million and all you need is one click and the adversary is successful. Right?

Lisa Plaggemier [00:18:11]: Well, and sending that million now is very different with AI. And then when you’re using human trafficked slave labor in a, basically a concentration camp to do it and there’s, you know, beatings and dismemberments and killings and sexual assault in these places, I mean, it’s just so tragic on so many levels.

Frank Cilluffo [00:18:33]: I’m going to throw one policy issue. This is why we need DMARC and it needs to be spread everywhere. So, so at least you have a sense of who the sender is and at least there’s some likelihood of it being flagged if you’re sending too many.

Lisa Plaggemier [00:18:47]: I mean, the only comment I’ll make in regards to policy is, I do not know, do not think it would be a bad idea if we had a scam czar at this point because the adversary is so well organized. I mean, the latest Secret Service report I saw, which is probably a little out of date, so there’s five or six of these scam centers with hundreds of thousands of people in them. And they’re growing. I mean, if you look at the aerial photos that Erin West has, you can see the construction happening on a regular basis. They’re just expanding like crazy.

Frank Cilluffo [00:19:18]: So not to pull you too far into that policy discussion, but where should that sit? Is that Secret Service or should it be FCC or should it be…

Lisa Plaggemier [00:19:27]: I have no idea. I just know that there are too many, I think, my opinion, too many private sector organizations with competing priorities and a lot of concerns about the privacy of the victims when it comes to data sharing. So if I’m a bank and I have signal that my customer is being defrauded and they’re trying to withdraw their whole 401k. Now I have tellers or call center people that are having to act as social workers because I’ve got somebody deep in the trance of a scam. They would love to have more data from social media platforms, ISPs, telecoms.

Frank Cilluffo [00:20:00]: Because they are campaigns, they’re not one off.

Lisa Plaggemier [00:20:03]: Exactly. Exactly. So I don’t know how you get that private sector, cross sector data sharing happening in a real meaningful way without the government playing a role in, and giving them cover honestly too, especially when it comes to privacy considerations of the, I think there needs to be some legal cover there. Just like there’s legal, legal cover for the ISACs.

Frank Cilluffo [00:20:26]: Absolutely. Which I actually haven’t given a whole lot of thought to this, but it’s something I definitely want to pull the thread on in the future.

Lisa Plaggemier [00:20:33]: So there are some small groups that are starting some data sharing. Some big brands have, have come together with some nonprofits and other companies. But it’s, you know, it’s, it’s kind of heroic efforts by small groups of individuals and not really institutionalized yet and not scaled.

Frank Cilluffo [00:20:53]: You know, so deep fakes and all the various, you mentioned some of the AI and how it’s applied in some of these spaces. It’s getting harder and harder and harder to spot.

Lisa Plaggemier [00:21:08]: Yeah. And unfortunately our research tells us that people still think they’ll be able to tell the difference.

Frank Cilluffo [00:21:13]: And they won’t.

Lisa Plaggemier [00:21:14]: And you won’t.

Frank Cilluffo [00:21:15]: So how do we automate some of that? Or do we? How do we, how do, so my mom asks me lots of questions on, on the cyber side. What should I be telling her? What should she be looking for to…

Lisa Plaggemier [00:21:27]: You need to independently verify things. Everything, you know.

Frank Cilluffo [00:21:31]: So trust but verify. I’m a Reagan guy.

Lisa Plaggemier [00:21:32]: Yeah, use the safe word when it comes to phone calls and things like that, or video calls, you know, FaceTime, Zoom, all of that. I have a friend, he’s on our board, Perry Carpenter, who’s been able to break all of the tools that are supposed to be able to tell whether or not something is a deep fake. So basically, if you have something that’s AI generated and you make some, some tweaks to it, you can kind of fool some of the tech that’s being, now this is a changing space and the minute this comes out of my mouth, it could be wrong because it’s evolving so quickly. But, but I haven’t seen anything yet that 100% can tell you whether or not you’re looking at something real.

Frank Cilluffo [00:22:11]: And you can really capture someone’s voice, you can capture their images and it doesn’t take a whole lot to put together a persona that is hard to differentiate even yourself.

Lisa Plaggemier [00:22:22]: Yeah, yeah. I mean there’s an upside to this. I mean there’s, there’s kind of a positive way to use these things. So there are vendors now, I met some of them at our convene conference that will allow you to make deep fake phone calls to your employees. Just like we do simulated phishing, you can do simulated deepfake phone calls to your employees to see if they give up their MFA code or in a simulated MFA attack, for example.

108
00:01:47,000 –> 00:01:48,000
Frank Cilluffo [00:22:47]: And I think that that’s great, but I still think that’s reactive.

109
00:01:48,000 –> 00:01:49,000
Lisa Plaggemier [00:22:51]: It is.

110
00:01:49,000 –> 00:01:50,000
Frank Cilluffo [00:22:52]: And at some point, so you sort of mentioned where government and the banks and others can come together. How could that be even nurtured or fostered?

111
00:01:50,000 –> 00:01:51,000
Lisa Plaggemier [00:23:04]: I think there’s some competing priorities. I mean, if I’m a social media company, some of the things that I probably need to do to work harder to get bad actors off my platforms might actually be at odds with some of my business goals.

112
00:01:51,000 –> 00:01:52,000
Frank Cilluffo [00:23:17]: Absolutely, it is.

113
00:01:52,000 –> 00:01:53,000
Lisa Plaggemier [00:23:18]: I think, you know, there’s been regulation in Australia and the UK that is holding the financial services institutions responsible if they have signal that their customer is being defrauded. And, but that feels a little anti-American to us because I have a right to my money. It’s my money and I should be able to withdraw it. So that creates really awkward situations for the banks. It’s traumatic for the bank employees, it’s traumatic for the person on the phone trying to talk somebody out of withdrawing their entire 401k to hand it to a scammer. I mean, it’s just, it’s a bad situation. That’s why I think we need something like a scam czar whose primary goal it is to look at this across the public and private sectors and see what makes sense.

114
00:01:53,000 –> 00:01:54,000
Frank Cilluffo [00:24:02]: Yeah, I, I, I, I agree with that. I, I do think that is something, it’s hit that tipping point or it has already tipped and, and we need something.

115
00:01:54,000 –> 00:01:55,000
Lisa Plaggemier [00:24:12]: I think it’s, I think reality is probably, you know, like any difficult deal you negotiate or any divorce, every party’s a little bit unhappy. There’s no, there’s, because there’s no silver bullet here. There’s work that a lot of different sectors can do. I mean, that’s the whole, that’s, I mean that’s what we’re talking about when we say it’s cross-sector. There’s, there’s no one entity that can solve this problem. It’s kind of heavy handed to say, well this is the, the bank’s problem like they’ve done in the, in the UK and Australia. And, but that is, that’s where the scam ends. The scam starts with a text or a direct message or something else.

116
00:01:55,000 –> 00:01:56,000
Lisa Plaggemier [00:24:53]: So it’s, I think it’s hopeful to, helpful to look across the entire food chain of what’s happening there.

117
00:01:56,000 –> 00:01:57,000
Frank Cilluffo [00:25:00]: Have we done enough of that? Because, because I go back to sort of some of the counter narcotics efforts where we only started having major impact when we looked at it as an enterprise, as a business.

118
00:01:57,000 –> 00:01:58,000
Lisa Plaggemier [00:25:12]: You have to look at this as an enterprise.

119
00:01:58,000 –> 00:01:59,000
Frank Cilluffo [00:25:14]: You have to look at it and have a, it’s going to take a campaign to defeat a campaign. Right? Otherwise you have a couple of big arrests, but that doesn’t make a drip in the bucket.

120
00:01:59,000 –> 00:02:00,000
Lisa Plaggemier [00:25:23]: No. Ask the Secret Service. You cannot arrest your way out of this problem.

121
00:02:00,000 –> 00:02:01,000
Frank Cilluffo [00:25:27]: Yeah, yeah. And I think that what differentiates this from traditional crime is the private sector has to be a big proponent and, and they’re on the front lines and, and many of them want to, they don’t always have the authorities, they don’t know how to put all the pieces together.

122
00:02:01,000 –> 00:02:02,000
Lisa Plaggemier [00:25:47]: Right. Or they don’t get collaboration from, you know, I’m sure there are financial services companies that would love to have more data from social media companies, more indicators of fraud. That would be super helpful. And that’s happening to some degree, but not in any large scalable way. I think that’s what they’ve, you know, that’s what they’ve exploited. We’ve got in a lot of organizations, fraud teams that don’t talk to security teams that don’t talk to trust and safety teams. And so if you’re still siloed in your organization, I think the call to action here is that that all needs to be seen as one, you could almost argue in some organizations it should all roll up to the Chief Security Officer.

123
00:02:02,000 –> 00:02:03,000
Frank Cilluffo [00:26:25]: I would agree with that. I would almost say that Chief Security Officer and Chief Information Security Officer have to come together inextricably interwoven. And in the cyber world we talk about IT OT convergence and rarely do you have a combined SOC, but you can have full visibility and can’t do a whole lot until you have visibility. So…

124
00:02:03,000 –> 00:02:04,000
Lisa Plaggemier [00:26:45]: And trust and safety teams have been, you know, subject to being politicized in some organizations and it’s been a little bit controversial. I don’t know that they’re as empowered as they should be to really be advocates for their users. Because remember, at social media companies, the users aren’t the customers.

125
00:02:04,000 –> 00:02:05,000
Frank Cilluffo [00:27:03]: Yep, yep.

126
00:02:05,000 –> 00:02:06,000
Lisa Plaggemier [00:27:04]: So it’s a, it’s a, it’s a difficult position.

127
00:02:06,000 –> 00:02:07,000
Frank Cilluffo [00:27:08]: So where does public awareness fit into all of these institutional efforts? And I know you’ve done some amazing work, and I’d like to hear a little more about the K through 12 as well. So we talked a little bit about the older demographic, but…

128
00:02:07,000 –> 00:02:08,000
Lisa Plaggemier [00:27:24]: K through 12 is coming next year.

129
00:02:08,000 –> 00:02:09,000
Frank Cilluffo [00:27:25]: Boom. Good, good.

130
00:02:09,000 –> 00:02:10,000
Lisa Plaggemier [00:27:27]: We have, there’s a whole lot of great information out there. There are great nonprofits doing work in, in K through 12. So what we’re working on now is sort of that competitive landscape so we can see what’s available and where are the gaps and where do we need maybe simpler information that’s more targeted, that’s more digestible, you know, snackable content, if you will, things that people can, can learn quickly, that resonate fast and to enable them and inspire them. I mean, a lot of the work we do is based on the behavioral science model COM-B. So before you exhibit a behavior, you need capability, which is knowledge, opportunity, which we all have with technology all day long, and motivation. Motivation is the hardest part. You can know something, you know, I can know I should go to the gym tomorrow morning, but whether or not I’m motivated to get up and do it, that’s a whole nother thing.

131
00:02:10,000 –> 00:02:11,000
Lisa Plaggemier [00:28:19]: We’re very, very emotional, that motivation piece. So that’s really what we strive for, is making sure that we’re doing things that motivate people and then making sure we do things that get your attention. If I don’t have your attention, you’re not going to engage in whatever it is I’m saying. So we’ve got to do things that maybe sometimes are a little bit edgy or unexpected to try and get people’s attention. If I go to you at the outset and say, maybe a title to an email is, says something about protecting yourself or protecting your company and you don’t care. Like that’s just not interesting to you. You’re not going to open the email.

132
00:02:11,000 –> 00:02:12,000
Frank Cilluffo [00:28:55]: Exactly.

133
00:02:12,000 –> 00:02:13,000
Lisa Plaggemier [00:28:56]: So I have to work hard to get your attention. And sometimes it’s a little bit of a bait and switch, but I’ll take it.

134
00:02:13,000 –> 00:02:14,000
Frank Cilluffo [00:29:01]: Exactly. And, and, and when you’re looking at the younger demographic, they are digital natives too, so they can also be the solution drivers.

135
00:02:14,000 –> 00:02:15,000
Lisa Plaggemier [00:29:10]: But they’re not security natives.

136
00:02:15,000 –> 00:02:16,000
Frank Cilluffo [00:29:11]: But they’re not security aware. That’s the last thing they’re thinking about. Exactly, exactly.

137
00:02:16,000 –> 00:02:17,000
Frank Cilluffo [00:29:16]: I, I mean, I know my younger kids are much more, and they’re not so young, but it’s all TikTok, so it’s not even email. They’d look at me like I have three heads that they never look at email.

138
00:02:17,000 –> 00:02:18,000
Lisa Plaggemier [00:29:28]: Yeah. I mean, we try and do things that are seasonal. So around Valentine’s Day, we’ll talk about romance scams. And we’ve had some really, we’ve done some really cute graphics in the past that look like the little cards you get your kids at CVS, but they have some sort of cybersecurity phrase on them. We’ll do, you know, safe holiday shopping around the holidays. We did a campaign lately with LinkedIn about job scams when they brought out their new certification process to make sure that a job is actually legitimate. We’re doing more and more talks.

139
00:02:18,000 –> 00:02:19,000
Lisa Plaggemier [00:29:59]: This year we’ve partnered with a couple of different scam survivors, and we’re using a rug pull in one of those stories. So we’re not going to reveal until the end that the woman you’ve been listening to for 40 minutes is an actual survivor herself. Because people have a tendency to victim blame and victim shame. And that’s actually, I think the scam…

140
00:02:19,000 –> 00:02:20,000
Frank Cilluffo [00:30:17]: All of cyber has been a little bit blame the victims. So we’ve got to flip that equation.

141
00:02:20,000 –> 00:02:21,000
Lisa Plaggemier [00:30:22]: Right, right. So if I can get you listening to her as an expert in the field for half an hour before I reveal to you that one of the stories we just told you was hers, then I think maybe you might understand that you could be vulnerable too.

142
00:02:21,000 –> 00:02:22,000
Frank Cilluffo [00:30:34]: Love it. Love it. Lisa, I mean, you guys are in the middle of such important work. What questions didn’t I ask that I should have?

143
00:02:22,000 –> 00:02:23,000
Lisa Plaggemier [00:30:42]: So one of the things we’ve, we’ve noticed, we have been partnered with CISA for a long time on the Cybersecurity Awareness Month campaign. And we’ve always tried to be good partners to government overall. So we’ve got relationships with folks at different departments and agencies that are putting out consumer awareness on cybercrime scams and fraud. But one of the things we’ve noticed is, you know, they all have people doing this good work, very well intentioned, and they all have budgets, big or small, mostly on the small side, and they might have enough budget to go to an ad agency and do a campaign. But because it’s all, even though it’s incredibly well intentioned, because it’s all disparate, it’s just not getting share of mind with the public. And then the other thing we know is that the public doesn’t, I think our latest study said 8% of people turn to the government when they’re looking for advice on the safe use of technology. They’re more likely to go to a tech company or a nonprofit or get that education elsewhere.

144
00:02:23,000 –> 00:02:24,000
Frank Cilluffo [00:31:43]: Or places of faith or anyone they trust. Right?

145
00:02:24,000 –> 00:02:25,000
Lisa Plaggemier [00:31:44]: Exactly. Yeah. Family member, a friend. So that’s one of my longer term goals is to find a way to, and then IC3. People don’t know what it is, they don’t know how to report. These crimes are severely underreported. You know, I’m not sure that name resonates with the public. IC3.gov. Maybe we should call it something else.

146
00:02:25,000 –> 00:02:26,000
Lisa Plaggemier [00:32:05]: So if there were ever an opportunity for us to partner with and have more of a whole of government approach so that there’s one overarching message that has a chance, and a campaign big enough that has a chance to resonate with the public and get some share of mind, I think that’s, that’s, that’s one of the goals that I have.

147
00:02:26,000 –> 00:02:27,000
Frank Cilluffo [00:32:23]: You know, and, and maybe success is just getting people to think and I call staying curious.

148
00:02:27,000 –> 00:02:28,000
Lisa Plaggemier [00:32:29]: Right.

149
00:02:28,000 –> 00:02:29,000
Frank Cilluffo [00:32:29]: That is going to be part of the solution. Right?

150
00:02:29,000 –> 00:02:30,000
Lisa Plaggemier [00:32:32]: Absolutely.

151
00:02:30,000 –> 00:02:31,000
Frank Cilluffo [00:32:33]: Lisa, thank you for the fight you’re fighting every day. For many of the people who aren’t, didn’t realize they’re part of this challenge but are essential to success. Thank you for the hard work you’re doing and onward and upward. So thank you.

152
00:02:31,000 –> 00:02:32,000
Lisa Plaggemier [00:32:48]: We have a great team. It’s all the team.

153
00:02:32,000 –> 00:02:33,000
Frank Cilluffo [00:32:50]: Well thank you, Lisa.

154
00:02:33,000 –> 00:02:34,000
Lisa Plaggemier [00:32:51]: Thanks.

155
00:02:34,000 –> 00:02:35,000
Frank Cilluffo [00:32:52]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.
