Why People Still Fall for Phishing Scams

We've extended our Bar10der giveaway!
If you want to be the perfect modern rogue, you need the ability to mix any drink. When your special someone asks for a drink, what're you gonna do? Get them a lukewarm PBR from a floating keg? Are you gonna grab a red solo cup and pour equal parts margarita mix and failure? HELL NO. You're gonna make the perfect lemon drop, mojito, martini, you name it. And you'll have the all-in-one tool to make anything: The Bar10der.
With 10 essential tools--including jiggers, a knife, zester, strainer, and muddler--The Bar10der gives you everything you need to keep up with our favorite bartender Trever.
We're giving away Bar10ders to two lucky winners of our free giveaway, just signup at gimme.scamstuff.com (no purchase necessary, ends 3/22/2018 EXTENDED!).
For more info on the Bar10der: www.scamstuff.com/products/the-bar10der

Sorry I’ll watch this later my bank is texting for my details

My mom got a call from “her bank” and they asked for her information, she told them “I won’t fall for a scam!” and hung up. She then called her bank to report it and it was actually her bank that had called her. I laughed so hard at her.

I'm a simple man. I hear Brians witch Laugh and "WOW"™ , i press like

Finally, someone realizes my paranoia, social anxiety, and trust issues are GENUINELY USEFUL SKILLSETS in today's world.
1. They ARE out to get you. It doesn't matter if they aren't at the moment, its coming.
2. It doesn't matter that you are home alone, live alone, and no one else has a key to your house... lock the bathroom door!
3. Never tell anyone something you aren't comfortable letting everyone know.
4. Never share something someone else shared with you. No one else needs to know what secrets you know.
5. Everything is a weapon given enough motivation and creativity.
Livin' like a rogue, every day of my life.

A good way to avoid getting phished is just, avoid clicking on any embedded link being sent via email in general. Lots of trusted banks nowadays literally just tell you "Go to our website and log-in normally to your account" and specifically avoid sending specific links for that reason. Or if you're unsure, just pick up the phone and call your bank's hotline and see what's up. Can't really fall for an impersonator if you're the one initiating the call.

This video is AMAZING. Im an IT teacher and I learned A LOT! I will dedicate an entire class for this content because its very important. Thank You so much!

There is a woman running a phishing scam in my area. I get at least a few calls per week. She always changes her name and script, she uses a burner/proxy number each time so I can't block the number or report it. And I know she's blanketing the area because Ive gotten calls on my cell phone and work phone. I swear if I ever catch this girl...

This is actually perfect because my college recently got two different phishing scams going around. As a programming major and having to take networking classes I thought it was great when in the email they said the "attack" came from IP 24.176.229.15 (where the largest an ip can go is 225) then the one last week was even better it was an IP 1,541,605,760 (yes almost all those numbers are too large, it was written with commas, and it is basicaly impossible to ever see an IP address start with 1)
Also small note right off the bat you called phishing a man in the middle attack. Man in the middle is just wire tapping so a man in the middle is like a skimmer and phishing is like building your own store that just looks like another store.

As a student in computer science I'm happy to hear you guys talking these tech subjects!!! Awesome video and examples :)

I fell for ONE phishing scam. Back in my Runescape days, I got an email saying that someone was taking my account, and to enter my login. Lost years of progress in a few hours. Never again.

One time, my dad got a phone call from some kind of phishing attack, which he realized pretty quickly. He has worked in IT / Comp Sci for decades, and is generally very privacy-focused and cautious (and paranoid, which helps in these cases). He managed to turn the whole thing around on the guy and claim that he was actually calling them (since often with these types of scam / telemarketing calls, what happens is a robo-dialer calls people, and if someone picks up, that then calls the human on the other end in a call center (rather than people actually dialing everyone manually). He convinced this guy that he worked in their company in HR or IT or something else, and managed to get this guy to tell him some personal / private information. In my memory, it was a social security number, but I'm not a hundred percent sure. He hung up and shouted "Yes!" and I went over and asked what happened. He explained, and had written down the number on a sticky note. He was thrilled and kind of shocked that it worked. Who knows if the guy actually gave him real info, or was just playing along, but it was a really funny experience. I asked what he was going to do with the info and he just destroyed it, but it was the sentiment that counts.

I'm an IT security specialist, and I love this video. I love the plain-language explanations and completeness you guys show here.
The only thing I would add is that the "hover over the link" trick isn't all that helpful any more. MANY legitimate companies use email list software, or tracking software (you know, like the Lastpass link you have in the description).

My mom called me very angrily yesterday saying she had been scammed. For months she had been getting mail saying that she owed money for a magazine subscription that was about to expire. She showed the magazine that she had sent the check, and it had been cashed. It turns out that, somehow, a scam company using the same letterhead, etc, had sent renewal notices right around the same time, and she had sent the check to this company instead. Just something to watch out for.

Aw yeah, I've been waiting for a fishing episode for ages!
Wait... what do you mean "not that kind of fishing"?

Even worse, some sites always say your password is invalid.... You'll put in every password you've ever had trying to get in and they'll have access to everything you ever did...

I need a gif of Jason saying 'penetrated'. For... reasons.

"Punished Props X Modern Rogue Collab 2018"
I don't know who those guys are but nice little Easter egg there in the thumbnail! 👍

Today's Scam School day! You can't fool us just by putting 'scam' in the name of the episode.
Then again, we're getting an extra The Modern Rogue episode, so I ain't one to complain. :3

Here's my interesting (sort of) phishing story: I was contacted by someone claiming to be working with the Hands and Feet Foundation, which is a real charity focused on helping children in need. They said that they were working on a big project to spread awareness about the cause, asked if I wanted to help out, and stated that it wouldn't cost any money. So, of course I agreed, since the charity was legitimate. Then this person proceeded to ask me to send him pictures of my hands and, more importantly, feet (you can probably see where this is going). Obviously, this was strange to me, so I contacted the charity and they said they had nothing to do with this and that I should stay away from this person. So, the moral of the story is: scams aren't always about getting money, sometimes they're about getting pictures of women's feet.

My favorite phishing emails are the ones that come and say like "Facebook notification of some sort!", but the link is some long-ass URL that ends in .ru!
"Yes, we am Face Book, click this link! *CrazyRussianHackerAndNotTheCoolKind420.Pizza*

But today isn't Friday...

Not one minute after I finished watching this episode, I receive a text from someone claiming to be my dentist as a reminder for my appointment. So I called them on the number I had and asked about the text. I'm learning things and applying them in real life! Applaud me!
But in all seriousness, you guys are doing great things as always. Keep up the great work!

Back in the 90's when I was still in school, I learned a lot about phreaking. Phishing was alive and well in the 90's and was often used in conjunction with phreaking, likely explaining the naming convention. Phishing used to be done via phone mostly, calling people impersonating a company - or more commonly, with a target in mind, calling a company and impersonating as your target to get information out of the representative on the other end.
I recall one writing detailing being able to call up banks or utilities, impersonating a relative of a target. It took very little information to report the target as deceased, opening up the door for information and some trolling - such as turning off the electricity or closing bank accounts.

What a world we live in. I’m always amazed by the human trash that exist in our society. Some of these people, and I use that term lightly, are smart enough to contribute to the world, but instead they would rather use their brain and time to take things from other people. The penalty for phishing and other cons should be more harsh.

I was victim to a 'fishing' scam a few months ago when I received a sms from 'dhl' or 'tnt' asking me to call a number to set a delivery date. The call (a 06 number) turned out to be a paid call. I realized it quickly but it still cost me 2€... And I'm a nerd, I know about these things...

I remember a few years ago, phishing links were sent to many MANY accounts on steam. There was a time where lots of people who owned massive inventories for different games like team fortress 2, dota 2, csgo, etc. were sent these links through people in their friends lists or through friend requests and ended up losing all their items. For these people who had these massive expensive inventories, they lost thousands of dollars worth of stuff because of it, because these in-game items are infact worth real world money. Unusual tf2 cosmetics, csgo knives, and extremely rare dota skins were sold on the steam market and even on websites made for trading these items for either actual money or in-game currency, but currency regardless. Because of all of these phishing links being sent to people on steam giving access to their accounts, eventually steam had to make a 2 way protection service for their users. You HAD to have the steam app on your smartphone to be given the code to log in and it's completely random and only exists for 30 seconds, and it also gives you notifications for trade requests. The reason for this to be created was because for those people to take the items from accounts, they still need to initiate a trade, and to login, they need to have access to the users code which only can be accessed through one smartphone at a time.

I swear this channel in general is just like two cool uncles just have their fun together and the nieces and nephews look up to them

Oh my gosh! I was in the middle of watching this, and I got a call saying my car warrantee has expired and I must act now or there will be a fee. And I don't even have a warrantee on my car!! Phishing scam? Probably!😂😂 obviously I hung up

the best way to advertise anything is to do it while drunk

Thank you thank you thank you for this video. I'm a delivery driver for Doordash, a company that delivers food to people from restaurants that normally don't deliver. This morning I got an order for just a hot tea from Wendy's, so I decided to take it. While I was on my way to Wendy's, I got a call from a supposed Doordash hq employee. He just basically told me that the customer cancelled the order, oh and by the way I also qualify for a $200 dollar driver bonus, which was a tiny red flag. I just had to confirm my phone number, which then they sent a text to which I had to reply with my Doordash email and password, that was a major red flag. I remembered the rule from this video that if they contact you first, don't give any info. I muted the call and looked up the situation on Google and the same thing happened to other people; they get an order for something small and then get a suspicious phone call. I immediately hung up, and he called back right away and then I just told him "look I have another order, I'll call you later " which I never did. Point is, without this video I probably would have walked into the trap.. thanks guys.

LastPass is definitely the best sponsor you've had yet.

When I first saw this I thought it said "Fisting". You can see where my priorities lie.

IT ALL MAKES SENSE NOW! How did I miss it!
*The Robot Voice belongs to DRESS PANTS ROBOT!* In other episodes, that is how he talked! He does the intro voice!!!!
I think we are on the verge of making a modern rogue lore!

there was an instance of spearfishing at a company my close friend worked at where there was a person spoofing the CEO's email and got the head of finance to disclose the access to all of the financial information for every person in the company. subsequently every person in the company had to change banking information and then the person who fell for the attack got premoted and now has way more power.

I became aware of your channel via The Whiskey Vault episodes that you did a while back. I appreciate that you're producing material for thinking men - while often keeping it fun. Bravo!

This channel is the only channel I enjoy the sponsorships. Jason is just.... 😂

Great video guys, I'm in IT and I have to say you guys are hitting on some good stuff here, I will be sharing this video with friends in family

Wow, really glad that a) Someone is educating people about this issue, and b) It's also my favourite TH-cam channel! I'd love to see more of this!

I wasn't paying attention and I paused at 16:38. When I looked up I about had a panic attack... Thanks for making paranoid again, Modern Rogue!

A buddy of mine got Wells Fargo'd when we we're driving to lunch one day.
Unfortunately, I only caught that it was a scam after he had entered his info since I know where he actually does his banking. Lucky, he doesn't use WF and is just techno-illiterate but unlucky is that they can still sell that email and password so he had to change both of them and drop that email account for anything important.
Also, wed-nes-day MR?
Also also, DRESSPANTS-ROBOTMAN for the bingo cards.

The ultimate bromance.
Thank God the modern rogue is a thing, thank god.

Henry Winkler walks into his kitchen while wearing his robe at 2:37 AM. He hears a clicking sound and turns around. There stands Brian with a torch ablaze in his hand.
Brian: “THE CONCEPT OF RESISTANCE TO FIRE IS ONE AS OLD AS HISTORY ITSELF...”

Fun fact: A spear phishing attack that targets a senior member of a company is called a whaling attack.

Brians "witch Laugh"™ COLLECTION;
0:13 , 0:19 , 0:50 , 9:31 , 10:09 , 15:19 , 16:44 , 19:13
Brians "WOW"™ COLLECTION;
15:40
Murphys "Pulling a Murphy"™ COLLECTION;
NONE, This video does not include a scene i which Murphy embarrasses himself.
The 3 categories above must be populated by at least 1 entry in order for this Modern Rogue video to be added in my Favorites Playlist

5:03 God dammit! Dyslexics are screwed

You guys are really good at acting. It looks *just* like a regular conversation!

A lot of banks and organisations make it clear that they will never expect you to click on a link in one of their emails and/or that they will never email you asking for sensitive information.
I routinely get emails from the Inland Revenue Department saying "you have a notification/letter/message" and instructing me to log in using their secure server.
The only things that show up as links in the emails are my own address (where it says "this has been sent to .... because this is the address you have recorded as your contact address") and the email address to which I should report any suspected phishing attacks. Both of these occur in their warning about phishing scams.
In order to view the message, I need to go to another tab, type in the address for IRD's secure login server then enter my username and password - and _this_ just to read a *letter* from them.
They make it pointedly clear that *under no circumstances* will they ever contact you with "click on this link to amend your details" in the message. If there were ever a problem, they would email me and tell me to contact them through the *proper* channels.

Anyone remember when Brian had a mohawk?

Good afternoon everyone.

This is very important information to spread around. My mother-in-law fell for a few phishing scams before I helped her understand how to know the difference between authentic communication and phishing attempts, and what to do when you're not sure.

I literally have some mead brewing because of your last episode. Cheers!
P.S. Does anyone else keep getting Apple phishing emails? I don't even own an Apple device, but still get them...

Can u do some videos on blowing stuff up and building weapons. This sounds so sketchy lol

Ello, I work for Microsoft and your computer as a wirus.

I can't wait for the follow up episode where you showed that you used the spoofing test thing to link this episode.
I mean, its gotta be no coincidence that you did a video on phishing and on the same day I got an email from scam stuff (like I normally do) except it was about a normal episode (which is weird in my experience) nor did it go to the folder I use for promotions and sales.
Though, tbh, I looked at the email, did all the things you said, and saw the links went to scam stuff so *shrug.* I'm going to be part of your statistic even though I knew it was a scam. I was expecting a link going to an unlisted page or something going, "OI YOU JUST GOT PHISHED! Go to our new video on phishing to see how you done goofed..."
Either that or I actually just got hacked and I'm screwed.

you guys are making me laugh as hard as some of my favorite comedians, not just on this video or even on just the videos. laughed harder today than I did yesterday, thank you :)

Only about 30 seconds in, but my first guess as to why people keep falling for scams, is... Horribly un-tech-savvy old people, or... Oblivious children.

Number 15: Burger king foot lettuce. The last thing you'd want in your Burger King burger is someone's foot fungus. But as it turns out, that might be what you get. A 4channer uploaded a photo anonymously to the site showcasing his feet in a plastic bin of lettuce. With the statement: "This is the lettuce you eat at Burger King." Admittedly, he had shoes on.

Also recheck whatever safety measures you've employed, over time they may need updating or checks for faults. Software measures can be hacked or found vulnerable, so think maintenance and maybe layers.

Hey guys love your videos... it’s been so inspirational and has made a ... explosive impact

This is basically a 20 minute add for lastpass

I was absolutely TERRIBLE with passwords until you did the first lastpass video. I tried it out and now I don't know any of my passwords. Thanks :)

Something I thought was missing from the video was the fact that many businesses tell you they will never ask you for your info via email/over the phone so that if it looks like they are, you know it's not them.

Very helpful. Always someone out there trying to bring you down.

I use lastpass since you last episode about it, very happy how it works, very enjoyable ad to watch ;)

So happy to see a new video from you guys. Your show and channel is so amazingly interesting

The modern Rouge does sushi.
I had sushi tonight with my wife and this would be an awesome series to learn about for you guys. Kind of like you did with whiskey, cigars, or the Mongolian archer where you learn from an expert!

The hovering over a link only works in an email. If you are on a website there is the possibility that the moment you click there will be another link that is exactly 1 pixel in size that is shoved under your cursor and you click on a totally different link.

Used to work AppleCare, and I swear to god half the calls we got were people calling in about information they got from a phishing attempt.
Felt nice to calm them down, educate 'em, and show them where to forward the email. :)

Yup I'm gonna need the outtakes for this one asap.

It's good to know that someone is concerned about the safety. It's difficult to create a new password the is not too long or short and it should be something you remember.

One of the best attackers I've seen was a girl at the bar where I work. Diabolical.
She comes in dressed up and looking super hot, hitting on a few guys and since shes wearing a skimpy dress she says "I don't have my phone, let me put my number in yours and add my snapchat." or whatever... She then used their phones and Venmo'ed and Apple Pay'ed herself thousands of dollars over the course of a weekend. Apparently she made out with 5 figures money and just disappeared.
I don't think the police caught her because they came back over and over for info and a bunch of the rich guys were too embarrassed to come forward, some of the more drunk guys were too drunk, and the rest barely bothered to look at her face or ask her name and even if they did she probably wore a wig and used a fake name.
She is a fucking genius (not that I condone it.), and her clever use of modern technology and manipulation was pretty amazing.
From what I gather she used her apple watch for the transactions and even went so far as to pretend to take pictures with the guys by tapping the flashlight on and off and pretending to go through the pictures and edit them, or she pretended to try to find her snapchat or whatever... stuff that takes longer than adding a number, which is clever. She just went from group to group, guy to guy, and phone to phone.
People... LOCK YOUR PHONES UP! Add codes or fingerprints to your financial shit! How did she even find that many guys with money apps with no security!?
Edit: I just realized I have my Samsung Pay setup with no security either... face. fucking. palm. Uggghh.. I'm adding fingerprint security to it. Damn. She could've gotten me if I weren't socially awkward and grey-sexual as hell. Jeez.
Lock your shit up!

I get emails claiming to be apple that I've bought something from the app store like a song or something, but I'm not an apple user. They could fool an actual apple user

such an underrated channel. such a good video!

I love these kinds of video's. After your video of tails os and the deep web i even tried it. The 419 scam video and this one were really interesting. Keep posting content!!!
Love from Belgium

That’s so weird literally yesterday my school fell for a phishing scam and everyone’s accounts were compromised now I see this in my recommended

I remember finding a Google ad for youtube after serching for youtubeand it redirected to some site telling me to call it's weird that even google gets caught up in this kinda stuff

I got a scam saying I need to get in touch with them, or I'm going to jail, and the cops will be at my door at any minute.

Another important thing to look out for that can be telling is understanding what they're asking of you. The vast majority of the time a bank or similar trusted entity won't be asking for anything that can allow them to get money from you. If your bank wanted to rob you, they wouldn't have to ask; they already have your money. If your bank routinely asks you for sensitive information, switch banks. Take a fraud detection alert for example: the bank will simply ask you if you made the charges and cancel your card if not. A third party wouldn't be able to access your funds using such information. They'll never ask you for your password, and shouldn't need any sensitive PII, and the only action being taken is a potential freeze on your card/account. If you're being asked to provide information that would allow someone to access your money/property or otherwise take over an account of yours, it's almost certainly a phishing attempt. In this case, contact the involved company directly without using any links or phone numbers from the email you got but instead looking up the contact info yourself and verify the suggested action first.
I've used banks as an example here but this info goes for any trusted entity.
Source: Have been trained and worked in network security and development of security software for several years.

Definitely not a "man in the middle" attack but mainly correct and great video, I love you guys. Just fyi a MITM or man in the middle attack is where you actually inject yourself between the client device (phone, laptop, etc..) and the server side (wifi access point, internet connection, web server etc.) and you pass the traffic back and forth as it should be but at the same time capture the data or alter the data to your benefit.

perfect mix of humor and knowledge, you guys never let me down

I've seen so many friends who get scammed online and I always ask them if they remember clicking a link and 99% of the time they did. ALWAYS check to see a the green lock next to a URL before giving info.

A MITM attack is actually its own type of phishing. MITM is when, as the name suggests, you are in between someone’s device and the router. Like if you went to Starbucks and set up your own rogue AP and get everyone to join it( devices like the WiFi Pineapple have a thing where they can send a kick command to the real router and force devices to reconnect to them.) Then when people visit their bank or whatever, the request will go through the rogue point first, where it can be replaced with a fake response that would be the phishing site. There’s actually a tool used called the Social Engineers Toolkit that clones a web page so that it looks exactly like the real site, except that the login credentials will go to the hacker, and the user will just be redirected to the real site like as if they mistyped their login.

The reason Gmail catches these spoofed mails is probably SPF, which limits which mail servers are allowed to send out mail for a certain domain. It's one of those things every mail server should do these days but way too few actually verify.

I been using LastPass since your first video with lastpass

The way you guys put about the topic is interesting.

Only problem with hovering over the link for the address is the sender can put the actual address and then use an "onclick" on the link to completely ignore the link.

I actually started using LastPass because of yall, it's great

Lastpass? Now the hackers only need to figure out 1 password in order to find out every password you use. Genious. Just brilliant!

Another phishing scam that my mom got was a guy talking on an unstable line claiming to be my mom's bank.... Caller ID verrified it was from her bank, but when she complained, he called her back from a second line... This time, the caller ID said "mastercard"....

I know this kind of things because is my job, and guys you are doing an amazing job! Top quality video!
And always funny!

Here is a thing. Recently there was an exploit in all major browser(firefox,chrome,brave,edge etc.) that allowed you to make your website look like it had the same adress as any website

You could check the email header and see if the email actually came from the legitimate source. The URL its taking you too usually reveals the phishing as it wont take you to the actual website that sent you the email. I also recommend getting a javascript blocker like uMatrix and you can visit the website without javascript which might save you from getting infected.

One of these days im gonna get a call or message from like the fbi or something asking why im so interested in improvised weapons, weapons usage, espionage, scams, alcohol, ect. Because i regularly watch your videos. I hope the agent that asks me about yall is a fan of yalls

a safe way to check any website before going on it is: view-source:(then your website URL) Simply type that in the URL bar as if it were a website.If it is a hyperlink, then right-click on it and select: "Copy Link Address" then paste it in after "view-source:"

Set and maltego are my two favorite tools on Kali :)

I picked up free lastpass because of you guy's suggestion, the amount of accounts it has saved me and the fraud alerts I've avoided from myself and even from actual attempted account thefts is innumerable. Thanks for giving me the info about this amazing tool

I love your recent content, guys! Also, NordVPN, LastPass, solid sponsors. Would buy, if I hadn't subscriptions already. Keep the content coming, you're on a roll

My Company got attacked by a spear fishing attack and almost lost a sizable amount of money, was able to get it back last minute. Second last year we got attacked by a different method, busy couple days but again ended up not loosing anything. These attacks can fool anyone, at least we have learned some good lessons and have some good stories from it.

That could be a MITM (man in the middle attack) but that refers to much more than phishing and can be part of crafting a social engineering attack (like with SET (Social Engineering Toolkit (toolkit designed to perform advanced attacks against the human element))).