4D3D6188_87 – Tyfone – Digital Banking Podcast – Uku Tomikas

Uku Tomikas: [00:00:00] take a second, look at the text, look at the URL. Does that look legitimate to you?

there’s a pretty big likelihood that you will realize that it isn’t real, that it’s a fake, and you won’t fall victim to it.

[00:01:00]

Josh DeTar: Welcome to another episode of the Digital Banking Podcast. My guest today is Uku Tomikas, the CEO of Mesenta. And this dude is an animal. He literally told me he’s like a dog with a bone. Once he latches on to something, he’s going to give it his all. Uku is from the small country of Estonia, and every time I have talked to Uku, he has been doing something active.

Our first call together, he stepped out of the rock climbing gym for a quick minute to chat with me. And after we wrap up this podcast recording, he’s going to ride his bike 20 plus miles home. It’s a mindset of persistence and determination that have shaped who Uku is and where he is today. He said he’s always prided himself on, while he may not be the smartest person in the room, what’s in his control is trying to be the hardest worker in the room.

I mean, follow this journey of hard work and determination. He started out his college career path in law school, then became a waiter, where he had to wear medieval attire, to a platoon commander in the military, to running a seafood wholesale business. Alda then decided to take a step back and force himself to start from the bottom, and work hard to earn his way back up the ladder with Missenta. While on paper, this may seem all over the place, Uku highlights it’s these life experiences and the press on mentality that has brought him success and fulfillment. So much so, he has the statement tattooed on his arm. Uku’s also a huge family man. He and his wife and two young children spend every minute they can out in nature, exploring, traveling, being in the water, and ultimately building memories and bonds for a lifetime. Who has a strong passion for financial services and the role that they play in people’s lives and how fraud is having a major impact on both the industry and the people that it serves lives. Welcome to the show, man.

Uku Tomikas: Thanks for having me. Love that intro.

Josh DeTar: I mean, you’re a beast. I love it. I’m a huge fan. Anytime I talk to somebody, they’re always, uh, you know, on a walk or trying to be active or do something. I don’t know. I think there’s definitely something to be said for,you know, just keeping the blood flowing, staying active and just even that kind of, you know, persistent,embrace the suck, mindset, is a, is a really valuable one, both in your personal and professional life.

So yeah, I love seeing you get after it.

Uku Tomikas: Yeah, I mean, it’s, it’s one of the things that, as I said, I sort of pride myself on, but it’s also one of the things where once you get a habit going, like a habit of one sort of an activity or another, it’s so easy to build everything else on that. Like one of the things I’m most proud of is I do yoga every single morning and I’ve done yoga every single morning for literally a thousand and one hundred days in a row without ever skipping a day.

So more than three calendar years in a row haven’t skipped a single day. And because of that, I also know that I can build any other habit on top of it. Because I’ve already built the massive habit, so I know that I can build every other habit as well, so I already know how I function in that regard. So, building any other activity on top or starting a new thing or a new hobby is that much easier once you have that consistency going and you’re in the loop.

Then you can just build other loops around it or into it or utilizing the same techniques you’ve sort of learned.

Josh DeTar: You know, I didn’t know,of that technique until, I don’t know, maybe a year or so ago. And our CEO Sibbo was talking to me a lot about, ability to tack a habit on top of a habit. and it was really funny. There’s a, it’s a silly example, but,my wife has like running lights on her truck and I like to have her have them on because they provide an extra level of visibility.

Um, you know, just for safety and driving around in traffic, but they’re on an auxiliary switch. that you have to manually turn on and off. They’re not tied to like the automatic headlights of her truck. and she was talking to me about how she was like, man, I just, I can never remember to either turn them on or turn them off.

and I recalled a conversation with Siva where he was talking about attaching it to another habit. And I was like, well, you already are in the habit of putting the parking brake on. Anytime you park and then taking it off anytime you go to move, I was like, just attach it to that habit. So as soon as you, you know, take the park break off, turn your lights on.

As soon as you, you know, put the park brake on, turn them off. And she, it literally took her one day and she was like, it’s now a habit. And now I never forget to turn them on or off. And it was just by attaching it to another already established habit. So it’s kind of a fascinating, like I said, like it’s a silly example, but if you extrapolate that out to other areas of your life, it is a really, you know, effective technique.

Uku Tomikas: Yeah, my wife had a thing where she wanted to read more books, but quite often when people want to read more books, it’s sort of like it has to be, you know, an hour a day in good mood lighting, in complete silence, et cetera, et cetera. And when you have small kids and work and hobbies, you know, that doesn’t

So it just doesn’t exist. It’s not realistic. And then. You know, she found a hack for herself where she reads a few pages every time she brushes her teeth, so the book is next to the sink. And you know, she’ll get like 3 5 pages sometimes, you know, she’ll read 10 pages, something like that. But the thing is that if you do that twice a day, you’re reading between 10 and 20 pages every single day.

And because you’re doing that for a week, all of a sudden you’re reading half of a book. A week, or maybe you’re reading a quarter of a book a week, which means that in two weeks to a month, you have a book or two week books every single month. And when you then extrapolate that to a year, you’re only reading maybe five minutes a day, but the thing is that you will go through 20, 30 books a year.

Like you don’t have to do your absolute maximum every single time you do something, you know, it’s better that you do at least a little bit. Rather than two perfectly like do a little bit all the time rather than perfectly one time and the effect will be much better

Josh DeTar: We’re like six minutes in this podcast. You’re already giving me a takeaway from this. I’m gonna start reading a book while I’m brushing my teeth now. That’s

Uku Tomikas: surprisingly effective. Yeah.

Josh DeTar: our marketing director, Kevin,gave me a similar kind of thing and he was like, yeah, cause he has a four year old daughter.

a teenager at home and same thing, like life is just crazy, you know, and he would probably also say his boss works him to the bone. So there’s probably that. But, he was like, no, one of the best ways that he has found to help him just like consume some content is he listens to podcasts while he’s in the shower. just literally throws his phone on speaker as loud as it’ll go right next to the shower, throws a podcast on and same thing. He was like, yeah, no, I’m not listening to a, you know, two hour podcast end to end while I’m in the shower. but you know, I get five to 10 minutes every single day and that starts to add up and it’s attaching it to an existing habit.

Just as he gets in the shower, he throws on a podcast, he gets another five to 10 minutes of the podcast. Right.

Uku Tomikas: there’s this surprising thing about that as well Is that when you then only read let’s say five pages or only listen to like 10 minutes of a podcast Your focus will be higher. Sometimes when you’ll do it for like half an hour an hour You’ll start, you know, if you’re not completely engaged by a podcast or not completely engaged by the book, your focus will start going one way or another way, which means that you won’t actually consume as much of the information or retain as much of the information if, is, if you did in like five to 10 minutes spurts.

So sometimes that 10 minute of doing something in, especially in terms of like information retention sometimes is more effective than going for like a, an hour focus session.

Josh DeTar: Yeah, I was actually just starting to think about that in my own head as you were talking about it. I wonder how, cause I haven’t used this technique of, you know, reading a book while I’m brushing my teeth and only getting a couple of pages or anything, but I, I totally see what you’re talking about.

Like I know for myself, right, if I am like, I’m going to dedicate one day a week to read a book. And I’m going to try and read the whole thing. I do. I find that I retain very little of it.because I find over that long course of time that, yeah, my brain wanders. I’m like, yeah, you know what? I really needed to respond to that email.

And maybe I even set the book down and I take a minute and I go respond to it. And, um, but if you’re super dedicated for those, you know, three to five minutes or whatever it is. And then it also kind of forces you, I would imagine, to have to retain it because you’re coming back to it so many times. And I feel like that’s a part of my problem too, is if I read a third of the book and then I don’t pick it up again for another month and I come back to it, I’m like, man, crap, I got to start this thing all over again cause I don’t remember what the first third of the book was anymore.

All right. But if you’re every single day, just getting a little bit of it and you’re digesting and actually retaining a little bit each time. I don’t know. That’s a really interesting concept. Like now I literally want to go brush my teeth and try and read a book and see what happens.

Uku Tomikas: Yeah, I mean, it’s, surprising as well. I guess one big part of it is letting go of our perception of what something needs to be like. What’s our perception of learning? For example, I do most of my learning in audio book form most of the time. Like I don’t even worry about the fact that. I haven’t sat down and properly read a book in a while because I go through three, four books in audio format because I learn more by listening, for example, or talking through things.

So it’s just a misunderstanding of what works for you. And just because, you know, we have this perception of book reading needs to be this kind of like an activity on the couch with a nice cup of coffee or a tea under a blanket, cozied up in the evening with slightly dimmed lights. Then doesn’t, it doesn’t have to be that for you to actually enjoy yourself.

You’re gonna enjoy yourself, you know, by reading a little bit at a time and still retaining the information and getting something out of it.

Josh DeTar: You know, I, I think it’s funny, we never intended setting up this podcast, go down this track. But, you know, I think the human brain is just so fascinating and like how we humans all work a little bit differently to,you know, one of the things that Uku and I were talking about before we started recording was, the concept of thinking fast and thinking slow,and how the brain kind of works.

So do you want to kind of maybe explain that concept as well? Cause I think that’s going to tie into a little bit of what we’re going to talk about today from an actual, what we said about, for kind of the conversation for today.

Uku Tomikas: Yeah, I guess one of the things that I always recommend, whenever somebody asks me, what is the book you recommend? It’s always Thinking Fast and Slow by, uh,Daniel Traversky, because it is one of the most remarkable books in terms of helping you understand that your brain is actively trying to deceive you half of the time or taking an easy route through something.

you know, a lot of people have learned about or heard about loss aversion, that people make a lot more conservative decisions when they have something to lose as compared to when they have something to gain. the situation is quite the same, or their gains could be much bigger when they have something to do with, et cetera, et cetera.

Uh, but you know, one of my own favorite principles about that, and this comes from, it comes into decision making and everything else is the idea of what you see is all there is, and that you only know what you know, and you don’t know what you don’t know. So every time you make a decision, you need to be cautiously aware about the fact that a new piece of information might come to the fold.

and completely change your perception of what’s going on. And it applies to any other topic in the world as well, because, you know, everything, even in the banking community, is constantly in flux between one thing or another thing. Consumer habits change. Understanding of how these processes work consistently change.

So you have to constantly be, diving deep, understanding what’s there. pinpointing different positions about that and always being aware of the fact that there’s probably something I don’t know. And then sort of marrying that with what you do as, you know, as a professional or as a person or whatever.

Josh DeTar: Yeah, so I want to use the example from the book that we were talking about too, to kind of illustrate this. So. So, you know, the question,that’s posed is, you know, simple question that gets you to start thinking about how your brain is, approaching solving a problem, right? And if you take the time to actually think through it, or like you were saying, sometimes your brain is just deceiving you and, you know, kind of leading you down the path of least resistance if you move too quickly through that, you know, analysis.

So the question is, if a baseball and bat. The total cost of the ball and the bat is 1. 10 and the bat costs 1 more than the ball. How much does the ball cost? And you know, go ahead and answer it for yourself. But what we found, we actually posed this question,to folks internally at our company too, just to kind of see how people reacted.

And it’s fascinating. The vast majority of people are going to respond that the answer is 10 cents. But it’s actually not the right answer, right? So you actually have to do the math to realize that if you say that the ball is ten cents, well, we said that the bat is a dollar more than the ball, so that means that the bat is now a dollar ten, and a dollar ten plus ten cents is actually a dollar twenty, so you were wrong.

But just very logically, you’re like, oh yeah, dollar ten, this one’s ten. Subtract the two remainder is this is our answer, right? But you have to actually think through it a little further. So I think where this becomes interesting is when we start talking about, you know, kind of what we went down the rabbit hole of earlier of just, know, people’s kind of habitual routines and how they go about doing things.

And sometimes we just get so focused in our routine or we do the same thing over and over again. And coupled with kind of this thought process of sometimes when we just think fast or we’re in a hurry, we don’t actually take the time to think through, is this actually logical? Does this actually make sense?

And is this actually correct? And when we apply that to the conversation, we really wanted to kind of talk about today, which is how people are, you know, or just kind of this, the. What we’re facing in terms of fraud and a lot around things like social engineering and messaging, a lot of it comes back to, we’re just always so in the habit of, I’d be, I just always respond to this type of thing, or I just always go to this place and do this thing.

And then if I don’t actually take the time to think through it, wow, was that link that I was just texted, did that actually come from my financial institution? Would they actually ask me for my credentials? Like, Does this make sense? And so, when we think about, you know, fraudsters are always trying to figure out the new best way to get through the system.

And we have to be right every single day. And they only have to get right once. And unfortunately, when you’re dealing with humans, it’s pretty easy to get right once in a while. Cause humans are pretty easy to deceive as a whole, right? so I don’t know, maybe kind of talk me through a little bit of your thought process on how we’re starting to see some evolutions of how people are approaching fraud based on kind of how people respond to certain things.

Uku Tomikas: Yeah, so I guess the big sort of, tipping point in terms of fraud and how it started becoming a lot harder to fight against, but simultaneously start generating much higher conversions is with the use of AI coupled with COVID because COVID created a whole new engine of Triggers and conversion points for fraudsters to use essentially something that people would react to that would trigger people that would create a response.

So the fraudsters have very much started going down the track, and these were kind of even like two very specific tracks. One is a very habitual track where the activity that a fraudster scam is associated with is something that you’re very commonly. up against or something that you very often touch upon.

And then the other one would be the highly emotional angle of fraud. So something that would create a very high emotional trigger. So I’ll take the emotional trigger one first, because that’s always kind of the, the, the kind of the most scary thing, less effective actually, or less used because it’s more resource heavy.

But. It’s very, very scary. So we’ve all heard about AI being able to actively mimic anybody’s voice nowadays. So one of the most common forms of scam that this type of AI is now used for is the help mom scam, where essentially your child’s voice. Is taken from social media, you know, from a Tik Tok, from a Reels, from some video they posted somewhere.

Their voice is taken from there. You don’t need a lot to synthesize pretty much a very close saturation of their, of their voice. So that is used with a custom script. And then most people have their phone numbers quite public these days as well, or at least it’s kind of easy to find out somebody’s phone number.

So what they will essentially do is they will use your child’s voice with a script as if they are in distress, have. That robot, that AI generated your child’s voice, call you with a very convincingly accurate voice of your child in distress, giving you some form of information or some form of a trigger point where they’re in trouble.

They need help for this piece. I’ve lost this, this, and this, please send this here, something like that. And they will essentially use that. Level of distress that is created in a parent to latch onto it and have them create some form of a trigger point. So either share their information or send some cash or do whatever, make a wire transfer, do something to then give more information.

So social engineering in a way has been around. For a very long time, voice modulation has been used very much as well. Like one of the most common things that used to be done is where you try to, by social engineering, you tried to create different points of,of conversion to get all of the data necessary from a person in order to create some form of a conversion in a bank, for example, you’d need quite a lot of the personal details.

So quite often what they would do is they would,use, some form of voice modulation to create a female voice and then play The sound of a crying child in the background. And then they would call, let’s say your utilities company or your internet provider, and then they would try to get one or another piece of information.

about the person that they were impersonating. And then they would use those pieces of details to go to the next service provider, get more details from there until they had a pretty strong portfolio of what that person specifically was, what they did, you know, what their social security details were, emails, addresses, phone numbers, et cetera, et cetera, et cetera.

And now you could use that information to then. Actually contact the bank or take a loan out under their name or do whatever because you already had their full information in the background and you could use those emotional triggers created by, you know, a crying child in the background with a frustrated mother, you could use that to then generate those information points.

So now with AI. You can make it even more personal because you can take that personal connection you have to a person and then apply it to that and Sometimes they will even go far enough that if you think about it people will be quite from one side very protective of the children, but simultaneously They will also know their children their best But what if it isn’t their child?

What if it’s their grandparent or their cousin or their brother or their sister that they don’t talk to too often? So if you put your research in and look at social media and in social media You’ll see quite a lot of posts about who you frequently communicate with and who you don’t communicate with so based on our social presence You could pretty build a pretty engaging understanding of who are our friends family and who are the people we associate most with so take a person that is Technically close, but you don’t talk to that often, emulate their voice, because it’ll be harder for that person to understand and then create an engaging story behind it.

And you’ll find a way to use those emotional triggers to scam money out of people. And then that is combined with, you’ll take some form of that robocall, or sort of AI call. Type of scam and then you’ll combine it with other touch points as well. So then they’ll send a text message afterwards or an email afterwards or something like that.

So they’ll combine multiple different forms of trying to scam people. But that type of scam is a resource heavy. And scammers aren’t going to spend that much time on that type of resource when there’s a way to do more damage in bulk. And that’s why the thing that they’re latching on to more is Our habitual sort of activities, most common type of scam you can see, is very, very broadly used is the.

courier scam or package scam or package notification scam. So essentially you will have, let’s say you order something from Amazon and then you’ll have a prime delivery. And then it’s related to some form of a time where a courier comes and you’re sent a text message. Or in Europe you use parcel lockers quite a lot.

So you will have like a parcel locker notification that your package has been delivered to a parcel locker. Very easy things to imitate and quite often we’ll forget. What we ordered like if it’s not same day delivery and if it’ll take like four or five We kind of forget and then sometimes you’ll have longer delivery times of like two weeks So you go like did I order something?

I must have ordered something. I don’t know what it is Ah, never mind, and then you’ll click And then by clicking on it and going to the website, the website is perfectly branded. It is completely identical to what your normal sort of banking establishments or financial service providers website would actually be.

It’s completely identical. The only differentiator is the URL. And in that you have to be so incredibly careful.and I guess we’ll talk about the URL stuff and why it’s so important to look at those things later on as well. But then it looks legitimate. Everything is legitimate. It’s high touch point.

It’s something that you’re used to getting. It’s very habitual. You’ll go to that website, your insert your details and hey, presto, you’ve lost a bunch of money. And that is quite easy to do., and the transition in during COVID times went from scammers using non legitimate message ways to deliver these type of messages to people to now using legitimate channels, because they realized that the operators don’t do a good enough job of filtering out scam.

So it’ll just get there. And now what they can rely on is all of the messages. They get a pool of numbers, buy it from anywhere, just use a scraper to get it off social media, whatever. We share our information everywhere. They’ll get a pool of numbers. Blasted out. Conversions between 1 and 4 percent.

Average damage, 800. Text messages cost nothing. In comparison, so just to highlight in terms of numbers for anybody who likes to do quick maths as well, you get 100, 000 numbers, it’ll cost you something akin to like maybe 100, 200, 300, maybe 500 to send out that campaign of 100, 000 messages, one to 4 percent conversion.

So you’re looking at about 1000 to 4000 people multiplied by an average of 800. So you’re looking at between 800, 000 and what, 1. 6 million in damages? 2. 4 rather, sorry, 4.

Yeah, so between 800,

Josh DeTar: lot of money.

Uku Tomikas: million dollars in damages from a 500 dollars spent and a bit of information scraping off the internet.

Josh DeTar: You know, it’s funny. I was, uh, literally, uh, just having like the outside, uh, in the neighborhood street conversation with all the dads and somehow we got to talking about this, [00:27:00] this, uh, I, one of the guys had just like tried to sell something on Facebook marketplace or something and was getting a bunch of these scammers and we were talking about it and, and it’s like, man, what am I doing trying to, uh, you know, work an honest job over here when I can make 2, 000, 000 off of a 500 text messaging scam?

I mean. You know, there’s a, there’s a reason people are getting into it and, you know, unfortunately it’s become so prevalent and especially in, you know, certain regions of the world, there’s virtually zero recourse. There’s virtually zero prosecution. There’s so low risk. Um, so yeah, why would you not? If there’s virtually no risk, there’s virtually no upfront cost and the upside is potentially significant.

Uku Tomikas: Yeah, and,

Josh DeTar: good business model, unfortunately.

Uku Tomikas: fraud in this sort of space or this type of digital fraud, it’s cross border. You don’t need to be in the states to scam people in the states. You can be [00:28:00] anywhere in the world and take their money and you don’t need any physical touch points. You don’t need anything to sort of do it.

You know, realistically, although talking to the Estonian police as well on this topic, because we’re, you know, cooperating with them because they understand Where the bread comes sort of end up going towards like we see kind of where the text messages come from, but we only see it to a certain extent.

The ones that you know, end up in our filters, but we don’t know what’s in the background. And one of the things that sort of struck me that was really interesting was they said that 80 percent of total fraud is done by 10 percent of organized sort of crime syndicates. So realistically still a majority of it.

Yeah, a majority of it is still done by a minority of organizations because they then pooled those resources. They buy a bunch of the domains. They know exactly where to source. It’s, it’s a very, very organized event and that’s why. It makes [00:29:00] sense that they are also then utilizing AI, that they have the understanding of how to build these things, how to utilize these things, how to AB test and consistently stay a step ahead of, you know, multinational authorities, global companies, et cetera, et cetera.

Josh DeTar: Uh, I’m curious if you’ve heard this or can validate it one way or the other, but I heard a, a statement, uh, not long ago where they were talking about How a lot of the, um, you know, unfriendly nation state countries, one of the ways that they’ve built such successful, uh, hacking programs and being able to get into things like military intelligence or, you know, whatever the, the actual, um, you know, objective of the nation state is to do, um, one of the ways that they’ve gotten the best talent is they basically tell them, Hey, Monday through Friday, you work for the government. your job is to go, whatever, try and breach the CIA and get, you know, sensitive documents. Saturday and Sunday, all those tools that [00:30:00] you used on Monday through Friday, you can use those for personal use. Go out and try and make some money on the side. And that’s where you see some of this organized crime coming from is, you know, these groups now have all of this incredibly sophisticated technology and Um, you know, resources and, you know, budgets that are through the roof that they may not even have, um, in a private sector. And they’re being able to use that for private use. I don’t know if you’ve heard that or seen that.

Uku Tomikas: I’ve heard a little bit about that. And the, the scary part about it is that. When it comes to like a text messaging scam, in the shape or form that I talked about, you could do it at home on your, on your laptop and it’s not even hard. It’s not even difficult to do it, you know, setting up a website, copying some logos, putting in some information scrapers together, getting a bunch of numbers, sourcing that quite easy, [00:31:00] signing up to whichever SMS platform, making a credit card prepayment.

And then off to the races you go, not that hard, but when it comes to the sophistication of. Like I’ll draw an example. We saw in a pool of 3000 URLs, there were 700 specifically personalized and targeted URLs for that person. Like that level of sophistication does not come with you doing it on your laptop at home that comes with.

Distinct knowledge and understanding also, like they will, like in Estonia, for example, they timed it a type of scram. They timed specifically to the period of tax returns, and then they were specifically targeting tax return information, like, you know, check your tax return here, or here’s how much you still owe the nation, you know, click to pay this here, et cetera, et cetera.

So. They also [00:32:00] understand on a regional level what trigger points are in terms of like, if you take Estonia and our neighboring countries, Latvia and Lithuania, then all of us have those tax returns different times, but the scams were similarly. Built around the same trickle with with national specifications taken into consideration like national wording links and Then targeted at specific times that were better for triggering that in that country That is not something an amateur does that is something a professional does somebody who knows who has resources who has understanding and also understands Uh, people’s vulnerabilities on like a higher, like a national level.

So that does allude to the fact of perhaps there are enough nation states, enough high level organizations, you know, spy networks that are interested in sourcing information during the day and then having a bit of fun scamming people out of their money during [00:33:00] the night.

Josh DeTar: Well, I mean, that’s what’s terrifying and fascinating is how many levels there are to this too, right? Um, and even same last time I sold a car, you know, you put an ad on auto trader and put it out on Facebook marketplace and things like that. And I mean, it was amazing to see, um, you know, again, I. know if it’s just because of what I’m exposed to in the world I work in and things like that but I mean I basically go into it expecting everything to be a scam and I’m trying to like decipher if it’s a real person versus the other way around but I mean it was really interesting to see.

Um, I mean, there’s some of them that it’s like, I mean, it takes you 0. 2 seconds and you’re like, that’s a scammer. Um, but I mean, there were some where, I mean, I’d like to think I’m a pretty sharp guy and I got really far down the path before I was like, you know what, this something finally smells fishy.

Um, and you know, so there’s, there’s layers to this and. To your point, there’s multiple different ways of, you know, going about and attempting to [00:34:00] fraud people. And, and two, there’s just such a barrage of different, you know, pieces of digital information that we’re accessing and different sites that we’re going to and things that we’re both habitual about or just thinking fast on.

And there’s so many different scams that are coming at us and they’re changing so frequently. It is really hard to keep up. I mean, for somebody who is just going about their life and doesn’t maybe necessarily think the way you and I do or work in an industry that causes them to think differently about fraud and scams, it can be really hard to spot this stuff.

I mean, uh, I want to kind of dive into the two different types of triggers that you talked about and kind of what types of fraud we’re seeing in each of those and both the emotional and the habitual types. Um, Um, you know, I’ll start with the emotional one just because I’m going to be honest. Like if you’re listening to this podcast and you’re not where I’m at at this point, which is absolutely freaking terrified, like, I don’t know, maybe there’s something wrong with you or [00:35:00] you know, something, I don’t know, but this stuff is scary, man.

Um, I actually just did a quick search in my email while you were talking. Um, and it was, um, Uh, about a month ago, our CEO sent me an email about what we’re seeing in conversational GPT data set and learning models now being available without contractual and technical guardrails, um, and how these are being used for sophisticated phishing attacks.

And, um, and he was talking about worm GPT and just how good it is at being able to fake a real person. And like what you were talking about with being able to fake someone’s voice. And I mean, you look at some of the deep fake videos. I mean, they’re getting really hard to spot. I mean, somebody with some decent chops could probably very easily convince me with a video of, you know, President Biden saying.

I don’t know, make something crazy. Like we’re about to wage nuclear war on Russia and there’s a really good chance. I would probably be like, Holy crap. We’re about to [00:36:00] wage nuclear war on Russia. Like, Oh my gosh, I can’t believe this is happening. Like what? Oh my gosh. And it might take a while to figure out that it was total BS, right?

I mean it’s getting that good. And so especially if you’re moving quick or you’re, you know, um, just not paying attention. Like that stuff is scary. And then when you kind of couple that with being able to add the emotional element, like, I mean, you were tugging on my heartstrings just talking about, yeah, like you get a phone call of somebody with, uh, in distress, that’s a family member that would be really hard pressed to not respond to.

Right. So, I mean, I want to kind of start with that one cause that was just freaking terrifying for me and totally honest.

Uku Tomikas: Yeah, I mean, you know, I can… I can draw up an even scarier scenario, and especially since you brought up deepfake videos. So, so, if you can already mimic voice quite well, you can make a deepfake video of somebody as well. Let’s say that you get to a position where you’re able to not [00:37:00] only just make a deepfake video, but you can make a deepfake call.

A video call, where you can mimic somebody’s appearance and likeness to a close enough degree. You don’t need to be very close, because all you need is essentially enough of a likeness, so that if I play on the distress angle and turn the quality of the video down, or apply a filter that just makes it more pixelated, you’ll see my likeness.

Your brain will fill in that it’s your daughter if… Or son or brother or whoever, if the voice matches, the name matches and the rough appearance matches, your brain will just fill in the rest. And if you then do a side to side comparison between the actual photo and the person you were presented, you will say, Oh, that’s obviously a fake.

But during that moment, you won’t, your brain will fill in detail. So now let’s say that somebody manages to create a fake profile, uh, with [00:38:00] your. You know, family member’s name and then video calls you up and you answer that and it’s them And it’s them in distress and it’s their name, their sound, their likeness That’s used to scam you?

The chances of you not falling victim to that are Absolutely minuscule because now right now what’s the big sort of downside of a of a call scam is the fact that what The script won’t mimic is how the person talks to a T, right? It’ll still be another person talking with your loved one’s voice, but their mannerisms will be different because it’s a different person essentially emulating them.

So it won’t be perfect to a T. So the longer the conversation goes, the more you can understand. That’s why whenever you get a call in distress, try to keep it going longer to understand whether it’s not. And it will come not from your Close family members phone number because they [00:39:00] can’t quite often spoof that so it’ll come from a different number With that name so that you can already see a trigger point.

Okay, there’s a different number calling me I pick it up and it’s my child. Why is my child coming from a different number? What happened to your phone and then you can always recheck by just calling your loved one on your phone and understanding Ah, my loved one picks up Turns out it’s not you. So you can understand these things.

So there’s triggers to do, but if it’s a video call picture is so much more engaging yet still than, than just the voices, you know, you’ll go from a text to a voice. If we then go to a live video scan, that’s where we’re in very, very deep trouble. And if you realistically think about it, we’re probably not that far off from that being a reality and a real capability.

Josh DeTar: Yeah, no, I mean, that is what’s crazy is, is you get so far down the path of solving for what would normally be our checks and balances. [00:40:00] Like I love the ones, I get them all the time, you know, uh, I get the text message from my CEO, Siva saying, I need to go buy a bunch of Google gift cards for customers.

And he’s in a board meeting and he can’t take a call to validate wherever I’m like, well, that’s funny. Cause I’m actually literally on the phone with him right now. So I know this is BS, but. You know, that would be my, if I got that text from Siva and he was like, Hey, sorry, my phone died. I’m using somebody else’s to send this or something like that would, that would just be my check.

I’d be like, you know what? I’m going to use a different channel that I know Siva would respond on. And let me just check with him and see if this is actually legit. But if he meets me on a Google meet and I’m talking to him and he’s like, Hey Josh, I really need you to go and buy 200 worth of Google gift cards.

I’m like, really dude, that’s usually a scam. Like. You really want me to do that? He’s like, no, no, no. I know this is usually a scam, but like, it’s not this time. I really do need you to do this for some customers, you know, and I’m looking at him and talking to him and it looks like him and sounds like him like, yeah, what’s your [00:41:00] check and balance at that point?

Right. Like drive over to his house and knock on the door and be like, Hey dude, look me in the eyes. Are we, am I really buying these gift cards on Google? Right. that’s terrifying. But to your point, like, so I think where this gets really. Both interesting and terrifying is, is that right now there’s still a significant amount of effort that would have to go into doing that, right?

And that’s not your everyday scam. Um, but like what I was just saying with like Worm GPT, like the tools are becoming available where it’s making it easier and easier. So it does not have to be some, you know, large, sophisticated organization that’s well backed. Um, it can literally be somebody. basement on their laptop and with access to all of these, you know, large compute resources, they’re able to do some pretty terrifying stuff.

Uku Tomikas: Yeah, exactly. I mean, especially if you think about most scam is also targeted at more vulnerable people. [00:42:00] So the elderly, uh, you know, younger people that just don’t have that experience or don’t immediately think of those checks and balances, especially if you use the emotional angle. The better it gets, it just becomes so easy to, you know, call up grandma and, and swindle her out of her money.

And that’s why, why this, this topic is particularly scary, uh, to me as well. And that’s why I, you know, that’s why I kind of made it my passion project because seeing The evolving nature of it in front of my eyes and then being in a position where, you know, I could at least advise businesses to not make it easier for them.

Because like this is one of the things that even banks do is like, you know, there’s a marketing team that thinks about marketing conversion. They don’t think about anti fraud activity. So they will use, you know, I’ll use one template this time, another template that time. I’ll create a custom landing page.

I’ll have another URL here. That’s [00:43:00] something, a derivative of the main bank, Bank of America. Right. And they will use Bank of America. Holdings, or they’ll use Bank of America dot debit and then whatever. So they’ll use a bunch of like sub domains or, or derivatives of the main domain, but you, what you essentially create is a habituation for the people or sort of like a, a habit of seeing the URL be different as long as it has Bank of America in it, but if I go on.

Any domain purchasing website. I could probably buy Bank of America hyphen Holdings dot net or dot org or something like something that looks visually incredibly similar like even worse We did this for a logistics company here in Estonia where theirs was www. link dot[00:44:00]

Company name or their brand name dot E E, which is our local subdomain. And I could buy www dot link hyphen, their brand dot E E literally one character difference in the character is just the spacing difference of being in the middle or being at the bottom. I could buy that if you’re a scammer, perfect.

I already know what their sort of blueprint for text message looks like. All I need to do is just send the same one out. No one, and here’s the worst part about it as well, and this is how social media companies have kind of screwed us as well, is they’re used to buying, , they buy a lot of messages per month, like Meta sends millions of dollars worth of messages every single month.

So obviously they’re not going to pay top dollar for all of them, and they’re not going to put all of the branding and everything behind it, because if you just logged in, tried to log into Facebook, for example, and you get a 2FA code. If that [00:45:00] 2FA code reaches your phone in like two seconds or three seconds with autofill and you see it, you’re not going to look at what the sender is that it came from.

Did it come from sender name header Facebook or did it come from a plus four four number or a plus one number? You don’t really care because all you care about is the code. So unfortunately people also don’t look at the header when a text message comes in from a brand. Because they’re used to getting different types of headers and all they care about is the content and if the content is absolutely identical to just one Singular character, how hard is it to not fall victim to a scam?

Quite hard. It’ll look identical It’s what you’re used to and then if you couple that with not remembering what did I order lately? The likelihood of you stumbling on a scam is, is so, so, so simple. So, you know, that’s where this sort of education of companies comes [00:46:00] into play as well as is putting it into their minds, that it’s incredibly important to keep a homogenous brand presence that people associate with your brand all the time.

So if you’re a bank, your communication across all channels needs to be. The same sort of like visually what the brand name is what the links are that you use because then you Get people used to a standard, a very specific standard that communication from this company will always look like this. And whenever there is a transition away from that, it will trigger a response.

People going, wait, but this usually comes as that. Why isn’t this that? And that will create that checks and balances. But if they don’t know, or they’re not sure how that communication might come from, if it comes from a million different types of headers or sender IDs, if it comes in 20 different URLs and.

60 different templates. They [00:47:00] will never know which one is real and which one isn’t real. And then they’ll just make the fast decision instead of checking. So you, as you know, businesses, especially in the financial services industry, need to be super aware of how they built their customer communication to not give advantages to fraudsters just because they’ve been a little bit careless in setting up their customer communication and haven’t thought it through to a T.

Josh DeTar: That is such a great piece of advice and that is such a tangible, actionable thing for anybody listening to this podcast today can take away from this. Um, Yeah, that’s a great point, right? I mean, you think about, um, some of the most recognized brands in the world, right? If I put something from Apple in front of you, you know it’s Apple, right?

And if I put something that’s a little off from Apple, you’re gonna know. Because Apple is, you know, obscene about how brand, um, Um, you know, crazy they are like everything for them is on [00:48:00] brand. Everything goes through that same filter. They communicate in the same ways with the same tone. it looks, it feels, it smells like apple.

And so it’s probably pretty easy to depict when something’s not apple. But I think that’s such a great point. Like if you’re, um, if your institution is using all sorts of different ways to communicate with people, no centralization of it. Um, you know, if the marketing team. If somebody is sending you a message, it comes in this tone and this voice and this font.

And if it’s coming from the security team, it comes from this platform and it comes with this tone and this voice and this font, then yeah, we do kind of set the precedence with our end users that, um, you know, anything and everything could look like our brand. And so it can be pretty easy to spoof that brand and just say, Hey, this is ABC credit union reaching out to you.

And we need you to, you know, log into your digital banking, click this link and log in. And it takes you to a page that’s [00:49:00] poorly branded. And, uh, you know, you have just a username and password field that you’re supposedly logging into that looks like your normal one and you insert your credentials and they’ve just stolen your credentials, right?

Uku Tomikas: Mm hmm.

Josh DeTar: If your brand is really scattered, that’s easier to do. I mean, even if you’re Apple, right, it’s still doable, but I think your point is well taken. Like, don’t give the fraudsters the low hanging fruit.

Uku Tomikas: Yeah, I mean, like if you ever want to try this out for yourself, find any domain purchasing website, there’s a million out there. Just, you know, go to GoDaddy or just go buy a domain, just Google it. And. Take a brand that you know, and think of like random derivatives that you would put together with them, like, you know, ABC credit union slash holdings or hyphen holdings or dot holdings.

com. net. org, whatever. Play around with it. See how many sites you can find. And you’ll be surprised [00:50:00] how many you can find that will look very similar to what you’re used to. So you can find out for yourself that, you know, just like buying a website. That looks exactly the same and then using that to scam some people is super easy because also like even in countries where the communication to try to take down a website between like banks and ISPs is very, very.

Like there’s a, there’s a thing called MISP in Europe, which is like a malware information sharing platform that’s like centralized so that there’s like, you know, multiple hundreds of thousands of data points that get put into that particular, you know, information sharing platform every month and then ISPs are connected to that or every day, rather than every month and then ISPs are connected to that so that if there’s a fraudulent URL that goes up, then the ISP can take it down quite quickly.

Okay. But a text message gets there in seconds, and it only takes a few minutes to you for you to fall victim to that [00:51:00] piece of fraud. Because unfortunately, SMS also has a super high read rate. Like it has a 98 percent read or open rate within the first three minutes. You know, so it’s, going to be acted upon very, very quickly.

And with like super high CTRs as well, you’re, you’re talking about essentially a tool. That is designed for instant communication, coupled with usually a website like that, like a, like a scam website. It’s going to take between, at best, at absolute maximum, a few hours to usually like 24 to 48 hours to take that.

You can send millions of messages in that time and do millions of pieces of information stealing from one single website. And then you go and you actually try buying domains yourself. You can buy 10 and they’re like 10 euros a pop. They’re 10 dollars a pop. So, you know, you’ll spend 100 euros, buy 10 domains, [00:52:00] blast out one campaign, gets taken down, blast in the second, the third, the fourth, the fifth, the sixth, etc.

And you’re good to go. And that’s, the scary part about it as well. It’s like, the ease of access to these types of things is, is not just on the AI side, but it’s even on the side of how easy it is to buy, um, a domain and build prod around it. How easy it is to build a website with like information scraping.

How easy it is to just Build get brand logos off the internet and just blast them on your website and create that it’s so easy to do You know if we have centralized service like Shopify these days how easy it is to just make a web shop That looks exactly like your own web shop You can even get the same template and just add a few logos on there and it looks identical.

It’s so easy To scam people these days because the availability of information, the availability of potential tools to create more legitimate fraud is so high. And then when you couple that with businesses, [00:53:00] maybe not being that much aware of why this is important and why brand homogeneity is such an important thing in terms of like preventing fraud from the very sort of instance it actually starts.

That’s why it’s a growing problem. Um, and unfortunately, I don’t see it slowing down very much in the near future, either.

Josh DeTar: yeah, you know, we, uh, literally just last week had a customer who, um, kind of shared, uh, some of their findings with us. It ultimately ended up not being digital banking related, but, um, you know, just understanding what kinds of attacks they were getting. Um, someone had done just that, right? Had sent out text messages with links to people to go to the credit union’s website.

And this is a large, sophisticated institution, solid brand and Uku. I mean the website, they sent us the website and everything. It was really good. I mean really good. I would not have caught it. Um, but what was fascinating was Their whole [00:54:00] scam was actually pretty good. It was pretty elaborate. It was pretty well thought through.

Grammar was on point. Like it was a very difficult to, um, you know, distinguish one. But what was amazing was the URL was garbage. It was like X, Y percentage sign 37 ABC. Do you know hashtag cu name at dot slash org ? I mean, it was a garbage jumble, and I was like, as soon as you looked at that, it was like, boop, that that done deal like that.

That sealed it. That one’s fraud. but again, if you’re not necessarily trained to do that, or if they had just. Um, and if you just bought a better looking URL that was closer, it was really convincing. So it is, I mean, they’re getting really, really good with this stuff. And that kinda leads us to, so we talked a little bit about just kind of the, some of the fears of how the emotional trigger type fraud attacks, um, You know, they’re going to be a little bit [00:55:00] more sophisticated.

They’re going to take more time to pull off. I think with that, the other thing that is interesting is, you know, even for myself personally, I’m like, ah, you know, I’m not that rich. Like somebody’s not going to go through all this work to go after me, but they might, and so I think sometimes, especially with those types of sophisticated attacks, a lot of us think we’re, we’re not going to be the ones that are going to get it, but that’s probably right about the time that you’ll actually get it. Um, but that one’s terrifying in its own right. But to your point, the one that you’re seeing more of and a higher success rate is just the simple stuff. And it’s the simple stuff that just gets you on a habit. So what are some of the examples that you’re seeing? I know you kind of just even talked through one, but what are some of the examples of what you’re seeing of how fraudsters are putting together, um, you know, ways to just catch people in the middle of a habit that gets them to just process something without thinking.

Uku Tomikas: So they’re quite often either like repeat habit related. So it’ll be anything related to, um, anything related to logistics is super, super [00:56:00] common because there’s so many touch points these days between different parcels and packages and everything else. So logistics is super common, but also. Uh, just spoofing banking, uh, websites, bank websites.

So even if I look at like we have a dedicated channel where we share with the police, like common examples, um, and very simple will be, you know, update your account, um, update your app, update your login credentials for this. Um, your visa card was used to do an unauthorized. transaction, uh, you can sort of cancel or authorize this transaction at website.

And that’s exactly where they used, uh, bank name, hyphen, internet, hyphen support. com. I mean, it looks very legitimate, uh, and then you will have, so those are sort of like the more habitual stuff and then you’ll also have like trigger based stuff, uh, that are like seasonal campaigns, so you’ll have anything related [00:57:00] to like tax returns, or you’ll have things related to, um, like major national events, uh, maybe they’ll use a blood drive, Uh, as a way to sort of get people to go there.

So they’ll use pretty much anything that could be a fairly legitimate trigger that might make you not think for a second, or that the timing is, is actually very legitimate. And then the most sort of insidious new form of scam that we just discussed, uh, with one of the biggest logistics companies in Estonia, um, is that they’re now seeing a correlation between your purchase.

In a web store and then getting targeted with a scam. So the hypothesis is that if you think about there are a lot, a lot of web subs these days, you know, you’ll go to WordPress, you’ll just build it up there. You’ll use Spotify, sort of Shopify to, to get the payments going, et cetera, et cetera, whatever.

But quite often, if you run a small web shop, it’s not [00:58:00] going to have like top line security. Quite often your plugins might not be up to date because they cost and you don’t want to really deal with the upkeep. You haven’t updated your code in a while. Some of it’s running on legacy. the webshop’s been up for like five years.

You don’t care as much. What you have is security loopholes. So what essentially we’re, you know, we’re not certain of this, but it feels quite close to what it probably will be is that there’s a probability that someone has found some form of access to that website and is simply taking data related to your purchase.

So let’s say you purchase something from a web shop and when they see that transaction go through, they’ll send you a text message an hour after that. With that scan saying that, Hey, I’m from this web shop. You need to finish this form, or I’m from the package delivery company. You need to do this. So they’ll send it like 24 hours after that trigger.

And then they will use essentially, and then [00:59:00] you are expecting it. Then you know that it’s coming and then they’ll spoof the parcel delivery company. That you used or another parcel company or the same web shop. So then they also have a custom trigger related to your actual activity. So that when that fraud is actually delivered to you, it’s that much more actionable.

So this isn’t verified, but right now seeing a few points of color, sort of correlations, seeing this happen with multiple different brands. There’s a pretty big probability that something like this is also being utilized. To make scam even more effective.

Josh DeTar: That’s crazy. Yeah. I mean, you think about how many things we order online these days, like you were saying, I mean, sometimes you do. I literally had you last night. I had a package show up and I looked, I was like, I didn’t order anything from these guys. Like, what is this? It took me opening the box to realize what it was.

Uku Tomikas: Yep.

Josh DeTar: So, you know, you start to get all these different orders going with all these different companies. Again, all these different types of messages and notifications, like one company [01:00:00] may call me, one company may text me, one company may email me, one company may tell me to log into my account for updates. And so, you know, we’re so used to just being in so many different places of getting and receiving communication.

And, and you’re right, like it is such a habit that, yeah, I mean, um, if somebody were to text me and say, um, Hey, your shipment has been canceled because of, you know, this order that you just placed with this company has been canceled because your address wasn’t up to date. We need you to log in and provide information and update your address so we can ship it to you.

I would absolutely click on that. Like, let’s be honest, I’m going to probably fall for that one, right? you’re just in the mode, you’re in the go, you’re like, yeah, I probably ordered something from them or I did actually order something from them. Um, and, and you do, you just, you were such in the habit of, Oh, I got to quick respond to that and just solve that.

And Oh, yep, yep. Maybe I just fat fingered my shipping address. I can resolve that really quick. And, um, To your point, like it really doesn’t take much to get us when, when it’s something [01:01:00] that is so commonplace that it doesn’t seem out of the ordinary to go through that workflow.

Uku Tomikas: Yeah. I mean, like if you know the trigger and if you know the trigger is that you just made a purchase, it’s so easy to then go, you know, you just entered your address incorrectly, or there’s something wrong with your address or there’s something wrong with your, with your payment details. You go, Oh, did I put the CCV in wrong?

Did I put in the wrong postcode? I knew that I, I think I pressed the zero one too many times, whatever, right? Like you’ll assume that, yeah, there probably wasn’t a hurry, made a mistake. It’s fine. And then you’ll log in and then the website you’re logging into will then look identical, of course, to the website you went to, and then you’ll enter your details and go, Oh, that’s done.

And then look at your bank account in, you know, in the evening and go, why am I specifically missing 2, 000? Was, how did that happen? You’re not getting that back.

Josh DeTar: Yeah. Um, [01:02:00] well, okay, that opens up a whole nother door. Um, I want to come back to, at the same time as we’re seeing more fraud, we’re also seeing, um, advancements in money movement methods.

Uku Tomikas: Yeah.

Josh DeTar: Which those two things combined can create some problems. But I wanted to just go back to, yeah, thinking about this from a financial institution’s perspective, right?

Like if these fraudsters are able to get sophisticated enough to be able to know that I just made, a purchase at home depot. com, right. And they may not even need to know what I purchased or what it was. But if I got a text message that looked like it came from my credit union and it said, Hey, we noticed you recently made a purchase on your debit card at Home Depot and you were overcharged, you know, please log in to dispute this.

Um, I’d probably log in and be like, Oh heck yeah. Home Depot doesn’t get any more of my money than they already get. Like. I would go dispute that, right? Like, so it’s really easy to be compelling if [01:03:00] you have just a little bit of information that’s timely and relevant and, and that lands and you know, the one recommendation that maybe I can add and, you can, provide your commentary on is, you know, when I get those types of things from my credit union, legitimate or, uh, or not legitimate, like asking me to go log in or verify something, Um, I just leave the email, leave the text message, leave whatever it is, open the app or go to my saved link in my browser that I know is my institution and then log in from there, right?

So there are also some low hanging fruit ways that we can do some education. Uh, but you know, like anything else, you can lead a horse to water. You can’t make it drink. we can tell our account holders to do these things all day long until we’re blue in the face. But unfortunately, like you said earlier, sometimes the brain just takes the path of least resistance.

And we’re like, Oh, I’m not going to go there. I’m just going to click the link and just follow through. I’ll be done.

Uku Tomikas: Yeah. And the interesting thing to follow up on that exact example. I just did a live webcast [01:04:00] today with a loan. Institution or a loan service providing institution and one of the things they said, you know, if you want to get your loan repayment conversion as high as possible, make sure you make loan repayments as frictionless as possible.

So add a link into the text body so that when they click on it, they will get to a website that’s already prefilled and they just have to log into their bank and make the payment. So. You’re simultaneously actually walking people down that garden path of trusting that path and that modus operandi while simultaneously scammers are sort of moseying right on right in.

Sort of behind them going like, yep, I’m going to follow that same track that you just laid down so beautifully. Follow me. So it’s like, that’s the irony of it as well, is that every single time you build a new version of, of better interaction with your customers, you’re potentially also opening up yourself to, to more scam.

And I absolutely agree with, with you on there as well. If you get [01:05:00] a link, if you get something from your, your credit institution saying that you should do this, this, or that. Absolutely go to the actual website that you know, that you always log in to go to your app that you log into, because if it is legitimate, it will always be there as well.

It will never just be in that link. It will always be there as well. And then you’ve just made two extra steps to verify. And that’s not that much. Usually, especially if like, if it’s, if it’s on your app, you can just, you know, pick up your phone, open it, check the app. It’ll probably be even quicker.

So in that sense, yeah, absolutely do that. The trust, but verify, uh, is super important these days. And it’s only going to be even more, more important as we go forward.

Josh DeTar: oh man, I’m going to get the sentiment wrong, but I think too, there’s also even just a shift of. Away from trust, but verify even to just like, don’t trust anything. And I didn’t prove it’s prove it’s real after the fact, but like just automatically assume everything is fraud and everybody’s [01:06:00] out for your money.

I don’t know. Like if we want turn ourselves into the tinfoil hat wearing like culture, but man, you kind of almost have to these days is what it feels like. I it’s just the amount of fraud and scams that you get. Um, and, it is, uh, it is just getting more and more prevalent and, you know, like I kind of said the very beginning, it’s like these guys only have to get it right once we’re trying to get this right every single time to protect people and I love humans, but man, we can be really dumb creatures sometimes, right?

And, and we humans are super susceptible to this kind of stuff. You know, you were talking about one of the, um. Uh, you know, just even using emotional triggers through the pandemic and how we saw increase in fraud. You know, we had one of our institutions who saw a ton of fraud from, um, you know, account holders that were, um, like, Hey, pandemic just sent me home.

I’m working from home. We’ve always wanted to get a puppy, but [01:07:00] I can’t get a puppy while I go into the office every day. Cause you know, how do I potty train it and all these things? I’m home now. Let’s get a puppy. So all of a sudden they started seeing, um, you know, puppy purchases go through the roof and so the scam was just a picture of a dog online.

This is a, you know, purebred, uh, you know, hypoallergenic, uh, labradoodle and it’s 4, 000. And people are buying it and there ain’t no puppy coming, right? It’s just a simple scam, but, you use kind of a trigger of a moment and an emotional response. You make it a super simple process. So what I want to pick your brain on now, you know, we talked a little bit about kind of the, the two common types of ways of triggering people to, you know, follow through the call to action of being a habitual or an emotional type of attack.

But. Talk to me a little bit about, so what is the downstream? So what are we seeing in terms of, okay, you, you got me to bite. I fell for your scam. What is the [01:08:00] like workflow look like and what are the, some of the things that we can do to identify that this now that I’m at least in the workflow, maybe I don’t finally process the end result.

Like maybe I don’t catch it as early as I should, but I catch it at least before I do the bad thing. Um, and then what are some of the things that we can do to think about, you know, kind of protecting those workflows, um, and keeping people from making those mistakes?

Uku Tomikas: yeah, I guess one of the things that I always recommend doing is that try Keep like an open line of notifications And this is contrary to my own personal belief because I’m a very much no notifications type of a person but keep on notifications related to whenever a purchase is made From your account, because quite often what is done is, is once that information, once you actually hand out that information, be it credentials, be it your credit card details, then the first purchase is [01:09:00] not a large one.

The first purchase is, will be a test purchase specifically to understand was that information provided legitimate because then a small purchase won’t ring any bells and it won’t fall under the radar. You know, you know, they will be able to understand whether or not. There are any limits on the accounts.

For example, another good example, they’ll do a small purchase like a 3, 5 one. So if you have notifications on, you will see a purchase and you can see I don’t make that purchase and then you can react because then you can already, you know, close an account, close a card, do something, immediately contact.

So you can limit the damage to that first sort of test scam that they were doing or test instance of conversion. But then if you don’t catch it, they’ll crank it up quite fast because then they will see, okay, it happened. It’s legitimate. The money arrived. Good. Now we’re going to start pushing the envelope and seeing how much we can actually [01:10:00] do.

And normally what, what, why they sort of go down the path of, cost increases and doing more smaller purchases than doing, you know, one large one is that they never know what your limits are. How much money you actually have on that account. Maybe you have 300 euros or 300 and then they’ll end up doing a 400 scam and it’ll be declined because you don’t, don’t have sufficient funds.

So it’s better to start from slower amounts and then work your safe way up and then try to suck as much out through that process from that account, doing multiple touch points rather than one. So when you have notifications on and to understand when a purchase is made, you can also. Get a better understanding and see, maybe catch those things a little bit sooner.

Um, and then, you know, one of the more common things you can do to protect yourself is, is also when you’re making online purchases, for example, have. Specific cards that have smaller amounts of money on them. Like if you have [01:11:00] like, you can always get a virtual card in most places. You can get like a virtual debit card or virtual credit card.

Have it with, you know, you’re going to make at max a 200 euro purchase or 200 purchase. Make it a 200 limited card. Don’t make it your main debit card that you’re gonna be paying with, or your main credit card that you’re going to be making purchases online with. Make it the card that has smaller limits, only up to the point where you have to pay for it, so that if you do give out that information, the damage is limited to that small amount that you were gonna make on those purchases anyways, instead of your main account, or your, like, your credit card that maybe has like a 5, 000, 10, 000 limit, and it gets pretty much spoofed quite quickly.

And taken out of, out of circulation. So it’s this question of if you fall victim to it and you maybe think to yourself, well, that didn’t look quite right, but you already gave that information, try to start checking those instances of where something has [01:12:00] been done and try to catch if something actually happened, or if it was just a, , poorly branded.

Landing page that also sometimes happen. So just being aware, being conscious, looking at your history, having access to your history is one of the things that can help you in terms of like downstream as well, uh, from the moment you’ve given information and second key piece of information, only share information.

Online about yourself that you think is absolutely essential, like the more you share, especially about your habits, about what your understanding of something specifically is, or, or where you maybe even where you lean and politically or where you shop or what stores you go to, or what restaurants you go to, or what every single brand you like, you don’t have to like follow and Publicize that you wear, own, follow, et cetera, because every [01:13:00] piece of information that you share is a piece of information that’s out there forever.

So if you want to use that information against you, or somebody wants to use that information against you, the more you give, you know, the more breech handy you are. So a lot of it is like, pre work, like think through. What you can do to limit damage if you get scammed, which kind of reverts back to what you said before is that we’re getting to that tin foil hat everybody’s trying to screw me type of a place where you’re pre building walls around you and sort of like, if I’m going to make a purchase, I’m going to make it out of a tiny window and have like 10 feet of concrete in my bunker around me just to make sure that nobody shoots me type of a thing.

so I kind of my take.

Josh DeTar: well, and that’s too, that’s where we get back to the just, we humans are simple creatures, right? And like the vast majority of people, vast majority of people are not going to add one. Layer of additional friction to their day, let alone the 10 they [01:14:00] probably need to protect that. Like you can make the recommendation all day long for people to have multiple cards with different limits for different things.

How many people in your neighborhood you think are actually going to go through that? I’m a bet zero in mine, you know? And it’s like, again, you’re, you’re kind of giving people the tools. Um, But I think, you know, one of the things that’s always fascinated me about how people view, especially their relationship with fraud and their financial institution, seems to be different than everything else, right?

Like, um, Um, you know, if, if I come and, um, you know, steal your dog, like that’s a, that’s a big gut hit. Like that’s not coming back. That’s a big part of my family. Like that’s not even something insurance is going to cover for. But if I steal your credit card info, I ring up thousand dollars of fraudulent charges.

All I had to do was tell my credit card company that wasn’t me. That’s over and done with. I’m not up a thousand bucks.[01:15:00]

Uku Tomikas: Mm

Josh DeTar: So there’s really low accountability with people in protecting themselves because there’s no risk to them really, right? They don’t sometimes realize the downstream effect of maybe what was also stolen alongside that was your identity and that gets used and You know, if somebody’s identity gets stolen, that’s very different.

But I’m talking about just stealing some money from a, you know, federally insured financial institution. The account holder is really kind of out nothing. You’re out the frustration of having to get a new credit card and a new credit card number.

But other than that, like, you’re not on the hook for the money.

So, why should I introduce an extra step of friction in my life? Um, to save you the money that you’d be out if somebody stole from me, right? Like that’s a weird relationship. Um, and you know, I definitely don’t think the answer is necessarily putting the onus completely back on. Well, if you got your credit card stolen and you lost a thousand dollars, like you’re out the thousand dollars.

But, um, you know, how do we go on back [01:16:00] to our, you know, how do we attach behaviors to people that puts them in a better position to mitigate the fraud? And then, you know, how does the financial institution also put things in place, um, to make it so that, you know, it’s, it’s, it’s easier to protect our consumers from themselves.

Um, you know, I think one of the big ones that we see a large fear around and for good reason is account takeover fraud, right? Because like what we were talking about earlier, you, you. For whatever, you know, you social engineer somebody, you get in to their account and then what’s the first thing they start doing?

They start changing over the different places that you get notifications, right? Oh, no. No, I don’t want my text messages going to the phone number ending in 3705 I want them going to the 7177 And all of a sudden now those triggers that I set up to alert me when you know a purchase is made I don’t even get So financial institutions thinking through, okay, well, how do we make it so a legitimate user, if they really do need to change their phone number [01:17:00] can, but how do we keep a fraudster from changing it?

And how do we notify the originally? So there’s a lot of things to unpack and being able to secure account takeover fraud. Um. Because if you kind of follow that workflow of initially, I just gained some information about you, um, and to your point, like social media is not doing us any favors in that arena.

It’s so easy to learn so much about people. I mean, how many of those stinking Facebook quizzes do you see that are like, we’ll tell you your spirit animal if you give us these things. And what they’re asking is all the information they need to breach your account or, um, you know, or literally all they have to do is try and log in and get posed with the security question of, you know, what’s the name of your favorite dog.

And all they have to do is go look at your public Facebook profile, find, you know, the most recent picture of you and your dog. And you’re like me and Sparky at the park. Boom. And I’m in the account, right? So now they, you know, they have all these different tools and that technology is only getting better and more [01:18:00] accessible. The information is also becoming more and more accessible. People are getting hit with a larger barrage of things and it’s harder to decipher what’s real and what’s not and not just act on the first thing that you see. So all of this is, you know, culminating to they’re starting to get access to your secure accounts and information.

And then they’re starting to be able to do things with that. And that was where I was going with. You know, now, at the same time as we’re seeing some, significant increases in fraud and the sophistication and the success of those attacks, coupled with, we’re also trying to make it easier to move larger sums of money instantly in the U.

S., that’s a perfect scenario for fraudsters, right? If they’re like, great, I don’t have to deal with limits anymore. I’m just gonna go gain access to this person’s account, drain the whole thing with an instant money movement method, and I’m gonna [01:19:00] have the funds available immediately, and you’ve got zero recourse.

Yeah, again, for the end user, that may not necessarily be a problem, but if you’re the financial institution, those losses can start to add up real quick.

Uku Tomikas: Yeah. And, and in many cases, uh, you know, it’s, it’s how systems differ as well. In, in us, for example, for in, in Europe, we tend to not use credit cards and mostly use. debit cards. So we’ll be using for any purchases made online. Most of the time we’ll use the accounts associated with either our savings or associated with our day to day banking account where our entire wage actually comes to.

So in those cases, when you get scammed from a debit account. You’re getting scammed off an account that isn’t insured quite often. So you’re talking about losing your actual money, using actual savings, not running essentially credit that you didn’t own and that was [01:20:00] insured. So that also puts quite often the people, for example, in Estonia under different kinds of risks, mainly because when they get scammed out of something.

They’re getting scammed out of not credit, but their own actual savings, and then those often aren’t secured. So there’s some ways, some money you can get back, and sometimes there are ways to do this, but quite often, you know, we have the police coming to us with court orders for information because somebody got, you know, scammed out of like 4, 000, 6, Um, And it’s, a criminal investigation has been started because of it and then, you know, it reaches all the way to us.

And that person lost all of that money. So it’s, it’s also this sort of difference in systems as well. And then when you also combine all of the, you know, delivery of all of these things we’ve been [01:21:00] talking about this before, and then you couple that together with. There being no repercussions for you entering your credit card details and nothing will happen.

You know, ah, you know, lost the money, got it back. Then that just opens you up to all of the other scam even more. Because now nothing happened if I entered my details here and nothing happened with that. But, if you don’t get damage from scam, actual damage, then you are even more likely to fall victim to it.

Up to the point where you actually start getting damaged by that scan, you start finding whole new pathways of utilizing that. Because if I know that you don’t really care if that purchase goes through, okay. What other pieces of information can I push out of you? What other instances to, can I utilize?

What else can I do? Can I get you to create, you know, okay. A loan application. Can I get you to okay. A mortgage application. Can I get you to okay. A [01:22:00] much larger sum. Of credit than I could get from your credit card and do something else with that. Is there anything else? Like if we’re talking about instantaneous large payments becoming much more available How soon will large credit deals also become available via much easier methods?

And then when you’re already used to just handing out information willy nilly thinking that nothing will happen And that gets translated into a large credit deal Be it a mortgage be it a large loan something like that gets taken up on your name That’s not probably going to be similarly insured, or the banks are not going to be willing to take a hundred K in just because you can’t be bothered to check a link or where you actually entered your credentials.

Then you’re gonna start seeing another tick up in terms of where that responsibility will start shifting again. So it’s going to be a game of when you also become aware or sort of used to getting scanned. [01:23:00] And not having repercussions, you start putting yourselves and everybody around you in very different, very difficult and very dangerous positions of having any type of scam trigger and be even more effective.

Josh DeTar: Can I, uh, can I get your prediction? Is the sky falling? Are we doomed? Like, what’s, what’s our recourse here? What do you think is kind of the path forward for, um, balancing, um, just all the growth in technology, automation, efficiency, and that being then used against us. In terms of fraud, like what are some of your predictions for, uh, how do we stay ahead of the fraudsters?

what’s our end game here?

Uku Tomikas: think it’ll get worse before it gets better. You know, it’s kind of as it is with everything. Um, you know, for the longest time we drove with. We’ve leaded gasoline in our cars, that was kind of killing us, and then [01:24:00] we got to unlead it and things got better. And now we realize that, you know, maybe we’re also destroying the climate.

So now we’re trying to find ways to fight that. Fraud will get worse, it’ll become very, very painful, and then we’ll get to a position where it becomes so painful that… We will find a solution to overcome it. So I’m always very positively minded about even the worst of things. And even though I, I sound like a doomsday machine myself, sort of taking down the ways, how the sky will be falling in the future.

I don’t think it will, it usually never does unless it’s like an extinction level event. That’s happened a few times in the history of mankind. And then we actually will bite the bullet, but

Josh DeTar: We probably so much about somebody stealing a few bucks out of our account.

Uku Tomikas: Exactly. Right. we’ll have

Josh DeTar: giant asteroid coming. We, you know, probably,

Uku Tomikas: Yeah, probably worse.

Josh DeTar: probably worse.

Uku Tomikas: yeah, this, you know, I probably couldn’t forget the credit card.

I’ll cut it in half myself. But, , I think it’s it. [01:25:00] Ultimately, I think the sort of the solution will quite well be in technology as well. They will be a concerted effort to try to curb these things. There will new ways of doing this. And at one point in time, if it gets too bad, then usually what will happen is legislation will step into one or another way.

They will make our lives more difficult for the sake of ourselves. And then we’ll scream about it, and then we’ll trample our feet, and then we’ll protest and do everything else. And then get used to it in two to three years and be in a better place. Like how it usually happens with most of this stuff.

It’s like, I don’t want to do it, and this is infringing, and this is this, and this is that, and then you get used to it, and then you’re sort of like three years later thinking, why did I even bother? At least I’m not losing all of my money all the time. So, you know, I’m, I’m, I’m always rather positively minded about these things, and there’s always people trying to fight it.

There will always be people trying to do fraud. There have been since, you know, I guess the birth of man. One, you know, Neanderthal was trying to [01:26:00] cheat the other Neanderthal out of their… You know, coconut by throwing a rock the other way and say, Hey, look, it’s still running away. So there’s, there’s always going to be one or another way of somebody trying to scam another person and another person pointing that out and fighting against it.

So yeah, I think that it’ll get better. But one of the most important things that businesses can do that people can do is just learn to pay attention. Just. Take a second. Like  if any, if you learn anything from this entire podcast, just take a second, look at the text, look at the URL. Does that look legitimate to you?

If it does look legitimate to you, if it’s so good that it’s legitimate, you would have probably fallen victim to it anyway. But if you just take a second to just look at it a little bit, there’s a pretty big likelihood that you will realize that it isn’t real, that it’s a fake, and you won’t fall victim to it.

Josh DeTar: I think that’s a big [01:27:00] takeaway for me from this is, um, you just mentioned, I agree, I think, you know, technology is going to have to be more of the answer to this, um, because unfortunately we can’t put our faith and trust in other humans, uh, to always take the time, but it’s, it is an important to take, uh, you know, a two pronged approach that we need to be looking for technology solutions and there.

Always going to have to be evolving. They’re always going to have to be changing. You’re never going to have the one security solution that prevents all fraud. It’s just not going to happen. It’s too evolving. So we’re going to need to look for technology to solve the problem and continually iterate on that.

But it is also an awareness piece, right? It is also getting consumers educated on how to at least spot the simple stuff. How to at least keep from making the really simple mistakes. And yeah, to your point, some of the stuff is getting so good, it will get you and it will get me. And it’ll get, you know, those of us who are trying to pay [01:28:00] attention.

Um, but man, at least don’t fall for the simple stuff. You know, there’s some simple education that can be done around that. So like a combined approach of, you know, trying to do education. Trying to remove low hanging fruit like you talked about in terms of just don’t make it easy for fraudsters to spoof who you are to your account holders, like make sure your brand is on point, make sure your messaging is succinct, make sure it’s unified, make sure it’s structured, make sure, you know, you build good habits of your account holders, understanding how you will communicate to them, what you will and will not ask them to do.

Thank you. Um, and then, you know, continually look at, evaluate and add technology solutions to help kind of stay ahead of the game. I think that seems like about as much as you can do these days, right?

Uku Tomikas: Yeah,

Josh DeTar: Well, Uku, I have really, uh, absolutely enjoyed this time chatting with you. You’re just a blast to talk to, man. Thank you so much for coming. Before I let you go, though, um, I have two final [01:29:00] questions for you. So one, where do you go to stay up to date on what’s happening? Um, and maybe actually even a, a special, uh, addition to that question for you in specific.

Like, where do you go to stay up to date on what are some of the kind of common, um, scams that are out there that we should be paying attention to? Uh, like you, you mentioned the help mom, uh, or whatever scam, like how are you staying up to date on those types of scams? Um, where are you going for information?

Uku Tomikas: So one of the places where I go to for most of my information is we’re a part of, like a larger cross telco organization, which is called the Mobile Ecosystem Forum. And they have a specific fraud working group where that meets up monthly and where all of those things are discussed. And then they will have, , summary reports, they will have presentations, there’s.

Yearly fraud report as well. And looking at the different dynamics and how it’s going in the samples. And then there are other businesses sharing those. So anything related to that is where I get a [01:30:00] lot of my information, just going to events, talking to the same people, talking to, you know, what other professionals are seeing, and then the other place where I get most of my business related Intel from rumors to opinions, to then.

Factual information to then links to more factual information usually tends to be LinkedIn, super active on LinkedIn, and then it’s all about who you follow there, who you, whose information do you look at, who seems like a credible source within any specific type of an industry as well, because then you also have to take it with a grain of salt, et cetera, but then I try to follow a ton of people on social media.

And it’s quite often, it’s not like. Okay. You know, if you take Credit Union ABC, it’s not gonna be their CEO who’s gonna be posting the most interesting content. It’s going to be… Like the regional product head or the head of the anti fraud division or the head of payments division or somebody like that will probably be posting [01:31:00] like stuff they find interesting things that they think are professionally engaging, doing some opinion piece and stuff like that.

So if you’re interested in like a specific industry, like banking, for example, look at major banking institutions. People on LinkedIn who are very active and follow them, and then you’ll get a ton of great information from there. And then you can also cross reference competitors against each other, see what version one is doing, what the other one is doing.

So not just a press release type of info, but the more sloppier LinkedIn post type of information where people might be actually sharing their own real information and their own real viewpoints and things as well.

Josh DeTar: Awesome. And then, uh, if people want to connect with you or if they want to learn more about, uh, Masenta and what you guys are doing, how do they connect with you and how do they learn more about your company?

Uku Tomikas: Easiest place to find information about our company, messanta. com, so M E [01:32:00] S S E N T dot com. And if you want to specifically talk to me, LinkedIn. First name, last name, LinkedIn, I’m very, very active. And I also share a lot of video content every single week, specifically on these types of topics, sharing our Intel, our experiences, mainly talking, not about, trying to promo our products, but more trying to talk specifically about like educational stuff and what to be look out for the same thing, you know.

What type of domain names you should be looking at and how you should approach how you do homogenous brand communication across all platforms. So stuff like that. Try to make it more practical and educational.

Josh DeTar: Yeah, I was going to say, and then, um, everybody listening to this podcast needs to go to, um, miscenta financial. com. Um, you’ll just be prompted to enter your banking username and credentials. I own the site. It’s no big deal. Just legit. I promise. Um,

Uku Tomikas: Don’t worry about it. You’ll

get a text about it.

Josh DeTar: Yeah.[01:33:00] Um, yeah, no, this has been fascinating, man.

Cause it is, it’s just, it’s both, it’s both terrifying in what can be accomplished and what some of the technology is able to do. And yeah, like I’m glad that we did this in the morning time for me. I’m sorry it’s the nighttime for you because I don’t know if I want to go to bed thinking about how much people could fake me out with deep fake videos and FaceTiming me as a loved one and I’m glad I’m going to have a few hours before I go to bed before I have to try and get that out of my brain.

but it is also fascinating to see. You know, how we’re looking at technology to be able to, you know, equip people to, um, you know, be protected against this kind of stuff. So it’s a fascinating topic and I really appreciate your perspective. Thanks for being a guest on the Digital Banking Podcast.

Uku Tomikas: No, thanks for having me and thanks for sort of engaging at the topic as well and asking a bunch of questions. It’s, you know, I’m obviously passionate about it. So, you know, I want to share more. So, you know, thanks just for giving me an opportunity to be heard.

Josh DeTar: Absolutely. Of course. Thanks, Uku.

Uku Tomikas: Thanks, man.

[01:34:00]