Can true crime stories about the internet keep individuals safe from cybercrime?

If you were to visit the office of Joe Carrigan, a senior security engineer at Johns Hopkins University’s Information Security Institute (ISI), you’d notice a television screen displaying a looping slideshow. Among the featured content in the loop is a 2022 article from The New York Times, which recognizes his podcast for delving into discussions about the “dark side of the internet.”

That podcast is Hacking Humans, cohosted by Dave Bittner, who is also a producer for the pod by way of CyberWire, a B2B cybersecurity audio network. Hacking Humans focuses on the human side of cybersecurity problems.

“The idea of the Hacking Humans podcast is that it’s not a very technical podcast,” Carrigan said. We don’t talk about vulnerabilities, you know — we mention them tangentially, we mention them as necessary.”

According to Carrigan, a University of Maryland Global Campus computer science program alum, many people believe hackers are only interested in high-profile targets like nation-state actors or penetration testers. But anyone can become a target if they don’t protect themselves.

The Columbia, Maryland resident cited a country-by-county pay gap as a possible influence for those who might be employed by “scam centers” in countries like India and Nigeria — both known contributors to cyber crime, he said.

“If you look at the two countries, the average American makes around 73 times what the people in Nigeria and India make per year,” Carrigan told Technical.ly. “… If these guys [scammers] can scam somebody out of 25 bucks every day, seven days or six or seven days a week, in a year, they make three to four times what the average income is in their country, and they’re doing well.”

The podcast aims to bridge the gap between more technical cybersecurity discussions and the general public.

On a recent episode of the podcast (Season 6, Episode 262), for instance, Bittner — who is also an alumnus of the University of Maryland system — sounds surprised as Carrigan presents findings from a survey about people’s understanding of cybersecurity, including the jargon commonly used in the field. The survey was conducted by ISI and commissioned by the Maryland Cybersecurity Council, with support from the National Cryptologic Foundation.

With Technical.ly, Carrigan noted that he did not share the same surprise. Consider the term “social engineering.”

“In cybersecurity, if I say social engineering, somebody understands that’s just people trying to get you to do something you shouldn’t be doing. They’re calling you up. They’re scaring you. They’re enticing you with some kind of greed thing or whatever. They’re going to get a person to do something they shouldn’t do — essentially, social engineering,” he said. “The problem with that term is, if I say that term to the average person who’s not living and breathing cybersecurity every day, they have no idea what that means.”

Amazon Mechanical Turk served as the data collection tool for the survey, garnering 549 valid responses. (Carrigan told Technical.ly he had some reservations about the initial survey sample, citing the necessity for further surveying.) The pilot also survey revealed two respondents who reported financial losses amounting to $100,000 each due to online victimization.

These findings emphasize the need for improved cybersecurity education and heightened vigilance for the general public. For some pointers on keeping digital valuables safe, Technical.ly turned to Carrigan for guidance. His suggestions have been edited for brevity and clarity:

• Implement multi-factor authentication (MFA) — According to Carrigan, using MFA for essential accounts is a step in how individuals might secure their online presence. He suggests hardware tokens that adhere to the FIDO Alliance standards, such as YubiKey or Google Titan.
• Stay informed — He advises people to regularly consume cybersecurity content, such as podcasts like Hacking Humans — which he admits is a “selfish suggestion,” but urges that whichever podcast an individual might listen to, they stay up to date on the latest threats and scams. Awareness could be a first line of defense.
• No inbound calls — The pod cohost said to be cautious when receiving inbound phone calls, especially if the caller requests sensitive information or payment. Never hesitate to hang up and verify the caller’s legitimacy independently. Avoid clicking on links in unsolicited emails or messages, and always aim to verify the authenticity of the source.

Follow these tips, and you’re more likely to stay on the light side of the internet.