Remote-control rickshaws and rogue book marketers • Graham Cluley

Smashing Security podcast #476: Remote-control rickshaws and rogue book marketers

GRAHAM CLULEY

I didn’t know that e-rickshaws existed.

GEOFF WHITE

Surely that’s an Eric Shaw. But it only gives rides to people called Eric. That’s a tiny market, particularly in India.

GRAHAM CLULEY

I suppose. I suppose.

GEOFF WHITE

I took an Eric Shaw here. I took a Geoff Shaw, but that’s fine.

Unknown

Yeah, yeah. Smashing Security, episode 476. Remote Control, Rik Shores, and Rogue Book Marketers with Graham Cluley and special guest Geoff White.

Hello, hello, and welcome to Smashing Security episode 476. My name’s Graham Cluley.

GEOFF WHITE

And I’m Geoff White.

GRAHAM CLULEY

Geoff, welcome back to the show. Always a pleasure having you here.

Now, you’ve been a busy chap, haven’t you, in the last week or two with your latest — well, do you consider yourself a content creator or does that gag slightly at the back of your throat?

GEOFF WHITE

Gags more than slightly. It is, it’s technically true in that I create something and it is content. But it’s like describing yourself as a mouth-breathing food tube.

It just sounds a bit clinical, you know, a real person.

But yes, I’ve been creating content, specifically a new series of what was the Lazarus Heist podcast and has now been renamed Cyber Hack.

We’re on season 4 of Cyber Hack now, actually. So just published, which is all about a gang that will be very familiar to you, Graham, the Conti ransomware gang.

It’s always irked me that there was this amazing leak of internal chats from Conti.

All the things they typed to each other for two years basically spilled all over the internet, for reasons that we go into in the podcast.

And I’d always sort of wondered — I’d seen people like Brian Krebs had done articles and people had sort of done things with it, but nobody seemed to kind of really do something exciting with it and get to grips with it.

So I thought, well, this is great. The podcast has got an opportunity to go back to those leaks and really mine them.

And I instantly realised why no one had done anything with it really impressive — it’s because it’s horrible. It’s all in Russian. It’s hacker slang Russian.

Instead of having the chats though, they chatted to each other, it’s just all in one continuous order. It is honestly eye-bleedingly difficult to go through.

I went through 47,000 of the messages before I gave up. I was like, I’ve done enough. I’ve done my job. But what you get is amazing.

You get the actual people talking themselves as they were doing the crime, bitching, slagging each other off, talking about their wives, their girlfriends. It’s amazing stuff.

It is genuinely amazing.

GRAHAM CLULEY

Fantastic. So that’s all in the latest episodes of Cyber Hack right now, which you can access via BBC Sounds, I imagine.

GEOFF WHITE

Yeah, and Apple Podcasts and Spotify and other places like that. It’s everywhere.

GRAHAM CLULEY

Fabulous stuff. Well, before we kick off, let’s thank this week’s wonderful sponsors, Arctic Wolf, NordLayer, and Vanta.

We’ll be hearing about them some more later on in the podcast.

This week on Smashing Security, we won’t be talking about how a ransomware negotiator has been jailed after working with hackers to extort clients.

You’ll hear no discussion of how users of LastPass and Bitwarden have been targeted with fake security alerts.

And we won’t even mention how a German textile firm has filed for insolvency, blaming a ransomware attack which shut down production.

So Geoff, what are you going to be talking about this week?

GEOFF WHITE

I’m going to be talking about something quite personal, something quite close to home. Attempts — I should say failed attempts — to try and scam me.

And what I’ve been doing back to the scammers.

GRAHAM CLULEY

And I’m going to be taking a journey to India and jumping on board an e-rickshaw. Find out what can happen there.

All this and much more coming up in this episode of Smashing Security.

JOE

This week’s episode is supported by NordLayer.

GRAHAM CLULEY

NordLayer. And before anyone says anything, no, it’s not NordVPN.

JOE

I wasn’t going to say that.

GRAHAM CLULEY

You were absolutely going to say that, Joe. They are both from Nord Security, but NordLayer is a completely different product. NordVPN is for individuals.

NordLayer is a network security platform built for businesses. Right.

JOE

So what does NordLayer actually do?

GRAHAM CLULEY

Well, think about how your team works today. People logging in from home, from hotel Wi-Fi, from coffee shops, from wherever.

JOE

From a sun lounger, hopefully.

GRAHAM CLULEY

You’d be lucky. And the moment someone logs into a company network over an unsecured connection, you’ve got a problem. Credentials intercepted, phishing attacks, unauthorised access.

It’s a scary world out there for travelling workers.

JOE

So NordLayer fixes that.

GRAHAM CLULEY

It gives you encrypted connectivity for your whole team from anywhere, up to 1 gigabyte per second with zero additional hardware required.

But it goes well beyond just encrypting the connection.

You get centralised control over who can access what based on their identity, their device, whether their device is actually compliant.

And if someone leaves the company, you revoke their access immediately.

JOE

No more ex-employees still wandering around your systems 6 months later.

GRAHAM CLULEY

No more of that. And it will block malicious sites, risky downloads, dangerous domains, and it can even detect shadow apps.

So if someone on your team has started using some AI tool that your security team hasn’t approved—

GRAHAM CLULEY

Yeah, well, whatever. NordLayer can spot that too. And there’s no complex infrastructure to set up. Apparently you can be up and running in just about 10 minutes.

GRAHAM CLULEY

10 minutes. Plans start from just $8 per user per month. And right now there is a summer sale. New customers get up to 20% off annual plans until the end of August 2026.

Use the code NLsummer26 at checkout.

JOE

Whoa, all I have to do is type in that code at nordlayer.com/smashing and I can get a great deal? Let me write that down.

GRAHAM CLULEY

Yep, go ahead, write it down.

JOE

What’s the code again? I forgot.

GRAHAM CLULEY

Oh, Joe. NLsummer26.

JOE

Got it. Off to nordlayer.com/smashingigo.

GRAHAM CLULEY

And thanks to NordLayer for supporting the show. Now, chums, quick question for you. Have you ever played a prank with a smartphone or somebody else’s smartphone, Geoff?

GEOFF WHITE

I have.

When somebody’s been stupid enough to leave their phone unlocked on the desk next to me, I’ve usually taken a couple of suspect selfies or something, or sent a stupid message to somebody.

Just to remind them that you should lock your phone when it’s not attended. That level.

GRAHAM CLULEY

I used to work with a guy in an office once who, if anybody left their computer unlocked, he would go on and do embarrassing things with it and change their wallpaper and stuff.

And I thought, well, it kind of makes the point, but at the same time, it’s a bit of a dickish move. I don’t—

GEOFF WHITE

You’re the office dick at that point. And I was entirely happy with that.

GRAHAM CLULEY

Okay, well, fair enough. I’m sure lots of people have done this, maybe just with their friends.

I mean, you could take someone else’s phone, you could change their autocorrect settings. So every time they type “regards”, it changes it to “love and kisses” or something.

One I heard about is you can take a screenshot of someone’s home screen on their phone and set it as their wallpaper.

So their wallpaper is all their icons, and then you move all their apps into a folder on their own. And of course they’re clicking on things, thinking, why doesn’t this work?

Why, what’s wrong with my phone? Is my screen not working?

GEOFF WHITE

I love that. I really love that. That is next level nasty.

GRAHAM CLULEY

All kinds of mischief you can do. And obviously from my lofty heights, the ivory tower of my podcast pleasure palace, I don’t advocate any of this.

I tut away and shake my head disapprovingly. It’s all very juvenile. You shouldn’t fiddle with someone else’s phone.

But what if people were to use their own phone to pull a prank on someone else? That is something which has been happening lately in India.

In fact, a few thousand people in India found out in recent weeks that something rather bad has been going on.

And it’s been rather worse than changing someone’s phone so it rings an alarm at 3 o’clock in the morning and wakes them up.

You know, it’s worse than that kind of dirty trick you can do. What they’re doing is they’re standing on a busy street, right? Imagine the scene.

You’re in North India, you’re standing on a busy street. Saw the traffic going past. And—

GEOFF WHITE

When you say busy, you should — I have been to Delhi and Mumbai. When you say busy, there’s busy, and then there’s Indian city levels of busy.

That is a really, really busy street potentially.

GRAHAM CLULEY

Wouldn’t you have loved the powers? A bit like Moses, Geoff. Wouldn’t you have loved to be able to part the seas of traffic so that you could walk safely across?

GEOFF WHITE

Yes, yes, I really would.

GRAHAM CLULEY

Bring all that traffic to a halt, you know, maybe at the press of a button.

Well, something a little bit like that has been going on because there have been people who found that all they need to do is open up an app and then with a single tap, they can stop a stranger’s vehicle dead in its tracks as it goes past them.

And they don’t need any special privileges. They don’t need any special permissions. They don’t need to know any passwords or anything like that. You just tap.

And the particular type of vehicle that they have been stopping dead in its tracks is an e-rickshaw. I didn’t know that e-rickshaws existed.

GEOFF WHITE

Surely that’s an Eric Shaw. It only gives rides to people called Eric. It’s a tiny market, particularly in India.

GRAHAM CLULEY

I suppose. I suppose.

GEOFF WHITE

I took an Eric Shaw here. I took a Geoff Shaw, but that’s fine. Yeah, yeah. Got a Graham Shaw. That’s fine.

GRAHAM CLULEY

Well, so this thing, a rickshaw, Geoff, a rickshaw. A rickshaw, obviously.

GEOFF WHITE

Electronic rickshaw.

GRAHAM CLULEY

It’s like an e-tuk-tuk, right? So I’ve been on a tuk-tuk. I don’t know what the difference is between a tuk-tuk and a rickshaw. Maybe it’s just different countries. I don’t know.

It’s the same kind of thing. But this is one which is powered by a battery rather than by a little petrol motor. And it’s a three-wheeled little vehicle.

And these are really popular in South Asia. They’re lightweight. They’re not very expensive. They’re powered by battery.

And for millions of people across North India, including Delhi and the like, they are part of people’s daily commute.

And for the drivers of these vehicles, that is their livelihood.

If their rickshaw isn’t running and they don’t earn a wage, that means they’re not earning any cash, not able to buy any food.

It’s pretty serious if someone can stop it dead in its tracks without you expecting it while you’re driving along.

Potentially also a safety hazard as well, because if you are going a fair clip on one of these things and it screeches to a halt, because of course, you know, think of what electric motors are like.

It’s not like, you know, you’re— it’s dead. It’s not moving any longer. So this is a prank which has emerged.

Teenagers standing near moving e-rickshaws open an app on their smartphone. They remotely cut off the vehicle’s power. Suddenly stops.

And may not surprise you to know that a lot of people think this is not something to be universally applauded.

Some people are even saying this is the worst thing to have happened since hoodie-wearing, happy-slapping teenagers started downloading ringtones.

This seems to be the new habit which has emerged, and it’s made all possible, Geoff, by an app called BatBMS.

GEOFF WHITE

Ah, I was wondering how they were doing this. Okay, right.

GRAHAM CLULEY

Yeah. So have you heard of BatBMS?

GEOFF WHITE

I have not. Not an app I’ve got on my phone?

GRAHAM CLULEY

No, not to be confused with BatPMS. That’s an entirely different issue.

GEOFF WHITE

The bat’s menstruating.

GRAHAM CLULEY

But BatBMS, that stands for Battery Alarm Telematics Battery Management System.

GRAHAM CLULEY

And this is a battery management app developed by a Chinese company. Wasn’t even designed for e-rickshaws.

It was actually built for solar panels and marine batteries, off-grid power systems. So if you, for instance, Geoff, I can imagine you going on very glamorous holidays.

GRAHAM CLULEY

So I can imagine you may be hiring— keep imagining, because it doesn’t happen, but I can imagine you going up and down the waterways of England, for instance, in a canal boat, a narrowboat.

GEOFF WHITE

Oh yeah, yeah.

GRAHAM CLULEY

Yes. And you may have a little battery there. That’s the kind of thing you might have for your power.

And you may have this app because what this app allows you to do is to control its management system via Bluetooth.

GRAHAM CLULEY

So it’ll tell you its charge level.

GRAHAM CLULEY

Its voltage, its temperature. And if you wanted, for instance, to do a little bit of maintenance, there is a thing for completely shutting off the power in the battery.

GEOFF WHITE

Ah, there’s the one. There we are. I was like, I wonder where we’re going. Okay. Now this is making a bit more sense.

GRAHAM CLULEY

That’s exactly it. And so these lithium battery packs, it turns out, are being widely used inside e-rickshaws in India, which are popularly referred to in India as thiris.

So they’re running on compatible hardware, same kind of thing which you’ll be finding in other places.

And so a perfectly respectable app, which you can use for checking your solar battery storage, can end up being a weapon in the hands of a pedestrian or the person behind you who wants to — gosh, you know, wants to cause your little e-rickshaw to come crashing to a halt in the streets of Delhi.

GEOFF WHITE

Makes perfect sense, because you think, well, I’m going to get my e-rickshaw, or erickshaw, as I’m going to call them from now on.

And you think, well, yeah, I’ll need to monitor the battery, and there’s probably a little light on the battery somewhere, but it’s much easier.

And you can imagine how the person who sold you the battery would say, well, don’t worry, there’s an app, you can just monitor the batteries on your phone.

And you think, that’s great, it’s like a dashboard readout of how my battery’s doing. I’ll install it.

But what they don’t tell you is, oh, there’s a function there that can kill the battery.

But how are the strangers connecting to someone else’s rickshaws’ Bluetooth to get to the battery. Is Bluetooth just connectable by anybody?

GRAHAM CLULEY

Yes. It turns out it is. It turns out there’s no password. It turns out—

GRAHAM CLULEY

Just being within 10 to 15 metres, which is a couple of car lengths maybe, is enough.

And then you can just simply scan for nearby batteries and say, which one do you want to connect to?

GEOFF WHITE

That’s brilliant, because it’s like war driving, only it’s war not driving. Yes, I couldn’t resist. The joke was there, I had to have it.

GRAHAM CLULEY

Yeah, so it will show you a list of nearby batteries, which are probably going to be e-rickshaws, if that’s where you are in that part of the world. You pick one and boom!

Well, hopefully not boom, but you’ve got full access to the control panel and you can instantly disable it.

And the firm that made this battery system, they obviously assumed that whoever was standing near the battery was the person who owned it.

And they thought, well, why would we put a password on it?

GRAHAM CLULEY

Not such a great idea. And people are finding this hilarious. Presumably not the people who own the rickshaws.

GEOFF WHITE

I was gonna say, yeah, some people find it hilarious, yeah.

GRAHAM CLULEY

Teenagers largely, I suspect. And there are lots of videos.

I’ve done a bit of searching on YouTube and Instagram and the like and the TikToks, and lots of people are posting up videos now of this going on.

And some of them are painting it as, I can get revenge now on these rickshaw drivers, ’cause I get fed up, you know, you get fed up with the other rickshaw drivers or how they’re driving or whatever.

And so you can stop them in their tracks. And some people are even reportedly paying strangers so that the drivers get stranded, right? They just think, well, what’s going on?

I don’t understand why my rickshaw keeps conking out.

GEOFF WHITE

I’ve got Eric in the back and he’s angry. He’s not happy anywhere.

GRAHAM CLULEY

I’ve got Eric, Derek, maybe Bo Derek. But some people are asking nearby people, you know, or someone will come up to them and say, oh, maybe I can help you.

And they’re charging 200-odd rupees or whatever for the fix. But of course, it’s them who’ve actually done the darn thing.

GRAHAM CLULEY

Very cheeky.

There’s a video of one guy, he looks like an elderly chap, he’s driving around his little rickshaw, and you see him pushing it by hand for about 3 kilometres in the heat of Delhi.

GRAHAM CLULEY

Because he couldn’t work out what happened. He couldn’t sort it out. And so people are making these videos.

I guess just for the clicks because people are sharing them and watching them and being outraged by them. All because of an app. An app, Geoff.

GRAHAM CLULEY

Which they downloaded from the official App Store or the Google Play Store. So it’s available to everybody.

GRAHAM CLULEY

So I wonder, you know, legally, where do you think they stand on this?

GEOFF WHITE

Well, I mean, that’s a good question.

The thought that goes to my mind is, if this was the UK, for example, you’ve got a vehicle on the street, vehicles on the street are under the Highway Code, they’re often licensed and regulated.

If there’s a component in the vehicles that’s that vulnerable, I think that would fall under some kind of UK legislation.

We have UK legislation about default passwords, I’m pretty sure that got passed recently. But immediately I’m thinking India. I mean, for a start, Indian states work differently.

It’s a federal, you know, thing. And secondly, from my visits to India, the writ of the government and its legislation enforcement does not run very far.

So the idea of regulating all the rickshaw drivers, I don’t know legally where you’d — and to be honest, I don’t think anyone’s got any legal comeback on anybody for this.

It just seems like one of those grey areas.

GRAHAM CLULEY

Some of the journalists who’ve been reporting this spoke to local computer security experts and they said, well, look, technically an e-rickshaw is a computer system.

There is some sort of computing device in there which is managing the battery, and anyone accessing it without the permission and knowledge of the owner of that device is committing an offence.

GRAHAM CLULEY

Now, good luck.

GRAHAM CLULEY

Identifying who it was and bringing them to justice and getting the police to understand what has happened.

GEOFF WHITE

It’s the guy standing nearby laughing hysterically with his phone in his hand. That’s the one who got your Bluetooth battery compromised. Yeah.

GRAHAM CLULEY

So apparently it can mean up to 3 years imprisonment. Apparently it can mean ₹500,000 fine, which is about £4,500. But whether that’s likely or not, I’m not so sure.

So technically it is a crime, so we have to do our tut-tutting. Yes.

GEOFF WHITE

Or tock-tocking.

GRAHAM CLULEY

Anyway, the government has actually stepped in because the government has now told Google and Apple to remove BatBMS from their app stores alongside a couple of similar apps which were able to do the same thing.

And the Chinese makers of this battery system have apparently pushed down an update which patches the app, and now requires a password to be entered to access the battery.

Now the problem is, the firmware on the rickshaws, on their batteries — how’s that going to get updated?

And are people going to know to update it so that it requires the password? So it’s all very well updating the app.

GRAHAM CLULEY

So it demands a password.

GRAHAM CLULEY

But you’ve got to do both sides of it, haven’t you?

GEOFF WHITE

Oh, I see. Because the battery communicates with the app, so there must be some Bluetooth transmitter or some connection.

GEOFF WHITE

Yeah, it’s got to be a Bluetooth transmitter from the battery, and within the battery there’s an operating system or something that’ll need updating.

GRAHAM CLULEY

That’s right.

GEOFF WHITE

To require the password on that side as well as the phone side. Now I see.

GRAHAM CLULEY

And what’s the likelihood of people knowing about this problem, or knowing how to fix it, of it being easy to fix? I suspect it’s pretty remote.

GEOFF WHITE

But can’t the phone, through the app — can’t the app require the firmware on the battery to be updated? So when you log into the app, it says, we now require a password.

And by the way, in order to communicate with your battery, plug in the battery and upload the — can you do something like that? I don’t know.

GRAHAM CLULEY

Oh, I see. I suppose that it would be possible as well. Although, of course, the companies may be nervous about, you know, people struggling to do that and work out how to do it.

And, you know, is this going to cause us more support queries? I don’t know if it’s going to happen or not. The good news is not all e-rickshaws are affected.

If anyone out there has even called Eric — yes, if we have an Eric Shaw listening.

GEOFF WHITE

Eric Shaw. Wait, I’m searching my LinkedIn now.

JOE

Graham, am I right in thinking that Arctic Wolf are sponsoring the show this week?

GRAHAM CLULEY

You are right, Joe.

They’ve just published a new report, 2026 State of the Cybersecurity Attack Surface, and they analysed over 800,000 real IT assets to find out how exposed organisations actually are.

JOE

And I’m guessing everything is hunky-dory.

GRAHAM CLULEY

No, not so much. The reality is they found 1 in 3 IT assets is missing at least one critical security control.

JOE

1 in 3? That’s terrible.

GRAHAM CLULEY

Isn’t it just? 10% of assets have no endpoint security at all. 17% are completely invisible to the tools that are supposed to be monitoring them.

JOE

So the tools don’t even know those assets exist.

GRAHAM CLULEY

Right. Ghost assets wandering around your network, unprotected, unmonitored.

JOE

Like a retired geography teacher who’s somehow still on the school network.

Nobody added him, nobody removed him, and he’s been quietly in there for 11 years downloading maps of Paraguay.

GRAHAM CLULEY

Yeah, I guess so, Joe. The point is your attackers will find him before you do, because they are specifically looking for the forgotten, the unpatched, the invisible.

That’s the path of least resistance.

JOE

So what does the report tell us to actually do about it?

GRAHAM CLULEY

Arctic Wolf’s report covers how to prioritise the exposures that actually matter, cut through all that noise and verify that when you fix something, it actually stays fixed.

And the report is free to download.

JOE

Free. I like that. Where do I get it? smashingsecurity.com/arcticwolf. That’s smashingsecurity.com/arcticwolf. And thanks to Arctic Wolf for supporting the show.

And please keep an eye on your IT assets and retired geography teachers.

GRAHAM CLULEY

Geoff, what have you got for us this week?

GEOFF WHITE

Well, a really intriguing thing has been happening to me recently, which I just want to share.

As you know, Graham, I am an internationally renowned author with a string of immensely successful books to my name. Which means, of course, I am swimming in money.

GRAHAM CLULEY

Yes, like all authors. Authors are very rich.

GEOFF WHITE

Yeah. Mainly my problem is where I’m going to park all of these Lamborghinis, you know, just running out of space for my Gucci suits.

GRAHAM CLULEY

The thing with writing a book is it’s very easy and quick to write a book, and you just earn a mountain of cash.

GEOFF WHITE

That’s been my experience. It’s just, I can’t believe more people don’t do this.

No, obviously this is all — look, I’ve written 3 books and they’ve done pretty well by all standards.

But if you buy a copy of my paperback book for like 7 or 8 quid on Amazon, I think I maybe get about 50p, 70p, something like that.

So, you know, you really would not make a lot of money, which is why it’s been intriguing over the last few months to start receiving message upon message upon message from book marketing experts as they declare themselves.

And they’re really interesting because they all kind of run to a pattern. Emails are clearly AI-generated because there’s loads of it.

I think one of the giveaways now with AI-generated messages is nobody writes that much, you know?

And it starts out with, “Geoff White, your books deal with the intersection of organised crime and technology.

You have covered fraud and money laundering and stuff.” And I’m like, yeah, I know, because I wrote them. I wrote that blurb.

And they say, “But Geoff, you’re missing out on a huge audience of people.

And we book marketing experts can, you know, link you in with this as well.” So I did go back to one of these people at one stage and sort of said, well, what does this sort of involve?

The reply to my messages again was so painfully AI-generated.

GEOFF WHITE

It’s like, “Thanks for getting back to me, Geoff. I love that question.

It’s one of my favourite questions to answer.” And basically it was a kind of stage one, pay us $500, we’ll do a book competition marketplace analysis.

GEOFF WHITE

And I was like, you’ll put my book into ChatGPT and ask for a market analysis and send it to me. That’s what you’ll do.

GRAHAM CLULEY

It’s a bit like going to the Amazon site and seeing other books a bit like this — “you might also like,” isn’t it?

GEOFF WHITE

Yeah, it’s completely shoddy. And then it goes up and there’s, you know, the next stage is a marketing campaign targeting people for thousands.

They’re basically trying to escalate you up. Now, reading around this, I wouldn’t say this is necessarily a scam per se.

Some of it is just shoddy, you know, you’re getting just bad service, crap service, and you’re paying through the nose for it.

Which already makes me think, why have they identified authors for this? We don’t have a lot of money, you know.

But interestingly, when I asked what titles this person had worked with, they gave me a whole bunch of Kickstarter titles, you know, authors who’ve gone on Kickstarter.

And I think on Kickstarter, some authors maybe do have the idea that if you pay for marketing, you’ll somehow sell loads of books and be the next Dan Brown or whatever, you know.

Anyway, I started seeing these coming through and I found them quite intriguing. And then one of them got in touch with me and said, “My name is Robert.

I run the London Wine and Dine Book Club.”

GRAHAM CLULEY

Right. Lovely.

GEOFF WHITE

And similar sort of thing, you know, you’re missing out on an audience. I’ve got a big audience. I can link you in with this. So I started corresponding with Robert.

Meanwhile, I found the real London Wine and Dine Book Club, which is a real book club and does exist and is run by a man called Robert.

GEOFF WHITE

Who I got in touch with and said, “Have we been messaging?” And he said, “No, no, no, this is a scam.

I have nothing to do with this whatsoever.” So I went back to Fake Robert and said, you know, how does this book club opportunity sort of work?

And Fake Robert said, well, what I do is I organise a Zoom meeting with all of my thousands of members and you appear on the Zoom meeting and you can talk about your book and then I will buy your book.

And I said, “Oh, right. Will you be at this Zoom meeting? Are you asking the questions?” And Fake Robert said yes.

GEOFF WHITE

I said, “Can I invite other people along to this Zoom meeting?” And fake Robert said, “Yeah, yes you can.” So the obvious next step is have the Zoom meeting pop up, but invite the real Robert and all of his members along and see if we can get some interaction going.

Now, frustratingly, what I wanted to do was obviously not pay them before this happened.

GEOFF WHITE

Because this is what’s called an advance fee scam, which is as old as the hills. The very, very classic Nigerian prince emails are an advance fee scam.

You know, “I’m a Nigerian prince, I’ve got a million pounds. I need to get out the country.

If you can pay me $1,000, I will get the money out and I’ll pay you.” I mean, these are literally hundreds of years old, these scams. So this is an advance fee scam.

They want money up front and then they’re gonna give me the Zoom session later on.

What I wanted to do was try and egg them along and see if I could nail them to do the Zoom session before paying them money.

GEOFF WHITE

So what I did was I said, “Oh, how am I gonna pay you this $300 for this Zoom session?” So they gave me a bank account and I went back and said, “Oh, sorry, that account, can’t make that work for some reason.

Have you got another way that I can pay you?” And so they came back and I kept delaying it, delaying it till the Zoom meeting got closer and closer.

Frustratingly, I said, “Look, let’s just do the Zoom session. I’ll pay you afterwards.” Right.

And they said, “No, there’s a whole bunch of preparation we have to do for this Zoom meeting.” So they’d sussed out they shouldn’t do the Zoom meeting before they got the money.

However, there is a sort of postscript to this, which is quite intriguing. They have so far given me no less than 5 different bank accounts and payment methods, right, to pay them.

All of which, of course, I have prima facie evidence, are being used to launder the money from a fraud. Clear evidence they’re not the London Wine and Dime Box Club.

And therefore, my next step, obviously, is to go and report each of these accounts to the relevant banks and get them shut down in connection with money laundering.

I then intend to contact fake Robert and say, “Did you Google me before you got in touch with me to find out the stuff that I do?” ‘Cause I’m pretty sure Robert is going to shit his pants — fuck off.

Sorry, you’ll have to bleep that out, but I just hate people like this.

This poor guy, Robert — he set up this book club and now his good name and his — I’ve met Robert, we met face to face in London.

I met the book club members and their name is now being used by some slummy scammer to defraud book authors.

I hate all of this and the more pain I can cause this person, the better. So for listeners, please watch out for my post on LinkedIn.

If you’re connected to one of the banks or know someone at one of the banks that I post, ’cause I’ll be posting the names of them.

Let me know who’s in the fraud department or the AML department so I can get these accounts shut down so we can at least cause this guy some pain.

GRAHAM CLULEY

Well, we’ll include a link to that LinkedIn post in our show notes so that listeners can — oh God, there’s another one.

GEOFF WHITE

I’ve got another one here in front of me. It’s another person who got in touch.

And again, I’ve done the same thing, but this time I said to them at the beginning, “Have you Googled me? Do you know who I am and what I do?

And are you confident you want to give me your payment details?” They came straight back with a bank account and I’ve gone back and said, “I need another one,” and I will keep rinsing them for bank account after bank account.

I know I can’t stop the problem. I know it’s a Sisyphean task, but damn it, if just to cause them a bit of pain and make their day worse, I just can’t resist.

JOE

This week’s episode is supported by Vanta.

GRAHAM CLULEY

Joe, what’s your 2 AM security worry?

JOE

Honestly, whether I remembered to hit the record button. No, no, no.

GRAHAM CLULEY

What’s your proper security worry? Like, do I have the right controls in place? Are my vendors secure?

JOE

Nope. I’m still worried we might not actually be recording. Okay.

GRAHAM CLULEY

Look, how about the really scary one? How on earth do I dig myself out from under all of these ancient tools and manual processes?

JOE

Okay. Fair enough. That does sound scary.

GRAHAM CLULEY

Well, enter Vanta. Vanta automates the manual misery, so you can stop sweating over spreadsheets, chasing audit evidence, and filling in endless questionnaires.

JOE

That’s right. Their trust management platform continuously monitors your systems, centralises your data, and uses AI to flag risks and keep you audit ready all the time.

GRAHAM CLULEY

So whether you’re chasing SOC 2, ISO 27001, GDPR, HIPAA, Vanta helps you move faster, scale confidently, and actually get back to sleep. So get started at vanta.com/smashing.

That’s V-A-N-T-A.com/smashing. And listeners, you can get $1,000 off.

JOE

And thanks to Vanta for supporting the show.

GRAHAM CLULEY

Joe, you did hit record, didn’t you? Me? Yeah, it was your job.

JOE

I thought it was you.

GRAHAM CLULEY

And welcome back. And you join us for our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week.

Pick of the Week is the part of the show where everyone chooses something they like.

It could be a funny story, a book that they’ve read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn’t have to be security-related necessarily. Well, my Pick of the Week this week is not security-related.

My Pick of the Week this week is a little gadget which I have in my office. You know, I’m kind of against all this IoT stuff, Geoff, you know.

GEOFF WHITE

Given what we’ve talked about with the rickshaws, I think you’re right.

GRAHAM CLULEY

Exactly. It’s not that I now have a rickshaw on my driveway, but what I do have now is I have a smart plug.

GRAHAM CLULEY

Now I know this is — most of the geeks listening to this are saying, Graham, welcome to the 2010s. Congratulations and get yourself a smart plug.

Well, yes, I am a bit of a late adopter, but I found it rather useful. So I have a nice-ish DSLR camera, right?

Which I use as my webcam, which is back there somewhere, behind this screen. That’s fabulous, but it’s all the way back there.

And to try and turn it on and off, I’ve got to find the little on/off button.

And when I try and hit it on the camera, I inevitably change the zoom or I fiddle around with it or I knock it so it’s no longer pointing in the right direction, which meant that I was just leaving my camera on all the time and it was plugged into the mains or whatever, but it was just always on.

And then I thought, well, I don’t want my camera on all the time. That’s not a very good idea for a security professional, is it? Precisely.

And so I thought, oh, what I’ll do is I’ll have a smart plug which I can programmatically turn on and off.

And so I did a little bit of vibe coding with the old AI, and I wrote myself a little tool which can turn that plug on and off again.

I’ve got a little thing in my menu bar and it’s flashing a red camera icon in my menu bar at the moment, which says, your camera is on, Graham. And I can just flick it off again.

So with the smart plug, I can control this device and I’ve found it quite handy. So I’ve actually found a use for it. Whereas normally I think, who needs a smart plug?

But actually, yeah, it’s something that’s been useful to me. And so that is my pick of the week. It is from Tapo. Others are available.

I’m sure it didn’t cost very much money, but it was actually really the coding — it was doing all the work with the bits of string and the pipe cleaner.

That was the fascinating bit, actually getting the code to work properly.

With a lot of help from AI to do the coding for me, to programmatically get it to work efficiently and effectively and reliably as well.

GEOFF WHITE

Good for you. Kind of annoying though, Graham, ’cause the live feed I was getting from your camera, I was getting big numbers.

I was on OnlyFans with it, I had a couple of other platforms, and now the well has run dry.

GRAHAM CLULEY

Sorry about that. If you become a Patreon supporter, you can get access to all of that content. Not really. Geoff, what’s your pick of the week?

GEOFF WHITE

I had a couple of lovely days off last week, and I spent them with my wonderful niece who’s 9 years old.

And oh, it’s just brilliant when you have time off, because I got up in the morning, had a crumpet and a cup of tea, and I sat on the sofa with my little niece watching satisfying videos on YouTube.

Have you come across these, the satisfying videos?

GRAHAM CLULEY

No, what’s a satisfying video?

GEOFF WHITE

If you just search satisfying videos, there’s loads of different things. So for example, you might have heard of videos where people pressure wash their patio.

GEOFF WHITE

And you get to watch them. And it’s just really satisfying, you know, people cleaning their cars — there’s just all these satisfying videos.

It goes over into sort of slime and gunk videos because some of it’s about people digging their hands into slime or making slime.

There’s a whole rug cleaning YouTube culture where people get rugs that are dirty and then clean them with things.

And then there’s this whole other meta layer where there are people who have entire YouTube careers commenting on other people’s YouTube videos of cleaning rugs.

We are just through the rabbit hole, but I gotta say, it’s a hell of a way to spend 3 hours in the morning. It’s really, really great.

GRAHAM CLULEY

I can’t believe this. Just a couple of weeks ago, I pressure washed my patio, which was a very satisfying experience. I could have put that up on my OnlyFans account.

I can’t believe that I didn’t do that.

GEOFF WHITE

You’ve got a DSLR. You just sellotape the DSLR camera, Graham, to your head and then point it downwards as you— and you’re quids in, you’re monetised, baby.

GRAHAM CLULEY

You’re an influencer. So your pick of the week are these satisfying videos on YouTube.

GEOFF WHITE

Satisfying videos.

GRAHAM CLULEY

And hanging out with Anice and having a couple of days off.

GEOFF WHITE

Lovely family moments.

GRAHAM CLULEY

Good wholesome stuff. Well, that just about wraps up the show for this week. Thank you so much, Geoff, for joining us.

I’m sure lots of our listeners would love to follow you and find out what you’re up to — what is the best way for them to do that?

GEOFF WHITE

Best way is probably LinkedIn. Just search Geoff White. It’s Geoff with a G, G-E-O-F-F, and White like the colour, and I am there.

GRAHAM CLULEY

And you can find me, Graham Cluley, on LinkedIn as well. And you can also follow Smashing Security on Bluesky and Reddit and all sorts of places.

And don’t forget to ensure that you never miss another episode.

Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts — for episode show notes, sponsorship info, and the back catalog of 476 episodes, check out smashingsecurity.com.

Until next time, cheerio. Bye-bye. Bye. You’ve been listening to Smashing Security with me, Graham Cluley. Huge thanks, of course, to Geoff White for joining us this week.

Marvellous stuff as always. Thank you, Geoff. And also big thanks as well to this episode’s sponsors, Arctic Wolf, NordLayer, and Vanta.

And also to the following fine folks who are amongst our fantastic Smashing Security patrons. So big cheers go to Saitel, Andrew Davison, Lisa.

Thank you to Robert Øjdegård — his surname looks like it was assembled by someone who really wanted to use up all their vowels.

Robert Martin, proof that you can have two Roberts in a shout-out, both equally appreciated.

Huge thanks also to Scotia, Greg Bailey, Christof Goossens, and final one for this week, Bravo Whiskey. We salute you in whatever phonetic alphabet you prefer.

Those are just a few members of Smashing Security Plus, which means that they get their episodes ad-free, earlier than the general public as well, by a couple of days, and they can have their names pulled out at random to be mercilessly mocked at the end of the show.

If you fancy a bit of that, just head over to smashingsecurity.com/plus for all the details where you can become a patron.

And there are other ways you can support the show as well, of course. Like you can, well, like the podcast, subscribe, leave a 5-star review — go on, why don’t you do it?

I know I say this every week, but it really does make a big difference. And tell your friends about the podcast as well. Go on, spread the word.

The more people who listen, the more encouraged we will be to get up to number 500. Not too far off, are we? So until next week, thanks for tuning in.

Until next time, toodaloo, bye-bye.

Leave a Reply