This week, Phia wonders what kind of person falls for phishing attacks. Is it only insanely gullible luddites, or can smart, tech savvy people get phished, too? To find out, she conducts an experiment on her poor, unsuspecting coworkers.

I've been wondering nonstop about the same question. The question is about this kind of hack: phishing. I've always had the impression that phishing is something I shouldn't worry about, because nobody really falls for it, and even the your work in March, we were trying to figure out how Alex Blumberg's Uber account got hacked, and when Alex Goldman even suggested the possibility that he might have gotten phished, Blumberg got genuinely annoyed. Nor phishing is yes to that happened. Now. He just leaves I I I I I imagine giving my password to somebody who wrote to me over email. Blumberg felt about it the way I did: phishing is for dummies. But then, a month later, news came out that the President of France, his campaign, got phished, like some of his staffers ended up handing over their personal passwords, and actually I started to notice that a lot of the hacks that I'm reading about recently
They start with phishing. John Podesta, that was phishing. The Sony hack by North Korea, that was phishing in it. We wondering what kind of person gets phished. Is it just insanely gullible people, or could it happen to the smartest people I know, people like Alex Blumberg? So I called up this guy. He's a computer hacking expert, and I asked him, like, how would it be to rig up a test to phish Alex. He said that'd be no problem, and I thought I can't sleep. Maybe we should try it on everyone at Reply All. He said sure, so he sent every member of the Reply All team some kind of phishing test, and a couple days later, I asked Alex Goldman,
PJ Vogt and Alex Blumberg to meet me in the studio. My situation should, I am MIKE they had no idea what it was about. OK, so you know how I have been pretty obsessed with, like, how we could get hacked, and I spent a few weeks just looking into a bunch of different theories of white House. Somebody could happen to us. Peter into a Gmail account and one of the theories that came up, that we didn't really spend any time on, is phishing. Yeah, because when it came up, people got offended of ended. I associate phishing with, like, a clumsy attempt to get you to reveal your password that I feel like I wouldn't fall for what so after you that offended. I got really curious and ended up tiny. This one guy he's a digital forensics investigator.
Daniel about Piano Daniel Boatyard. Oh, I remember now, good friend of the shell yell charmer, total charmer. So don't be mad at me, but I asked Daniel if he would try a phishing test on staff of Reply All and on Alex Blumberg up up up up up up. Oh, that is so devious, I'm so mad at you. If I click so, oh I'll just add one detail, which is before I did any of this I went to president of Gimlet Media Matt Lieber and said: is it OK up up up up if I ask this man to do this thing? And you said yes, Matt Lieber said yes. He pointed out that without permission, somebody could be phishing us all.
Usually you, like I go to map for my nose and how it's for my, yes, you gotta get outta. This suspense isn't, however, say Matt Lieber actually said during the whole Uber thing that he suspected that Alex had been tricked by a phishing campaign. This is all personal for him years like he has a very low estimation of you. Apparently he liked not every relations it has to be a Peter out should have happened. What so, OK, so Daniel's It is test on a Monday morning and by six p.m. the same day he had control of somebody's email. This is moving slowly. Opening is that OK, so before we started, I had no idea how Daniel was gonna be able to do this by.
Watching him work just opened my eyes to all these different things phishing was capable of, and the first thing that I saw is that Daniel can impersonate anybody, and he said actually for this test, to test, like, my coworkers, he was going to impersonate me. So to start with, let me tell you what happened to our executive producer Tim, because Tim was editing this piece. He was the one person on staff who knew that this phishing test was going to be going on, and he didn't know it was going to happen, but it just made him incredibly paranoid.
So for the last week and a half he's been sending me Slack messages like almost every day being like. I was just finished, I'm catching you is phishing himself yet. So Monday morning, Tim Slacks me and was like, what's the audio you're emailing me about? And I have no clue what he is talking about, but I see him in the kitchen so grab my phone have record a meeting at which point it's clear he's just realized what's going on. Well what why why? I just think you audio yeah sure the stair wrongness, OK you descended that was
It had had an audio files into me, Alex and strewed the so I click on it, and it says Gmail, you know, one password to rule them all winter and it asked me for I passed I say fuck this and I wrote back any slackening the earlier, because I don't want two I'm already signed into Gmail see. I could tell you it's a phishing attempt, some smart Asshole act, email messed up about, isn't like somebody. On the other hand, emailing me right now pretending to be you. Yes, your fucking looks like you really. I clicked on the thing in his ears, like he shows me the email and it's crazy, because it completely looks like it's coming from me, like it looks like it's coming from phia at gimlet media dot com, but obviously I didn't send it is he guys do we are in
each year as a body art was looks like and we cannot rule out. Let me explain how this works. Daniel had bought a domain. He bought the domain gimlet are media dot com, and he was sending the emails from there, but gimlet are media looks exactly
like gimlet media. And after all of that, Tim and I were walking back to our desks and he was like, so what's the audio you were trying to send? Ah up up up up up up above these legged of mouse, you drawing a cheese, I've a trap. OK, so here's the second thing I learned: you don't even need to fall for the scheme for Daniel to learn a ton about you. OK, so, for instance, PJ, you received this email that looked like an invoice coming from a consultant, and when you clicked on the link in the invoice, it took you to a page that looked like a Google login page and asked for your username and password. Yeah, you didn't put anything in, but over in Toronto, the hacker Daniel, he was still watching you interact with that fake page. Here's Daniel: Records show that he
It's from an iPhone, probably saw that it was something suspicious, clicked on it a second time from an iPhone, and then I have records showing that the same link is opened two more times from Mac computers, but two different computers, so guessing PJ saw that something was going on and he started digging a bit deeper in trying to find out what happened. The war were what's happening with this email. Yeah, and I'm suspecting that after PJ maybe sent an email internally, saying: hey guys, this is what I got, just be careful, don't click on this email. Why how he could tell that it so fast like knocking on door of somebody's house like Enimie. Don't answer like a light turned, tonight. He can figures the re yeah like I opened it, I opened the email, thought it was real, and then, like, I figured out what it was and I was really curious. Like, I was like, oh, I wonder if I can learn anything, so I was like trying to, like, examine the package to figure out what was going on
at the moment that I was like definitively rise was fake was that in the signature of the email there's a phone number. Googled the phone number and the phone number didn't go to, like, that made-up company, and I posted in Gimlet's Slack saying hey, everybody watch out, someone's trying to its eulogiums targeting Gimlet in particular. Right, and the reason Daniel thought you had done that is because he'd sent the same email to a bunch of members of the team and after you looked at it for the fourth time, nobody else clicked on it. And that's OK for Daniel, because he can try like all different methods of phishing the team and he can try to venture different times. So, since you're sounding alarm bells, he probably won't include you in the next phishing attempt. So Alex, what what did you get? I have no idea, I'm centre hooks. I haven't
all this also, you figured you think we got so you got an email that was just like Tim's, but I was in the room when you got it, and you turned to me and you're like, what is this? Why do I have to listen to this? Did I open it? You did not open. Congratulations. That is deaf We not because I was smart enough to recognise it was a phishing scam. You have been the room. This would have worked. I now and the end Daniel said the same thing. He was like, if I was trying this phishing attempt in earnest, I would have tried impersonating somebody who I thought wasn't gonna be in the office that day. Right. OK, so now, for the third thing I learned, which is my favorite thing I learned: even when you try to protect yourself, like when you set up two-step verification, you're still not safe. So this happened towards end of the day. At this point,
nobody on the Reply All team had fallen for it. I was a bit disappointed at first when I saw that it didn't work. Maybe we we we did this all of the email Kim. At the same time, we should have changed beings, but then we got the big tuna. So the big tuna. I think we all know that as well it worked on me, but I want to claim ah just got everything up for her. I waited Russia pass that now because I went I so I got the email and I wouldn't you say minds is Honan mentors whose it from run Pierre, and it says: Uber update how There's one eighth is if we're giving away too much of your personal information, the Uber update tape with try, we listen. Let me know what you think not kosher. Question Mark Adele, those and then there's like this little thing. There's a little. You know we wrapped it and it's coming from phia at what I now realise is gimlet earn media continent of Africa,
which is really amazing. Like you, don't you don't notice that I know Then that's what it isn't. So, if I give up mediates crazy so then, but I didn't open it 'cause I was like a long time ago I might have. It might have worked anyway and then I was like up on the third floor. You were in a meeting with cities, Ruth and I saw you guys and I, whenever I like and if I could come in you in one of his glass conference rooms was OK. I got your email with that about and then you looked so confused and, like, mad. I thought you were telling, like I'm just being an asshole humbled into the meeting. I don't worry I'll, listen I laughed and then, was. I had this whole narratives like without what I've done, then. Is this like the use of power and have the highway island. Sometimes too, it's OK, so there's others guilds. There was like a sort of driving meta like complete the task of listening to the audio, and so that I went down there and then I clicked
listen to it and then, and then, if I get it personated googled I've? So then you have to go and like put in your password and stuff like that and at which? did because I was like I gotta help. I gotta listen to the thing for you, but if I I don't know you not only put in your password, you put in your two-factor authentication code. Yeah. So yea so weird we are fully be able to get into your email address. So how does that work? And what did he do? He was like what what what was I pay, my actual two-factor authentication code into? What you put it into is his own little page that, then is wireless router. Yet so that's on a server, and when you put in your username and your password on his page, he just immediately forwarded that to the
real Gmail login, and from there, because he put in your username and password, a two-factor code was texted to you, and when you then put that again into his fake page, he immediately put that into the real Gmail login page and he was completely into your Gmail. And the server he was using was based in New York, so if you check where you recently signed into Gmail it'll show a New York-based location, which is what Daniel says they really do if it was a target phishing attempt telegraph indicated it's really interesting. I do feel like if I hadn't, if you you ethically said using the email. I know you did you came in, and I said I don't know, and you know but your leg, and you said I didn't look you don't really remember I'll. Go back and check red gray like trying to help you out.
Get back to you on top of nearly a hundred rudely interrupted. I don't know. I don't mean it feels like. Obviously like yes, if you, if you have your entire company conspiring to phish you, yes, they contribute to click gun, something. I don't think that anything if they know if they know every little bit of context around your life. I think that you are due care earlier about than can be tracked. Do you feel any differently about how offensive an idea was that you might have been. Oh no, I mean yes, I do, but I'm the I feel like this war and fairly euros. Solidify narrative about me that I'm not that I am not happy about it, Hence it is they that have not thought it was like when it was finished, is all conversation raider really, but yes, for the purposes of everybody out there, you, you too, can be phished. Now we've kept, you might take
a guy, I left the studio feeling like my experiment had totally failed. I'd convinced myself that phishing was real and pervasive, but I hadn't convinced Alex at all. All I'd done is, like, made him feel sucker-punched, so I decided the only reasonable thing I could do now was to expand the experiment. The results of that after the break.
Does everybody have a microphone in front of them by okay? So the last time we were all in a room, TAT S. We talked about this phishing test that I had you instigated yours, I obviously performed I got really salty, about which I am embarrassed. You are correct. I felt like I left that room feeling so good and just like bad about. I was just it knows it was. It was me why you did you. You, need neither. You were making argument, which was that you felt like cause what we were trying to say. Like a thousand felt fit into a false narrative about me. And in rather than it being about whether phishing works was about you felt like I was saying that you, Alex Blumberg, are like a. Bumbling I like everyone else's legs together on this year. Let go, you know somehow examine well, it's like you agreed on an intellectual level that I guess anybody
is capable of getting phished, but on an emotional level, like, this didn't really demonstrate that, right? What are you telling me that have been phishing efforts? No, no, no, weird emotive, now, remember you know I was just after we talked in this. The only way we were as a team like trying to figure out like how can we do something that, like, actually on like an emotional and an intellectual level felt like people get phished and without feeling like a murky test. So like, I am proof that, like, it's not just Mobutu who get phished, like smart people get still up up up up up and, and so is like is there's somebody that Alex thinks is really smart, that we could try the phishing test on and then it would feel.
We could do it like very poorly and man like. That would certainly make make you feel better. You helped me feel better about helping. But he also put back. Lastly, I learned how more lies more people? Yes right like should we should we try to phish, like, Ira Glass, sure, you're old by the US or maybe your old colleague, David Kestenbaum, or your brother-in-law, who's, like, super super smart, but we couldn't get permission to phish Ira or David, and it turns out that your brother-in-law doesn't really use Gmail, which we needed for this phishing test. So and as soon as I told him that he actually just started like crowing about at yeah, he viewed, he fell for it. Yeah smart, an like and that person also as may be the source of part of why this feel so bad for Alex. So you look so confused rightly argues for smuggling
So I thought it might be interesting. So so yeah, so we thought what if we try it on Matt Lieber, but this time. I wanted it to be very Paris. I was like, Daniel, do not tell me, like, like, I'm not gonna be informed by anything that you're trying to do. Don't help me cook this up with you, just try to phish Matt Lieber. Got it. So exciting little, when was this? So this was Monday, okay, so Monday in Africa and it's now Friday. So on Monday, Daniel sent Matt the phishing test and literally
forty-one seconds later, Matt had fallen for it. He was phished. So obviously I wanted to tell what had happened and I grabbed him, brought him into the studio. I think this is the first time I've been invited you before I could tell him he'd been phished. I had to tell him that you'd been phished, and as soon as I told him that he actually just started like crowing about at yes, he viewed. He fell for ya know, Oh, he fell. He got phished, yes, amazing, so you can t you see successfully phished Alex, your boss. Yes, well, yeah booth. So when we started this whole project, did you think they're Alex like? Did you think that he was likely to offer it yes
why. How do I say this without being like out he's totally credulous dulled? he's engender he's over, you know, he's very he's a he always assumes the best in people, and he is generally like a very empathetic person, that's one of his superpowers, and said I don't think he's like looking out for people who are trying to screw him. Ah, I'm the more like skeptical person when it comes to other people's motives. Yeah, OK, but I just want. I don't wanna come off like I'm being a jerk about Alex, because obviously Alex is, like, a great journalist, which requires them to be sceptical, and that is the fact that he was phished tells you that this could happen to anyone who is targeted. Right, and so I think the same thing you
I think, like, everybody needs to be like crazy paranoid all the time and it is possible to phish anybody if you're targeting it, but Alex felt like it was like not a clean test and therefore he like doesn't feel like I'm now and I'm now reversed horrified that you're gonna be like we also phished you. We did so successfully. Did you? Why Have you received anything weird from anyone? I don't know like thing like today may be. Did you phish we allow this is like David murmured movie. I feel so. This is like the worst experiment I've ever done.
I so earlier today, yeah you got an email from Alex Goldman at Oh my god. Goldman was weird because of the way the file was attached. Ah, the weird thing about it was because I kept having it the two-factor have had occasion to say. Oh my god, this is just an oasis humiliating, because I have sat here in judgment of Alex nobody. You actually like this comparison. Does this confirm for you that it could happen to anyone? Yeah, it could happen to anyone, Phia. An idiot like me, God he's sober disk Daniel. We should we need a higher standard as such get insight into what would tweak people. He sent me an email saying as though it were from Alex Goldman saying: One of our producers found this document
posted online which reveals Gimlet's salary levels. Is this something you think should be public? And I was like I was. I got my because everyone salaries got out who would be like a nightmare. Right, so I click on it. It's a PDF in Iraq viewed a PDF have to log into my my you're Monica yeah, yeah you're. Trying to do I put on my username and password is now a need to change that I'm tired, and then it did the two-factor authentication. I responded to Alex and I see said Katy. Christians in her director of people are Who is the person who would like to know what the answer in the wise is how to her, and she said I can't see the file, and when I was back to download it again, I had to do the two-factor again and, like, that doesn't make sense. I just did that two-factor authentication. Why would I have to do it for a second time? But of course I was in
the middle of a bunch of things and I was just like, ah, whatever, it's Google. I trust Google, yeah, and I put it in such a jerk. I feel like a joke, because I was saying like Alex Blumberg, whether what an old per and who doesn't know like protect like protect himself, world or online, but because he doesn't have me Mr Savvy, like Mr Savvy uptake, move like terrible while this was a real, come up its dominant antenna down. So that's what happened. A map had. I feel terrible now, because I feel better and like one of my goals actually happened. Yes, I do feel better. You do 'cause I do
like I do feel like Matt is the way more suspicious one and in if I had to choose like which of us, his heart, a phish out of Jos Matt Fisher. Here's here's the one thing that comforts me a little bad I never phished. Anyone that I Should I wasn't going to phish. That is why we have been overcome. While is really so wanna say now. I promise to never phish anyone in this room again, just in this room
Reply All is hosted by PJ Vogt and me, Alex Goldman. or shows pretty? really put him in any fear us and Domino Marconi. Protectionist students from China or edit. Write him, Howard and Jorge just where mixed by required? Thanks to Kashmir Hill, Emily Kennedy and a huge thank you to our phisher Daniel Burton on it. Our theme song is by the mysterious Breakmaster Cylinder and our ad music is by Build Buildings. that labour is Bubbletop applications are open to be reply or fall into the deadline for Africa. Genes is nine a.m. on May twenty-ninth and you can find out more on our website were piled up and you can more episodes of the show on Apple Podcasts, Spotify or where we gave thanks are listening, we'll see next week.
