Brian Lehrer: Brian Lehrer on WNYC. Listeners, before we close out today's show, we want to let you know about a scam that's been taking place out there. It involves people posing as me or claiming to represent The Brian Lehrer Show as well as other WNYC hosts and shows. They're emailing listeners with what looks like a warm invitation to come on the air, but then they ask for money in exchange for the slot. Let me say this up front. Our interviews and our airtime are never for sale, nor do we collect fees from our guests for logistics, production or anything else that goes into making the show. We will never ask you to pay to come on The Brian Lehrer Show if you have a book to promote or for any other reason. We never have and we never will.
Impersonation scams like this are a much bigger problem out there than just our station, and there is something we've been keeping an eye on as part of our ongoing cybersecurity coverage, but we didn't realize that this series would hit so close to home until some listeners reached out to tell us who was trying to scam them. We want to take a few minutes now at the end of the show to walk you through what these emails look like, what red flags to watch for, and what to do if you've already been targeted or even fallen for one yourself temporarily regarding this show or the station or any other such scam.
Joining us now, Rachel Tobac, co-founder and CEO of Social Proof Security, where she works on protecting people and organizations from social engineering scams, as they're called. We've also got our own Kenneth Atkins, assistant director of IT and data security here at WNYC. Welcome to you both. Hi.
Rachel Tobac: Thanks for having me.
Kenneth Atkins: Thanks for having me.
Brian Lehrer: Kenneth, you are our resident data security expert here at WNYC. Tell our listeners what's happening and what to be on the lookout for regarding us.
Kenneth Atkins: In the last month or so, we've seen a huge surge in emails coming in from people all over the country. These are mostly authors. They've been contacted by scammers who present themselves as either show hosts at WNYC or producers or even editors in our newsroom. They then invite the authors to come on the air for an interview. The important thing here is that, ultimately, they ask the authors to provide either some voluntary contribution or a fixed fee to be on the show to cover the cost of promotion and to cover the cost of production.
Brian Lehrer: Rachel, what kind of scam is this? What category do you put it in, the one that involves us? Put it in the context of the larger picture of what they call phishing- that's P-H, phishing scams out there.
Rachel Tobac: This is a traditional phishing email, so it's as traditional as it gets. Oftentimes when we see these types of emails, they are asking for money, they're trying to get you to click on a link, and when you click on that link, they might try to get you to log in so that they can steal your username and password and even a code to present as you later.
Brian Lehrer: How realistic can these be? To us, it looked obvious that they were using fake email addresses that weren't @wnyc or New York Public Radio, actual email addresses that they wanted people to reply to, but it wouldn't be obvious to everybody. How do they go from something that seems to include my name or the name of another host? How do you catch it?
Rachel Tobac: There are a couple of red flags you can look out for. First and foremost, you can look at who's actually sending the email. Oftentimes it'll say the name of the person and they're probably impersonating you or a member of your team. Then if you click the down caret, that little arrow pointing down, if you actually open that up, you'll see that the email address is a random Gmail or Proton Mail email address and it's not actually associated with your show.
From there, another major red flag is if somebody is asking you to pay money for something like being on your show, that is always going to be a phishing email. They can also happen in text messages, phone calls, social media DMs, but phishing emails are as traditional and classic as it gets.
Brian Lehrer: Listeners, who has a question about phishing scams and schemes? 212-433-WNYC. We can take a few of these in our remaining time. If you've been approached by anybody claiming to be me or another host on the station or somebody representing any of our shows or any other phishing scheme, 212-433-WNYC, text us. We'll see that text thread go by, or we can get one or two calls on the air as well. 212-433-9692.
Kenneth, what's the scope of this on our end? Has the same scam hit other hosts at WNYC? I know it's hit at least one other host. Roughly, how many of these emails have you heard about?
Kenneth Atkins: It's hit quite a few hosts at this point. We've received something like almost 100 emails in the last month or so, mostly from authors. The emails are particularly effective and concerning because they're AI generated. This makes them seem more realistic in that they don't have some of the things that we expect in scam emails. They're written quite well, they don't have any common typos or misspellings, and they're personalized or individualized to that author's particular book. They try to paint a picture that we're excited to have the author on the air because their book might correspond with a theme that the show will be covering soon.
Brian Lehrer: Pretty sophisticated. On that personalization, Rachel, one in particular that I've been shown, named the listener's book by title, referenced her professional background, even complimented her writing style. Is this thanks to AI? Is AI making scams like this more convincing?
Rachel Tobac: It absolutely is. What we see is that the goals of the scammer haven't changed. They still want your money, they want your data or access, but the scalability and the believability of the attack has increased. When they're using AI, they don't have to think and actually write out a fantastic email. They can get the AI tool to programmatically send out hundreds of these emails.
Now if you've gotten 100 reports, there are probably 500, 1,000 of these emails that have actually gone out because we know historically phishing emails, text messages and phone calls go unreported the majority of the time. The scalability has increased because AI can do a lot of the sending, the drafting, the research or the OSINT, the open source intelligence, finding information online and crafting a good email, essentially.
Brian Lehrer: Neil in Brooklyn has a story. You're on WNYC. Hi, Neil.
Neil: Hi, Brian. I have a relatively large address book because I publish a newsletter. For the first time in many years, I was hacked. Someone got in and sent out a dinner invitation using my name, not to everybody in my email list, thank God, but maybe to 100 or more. A few people got back to me and said-- a few said, "Regrets," a few said, "I don't think this is you. Something is fishy." My question is-
Brian Lehrer: Were they trying to get money from these people in some way?
Neil: No, they didn't ask [unintelligible 00:08:02] They asked them to click on something to get details of the dinner. The email did not ask for money.
Brian Lehrer: There you go.
Neil: It did say, "Click on something." I'm wondering was some type of virus downloaded? Was my computer infected even though I'm paying for Malwarebytes?
Brian Lehrer: Neil, thank you very much. Rachel, to his question, but also for the people who receive those fake invitations, what do you say?
Rachel Tobac: I just wrote a piece or I worked with The New York Times rather, to be interviewed for a piece about this exact type of attack where we're seeing that these scammers, they are trying to either collect your password. They get you to click on a link, log in to say whether or not you're coming to this dinner or this event, or they're trying to download malware on your device. I don't know for this listener exactly what happened, but probably what happened, the easier thing for the scammer is to steal your password from you whenever you go to log in.
What I would do is I would update your password. I would use something like a password manager to ensure you're using long, random and unique passwords on every single account and turn on multi-factor authentication. It also probably doesn't hurt to factory-reset the device that you ended up clicking or potentially even downloading from that invitation because there might be malware on your machine.
Brian Lehrer: Eileen in Montclair has a question specific to the scam that's posing to be us. Eileen, you're on WNYC. Hi.
Eileen: Hi. I've been instructed in the past to forward phishing emails, to report phishing at apple.com or report phishing at ibm.com. I'm wondering if we should do the same thing, report phishing at wnyc.org. Also, does anyone investigate these? Are there any consequences?
Brian Lehrer: Thank you. Kenneth?
Kenneth Atkins: Yes. Thanks, caller. We have set up an address specifically so that our listeners can report any scams or suspected scam emails that they receive. That address is scamreport@wnyc.org. That's scamreport@wnyc.O-R-G.
Brian Lehrer: There we will leave it with my guest, Rachel Tobac, co-founder and CEO of Social Proof Security, and Kenneth Atkins, assistant director of IT and data security here at WNYC. Let me just say one more time to be perfectly clear, with this scam out there, with people trying to pose as me and other hosts on the station or people representing some of our shows, our interviews and our airtime are never for sale. We never collect fees from our guests for logistics, production or anything else that goes into making this show. We'll never ask you to pay to come on The Brian Lehrer Show in any way. That pertains to the whole rest of the station too.
Rachel and Kenneth, thank you for coming on and helping to expose this and scam-proof people who are listening right now to the best extent possible.
Rachel Tobac: Hope it helps.
Kenneth Atkins: Thank you.