The “they caught me at exactly the wrong moment” part is crucial. No one is “too smart” to not fall for something like this if they’re caught in just the wrong moment, usually when they’re under some sort of other time pressure and stress and therefore aren’t thinking clearly. It happened to me with my Apple account on one particularly hectic morning when I was late for work, and I’m a 30-year veteran of “using computers on the Internet”. It only takes one perfect situation to catch you off your game to leave you with a mess to clean up. The good news is if you’re using a password manager and unique passwords for every service (including your password manager), it’s less likely something like this will totally ruin you.
@jonlewis5061 2 months ago
From the scammer’s perspective they got him at the right time! 😂
@Nalianna 2 months ago
If they send 10,000 emails, they're certain to catch someone at a wrong moment, and that's their strategy.
@VerdantBBX 2 months ago
This is such an important thing to remember. Scammers are usually good at what they do and if they catch you at a time in which you're stressed, distracted or a multitude of other factors, that's all it takes for anybody to fall for a scam. I was subject to a scam in my last workplace and still to this day have trouble actually discussing the details of it because of the odd sense of shame I feel for allowing myself to fall for it. It's hard to get past those feelings but it's important to remember that it's not a fault of you and your abilities/intelligence, it's the fault of the scammer doing terrible things and exploiting people when they feel vulnerable.
@nextbizzy 2 months ago
I am "too smart" not to click on scam links in my email.
@crimson3859 2 months ago
I'm a big advocate for using physical security keys on anything important, especially if the service could be used to gain further access to other things.
@Dirtyz1234 2 months ago
If it makes anyone else feel better, my wife is now (today) the type of person to click on a text message link because "USPS" was unable to deliver a package and then proceed to enter our credit card information 😤 She told me to check the mail for a package that she was having an issue with and I asked her if she clicked on any links... Our cards are now cancelled 😂
@trinitygames5537 2 months ago
God bless you 😅 I wish you the best
@SuperSmashDolls 2 months ago
I can't believe Twitter's out here cancelling CARDS now, smh my head
@ClutterLustRott 2 months ago
Damn, everyone got that text today.
@fakjbf3129 2 months ago
@Dirtyz1234 I’ve been getting that text every couple of months for the past year, I guess some people have to fall for it every once in a while to be worth it.
@Plznojudge 2 months ago
Nice catch
@AlansWay3DPrinting 2 months ago
There was a CEO of a cybersecurity company who got caught by their own internal phishing testing and had to go for internal company phishing training. It can happen to anyone when their alertness drops. We have to be vigilant every time, the hackers only have to be successful once.
@DaemosDaen 2 months ago
I'd be impressed if it were someone who actually does the work, like a sysadmin or secadmin. CEOs generally make decisions, sometimes not very well informed ones, and have someone else implement them.
@amb1u5 2 months ago
@DaemosDaen if it's a cyber security company there's a good chance the CEO has hands-on experience.
@XIIchiron78 2 months ago
...Crowdstrike? Ah but wait that would require actually having internal testing and training (btw CEOs are usually MBAs who have no knowledge or expertise over the things they manage in the first place)
@uncrunch398 2 months ago
Everyone will fail when social manipulators are constantly working on them. Everyone who doesn't believe everything put out by those desperately trying to keep their media mainstream is constantly watched, often worked on by a social hacker more directly. Think of how China works. Only a fool thinks that isn't global, just more subtle most other places.
@Swizzle5795 2 months ago
I used to work in audit. It’s shocking how often the C-suite members, the ones most entrusted to act in the best interest of a company, fail the phishing simulations.
@dany_fg 2 months ago
one of my family members was part of a cyber test at their workplace and they clicked the phishing mail link. somehow the site didn't load and later the cyber security team congratulated them on not falling for the phishing attempt.
@Entropy67 2 months ago
Maybe the site was blocked internally, which is still a success but due to your IT team
@robertt9342 2 months ago
Task failed successfully!
@Lantrex 2 months ago
I kept forwarding them to my manager and asking him to print them (they used pdf files) because "our printer was down".
@apIthletIcc 2 months ago
Lol bro had ipv6 disabled 😂
@battlekingad8291 2 months ago
That's exactly like that 'The Office' meme with Michael Scott.
@tiagotiagot 2 months ago
You guys should start a tradition of yearly pentesting, hire a company that does all the stuff, lockpicking, phishing, hacking, social engineering etc, and let them pick a time and date without telling anyone they don't need to, and have a separate crew to follow them (or have them carry bodycams or whatever and be interviewed later or whatever format works), to get an infosec documentary video as a bonus :)
@TomTKK 2 months ago
That's not really going to assist with this type of attack. They all need phishing awareness training.
@ProfSplendorFaction 2 months ago
@TomTKK They include cyber security in pentesting, it's not just physical.
@bigmew 2 months ago
security is optional
@TomTKK 2 months ago
@ProfSplendorFaction But a pentest is not going to train the end users, its aim is to compromise the organisation and generate a report, that's not training. Phishing awareness training would be a recommendation on that report.
@boiwithadoge 2 months ago
@TomTKK yes the goal is to use pentesting results to see what needs better training and security
@ICEconchy 2 months ago
Phishing can happen to anyone, it's just human error. Glad to see it's back!
@loopernagic4658 2 months ago
This. It is not about how smart you are. Our mind has time to rest and anyone has their time when their defense is down. Your awareness is not active all the time.
@canadianwithabeard 2 months ago
It "could" happen to anyone but that doesn't mean it can happen to anyone. I've not once been phished because I am very stringent on my information and emails that came through. Some of us pay attention a lot more than others when crap like this happens because if we aren't diligent then that is when something will happen.
@HorsesArePeople2 2 months ago
@canadianwithabeard I agree. I haven't been phished/hacked/had any viruses since like 2008 and I always disable my firewall and windows defender.
@shellderp 2 months ago
not me lol ez
@Mythicalgoon 2 months ago
@canadianwithabeard the irony of this guy not realizing he's the exact person op is talking about lmfao. "Everyone has a moment when their guard is down" even you bud.
@Andrei-ng2yz 2 months ago
For the first time in history, the grill has become an element of a hacker attack ))))
@the3nder1 2 months ago
Not true at all. The person behind the KZbin hack still works for them.
@DuneRunnerEnterprises 2 months ago
"Swordfish"???
@giusdb 2 months ago
The grill is connected to super fast wifi, so they found the right time.
@bigmew 2 months ago
lmao right
@ku872117 days ago
See that's the problem with charcoal, with propane you can just turn the grill on and off. I tell ya what. Taste the meat... not defeat!
@Decodeish1 2 months ago
NOTE: Password resets should NEVER ask for old password.
@kek22219 2 months ago
A very good point. Something not a lot of people notice given we are so conditioned in certain ways.
@Dung30n 2 months ago
sadly, this is often not the case in the enterprise segment. heck, even windows asks for current password when you go change it.
@AmeshaSpentaArmaiti 2 months ago
New York's unemployment benefits website does, iirc.
@KingFinnch 2 months ago
@Dung30n windows doesn't really matter because there's a hundred other ways to get admin rights without a password if someone has access to your computer, just consider the whole thing and every file compromised
@Wavepush 2 months ago
Windows AD domain accounts do
@chad_levy 2 months ago
This is among the reasons you use a password manager. Even if you know your password, your password manager will validate the URL.
@p0358 2 months ago
Twitter changed their URL and suddenly that doesn’t work. They did a lot of wonky unprofessional crap and conditioned their users to accept amateur-esque stuff at every point
@realcartoongirl 2 months ago
now they just have to hack your password manager 😂
@spicybaguette7706 2 months ago
@realcartoongirl which is a lot harder than phishing someone
@imtherealvict1m 2 months ago
also why you should use the right password manager because if someone gets access to your password manager and it’s not good they have access to all ur passwords
@imgladnotu9527 2 months ago
@p0358 unless you use a password manager that doesn't allow you to define a URL manually, this should be a non-issue. some password managers even allow you to manually fill a field with a set credential and save the site for that credential.
@TheCloudCreation 2 months ago
It's important to mention that even if you try to navigate to the website manually, to never click on the "sponsored" result for whatever website you are searching for. I can't remember which company it was, I think it was MSI, but a phishing site was getting the top search result whenever people looked up a gaming peripheral company to download their application to control their peripherals and the site had almost exactly the same url and copy and pasted the real MSI api download site so it was virtually indistinguishable.
@lunaticwastaken 2 months ago
I once searched the website "lieferando" (German food delivery), and when googling for it, on the top there was an ad that looked 100% like the actual website. Even tho the ad showed the correct url, when I clicked on it, it suddenly asked me to provide credit card information, and when I looked at the url it was suddenly `liefernado`. Thank you Google, for absolutely nothing.
@skyrimax 2 months ago
Something similar happened with OBS and a bunch of streamers got their stream keys stolen by a malicious version of the software the sponsored site distributed
@Vysair 2 months ago
adblock, dns blocking, scripts, etc
@TheoHiggins 2 months ago
My mum ALWAYS clicks the sponsored link, I tried to explain why it's a bad idea but she doesn't seem to have taken it onboard
@skyrimax 2 months ago
@TheoHiggins if you can, install an adblocker on her browser
@BrandonIngli 2 months ago
15:00 Also be careful that you're looking at the actual site for whatever business you're interacting with and *not* an ad placed by a bad actor nor an AI generated summary containing bad data.
@twixieshores 2 months ago
To add to this, if you use a particular site regularly, bookmarks are your friends.
@luketurner314 2 months ago
@twixieshores And if you use multiple/several sites regularly, bookmark folders
@lussor1 2 months ago
Imagine not using ad block
@screes620 2 months ago
I work in IT, some people are completely clueless. Once had a lady call me, not because she thinks she got a phishing email, but because the link in the phishing email wasn't working and she wanted me to make it work. /faceslap What makes it even more egregious, our internal email server automatically places a tag of [EXTERNAL] to the front of all email topics from email addresses that are from an external to the network address, and everyone is taught to never click links in external email addresses unless you know 100% it is legit, because you just requested that person to email it to you.
@realcartoongirl 2 months ago
good for you to block websites, these people can really be kind of 🤪
@RageofaNation 2 months ago
Don't even google the number to your bank. Check the back of your bank card.
@BlokedAgain 2 months ago
I legit have never noticed that. Good advice!
@QWERTIOX 2 months ago
For your knowledge, some cards don't have numbers other than in case of lost, also not everybody has physical cards
@lussor1 2 months ago
brave or duck the number
@bigmew 2 months ago
wait it's on there wth
@robotman5105 2 months ago
Well just don’t click the sponsored number one top result on a Google search for sensitive services like your bank.
@afd33 2 months ago
I've been getting realistic paypal emails lately. They skip my junk mail folder and everything. Pretty much do what they say. I log in to paypal not using the link in the email, see there's nothing there, and forget about it. I could definitely see how someone could fall for it though.
@MagoLP 2 months ago
I've been getting legitimate PayPal emails that look like phishing mails. They tell you to log in using the link to get some free stuff. How are you supposed to tell them apart from actual phishing mails?
@butwhytharum 2 months ago
The best is receiving emails about money being withdrawn from a bank I don't use... I call all in a panic and ask what to do when I don't use that bank.
@realcartoongirl 2 months ago
I know it's fake because I deleted paypal long ago 😂
@zwenkwiel816 2 months ago
only paypal emails I even glance at are the ones they send me when I need something. like if I didn't initiate the email exchange I'm not even going to look at it.
@bigmew 2 months ago
it's scary right.
@deasterbrooks 2 months ago
Moral of the story is anyone can get caught if they catch you at the right time (wrong time). I almost got nabbed by one when I was at a party...it is so easy to have it happen if you're distracted by something going on around you.
@bloepje 2 months ago
No... Anyone with a bad mail user interface that doesn't show the e-mail address.
@deasterbrooks 2 months ago
@bloepje the reason Linus fell for it, was more about circumstances than anything else. Could that have helped, maybe but realistically it was about the party and the previous hack. Even the most ardent person given the right set of circumstances can be hacked. Even Jim Browning got phished and he hacks the scammers…it can happen to anyone.
@iZian 2 months ago
Some people say I’m silly for storing 2FA in a manager which can autofill it. But… it won’t offer to fill my 2FA automatically on a spoof site… Source: accidentally been there done that, wondered why the 2FA wasn’t offering to fill, realised the site was subtly not the right site.
@bigmew 2 months ago
autofill? naaaaawwwwwww
@uncrunch398 2 months ago
Some security researchers suggest 2FA is inherently insecure. But, maybe an exception is if your second factor is something like an encrypted hardware key that you only plug in as needed.
@Thetasigmaalpha 2 months ago
Got a text message 2 years ago from the NHS saying I’d come into contact with someone with COVID and I’d need to test myself, I could have the test for free but would have to pay postage and packing. I got to the point of entering my card details when I suddenly fell. Why would the NHS charge shipping on a public health issue. They still got my address and phone number and I’ve been getting scam calls ever since.
@gryyphyn8639 2 months ago
It's rough getting tagged with a phish. Thankfully, I've never taken the bait in the real. Internally, within our enterprise partner phish testing, I have absolutely clicked on two of our internal tests. It's super hard with the newer AI generated phishing tools. They're so GD official looking. Even hover checking links or exposing the full address is incredibly difficult unless you know absolutely every domain your company owns and which ones it doesn't.
@danieljensen2626 2 months ago
I've learned to be more careful but I probably clicked on the first 5 test phishing emails my company sent out when I first got hired. Now I'll tend to err on the side of ignoring real work emails if I think they're suspicious at all.
@zwenkwiel816 2 months ago
what are these internal phishing emails like though? cuz if they come from your actual employer it's kind of cheating. I mean they literally have all the insider information they could ever want and a social/cultural experience that matches yours (cuz they work for the same company) like some scammer from India or something doesn't have any of that....
@John.S92 2 months ago
Another thing is to ask the caller about the information they have on you, don't trust that they *are* who they say they are, but as you start looking for correct numbers to the bank or similar such, you might as well see what else they have on you, asking them to verify your social security number and name is correct, your bank number and whatever else you could think of that the caller might be able to supply, if nothing else, you'd learn what info they gathered/have about you.
@robinbegley1077 2 months ago
It's hard when most scam email detection tricks don't work on a touchscreen when you're on your phone. You don't always see where the email came from, if you could recognize the fake lookalike address. It's incredibly hard, if you can at all, to see where a link goes before clicking it. On iphone you get a page preview if you click and hold but I don't recall ever seeing the address. And when was the last time you interacted with the footer buttons on a web page? You would have to scroll to even see them on your phone. And with the state of twiterX, wouldn't you believe part of the site is broken?
@apIthletIcc 2 months ago
Long press on anything you think looks like a link in an email, being careful not to lift too soon causing a click to be registered, and you can see more of the link or copy it and paste into virus total! I sent in about 200 links last year and can confirm helped crack just a few botnets and a few phishing domain infrastructures. You can do it too
@brooksfriess3139 2 months ago
Really great that you guys were so open about this. Anytime this happens and people hide it we lose valuable information. I have not been phished yet but I know that's mostly because of training and hearing about stories like this.
@Tall_Order 2 months ago
>Linus: I was rushin... (Russia pun) Me: If you're not rushin, you're goin' too slow. So quit stallin. lol
@jonasnielsen1799 2 months ago
But he needed to put in the password
@sdzkhelya 2 months ago
good one
@diegonei 2 months ago
Nice
@AmeshaSpentaArmaiti 2 months ago
I'm not Lenin you get away with this one, I'm Putin you on trial.
@bigmew 2 months ago
rushin...
@Louis_Varga 2 months ago
You should take a burner phone to Defcon.
@Nik-rx9rj 2 months ago
In case anyone doesn’t know or doesn’t see these types of attacks much: these happen all of the time and are the biggest security risk in any organization. Poor memory management in code and phishing emails are the two most common attack vectors for attackers. Linus shouldn’t feel bad about this. It happens to everyone.
@ajealicethefemme 2 months ago
Luke teaches internet security for 25:44 haha. This is really nice to hear from the channel, as this is advice that we need to give to so many people who aren't as tech literate or knowledgeable as we are. Having a video to say that even the greats fall short sometimes, and then teach ways that many people can protect themselves would be brilliant!!
@modellking 2 months ago
Got phished once, actually checked the DNS record of the site I was at, which seemed somewhat plausible. What got me was a perfect recreation of a Steam login in an emulated windows/chrome browser window.... Turns out that was not enough to do any serious damage so they tried to contact me to get more access, so I reset my password while stalling them successfully...
@DoatesndMore 2 months ago
The amount of bots in the comments wtf...
@JM-wd3dk 2 months ago
It's crazy KZbin hasn't done anything about this issue. Almost every channel is being bombarded by bots.
@Carrion0409 2 months ago
@JM-wd3dk youtube doesn't care. These bots make them money by engaging. Since Susan left, the platform has taken a massive dip. It wouldn't shock me if youtube themselves were making bots
@DoatesndMore 2 months ago
@Carrion0409 Yea but eventually advertisers will stop paying as they will realise what's happening
@Carrion0409 2 months ago
@DoatesndMore hopefully that'll happen sooner rather than later
@ProfSplendorFaction 2 months ago
@Carrion0409 Yea, I'm going to assume that because they aren't going to do anything about these bots that advocate for Cheese Pizza that the people working at KZbin also enjoy a Cheese Pizza
@fakjbf3129 2 months ago
“a whale is not a fish” unless you classify all vertebrates as fish, and there’s a very good argument for doing so.
@Kleyguerth 2 months ago
Fish is ill-defined, there's no way to biologically define "fish" in a way that *doesn't* bundle all vertebrates with it
@channelofsindre 2 months ago
Mammals usually are not classified as fish. But fish is not a well defined term
@mzuogha 2 months ago
8:30 lmao "fool me twice, shame on you" pie
@LoganChristianson 2 months ago
The phrase is "Fool me once, shame on you. Fool me twice, shame on me."
@c1nqbl7 2 months ago
Fool me twice, I'll put the blame on you @LoganChristianson
@cretinousmartyr3522 2 months ago
Theory: Linus subconsciously fell for the phishing attack because his drive to create content and teach people runs that deep, as well as knowing it was an account that was sacrificable, especially for the sake of the videos.
@Sandeee 2 months ago
Never Google a customer service number. Somehow Google also can give out fake numbers. Always use the official website for customer service contact.
@gblargg 2 months ago
24:01 Brings back memories of all those popular KZbin people back then, that we never see anymore. It was so different back then.
@3ftninja132 2 months ago
Hats off to Linus for falling on his sword, admitting that he done F-ed up and turning it into a learning experience for not him but his audience too.
@gblargg 2 months ago
Password reset emails seem to be training people to click email links. Usually that's the only way to reset as they send you the email when you request a reset. You're expecting a reset email during a narrow window of time so it's unlikely that a phishing one will fool you, but generally you are being trained to trust links in email. So when you get an email to reset your password outside this context, you'll be primed to not think twice.
@giusdb 2 months ago
It's different, here it was said that there was suspicious activity and to reset the password. The reaction should have been to go to x, use its reset password function, and click the link in the next email. And often password reset emails say not to do anything unless you requested the reset.
@Zanthum 2 months ago
16:04 "don't trust that the caller ID is valid" I have gotten caller ID as my own number. I was in class and couldn't answer, called it back later and got my voicemail inbox. I was very confused for a minute
@xandermc21 2 months ago
could’ve been a cell site simulator. A lot of police depts have them
@twirre 2 months ago
Use password managers, people. On phishing websites, password managers won't autofill because the domains don't match. If it doesn’t autofill when you expect it to, that's a huge red flag.
@xionico09 2 months ago
Phishing scams are obvious on the surface, but given life coincidences and timings, anyone can fall for them
@_aullik 2 months ago
It's always funny how fast it is to reset 2FA yet everyone enforces it to give you a false sense of security.
@Qimchiy 2 months ago
Still more secure than not having it. But on top of that, the biggest security risk or vice versa is the user.
@bigmew 2 months ago
I don't get it. they should improve it in the future
@bigmew 2 months ago
the amount of bypasses is insane
@Qimchiy 2 months ago
@bigmew to be fair, the website did also ask for Linus' 2FA for his Twitter. So he himself gave the keys to the second security door.
@FireLord334 2 months ago
If you receive an email like this never touch it. Always go to your account yourself and reset the password that way. Never just trust an email like this. Give every email the attention and respect it deserves.
@commanderoof4578 2 months ago
Unless you are signed into a site they will NEVER ask for your old or existing password. "Enter old or existing password" for absolutely everything I've ever changed a password on is only ever shown when signed in and going to change the password from inside the account settings. Also resetting a password never asks for 2FA, 2FA is for signing in not for changing a password, they are separated for this exact reason
@zwenkwiel816 2 months ago
what if they fake you being logged in though?
@commanderoof4578 2 months ago
@zwenkwiel816 I'm never logged into anything so that's not a concern for me. For others tho it might be... Anytime I get a password reset email I go to the actual site first and check if I'm logged in on my phone and just change the password there first and foremost. Otherwise if I have 2FA on I ignore password reset emails. And if it's a someone or something logged on and again I know I have 2FA on I will go to my browser myself, login and check the sessions / allowed devices. I don't click links inside emails unless I was the one who sat there and requested a password reset
@PartialBrainRot 2 months ago
I know it's not common but search engines can be manipulated in terms of contact info. For banks specifically, if you're called or emailed by someone who claims your account is at risk for whatever reason you should ask for their name and extension, then call the number listed on your physical bank card.
@Efreeti 2 months ago
Linus' privacy might be so dead, but he's done an ADMIRABLE job with his kids' privacy. Not even having their names shared on any video, repeatedly referring to his eldest as "boy" or "son" rather than by name, things like that. Can't even 100% say for sure I know the order they were born in, honestly. I think that's admirable.
@DanTDMJace 1 month ago
Pretty sure that their names were stated in a Channel Super Fun video
@henrysanecdotes5323 2 months ago
Just goes to show, YOU ARE NOT BETTER. You are not smarter than hackers, you are not better, you do not know better. You may be those things most of the time, but confidence is gonna shoot you in your foot if the stars align. Just be careful and take threats seriously. Don’t be rash. Live by those rules and you can hopefully avoid some scams that would have otherwise caught you off guard or tricked you
@SWinxyTheCat 2 months ago
The nice thing about my password manager is that it doesn't autofill unless the domain name matches, as another layer of swiss cheese
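Several comments in this thread say a password manager will not autofill when the domain does not match, and one describes an ad that led to `liefernado` instead of `lieferando`. The following is an added example of that check, not written by any commenter and not taken from any real password manager. It assumes a hypothetical vault of `{host, user}` entries, constructed `.example` hosts, and hypothetical function names; real managers usually match on the registrable domain using the Public Suffix List rather than this plain suffix test.

```javascript
// Added example, not taken from any real password manager.
// Hosts and vault entries are constructed; ".example" is a reserved TLD.
const SAMPLE_VAULT = [{ host: "lieferando.example", user: "alice" }];

// Optimal string alignment distance: insert, delete, substitute, and
// swap of two adjacent characters each cost 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () =>
    new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Saved host itself, or a subdomain of it. The leading dot stops
// "notlieferando.example" from matching "lieferando.example".
function hostMatches(host, savedHost) {
  return host === savedHost || host.endsWith("." + savedHost);
}

// Called only after hostMatches failed for every entry.
// Returns the saved host that `host` imitates, or null.
function findLookalike(host, vault) {
  const labels = host.split(".");
  for (const entry of vault) {
    // Saved name embedded inside a different domain.
    if (host.includes(entry.host)) return entry.host;
    // Compare every multi-label suffix so a subdomain of a typo host is caught.
    for (let i = 0; i < labels.length - 1; i++) {
      const dist = osaDistance(labels.slice(i).join("."), entry.host);
      if (dist <= 2) return entry.host;
    }
  }
  return null;
}

// Decide whether to offer saved credentials on the page at pageUrl.
function autofillDecision(pageUrl, vault) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { fill: false, reason: "unparseable-url" };
  }
  if (url.protocol !== "https:") return { fill: false, reason: "not-https" };
  const host = url.hostname; // lower-cased; non-ASCII names become punycode

  const entry = vault.find((e) => hostMatches(host, e.host));
  if (entry) return { fill: true, reason: "host-match", user: entry.user };

  // Homoglyph hosts arrive as "xn--" labels and never equal the saved name.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { fill: false, reason: "idn-host" };
  }
  const resembles = findLookalike(host, vault);
  if (resembles) return { fill: false, reason: "lookalike", resembles };
  return { fill: false, reason: "no-saved-login" };
}
```

The `no-saved-login` result is what a legitimate domain change also produces, so only the `lookalike` and `idn-host` results are worth an explicit warning to the user.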
@Bagline 2 months ago
another justification for not using email on my phone except in an emergency. I always highlight the link to see the URL before clicking, on top of the server and thunderbird's own spam checker. and then PW manager is like "I have no memory of this place". This is also why I HATE that companies will use 500 domains. Is this microsoft? I have no idea. edit: OH, and you load a site and it's like "lol, here's 20 other services we use that you've never heard of before" so you can't implement a good domain whitelist without breaking EVERYTHING
@angellic6437 1 month ago
Veritasium did it!
@secretspy410 1 month ago
Different incident
@aussiescotsman4145 2 months ago
Timing is a huge part. The only phishing scam I had ever fallen for was for a toll network that I had gone through the day before and was going to pay it off that day.
@rmp5s 2 months ago
It happens, man. I've worked in IT security for almost a decade now and have seen some phishing emails where I'm just like, "damn...I probably woulda clicked that, too." Seen some REALLY good Apple imitations, but the best, by far, was a USPS "sorry we missed your delivery" one...not only did it look SPOT ON, they also sent it, no joke, to a shipping manager.
@darkphase7799 2 months ago
In Australia we have a lot of calls where they claim we owe a tax bill and that there is a warrant out for our arrest. The first time I had that call I nearly fell for it. But I did ask for their name, the place they work at, and how I can contact them back. They refused to give me a return phone number. That was what made me truly believe it was a scammer.
@TheItalianoAssassino 2 months ago
I didn't even know Luke had a channel of his own. 😂
@blackwing1362 2 months ago
A while ago my bank called me because I fell for a phishing scam, and I just wasn't skeptical at all. I definitely should have been, but thankfully it was real. They called me minutes after I actually fell for it, and then all they asked me was "was this you" and "do you want us to change your card". No identifying information at all. I said yes change my card and it was done.
@blackwing1362 2 months ago
For context, it was that standard USPS scam, but on that day I had just happened to have a delivery from USPS that was late by a good bit.
@da1g 2 months ago
missed opportunity to make the merch "got phished?"
@kroxfire 2 months ago
Strangely enough, I've been stuck in a similar situation. End of a 16-hour shift, was expecting an important parcel, picked up an unknown number and typed the OTP. Spent the better half of the next day with the bank
@Jmhawks 2 months ago
It's because of the hair
@EvanAintDead 1 month ago
No doubt 😂
@willking4512 2 months ago
Something I have been learning recently: Confusion means something isn't lining up with your mental model of the world. Yes that is the definition, but if you can recognize when you are confused, then you can start looking for what isn't lining up.
@Matrh88 2 months ago
It was mentioned that hovering the hyperlink would show it not going to an x domain, however nowadays it's common practice for all hyperlinks to go through a 3rd party cookie tracking service to measure engagement from emails. I don't think it's deliberate that many companies use it for their reset password emails too, but I have seen it plenty of times so hovering the hyperlink is not always applicable
@JamesR624 2 months ago
"I wanna go home..." Yeah.... "...and start filming this immediately." WHAT?
@CalgarGTX 2 months ago
The only time I got scammed in a MMO very long time ago was a day where I was doing 3 things in parallel. When you multitask things, your usual safety check and 'this is fishy' detector falls apart very quickly.
@techllama 2 months ago
Just pointing it out as it wasn't discussed in this video but I ALWAYS check the domain in the browser address bar before entering any sensitive information into a website, 100% of the time - it really doesn't take any extra time.
@Tall_Order 2 months ago
I only check my email once a day, and I dread doing it because of all the spam. No matter how many I mark as spam, it just keeps flooding in. And I've opened new email accounts, and never used them, yet they get spammed. So the email providing services must be sharing our email addresses with advertisers or something.
@the_undead 2 months ago
What is your email service that you use?
@filemot25 2 months ago
I use ProtonMail with SimpleLogin and don’t get any spam anymore - Also make a habit of unsubscribing from everything you aren’t interested in
@seabream 2 months ago
There are other potential explanations. You might have a compromised machine somewhere in the chain. Networking equipment, whether on or off premises can have vulnerabilities that are used to suck information into databases that can be used for various purposes, including spam, right from when you signed up for the address. You or your provider could have a computer with malware on it that the e-mail address passed through in the creation process. These could give the result you described without your e-mail provider selling your information to spammers.
@Tall_Order 2 months ago
@seabream Anything compromised would not be on my end. It would either be on the end of the email provider or the isp.
@TheViggokid2 ай бұрын
My mum got very close to being scammed by people claiming to be from HMRC (the tax people of the UK). I came home one day and found the door on the chain, her crying and terrified because they had threatened to come round to her house after she was finally told by her bank that it was a scam The deepest circle of hell is meant for these sorts of people...
@gigachadster2 ай бұрын
I love listening to tech from a guy that falls for basic phishing
@crisdebug8675 2 months ago
A good point that I've learned about computer security: it's like a machine's efficiency. It can never be 100%, you'll always need at least one hole, which is the legit one, the one where you get in. You can always have due diligence and you can have extra steps for your internet security, but remember it can never be airtight.
@trickvro 2 months ago
This really shows that NO ONE is completely immune to being taken in. Probably one of the worst things you can do for your own Internet security is to let yourself think you wouldn't fall for obvious tricks. (Not saying Linus was guilty of this, to be clear.) Atomic Shrimp has made videos in his scam-baiting series talking about exactly this. It's a constant cat-and-mouse game out there.
@JacobP81 2 months ago
It can be easy to be phished if the URL looks a lot like the real one.
@NicCrimson 9 days ago
I never click links in emails; I always go directly to the site.
@Apheleion 2 months ago
Sorry you got hacked, but happy about the team looking to jump from Twitter lol
@mari_023 2 months ago
I think the whale not actually being a fish (but rather a "fake fish") is extra funny in the context of phishing
@GeneralNickles 2 months ago
The whale on the "got phish" design should have a black fedora to represent "black hat" hackers.
@aaronmaynard42 2 months ago
If I had a nickel for every time an LTT account got hacked, I’d have two nickels. It’s not a lot but it’s weird that it happened twice.
@PeterswoLP 2 months ago
We actively send out phishing mails so that, in case something breaks through our security lines, our users are so used to checking the mails that they are trained to notice this kind of stuff. So important.
@invisiblekid99 2 months ago
It's so, so easy to say "oh I'll never fall for something like this". But there are two big things to consider. 1) Timing. As Linus said, this was such bad timing. Anyone can take their eye off the ball, and as mentioned being quick with something like this, if real, is critical. 2) Workload. How many people not falling for this have very little at stake being online? I mean I PROBABLY wouldn't fall for this, but I get boring emails, I'm not a busy person and don't have a business that could be affected by hacks. Linus is a very busy person and even on an off day, is business aware but with very little concentration applied to it. In a rush and not "in the office", who is seriously 100% confident they would spot New Password, New Password, instead of Confirm Password. Anything that isn't 100% means you can be hoodwinked. If I were to get a banking issue, that's different. I'm dropping everything and calling them direct.
@ehstaley 2 months ago
Dan's humor is the most underappreciated. I love his dry sense of humor!
@filippofanton8224 2 months ago
I want a hubleberry pie shirt with the text "It's ok, my mouth does that anyway"
@TTYLIG 2 months ago
It really does feel like LTT is just starting a new peak era if not THE peak era
@Konrad-z9w 2 months ago
My company did a test once sending a phishing mail to everyone. 25% clicked the link. Twenty-fucking-five percent.
@DonDuracell 2 months ago
We do this at work about every other month to 20% of our employees and those who click the link then need to do a half an hour security briefing. After now a year of full briefings last week was the first time we had empty seats in the seminar. 🎉
@antagonist99 2 months ago
In the Bundeswehr, the S2 would send an email from an obfuscated account to everybody, telling them they were chosen to win an Amazon gift card. You're not supposed to click the link, obviously. Still, there will always be people afterwards with an appointment with the unit's S2 because they *did*. Me, personally? I'd just forward the link to one of our S2 officers with whom I was pretty friendly, telling them I didn't click the link and if that qualified me for actually receiving their Amazon gift card. "You're not supposed to forward the mail, and no." Every year.
@anthonygillette 2 months ago
Twitter is a hellscape anyway
@Deja117 2 months ago
I usually check the sender of the email, that's the first most important thing to me, as usually it will be from an email tied to their domain. Additionally, I keep a few different emails for different accounts. There's the "important" ones, and the actually important ones. Then there's an email I sign up to random stuff with, scammers often spam that one, and it's funny reading things there.
@preston_s. 2 months ago
This is an informative case study. The only reason I knew about any of this before this video is that my employer takes phishing very seriously. Most people don't know what phishing is, how to identify it, or what to do about it.
@saskmuddinatv 2 months ago
I am genuinely surprised Linus fell for this. That's rule #1: never follow links through emails.
@miciso666 2 months ago
Also, nothing ever goes: insert old password here. Seriously? Why?
@JimNortonsAlcoholism 2 months ago
Or just look at the URL
@valenrn8657 2 months ago
Only the paranoid survive - Andy Grove, founder and former CEO of Intel.
@The_Cadaver 2 months ago
Twitter is an absolute dumpster fire. Just let it go.
@jtnachos16 2 months ago
I've managed to drill it into my elderly parents to NEVER click on a link or image in an email. If the email is legit, you will be able to access whatever it is trying to tell you to do, by going from the official website itself in a different tab without EVER clicking on the email.
@urbanlucky98 2 months ago
With calls I really don't know anymore these days. I live in an EU country and got a call a week ago from a 'police' officer, who was looking for me, he had my full name, my address, and he asked me if I had been in "SET" place. I was kinda spooked, so I called the national and local police department which both informed me that it was fake. But when I checked the employees who worked at the specific station he said to be from his badge ID, everything checked out. Also he did an interview once and his voice matched up. Either they were actually looking for someone and didn't wanna tell, or it was fake. But it was hard to verify and it's one of those things where it's like 'why would a fake cop call me to ask if I was in "SET" city??'.
@__mk_km__ 2 months ago
What's even funnier about the IP location is that you *can't* even access Twitter from Russia. So, if you see that in an email you can be sure it's a scam
@Capyman-cn9mf 2 months ago
I like how they list future steps ignoring the most crucial. Stop, breathe, think. If it is a breach, 5 extra minutes won't make a noticeable difference.
@bergerle 2 months ago
I feel you. I also like to think I'm above this, but I had a slip up once. I got a work email that sounded like it was actually related to an IT support ticket I opened the day before (total coincidence). The login page looked legit (even the URL, which was actually a real Sharepoint URL, I checked even that). A major red flag should have been that my password manager failed to get the right credentials automatically (because the login URL didn't match), but I thought it was just a hiccup. Luckily it wasn't a real phishing attack, but just a test by the company to see who would fall for it. And they did something quite clever: once you entered your real credentials, the system would use them to automatically sign you up for a cyber security awareness seminar.
@whitepawrolls 2 months ago
Note for the future. If you EVER get a link like that in an email, don't click it no matter how legit it seems. Instead, go right to the website. In this case you would have seen if the information was real or not in the message.
@XIIchiron78 2 months ago
10:01 I feel like the stupid name change is an underrated player here. Because, "well, I guess they could be using multiple random domains" is pretty valid when the website is LITERALLY JUST A LETTER and has changed multiple times
@PhoenixShep 2 months ago
One of the reasons why I prefer watching Waveform instead of the WAN Show is because even though they are similar I feel like they keep interrupting each other like 5 times a second
@joshcarlson9352 2 months ago
"just caught me at the wrong moment" sounds like something I might say to cover up my inebriation.
@The_Slavstralian 2 months ago
The major takeaway is: if it gets someone as tech savvy as Linus, it can get anyone. Please be vigilant, people. STOP, take a breath and slow everything down to double check the things going on. A few moments to clear your mind is not really going to cause too much issue.
@shutterbugsid1467 2 months ago
I literally felt like Linus was acting like Homelander "I am BETTER!"😂
@Maurus200 2 months ago
There is a reason why I never click on links in emails I do not expect to get. If I do get an unexpected email I always go to the source website or phone app to make any necessary changes rather than using the email.
@toastermon2272 2 months ago
Acting fast is definitely important, a month ago my Sony Account was hacked and while I only have it for HD2 and didn't care much, they took maybe 3 minutes to completely take over my account and make a purchase. After finally finding a support phone number, the support was actually very quick to reverse everything and get my account back. Sony can still f themselves for a variety of reasons but at least that experience didn't leave a bad taste.
@cobusbekker4664 2 months ago
The problem comes with being preoccupied with something and not paying 100% attention, and that's what they are hoping for. You want to rectify the problem as soon as possible to minimise the damage while busy with something else.
@dakota.zimmerman 2 months ago
The only surefire way to avoid this is just take up the practice of never clicking links no matter how legit it looks. If you get any email like that, just ignore that and go directly to the real website you know of and try to log in and/or reset your password there. If it requires doing it in an email, trigger the reset email yourself and wait for that new one to come in. Emails are never a place to click links unless you were expecting that email from someone you know or it's a 2 factor or reset thing you KNOW you triggered. It's just not worth taking that risk. I wish companies would default to not including links like that and just send the email to tell people to go to the website to reset their password, it would be more inconvenient but would have a huge impact on account security if people were required to manually trigger the reset themselves. Edit: Really though, very glad how transparent Linus and the whole LTT team is about stuff like this. Great teachable moment for everyone and the humble pie is great. I typed up the above early and Linus did eventually briefly mention navigating to the website manually to reset passwords, I wish he would talk more about that so more people can hear about it. The part describing how to tell if something is real is great but I'd just recommend these days to always assume it's fake right from the beginning.
@MaverickBlue42 2 months ago
Uh, where's the link to guy's video about it? You said it would be below...