Easy Prey

It's easy to think scams only work when someone misses something obvious. In reality, most of them don't look obvious at the start. They show up as normal situations with just enough friction to notice, but not enough to stop. That small gap is where people tend to move forward instead of stepping back.
My guest today is Tali Sharot, a cognitive neuroscientist who studies how we form beliefs and make decisions. She's known for her research on the neural basis of human optimism, and her work has been published in leading journals. In her books, The Optimism Bias and The Science of Optimism, she explains why we expect things to work out and how that tendency can quietly expose us to risk.
We discuss what's happening in those in-between moments, why a situation can feel slightly off and still seem reasonable enough to continue, and how past experience lowers our guard without us noticing. We also look at that brief internal hesitation people tend to override, and why it's often the most useful signal they have. By the time something clearly crosses the line, the decision has usually already been made.
Show Notes:
[01:14] Tali explains her background as a cognitive neuroscientist and how her work blends psychology, brain science, and behavior.
[01:48] Her interest in the field began with a simple question about how the brain drives thoughts, emotions, and actions.
[03:00] She shares a personal story about renting out her apartment that turned into a scam.
[04:30] Early warning signs show up right away, including unusual requests and meeting conditions.
[05:30] Despite noticing those signals, she moves forward and hands over the keys.
[08:43] Looking back, she explains how she rationalized each red flag instead of acting on it.
[10:02] That uneasy gut feeling is often based on real information your brain is processing quickly.
[11:40] Repeated positive experiences can lower your guard and make risky situations feel familiar.
[12:30] The "truth bias" leads people to assume others are being honest unless something clearly proves otherwise.
[14:00] There's often a gap between what you feel in the moment and how you explain it afterward.
[17:45] The emotional impact of being scammed can linger long after the financial loss is resolved.
[20:47] The brain constantly predicts what should happen next and reacts when something doesn't fit.
[21:30] Subtle cues like timing, tone, and facial expression can signal deception without you realizing it.
[24:58] Repetition makes scammers more convincing by smoothing out inconsistencies in their story.
[26:18] Online communication removes many of the signals people rely on to judge trustworthiness.
[27:59] Setting simple personal rules can help you avoid engaging with common scam tactics.
[31:00] People are more vulnerable when they want something to be true, especially in relationships or opportunities.
[34:30] Even basic checks, like verifying an email address, can stop many scams early.
[36:43] A lot of scams succeed because people don't pause long enough to look closely.
[38:19] Familiar situations lead to less attention over time, making it easier to miss important details.
s on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 
Links and Resources:
Podcast Web Page
Facebook Page
whatismyipaddress.com
Easy Prey on Instagram
Easy Prey on Twitter
Easy Prey on LinkedIn
Easy Prey on YouTube
Easy Prey on Pinterest
Tali Sharot - Affective Brain Lab
Tali Sharot - MIT
Tali Sharot - The Optimism Bias
The Optimism Bias
The Science of Optimism
Books by Tali Sharot

Most scams leave a digital trail. A fake email, a spoofed number, a fraudulent website. You can trace them, report them, sometimes even reverse them. But what happens when the scam has no digital trail at all, because it isn't happening on a screen? What happens when the con is standing right in front of you, making you laugh, meeting your friends, and planning a future with you?
 My guest today is Tracy Hall. She's an author, keynote speaker, and senior marketing executive with over 25 years at some of the world's most recognizable tech companies including eBay, Virgin, GoDaddy, and Afterpay. She is sharp, successful, and by every measure, exactly the kind of person you'd assume would see it coming. She didn't. And neither would you.
 In 2017, Tracy woke up to a Crime Stoppers video of an unidentified man being arrested outside a Sydney apartment. That man was her boyfriend of 18 months. Except he wasn't who she thought he was. The man she knew as Max Tevita a Bondi surfer, a finance executive, the person she was building a life with was actually Hamish McLaren, Australia's most infamous conman, a man who had been running long game cons for thirty years across multiple countries, stealing somewhere between eighty and a hundred million dollars from victims around the world.
 Tracy was his last victim before his arrest. He had stolen her entire life savings of $317,000 and far more than that. This is a story about what happens when the scam isn't a phishing email. It's a relationship. And it will change the way you think about trust, manipulation, and what any of us are actually capable of missing.
Show Notes:
[1:03] With 25 years as a senior marketing executive behind her, Tracy shares how a year after separating from her husband she began online dating, where she met a man calling himself Max Tevita.
[3:25] Presenting himself as a Bondi surfer and chief investment officer, Max spent 18 months slowly and methodically guiding Tracy to invest her entire life savings with him.
[5:55] A crime stoppers video changed everything. The man Tracy knew as her boyfriend was actually Hamish McLaren, a professional conman who had been defrauding victims globally for 30 years and stealing an estimated $80 to $100 million.
[7:36] A masterful shapeshifter, McLaren adjusted his persona in real time based on Tracy's reactions, including quietly getting rid of his five cars after she called him out on it.
[9:54] Tracy breaks down the psychological mechanics of the con, including similarity bias, mirroring, and how McLaren constructed a character she was essentially telling him she wanted.
[11:05] Through elaborate "movie sets and scenes," McLaren built layers of authority and confirmation bias over 18 months, making investing her life savings with him feel completely logical.
[14:21] Some moments only made sense in hindsight, including a childhood friend accidentally calling McLaren by his nickname "Ham Bone" and his instant, convincing cover story on the spot.
[18:22] Humans default to truth, and Tracy explains how that biological wiring makes us uniquely vulnerable to manipulation, especially around emotionally charged stories.
[19:29] Every victim got their own version of McLaren barrister, triathlete, business strategist as Tracy describes meeting others who had each been conned by an entirely different character.
[22:53] Learning to trust other people wasn't the hard part. Tracy reflects on why rebuilding faith in her own judgment was far more difficult, and how shame dominated the aftermath.
[25:21] Through professional help and a conscious daily decision not to let McLaren turn her into a cynical person, Tracy describes how she slowly rebuilt both her finances and her sense of self.
[27:05] Understanding the psychology behind scams, cognitive biases, invisible contracts of trust, emotional exploitation is the best defense we have, and Tracy breaks down exactly how it works.
[31:33] The medium may be different, but the tactics aren't — Tracy draws striking parallels between her in-person experience and digital romance baiting scams, showing how the emotional manipulation is nearly identical.
[34:00] There is no demographic, age group, or intelligence level that is immune. Tracy makes the case that scammers hunt for vulnerability, and at the right moment, we are all soft targets.
[36:12] By subtly discouraging Tracy from socializing with friends, McLaren was limiting outside scrutiny and Tracy explains why getting a new partner in front of your personal network as quickly as possible is one of the most important protective steps you can take.
[40:24] No digital footprint is a major red flag. Tracy outlines key warning signs to watch for and recommends reverse image searches as a basic but powerful verification step when meeting someone new.
[42:08] Every single time Tracy speaks publicly, someone approaches her afterwards with a story they have never told anyone a reminder that silence is exactly what these criminals depend on to keep operating.
[43:45] Now fully dedicated to education and awareness, Tracy introduces her memoir The Last Victim and explains how she has channeled her experience into a mission to help others recognize and recover from fraud.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 
Links and Resources:
Podcast Web Page
Facebook Page
whatismyipaddress.com
Easy Prey on Instagram
Easy Prey on Twitter
Easy Prey on LinkedIn
Easy Prey on YouTube
Easy Prey on Pinterest
Tracy Hall
The Last Victim
Who the Hell is Hamish? Podcast
King Con: The Life and Crimes of Hamish McLaren

Every day, employees at hotels, restaurants, and resorts across the country are doing exactly what they were hired to do: being warm, responsive, and eager to help. It's what makes hospitality work. It's also what makes hospitality one of the most targeted industries in cybersecurity. When your entire workforce is trained to say yes, teaching them to be suspicious is an uphill battle. The smarter solution might be to take the target off their backs entirely.
Jasson Casey is the co-founder and CEO of Beyond Identity, a company built around one idea: making identity-based attacks impossible. With over 20 years of experience designing large-scale security infrastructure for global enterprises and carriers, Jasson has spent his career thinking about what happens when stolen credentials open doors they never should have. Beyond Identity's answer isn't better passwords or more authentication hoops, it's eliminating the credential that can be stolen in the first place.
Josh Johansen is the Director of IT Systems and Technology at Brandt Hospitality Group, an owner, operator, and developer of hotels under brands including Marriott, Hilton, Hyatt, and IHG. Josh came up through hotel operations, not a computer science program, and that background shapes how he thinks about security practically, from the floor up. He knows his workforce isn't looking to become cybersecurity experts. His job is to build systems that protect them anyway.
We talk about why the hospitality industry is such a rich target for phishing attacks, and what happened when one of Josh's general managers nearly paid a fraudulent invoice because she couldn't log in without a password she no longer had. Jasson breaks down how device-bound passkeys work, why most consumer passkeys aren't nearly as secure as people think, and what separates a real security system from one that just looks like one. Josh shares the lessons learned from rolling out this technology across a multi-brand hotel portfolio including what he'd do differently and what it means for an industry still wrestling with shared logins, high turnover, and workers using four different brand systems before lunch.
Show Notes:
[3:05] A cyber insurance mandate pushes Brandt Hospitality Group to find an MFA solution, and complaints about authentication fatigue make the obvious options the Brandt partners are already using feel like the wrong fit.
[4:03] After months of evaluating vendors and completing a full proof of concept, the leading candidate drops smaller accounts without warning, sending Josh back to square one and into a same-day demo with Beyond Identity.
[5:09] Beyond Identity moves fast, puts together a rapid proof of concept, and earns the business. Josh describes meeting Jasson in person for the first time at BeyondCon shortly after signing on.
[5:45] Hospitality is uniquely vulnerable to phishing attacks, and the industry's culture of helpfulness connects directly to the behaviors bad actors are counting on.
[6:49] A general manager calls convinced she needs her password to pay an overdue vendor invoice. When she can't get a login prompt, the situation is recognized immediately as a phishing attempt she nearly fell for.
[7:33] Reflecting on that moment, someone sharp and experienced nearly became a victim, and removing the password from the equation entirely turns out to be the real breakthrough.
[9:05] The conversation turns to the limitations of cyber awareness training, and why even well-intentioned employees with heavy workloads cannot be expected to function as a reliable last line of defense.
[11:13] Jasson describes how Beyond Identity works, using the analogy of a monkey in a jail cell to explain how a signing key stored in a secure hardware enclave can authenticate a user without ever leaving the device.
[12:06] The concept of stealable credentials expands beyond passwords to include API tokens, session cookies, SSH keys, and anything else that can be copied and lifted from a system.
[17:33] The discussion shifts to agentic identity and AI-driven workflows, with customers on opposite ends of the spectrum — some where agents make up the majority of their workforce, others who paused rollouts after discovering how easily prompt injections could expose sensitive data.
[19:17] The biggest mistake organizations make going into a passkey rollout is diving in without a clear understanding of how their identity environment is actually configured and what that means when things don't behave as expected.
[20:35] A lesson from their own deployment — initially limiting passkeys to senior staff and leaving line-level employees on passwords — makes clear that partial coverage leaves meaningful gaps.
[22:58] Most organizations under active phishing load will experience an incident during a mid-deployment window, and that moment often becomes the event that accelerates full adoption.
[24:33] The shared workstation challenge in hospitality comes into focus, along with how the device-bound passkey differs from the consumer versions employees may already be familiar with through Google or Facebook.
[29:14] Jasson draws a clear line between consumer passkeys optimized for conversion and enterprise passkeys built for security, explaining how sync fabric trades credential protection for convenience in ways that matter in a corporate environment.
[31:07] One enrolled device can cryptographically authorize the enrollment of another, allowing organizations to scale without moving keys or introducing new vulnerabilities.
[33:33] The passkey model changes accountability inside a hotel operation — device-bound credentials and role-based access make it significantly harder for well-meaning managers to share login access with staff informally.
[36:55] As the conversation wraps, a simple test is offered for evaluating any passkey system: if the passkey can move, it is not a security product.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 
Links and Resources:
Podcast Web Page
Facebook Page
whatismyipaddress.com
Easy Prey on Instagram
Easy Prey on Twitter
Easy Prey on LinkedIn
Easy Prey on YouTube
Easy Prey on Pinterest
Jasson Casey - LinkedIn
Jasson Casey - National Security Institute
Beyond Identity
Joshua Johansen - LinkedIn
Brandt Hospitality Group

Most security breaches don't begin with sophisticated code or elaborate technical exploits. They begin with a phone call, a convincing email, or someone at a help desk who just wanted to be helpful. The human layer is often the weakest link, and the criminals who understand that are the ones causing the most damage.
My guest today is May Chen-Contino. She's the CEO of Unit 221B, a threat disruption company that delivers actionable intelligence to enterprises, law enforcement, and government agencies. Her background spans cybersecurity, fintech, and SaaS leadership at companies like PayPal and eBay, and she brings a distinctly mission-driven lens to the work, shaped equally by a career in business and a background as a Krav Maga instructor.
Unit 221B operates less like a typical security vendor and more like a specialized investigative unit, with a team that includes tenured ransomware experts, incident responders, and former law enforcement, all focused on one outcome: criminal arrest. May has seen firsthand how ransomware gangs operate with their own codes of conduct, how a younger generation of cybercriminals is throwing those rules out entirely, and why paying a ransom is increasingly a bet that doesn't pay off.
We talk about why social engineering has overtaken technical hacking as the dominant attack vector, what organizations and individuals should never do in the aftermath of a breach, and how crimes against children online often go unreported for the worst possible reasons. May also shares a story from her own experience being scammed on eBay, and what she did about it, which tells you everything you need to know about how she approaches this work.
Show Notes:
[1:28] May shares her background and how she came to lead Unit 221B, a threat disruption company serving enterprises, law enforcement, and government.
[1:41] May traces her path into cybersecurity, explaining how a lifelong sense of justice and a friendship built through Krav Maga training led her to a team of investigators doing real criminal work.
[5:55] May recounts being scammed while selling luxury shoes on eBay, describing how a fraudulent PayPal email convinced her the sale had failed after she had already shipped the item.
[8:22] Rather than accepting the loss, May engaged the scammer directly, intercepted her own shipment through FedEx, and used a photoshopped payment screenshot to flip the situation on him.
[11:36] The story ends with May recovering her shoes, followed by a candid note that this approach carries real risk and is not something she would recommend to others.
[12:57] May outlines Unit 221B's core work, including criminal investigations, threat intelligence, pen testing, and incident response, all oriented toward federal prosecution and criminal arrest.
[16:52] The evolving threat landscape, contrasting professional ransomware organizations that tend to honor agreements with a younger generation of cybercriminals who operate without limits.
[18:44] May describes this younger criminal group in detail, noting members are predominantly 14 to 26 years old, English-speaking, and motivated as much by social status as financial gain.
[21:49] May explains why wiping systems and restoring backups after a breach is one of the most damaging mistakes an organization can make, eliminating evidence and removing any path to prosecution.
[23:04] She walks through Unit 221B's incident response process, covering digital forensics, insider threat identification, and determining who is behind an attack before advising on next steps.
[26:32] May addresses the ransom payment question directly, recommending against paying as a default while acknowledging that knowing your adversary is essential to making the right call.
[28:04] The discussion covers the legal and PR dimensions of a breach, including notification obligations and why some organizations choose to go public about what happened.
[31:08] May pushes back on the perception that law enforcement doesn't help, explaining that federal agencies are understaffed and must prioritize cases, but are genuinely committed to the work.
[34:08] The issue of victims deleting evidence before reporting, and how frequently this forecloses any possibility of investigation or prosecution.
[34:55] The conversation turns to crimes targeting children, including sextortion, and why open dialogue between parents and kids is critical to getting victims to come forward before lasting harm is done.
[37:18] May reflects on a keynote she gave at Harvard's Bold Conference for young women, describing the tension between advice to build an online presence and the real safety risks that come with it.
[38:51] May shares practical security guidance for young people online, including being mindful of what appears in video backgrounds, using strong passwords, and enabling two-factor authentication.
[40:35] May identifies AI-assisted attacks and social engineering as the two most significant forces reshaping the threat landscape, with technology now available to both attackers and defenders equally.
[43:45] May describes Unit 221B's invite-only intelligence platform, which brings together top investigators, law enforcement, and private sector experts to collaborate and move cases forward.
[45:10]Listeners can find Unit 221B at unit221b.com and on LinkedIn, and anyone facing a threat or needing guidance can reach out.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 
Links and Resources:
Podcast Web Page
Facebook Page
whatismyipaddress.com
Easy Prey on Instagram
Easy Prey on Twitter
Easy Prey on LinkedIn
Easy Prey on YouTube
Easy Prey on Pinterest
May Chen-Contino - LinkedIn
Unit 221B - LinkedIn
Unit 221B

Phone scams get dismissed as background noise or just annoying interruptions and unknown numbers with robotic voices we learn to ignore. But behind that noise is an industry built on psychology, automation, and staggering profitability. My guest today is Alex Quilici. He's an engineer, entrepreneur, and the CEO of YouMail, a company focused on protecting consumers and businesses from unwanted and fraudulent calls.
Alex has spent years analyzing how robocalls and scam campaigns are designed, how they evolve, and why they continue to work despite better technology and increased awareness. What began as a voicemail platform shifted into fraud prevention after users unintentionally revealed a powerful truth that even small friction can disrupt scam operations. He shares how his own father got pulled into a tech support scam which cemented his mission to move beyond blocking calls and toward tracing and stopping scams closer to their source.
We talk about how scam calls are engineered, the tactics that trigger panic and urgency, and how criminals use data breaches, AI tools, and impersonation to sound convincing. We also explore what's changing, including fewer random calls, more targeted attacks, rising text and messaging scams, and the difficult balance between stopping fraud and allowing legitimate calls through. Alex shares practical ways consumers and businesses can reduce risk, along with a candid look at why this problem is so persistent and where it's likely heading next.
Show Notes:
[2:23] Alex explains how YouMail shifted from a voicemail company into fraud prevention after noticing users using an out-of-service message to deter robocallers.
[3:25] Discussion turns to robocall volume, with Alex estimating billions of calls per day and roughly five billion robocalls per month.
[4:10] About half of all robocalls are unwanted, while the rest include legitimate reminders from doctors, hospitals, and financial institutions.
[5:05] Alex notes that legitimate telemarketing still exists but is now heavily overshadowed by sketchy and scam-driven campaigns.
[6:40] Scam calls have declined in raw volume, yet attackers are becoming more targeted and efficient.
[7:15] Scammers increasingly pivot to texts, email, and messaging platforms where third-party blocking is harder.
[9:27] Alex describes limited progress shutting down shady telemarketers but better success against large-scale illegal robocall operations.
[11:05] Sense of urgency emerges as the dominant tactic, often involving fake charges, legal threats, or financial panic triggers.
[13:10] Modern scams combine spoofed caller ID with breached personal data to create highly convincing impersonations.
[16:27] Scammers are compared to extremely motivated marketers who rapidly adopt AI and optimization techniques.
[17:30] The economics are startling, with scam campaigns generating enormous profits at extremely low cost per call.
[18:44] Alex advises letting unexpected calls go to voicemail and returning calls through verified, official channels.
[20:50] Panic-based bank account scams are highlighted as particularly dangerous because fear overrides logic.
[23:19] Businesses are identified as vulnerable targets, especially through employees' personal mobile phones.
[31:52] Enforcement efforts are increasing, and Alex predicts stronger regulatory pressure over the coming year.
[35:54] Impersonation scams tied to toll roads, DMVs, crypto, and romance schemes are flagged as growing threats.
[38:19] A simple defensive principle is reinforced: pause, disengage, and verify independently before taking action.
[41:44] Alex outlines YouMail's call-screening approach, adding friction that blocks automated scam systems while allowing real callers through.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 
Links and Resources:
Podcast Web Page
Facebook Page
whatismyipaddress.com
Easy Prey on Instagram
Easy Prey on Twitter
Easy Prey on LinkedIn
Easy Prey on YouTube
Easy Prey on Pinterest
YouMail
Alex Quilici - LinkedIn