
Money Donuts® Episode 8: Don't Get Hooked By Phishing Attempts


Royal’s security guru Jody makes a repeat guest appearance to take on the topic of phishing! Phishing, the practice of sending scam messages that pretend to be from a reputable company in order to trick people into revealing their personal information, continues to become more popular with hackers. In this episode, you’ll hear an expert’s take on the latest phishing trends and learn tips to avoid becoming a phishing victim.

Steve:
All right. So welcome back to another episode of Money Donuts. Like always I am joined by Cooper and James. Besides those two, besides my other sprinkles, I should say, we have a returning guest, our first returning guest. I think she should feel proud with this because her first episode was such a hit that the next week Cooper came to me and said, "We have to get Jody back on because she's just too good." She might become the fourth sprinkle. I don't know. We're in talks right now. We'll see how it goes. Jody, thanks. Thanks for joining us again.

Jody:
Talk to my agent, right? No, I'm happy to be back. It's exciting to be a repeat guest.

Steve:
James, we skipped this last episode. Let's start talking about the donut. What donut have we picked for this episode?

James:
All right. So the donut of this episode happens to be a donut that is often found in the box and you think it's something else, then you choose it and it turns out it's something different. And it is a flavor that not everyone likes. It is a lemon-

Steve:
Blueberry.

James:
... donut. No, it's a lemon donut.

Steve:
Oh yeah.

James:
You don't like... Blueberries are awesome. All right. So the lemon donut is in the box, it has white frosting. It looks like a regular vanilla donut. Then you pick it up and if you're not paying attention closely, it turns out to be a lemon donut. And you didn't expect that, maybe you don't even like lemons. So, that ties in with the theme.

Cooper:
I don't like lemon donuts, but I think if we added blueberry donuts to lemon donuts, that'd be a good donut.

Steve:
Blueberry and lemons. So you're saying our donut of the day is something that at first sight might look like something, but it might not taste exactly what you were thinking. And that's kind of why we brought Jody on the episode to talk about phishing. So Jody, let's just get into it. What is phishing?

Jody:
So phishing really is a category of social engineering, but it's typically an email or a text message by someone who is pretending, posing to be the blueberry donut, but in actuality is the lemon donut. So they're posing to be a legitimate business or legitimate person. And their whole objective is to lure people into providing sensitive data, like login username, password, or member account details, or other personal information that can be used to access accounts or basically impersonate you or steal your identity and do some sort of fraudulent activity.

James:
For our listeners who are looking for information about phishing, it's important to note that it's not fishing with an F, it's fishing with a PH. So if you're doing a web search for fishing emails, right, like fishing, that's what you do with a rod and reel, right? Like what?

Jody:
If you go to your... We got a whole bunch of people who came to hear about fishing with an F and actually had to learn about fishing with a PH. So we apologize. So social engineering is really just gaining the trust of another person so that I can obtain information about you. Maybe it's your name and your address and your phone number. Maybe it's your social security number. Maybe it's your login information for your bank account. Basically what I'm going to do, as a person, I'm going to use our relationship to try to gain access to your data or your systems or your private information, and I'm going to use that in a sort of a malicious way. So common scams include the email phishing, which we're going to talk about primarily today, but it can also include phone calls. If you ever get those calls saying, "I'm the social security administration," they don't actually call you, those people are doing phone phishing, but you can also get text messages that are parts of social engineering in addition to those emails.

Steve:
I want to trust people and believe people. What are some things that I should just keep in mind when I get some of those emails that maybe I want to believe?

Jody:
Phishing emails tend to follow a formula. They're going to follow maybe a high profile event. So things like the election or the coronavirus or a specific holiday or even a natural disaster. So there'll be some trigger event that can follow sort of this email storm. And they'll pretend to be common services, Amazon, PayPal, Netflix, financial institutions, and the whole idea behind there is that they're going to try to create an artificial sense of urgency. So maybe there's a warning about your account that is going to be terminated unless you act now, or maybe there's some it's too good to be true, sort of offer. Hey, click here and get a free smartphone or click here to gain access to some premium account to watch streaming videos. So they typically will have that timer, right? Do it right now because this will expire soon. Inside the body of the email, there'll be a link to a fake website or a plea.

Jody:
In some cases, we'll see financial fraud come from internal corporate messaging like Stephen or Cooper, do you really think it would be appropriate if the CEO or the organization were to email you directly and ask you to do a wire transfer right now? And so they're going to ask you to do something. And the idea behind that is to take over your computer maybe after you click on a link that installed some virus or malicious code, or maybe it starts a ransomware attack that encrypts your system, or it's asking you to log in, and it's really not the login page for your financial institution, it's capturing your credentials.

Jody:
So typically what you want to look for is that series of requests that are going to cause you to overreact, to not think it through. Like, hey, wait a minute, they're not going to email me. They would call me. Or if my grandson was in a financial situation where he needed immediate money, he would not send me an email. Right? It's that quick reaction response is what they're trying to leverage, right? By gaining your trust and then leveraging it in a way that bypasses your natural questioning and response.

Cooper:
So like when our CEO, Brandon emails me and says, Cooper, I need you to do a wire transfer I shouldn't be like, "Oh my God, okay, Brandon. So sorry," because he's the CEO. I should be like, "That's weird. Why would he ask me that?" Like, that's what I should do?

Jody:
Or, "Hey, Cooper, I need you to go buy me five, $500 gift cards for some place"

Cooper:
That happened to me.

Jody:
That's like totally, totally my job. That's exactly what I would be doing for XYZ person, that the request is really weird. Right? If you get a weird request or you get, "Hey, click here because your shipment's delayed" or, "Click here so your Netflix account doesn't get suspended." So they're using these services or recognizable terms, it's FedEx, it's UPS, because so many people have those accounts that they won't stop and think before they click on it, because they're like, "Hey, I want to be able to watch my favorite show on series on whatever, Disney Plus or something." So they're using that familiarity and the trust that you have with that relationship with that vendor to get you to go someplace that's really not that vendor site.

Cooper:
I got one of those today. I got it, it says UPS. No, I lied, it says USPS. Okay? Which, it's funny I'm trying to show it to you because it says in transit now, your USPS package of two items is out for delivery, real time tracking here. And you can click on it. But I actually had two packages out for delivery today, but like, I know this isn't legit. So that's why it's so tricky, because I really wanted to be like, "Oh, that's weird. They already got delivered." Don't click on them.

Jody:
It's out of synchronization with when you expect it. Like, well, those two packages I just ordered today. And if they're coming USPS, I'm not expected to receive those until next week. And so that's why it's really-

Cooper:
Shall I click the link.

Jody:
... really slippery.

Cooper:
Like if I click the link, it's not going to be bad right away, right? Should I click it and see where it goes?

Jody:
Well, it depends on the device that you've clicked the link on.

Cooper:
It's an iPhone. Am I safe if I click it on my iPhone?

Jody:
Well, I mean, you can. The thing about clicking links, sometimes when you click that link, it can execute code and a lot of that.

Cooper:
Oh. So I didn't actually win the Amazon iPad Pro that it told me I won.

Jody:
But it could come back and say, enter your Amazon login information, and it might not be the Amazon site itself. It may be the URL, the address field on that website may be... they're playing tricks, right? They're substituting letters. They're tweaking it just enough that if you don't look at it very closely, it sort of looks like the Amazon website, right? So you try to log in, and if you have a credit card saved in there, someone could order a bunch of things and have it shipped somewhere else and then you get to pay for that. Not great.

Cooper:
Okay. But I only have three minutes and 34 seconds left to answer the questions in the survey. So are we saying I shouldn't. Because it looks like Amazon.

Jody:
Right? Right. And that's that false sense of urgency. Right? Hurry up and do this thing so you can win. A lot of the ones I'm getting now are, win an iPhone 12, right? Click here, click here. Same exact method that you're describing. So you probably shouldn't answer those questions and maybe just close that browser. Because you're not going to win anyway.

Cooper:
I see, but the comments look really legitimate because one says, oh, "I didn't win anything," and someone else said, "I thought it was a joke, but my iPad pro arrived this morning." Are we still sure it's not real?

James:
It's so cagey. It's ridiculous.

Jody:
There's a whole nother topic on the how to falsify product reviews in shopping sites, right?

James:
Yeah. That's for sure.

Cooper:
I would like to add that I would like to stop being the one to click those sketchy links or try and delete their phone app. I don't know why I'm always taking one for the team, but you two could step up.

Steve:
The type of phishing that always gets me is it's not so much like take action and you'll win something or, it's more of the if you don't take action something bad has already happened. I get ones from PayPal all the time, that are fake PayPal, I should say.

Jody:
Exactly.

Steve:
They always get me to look just for a second. I'm like, "What, did my PayPal get hacked?" And then I'm like, "Wait a minute you phishers, you got me this time." Well, not really got me because I... But it's about taking that second and taking a breath and being like, "Okay, what am I seeing that's kind of weird here?"

Jody:
Right. They're playing on things that are important to you. I was just reading an article yesterday about a photographer where basically his online gallery is his Instagram account. They were very targeted in sending him a phishing email that says your Instagram account has been locked for inappropriate use of someone else's intellectual property. Right? Somebody else's photograph. And it was an emotional reaction that this person had when they read that, because one, it played on their internal ethics like, oh, I would never do that. Two, it plays on what their exposure is to the market. It hinted upon damaging their reputation. And so they really can trigger that gut wrenching moment where you're like, oh no, I need to go fix this right now because this is going to affect me personally and professionally. And so even though this individual understood the phishing tactics, they went to that email and clicked on the link and it presented them a webpage that looked very much like the Instagram login screen.

Jody:
And they're like log in to resolve this issue. So they type in their username and password and they hit the button and it comes back and says invalid username or... And we are programmed to think, oh, well, I probably just mistyped my name or my password. And the malicious individuals are very wise, they send you to the correct Instagram page where you can then log in successfully so that capturing of their credentials, which then can lead to them actually taking over this individual's Instagram account. So they were able to perpetrate the fraud and do the damage with that individual's help, where if they would've just ignored that email and deleted it, it wouldn't have happened. So it's that gut wrenching feeling and that emotional reaction is exactly what these emails are designed to create.

James:
I was just going to say, that sounds like sort of the top tip for avoiding a phishing email, is just to wait, slow down and think before you act, right? Because I mean, email isn't that time-sensitive in real life, right? Like you wouldn't expect to have to take action. What if you were at work during that time or something? So.

Cooper:
We learned in our money mindfulness lesson to stop, take a breath and just think for a minute, right? Diana would be proud right now you guys. She would be.

Jody:
Right. And that is one of the best tactics to counterbalance this sort of emotional plea or this call to action plea is to just take a breath, slow down. If in doubt, don't click on the link inside the message, navigate to that site through a different mechanism, look up their real phone number through a secondary source and reach out and make that connection that way to validate that this is truly coming from the source that they're claiming it to be. So can you think of some other ways that you might detect how a phishing email might be a phishing email and not a real email? This is the quiz, the pop quiz.

James:
Ooh. Pop quiz.

Cooper:
Oh, it's the URL, is it right? Or it's from-

Steve:
Or the email.

Jody:
So yeah, exactly. Both of those. The sender, you can see who it came from, is that really their address or is it have some interesting, extra extensions between the dots or some strange substitutions for letters and numbers, right, or using a zero instead of an O. As you mentioned, Cooper, if Brandon was going to email you, would he really be emailing you from a Gmail account, or would it be an rcu.org email address? And then you said the URL. So that address of the website, is it really Facebook or PayPal, or is it something that's sort of approximately similar? Can you think of another one?

Cooper:
Spelling. I'm not good at that one. I'm a bad speller. So that's not how I figure out if things are fake, but some people are smarter than me.

Steve:
Certain businesses have a certain type of lingo or we refer to certain things. And so for us here at Royal, I know like there's a couple of keywords if it's in the email, it's probably not from a team member.

Jody:
Yeah. Language could be a great indicator. Is it too formal or too casual for the relationship that you have? Right? I would expect that if I'm interacting with the vendor, for them to not be super casual with me, right? I don't have a personal relationship with the people who work at Amazon or PayPal. So I would expect that language should be a little bit more formal, present. Same thing goes, if it's an email, sometimes they'll look like they're coming from a friend request from Facebook or a friend request through some other social media channel. It's like, is that person really going to email me with that type of language or that style of grammar? I think, Cooper, you were talking a little bit about spelling errors. Certainly, grammatical errors and spelling errors can be a great tip off.

Jody:
Businesses hire technical writers and graphic artists and folks like yourself who are very well versed in the art of communication. They're probably not going to send an email off that isn't grammatically correct and doesn't have appropriate spelling and language use, or if it looks a little fuzzy because they've clipped the image from someplace else and tried to reuse it or resize it. So those can be indicators of suspicion and you should pay attention to those because... There's one more that I like to have people think of first. And I mentioned it earlier and it's that if it sounds too good to be true, it probably is. Right? You probably didn't win the car or the phone or the iPad or the free vacation. So instantly be suspicious of those sort of offers because more than likely that's the bait they're dangling in front of you from a phishing situation.

Cooper:
It's like that commercial where he's like, "Hey. Hey, got you a dollar." It's like, "Hey. Hey, I want your information. Can I have it? I've got a dollar." Get it?

Steve:
I think that commercial is about fishing.

Jody:
It is. It is.

Cooper:
No it's not. Isn't it about insurance?

Jody:
Well, oh yeah. Maybe. All I could see is the guy with the stick with the dollar on the end.

Steve:
Yeah.

Cooper:
Yeah. And his like yellow rain suit. I'm pretty sure it's about paying too much for insurance. It's for sure not educational. I mean, that's technically educational, but not like this type of educational.

Steve:
Has there been a whole new wave of people over thinking that they've been getting phishing emails? And so people constantly are not getting emails returned because... And can I use that as an excuse next time I forget to return somebody's email?

Jody:
Yeah. Can I be too cautious?

Steve:
Yes.

Jody:
Email is a great tool, but I don't think it's our only tool. And I think I personally find that if I send someone an email and I don't hear back, I'm going to use a different method of communication, because it can be unreliable. Even here, we have opportunities for people to report emails as potential phishing. We have the luxury of somebody looking at them, which is me, and trying to determine... giving them a deep scrutiny and saying, is this phishing or not? And coming back and say, "Oh, hey Steven, you reported this as a phishing email. This is actually a real email. So you should pay attention to it." But most people don't have that luxury in their personal life. And I think that's the challenge.

Jody:
And if it's really a critical communication, there's going to be other ways that those organizations are reaching out to me. Email's not the only way. Right? If it's my doctor or my auto mechanic, they'll call, right? Or send me a letter. So I think, understand that emails, even if we misidentify a real email as a phishing email, the outcome is a lot less severe than if you do the opposite and you click on a phishing email and now somebody has access to your financial accounts or your credit card or your email account. And then they can begin to harvest additional information.

Cooper:
Is mail the original phishing email? Is that how people did it before technology? Also Gmail, I want to tell you this, Gmail has a cool feature where it tells you if people aren't people or email addresses that you've communicated with before. And you're kind of probably like, duh, but this happened to me. So one of my other jobs, I use a Gmail email for like my work email. Right? And I got an email from the owner of our company. And so it was one of those like, "Hey, Cooper, pick me up $500 worth of gift cards." I knew our CFO would never allow that. So I was like, "Dale, I'm not going to buy you gift cards. Okay?"

Cooper:
But after I emailed it back one time, because it was he had originally was like, "Hey, I have something I need you to do." Okay? It totally sounded like him. He would just send me a really vague request like that. And so then finally, I had emailed it and it emailed me back and it flagged it and it was like, hey, you haven't ever corresponded with this person. And then I knew that it was fake. So, Gmail is cool.

Jody:
Much like everything else, there're many tools that different email vendors can... you can use to help identify the phishing emails. Gmail is good because it has some of those features, the outlook.com has some of those features, a lot of the email services if you're using their native connection through the browser, they offer a lot of additional tips and tricks to help you sort through that. But all those aren't the same and all accounts aren't equally well tuned. Those systems learn, and so some of the bad email has to get through before it realizes that this is potentially a phishing attack, right? So maybe the first three or four messages will come through and then the other 30 will get caught. And so it's not... there's no magic bullet, unfortunately. But I've seen a lot of phishing emails, and most of them, there's a hint. The hints and the tips fall into the categories that we talked about.

Jody:
And there's so much phishing that there's actually some really good sources out on the internet if you like to read webpages. And there're many sites that talk about the social engineering red flags around email phishing. The Federal Trade Commission has a very good site that talks about how to detect phishing, gives examples and just recaps some of these detection techniques. And there's also a website called phishing.org. And it has a lot of helpful hints in, again, identifying those how to detect and protect yourself against social engineering overall, and certainly specific to phishing. And with all these tools people will ask, "Well, why do those malicious individuals continue to use phishing?" Well, they continue to use it because it continues to work. It continues to work in sort of spectacular fashion, in many cases. A lot of the big notable data breaches and notable malware insertion and random ransomware insertions are a direct result of email phishing. It is the single most effective attack.

Cooper:
Do you want to know a fun fact?

Jody:
I do.

Cooper:
So naturally I went to phishing.org. And the first time that the term phishing was used and recorded was on January 2nd of 1996. Isn't that crazy that this has been around that long?

Steve:
Jody, in your experience, have you seen phishing change from when you started to where it's at now? It seems like it's getting more intense.

Jody:
Used to be that the people behind the phishing were individuals and maybe lower levels of sophistication, the tools weren't quite as good. Much like everything else in the computing space, the tools have gotten better. The availability of graphic design software and the ability to replicate logos and websites has exploded, right? Anybody can stand up a website and make it look beautiful and make it look like the real company's website. So the tools have definitely improved behind the scenes, and the people behind the scenes have gotten much more technically capable. Instead of individuals we're seeing groups, organized crime groups, nation states. There's a lot of money behind phishing because there's a lot of money to be made through identity theft or financial fraud. As we get better, so do the attackers. And I also have really noticed that they're very quick to jump on the latest trend, right? In the last year or so the COVID-19 and pretending to be World Health Organization or the CDC or various state agencies, because people are hungry for information around those situations, and so they're more likely to click.

Cooper:
So there's a good reason for the use of the PH in place of the F in the spelling of the term. Some of the earliest hackers were known as phreaks. So phreaking refers to the exploitation, experimenting and study of telecommunication systems. Phreaks, phreakers and hackers have always been closely linked. The PH spelling was used to link phishing scams with these underground communities.

Jody:
Right. So before there was email phishing, people were taking advantage of the phone system, the old wired phone system and doing phone phreaking where they'd be dialing numbers to try to social engineer people over the telephone. And that still exists, but it's less prevalent than the email phishing today.

James:
Seems like that'd be a lot harder today, because you need people or you need a... At least today you can usually still tell if it's a robot that you're talking to. Not always, but.

Jody:
And your cell phone's smart enough to know that it potentially is a telemarketer or scam call, so.

Cooper:
I always tell people during financial education sessions that you can never really be too safe. So if your financial calls you just be like, "Hey, I'm actually going to call you back," and find their real number, call them back. That way you just for sure know that you're talking to the right person. And I think we mentioned that, but it's important for people to know.

Jody:
That's a great point, I think. When you think about how do you protect yourself, going directly to the known source, either through a website or a phone call and not using any information that comes in that email is one of the best and most effective ways to identify if that's legitimate or not. I think we also talked about just slowing down, right? The act now requests and the whole sense of urgency are really designed to make you forget about the protective steps that we've talked about.

James:
I was just going to say, it's like you have to be an elderly Sherlock Holmes, right? You have to be kind of a slow moving detective, like-

Jody:
The turtle. The turtle. The turtle detective, right? And also understanding how people are going to communicate with you, right? Is your social media, shopping, financial institution, they all explain how they will contact you, what information they will send in an email and what information they won't send in an email. And then there's always the plug for multi-factor authentication. We talked about that in the previous podcast for multi-factor authentication with your username and password. And if you have a username and password and a third authentication method, and you get presented with a website that doesn't ask for that third authentication method, that's also a clue that maybe that's not really the site that you're on. And it can also protect you if they do get your credentials, they don't have that extra piece. So MFA is one of those things that applies in most situations and it can apply to defense against phishing as well.

Steve:
My two-part question is, if you do happen to go down the phishing hole, you click on that link, what kind of actions can you take to help protect yourself? And then number two, not... I mean, I wish everybody would listen to this podcast, but there might be a few people who are listening to it. What can people do to help their parents, their grandparents, their kids, anybody with this information?

Jody:
So if you click on a link that turns out to be the incorrect or... One, having antivirus software and those types of protections on your computing environment can protect against the download of those credentials. So download of that software in your environment. Two, if you have a computer, if it's a Windows computer, not having your machine that you're using have administrative permissions, and this is we're getting technical, right? You use your Windows computer, you're probably the administrator because that's how Windows comes default out of the box. But there is a way to say, I don't want to be the administrator. I want that to be a separate account. And why that's important is because if you're administrator, you can do anything and everything to that account, including accidentally installing things you don't want, where if you are just a regular user of that computer, it will ask you to elevate to an administrator in order to install that potentially malicious software.

Jody:
So if your default operating mode is of lower privilege, it's harder for the code to get installed accidentally because you're going to get that pop-up or prompt that says we need to be administrator and give us another credential. That's the one biggest weakness, I think with the default configuration that comes with any Windows computer. If you have a Mac computer, that's the default configuration. You're not automatically an administrator. You have to give it that second password in order for something to install. So just changing the way your account works inside your computer can be a big protective measure. Having that antivirus software can add an extra layer of protection. Not just randomly entering your username and password into a website that is connected to a link that you get in an email, so that navigation. So if you do that and you do enter your username and password, at that point, you should go to the real site and change it, right?

Jody:
So don't give that collector process on the backside enough time to use that username and password that you so nicely provided to them. Like, go change it, right? Go change your credential, make sure you have that information recorded too. Like, go look at your, if it's your bank, go look and make sure that there's no fraudulent transactions. Your second question was, how do we help people help themselves detect and protect against phishing? And I think it's those same takeaways, right? Understand what the tactics are. Talk about it, right? If we raise awareness like we're doing today, then people have more knowledge and are in a much better position to defend against those types of attacks, right? You play better defense when you know what the offense is doing.

Cooper:
Hey, Jody, I have a question kind of stemming from all of that. So I know for a fact that we have a high school business teacher who listens to our podcasts from Boyceville, Wisconsin, she teaches that high school age kids who are getting their first job, they might have a checking account, can make purchases online. What are like maybe three top tips that she could tell her class to help keep them safe at that age?

Jody:
Three tips. I'm a big believer in leveraging secondary authentication factors. If it's Google Authenticator or [Asbestex 00:33:13] or whatever your favorite multi-factor authentication option is, when it's available, turn it on. That's going to help you protect those accounts. Even if you were to get a phishing attack, trying to capture the credentials, that makes it very, very difficult to take over that account. Two, just the stop and think, right? Slow down enough to know that these attacks are going on. They're trying to prey on our emotional reaction or our sense of sympathy, or we want to win a prize, right? Slow down and think it through.

Jody:
And three, really understand how all these things that we're interacting with are going to communicate with us. We all clicked through that disclaimer, right? They're like read this five pages of stuff and then say okay. But every retailer, social media, financial institution, they have somewhere in their website where they're going to talk about how they will communicate with you and when they will communicate with you, and just having a high level of understanding of that will help you determine if they're actually going to send that email out that says, hurry up and contact us now or your PayPal account will get suspended. Maybe not. I think if you do those three things, it's going to create a lot of obstacles for you to become a victim of a phishing attack.

Cooper:
What about email attachments? Say I get a fake email from James because he wants to send me a really cute picture of his dog, that I don't think he has. Do you have a dog? I don't think you have a dog.

James:
No.

Cooper:
No, I didn't... Steve has dogs and children. You just have children. Okay. Beside the point. But so James wants to send me a fun picture of his non-existent dog. And so there's an attachment in the email that says, "Hey, look, click here." What happens when I click those attachments? Are they different than links? Is it essentially the same thing? I probably shouldn't.

Jody:
No, that's a great question. Attachments can act much like links. They're a way for code to become an executable in your environment. I think it's been in the news over the past several years, how both Microsoft Word documents can have embedded macros in them that can do things behind the scenes, PDF documents can also have code embedded in it that can execute on your computer. So attachments are, if you're not expecting an attachment from someone, think about it, understand what it is. If you do get that attachment that you weren't expecting and if there are other indicators that the source might be questionable, you may be better off to just not interact with it, and use a separate communication channel to reach out to James and say, "Did you send me a picture of your dog?" Send him a text message.

James:
I'll say-

Jody:
"Did you send me an email with a picture of your dog?" And he's like, "I don't have a dog." And then you know that you did the right thing by deleting it. So again, it's that stop and think through the evidence that's presented and determine if this is legitimate or not. So there's kind of a theme, right? Trust but verify, or don't trust and verify; avoid sense-of-urgency requests; and know who you're interacting with.

Cooper:
We don't like feelings. Your emails shouldn't make you feel things. That's how you know it's fake.

Steve:
All the emails I write, I hope people feel something when they read it, though.

Cooper:
Oh, I made you feel something today. I offended you.

Steve:
Cooper said that she hates oatmeal raisin cookies.

Cooper:
I did not.

Steve:
She specifically went after oatmeal raisin cookies, after she talked about how much she loves lemon donuts.

Cooper:
Okay. So we have enough people here to take a poll. True or false. Is it not incredibly disappointing if you think you're going to get a really delicious chocolate chip cookie, and then you pull out a raisin cookie?

Steve:
You should be looking at your cookies before eating.

Cooper:
Whatever.

Jody:
Because an oatmeal raisin cookie really doesn't resemble a chocolate chip cookie that closely. And that's why you should slow down, right? Slow down and know your source to make sure that you really understand the clues that are... It's like the grammatical errors in the email.

Steve:
I know. I was going to say, this is why James is always sending my emails to phishing.

Jody:
Even though you say this is not a phishing email, people don't believe you.

Steve:
Well, you would think that would be like the number one thing that phishing emails would say is this is not a phishing email.

Jody:
Your bonus is ready to be claimed. That's the current, like the most recent phishing email that I've received.

Cooper:
I've clicked that link.

James:
But you know what you can click? If you're listening to this podcast, you can click a rating.

Cooper:
No, you don't click. Well, kind of.

James:
You can just tap it.

Cooper:
Stop. Stop stealing my spotlight. This is my thing. Maybe if you do it though, people will actually subscribe, rate and review. So like James said, if you can click that really great subscribe button, it gives you notifications when we release new episodes, and I'm still at only 19 reviews. I like the five stars, but only 19 reviews on Apple Podcasts. So if you could give us another rating, that'd be really cool. Please, I'm begging you.

Steve:
I do this to help people. Cooper does it all for the reviews. All right. Jody, thanks for joining us. Cooper and James, it's always a pleasure.

Cooper:
All right, gang. Bye, Jody.

James:
Thank you, Jody.

Jody:
Cheers.