May 18, 2017

#97 What Kind Of Idiot Gets Phished?

by Reply All


This week, Phia wonders what kind of person falls for phishing attacks. Is it only insanely gullible luddites, or can smart, tech savvy people get phished, too? To find out, she conducts an experiment on her poor, unsuspecting coworkers.

Further Info

Follow Daniel Boteanu on Twitter 

Transcript

PHIA BENNIN: From Gimlet, this is Reply All. I’m Phia Bennin.

So, for the last couple of weeks, I’ve been wondering nonstop about the same question. The question is about this kind of hack…phishing.

I’ve always had the impression that phishing is something I shouldn’t worry about, because nobody really falls for it. And even here at work, in March, we were trying to figure out how Alex Blumberg’s Uber account got hacked. And when Alex Goldman even suggested the possibility that he might’ve gotten phished, Blumberg got genuinely annoyed.

ALEX GOLDMAN: Do you know what phishing is?

ALEX BLUMBERG: Yes.

ALEX GOLDMAN: Did that happen?

ALEX BLUMBERG: No.

ALEX GOLDMAN: (laughing) You seem so mad!

ALEX BLUMBERG: I- I- I- I can’t imagine giving my password to someone who wrote to me over email.

PHIA: Blumberg felt about it the way I did. Phishing is for dummies. But then a month later, news came out that the President of France, his campaign got phished, like some of his staffers ended up handing over their personal passwords. And actually, I started to notice that a lot of the hacks that I’m reading about recently, they start with phishing—John Podesta, that was phishing, the Sony hack by North Korea—that was phishing.

And, it got me wondering...what kind of person gets phished? Is it just insanely gullible people? Or could it happen to the smartest people I know—people like Alex Blumberg?

[MUSIC]

PHIA: So, I called up this guy I know, he's a computer hacking expert, and I asked him, like, how hard would it be to rig up a test to phish Alex. He said, “That’d be no problem.”

And I thought, “Huh! In that case, like, maybe we should try it on everyone at Reply All.” He said, “Sure!”

So, he sent every member of the Reply All team some kind of phishing test. And a couple days later, I asked Alex Goldman, PJ Vogt, and Alex Blumberg to meet me in the studio.

[Studio audio plays]

And they had no idea what it was about.

PHIA: Ok...so, you know how I have been pretty obsessed with, like, how...we could get hacked?

ALEX BLUMBERG: Yeah.

PHIA: And I spent a few weeks just looking into a bunch of different theories of what--how somebody could hack into a computer, into a Gmail account, and one of the theories that came up that we didn’t really spend any time on is phishing?

PJ VOGT: Yeah, because when it came up s--people got offended. Like--

ALEX BLUMBERG: I was offended. I associated phishing with like a clumsy attempt to get you to reveal your password that I feel like I wouldn’t fall for.

PHIA: Well, so after you got offended, I got really curious, and I ended up talking with this one guy, he’s a digital forensics investigator?

PJ: Daniel Boteanu?

PHIA: Daniel Boteanu.

PJ: I remember him.

PHIA: Now good friend of the show.

PJ: Yeah.

ALEX GOLDMAN: Real charmer.

PHIA: Total charmer. So…don’t be mad at me.

PJ: Uh-huh.

PHIA: But I asked Daniel if he would try a phishing test on the staff of Reply All and on Alex Blumberg.

ALEX BLUMBERG: Alright.

ALEX GOLDMAN: Oh damn! (laughing) Ohhhhhhh…oh! That is so devious! I’m so mad at you, if I clicked on it!

PHIA: (laughs) Um, so. Oh, I’ll just add one detail, which is before I did any of this I went to President of Gimlet Media, Matt Lieber, and said, “Is it okay--

PJ/ALEX BLUMBERG/ALEX GOLDMAN: (laugh)

PHIA: --if I ask this man to do this thing?”

PJ: And he said yes?

PHIA: Uh. Matt Lieber said “Yes.” He pointed out that without permission someone could be phishing us also.

PJ: Huh. Usually I go to Matt for my “nos” and Alex for my “yeses.” (laughing) I’m surprised you got a “yes” out of Matt.

ALEX GOLDMAN: The suspense is killing me.

PHIA: I gotta say, Matt Lieber actually said, during the whole Uber thing, that he suspected that Alex had been tricked by a phishing campaign.

PJ: Oh, so this was a little personal for him.

PHIA: Yeah, he was like--

ALEX GOLDMAN: Yeah. He has a very low estimation of you apparently.

PHIA: He was like--

ALEX BLUMBERG: Yeah.

PJ: Not every relationship has to be a PJ and Alex relationship.

ALEX GOLDMAN: (laughs)

PHIA: Well, so, okay. So, Daniel started his test on a Monday morning, and by 6 PM, the same day, he had control of somebody’s email.

PJ: Alex is--Alex Blumberg is slowly opening his laptop (laughing).

PHIA: Well, so, ok, so—before we started, I had no idea how Daniel was going to be able to do this, but watching him work…just opened my eyes to all these different things phishing was capable of.

And the first thing that I saw is that Daniel can impersonate anybody. And he said actually, for this test, to test like my co-workers, he was gonna impersonate me.

ALEX BLUMBERG: Oh.

PHIA: So, to start with, let me tell you what happened to our Executive Producer Tim. Because Tim was editing this piece, he was the one person on staff who knew that this phishing test was going to be going on. And, he didn’t know what was going to happen, but it just made him incredibly paranoid. So, for the last week and a half, he's been sending me Slack messages like almost every day being like, "I was just phished! You just attempted to phish me!"

PJ: (laughs)

PHIA: “I'm catching you!”

PJ: He's phishing himself.

PHIA: Yeah. So, Monday morning, Tim slacked me and was like, "What's the audio you're emailing me about?" And, I have no clue what he's talking about. But, I see him in the kitchen, so I grab my phone, hit record, and meet him there. At which point, it's clear he just realized what's going on.

TIM HOWARD: What did?

PHIA: What, what what, what? I just sent you audio.

TIM: Ahhh. Yeah.

PHIA: Should we go into the stairwell?

TIM: Yes.

PHIA: Ok.

TIM: Uh, yeah. So Phia, you don’t know about the email that you just sent me?

PHIA: (laughs) No.

TIM: So I just got an email.

PHIA: Uh-huh.

TIM: That was--it had a--it has an audio file. It was sent to me, Alex, and Sruthi. So I click on it. And it says, “Gmail, you know, one password to rule them all, whatever.” And it asked me for my password.

PHIA: Mhm.

TIM: So I said, “Fuck this!” And I wrote back, “Can you slack me the audio?”

PHIA: Uh-huh.

TIM: Because I don’t want to--I’m already signed into Gmail!

PHIA: Yeah.

TIM: So--

PHIA: So you--so you switched--

TIM: --I could tell that it was a phishing attempt for some smart asshole who’s actually emailing me.

PHIA: Uh-huh.

[Stairwell sounds]

TIM: What’s messed up about it that like, somebody on the other end--

PHIA: Uh-huh.

TIM: --is emailing me right now pretending to be you.

PHIA: Yeah.

TIM: And it sure fucking looks like you.

PHIA: Really?

PHIA: He shows me the email and it's crazy because it completely looks like it's coming from me. Like, it looks like it's coming from phia@gimletmedia.com. But, obviously I didn't send it.

TIM: Yeah, look at--there it is.

PHIA: “Hey guys.”

PHIA: Ahhh! Phia gimlet at R nedia. That’s so funny! R + N looks like an m! Okay, now I really want to fuck with this person.

PHIA: (laughs)

PHIA: Let me explain how this works. Daniel had bought a domain. He bought the domain gimletrnedia.com, and he was sending the emails from there. But, gimletrnedia looks exactly like gimletmedia.

PJ: Woah!

ALEX BLUMBERG: Damn.

PHIA: And after all of that, Tim and I were walking back to our desks and he was like, “So what’s the audio you were trying to send me?”

PJ/ALEX GOLDMAN/ALEX BLUMBERG: (laughing)

PJ: He’s like a mouse trying to get a cheese out of a trap.

PHIA: Ok. So, here's the second thing I learned: You don't even need to fall for the scam for Daniel to learn a ton about you.

PJ: Ok.

PHIA: So, for instance, PJ, you received this email that looked like an invoice coming from a consultant, and when you clicked on the link in the invoice, it took you to a page that looked like a Google login page and asked for your username and password.

PJ: Yeah.

PHIA: You didn’t put anything in. But, over in Toronto, the hacker, Daniel, he was still watching you interact with the fake page. Here’s Daniel:

DANIEL BOTEANU: My records show that he clicked on it from an iPhone.

PHIA: Uh-huh.

DANIEL: Uh, probably saw that it was something suspicious, clicked on it a second time from an iPhone. And then, I have records showing that the same link is opened two more times from Mac computers, but two different computers. So, I'm guessing PJ saw that something was going on and he started digging a bit deeper and--and trying to find out what happened or wh--what’s happening with this email.

PHIA: Yeah.

DANIEL: And, I’m suspecting that after PJ maybe sent an email internally saying, “Hey guys! This is what I got. Just be careful. Don’t click on this--on this email.”

PJ: Wow! He could tell that? It’s so funny. It’s like knocking on the door of somebody’s house.

PHIA: Mhm.

PJ: Like even if they don’t answer, like, a light turned on, and it turned off.

PHIA: Right.

PJ: Like he can figure stuff out.

PHIA: Right. Yeah!

PJ: Like, I opened it--I opened the email, thought it was real--

PHIA: Mhm.

PJ: And then, like, I figured out what it was.

PHIA: Mhm.

PJ: And I was really curious. Like, I was like, “Oh, I wonder if I can learn anything.” So I was like, trying to like, examine the package to figure out what was going on. And the moment that I was like, definitively realized it was fake was that in the signature of the email there’s a phone number.

PHIA: Mhm.

PJ: And I googled the phone number and the phone number didn’t go to like, the made up company that they were doing.

PHIA: Oh!

PJ: And I posted in Gimlet slack saying “Hey everybody, watch out. Someone’s trying to--it seems like somebody is targeting Gimlet in particular.”

PHIA: Right, and the reason Daniel had thought you had done that is because he had sent the same email to a bunch of members of the team, and after you looked at it for the fourth time, nobody else clicked on it. And, that’s okay for Daniel because he can try like, all different methods of phishing the team, and he can try it a bunch of different times, so since you’re sounding alarm bells, he probably won’t include you in the next phishing attempt.

PHIA: So Alex, what--what did you get?

ALEX GOLDMAN: I have no idea!

PHIA: (laughing)

ALEX GOLDMAN: I’m--I am on tenterhooks. I do not recall this at all!

PJ: So you didn’t figure out that anything was going on (laughing)!

PHIA: So you got an email that was just like Tim's, but I was in the room when you got it. And you turned to me and you were like, "What is this?! Why do I have to listen to this?!"

ALEX GOLDMAN: Did I open it?

PHIA: You did not open it. Congratulations.

ALEX GOLDMAN: That is definitely not because I was smart enough to recognize it was a phishing scam.

PJ: I feel like if you had not been in the room, this would have worked.

PHIA: I know. And--and Daniel said the same thing. He was like, "If I was trying this phishing attempt in earnest, I would've tried to impersonate somebody who I thought wasn't gonna be in the office that day."

PJ: Right.

PHIA: Ok. So, now for the third thing I learned, which is my favorite thing I learned. Even when you try to protect yourself, like when you set up two-step verification, you're still not safe. So, this happened towards the end of the day. At this point, nobody on the Reply All team had fallen for it.

DANIEL: I was a bit disappointed at first when I saw that aw, it didn’t work. Maybe we--we did this, all of the emails came at the same time. We should have changed some things. But then, we got the big tuna.

PHIA: So, the big tuna. I think we all know who that is.

ALEX BLUMBERG: So, I--it worked on me but I want to claim--

PJ/ALEX GOLDMAN: (laughing)

PJ: Just skipping over (laughing)...

ALEX GOLDMAN: Yeah. Way to--way to brush right past that.

ALEX BLUMBERG: So I went--so I got the email. And I was like--

PJ: What did yours say?

ALEX BLUMBERG: Mine says… uh… hold on. Mine says--

ALEX GOLDMAN: Who’s it from? Is it from--

ALEX BLUMBERG: It’s from Phia. And it says--it says: “Uber update. Hey Alex, I was wondering if there’s--if we’re giving away too much of your personal information in the Uber update tape with Troy. Will you listen and let me know what you think. Not kosher. Question mark.”

PJ: Nice!

ALEX BLUMBERG: And so--and so it was just--and then there was just like this little thing, there’s a little, you know, Uber update. And it’s coming from Phia at what I now realize is gimletrnedia.com

PJ: (laughs)

ALEX BLUMBERG: Uh...which is really amazing, like you don't--you don't notice the--I know that that's what it is and it still looks like gimletmedia. It's crazy. So then--but--so I didn't open it, cause I was like I don't have time. Again. I might've--it might've worked anyway. And then I was like, up on the third floor, you were in--in a meeting with...

PHIA: Sruthi.

ALEX BLUMBERG: Sruthi. And I was--and I saw you guys and I went over, and I like motioned if I could come in. You were in one of those glass--

PHIA: Mhm.

ALEX BLUMBERG: --conference rooms. And I was like, "Hey, I got your email! What's that about?" And then you looked so confused and--and like, mad, that I thought you were like having--

PHIA: (gasps)

ALEX BLUMBERG: And I was like, "Oh, I'm just being an asshole. I just bumbled into their meeting like I'm the CEO."

PJ: (laughing)

ALEX BLUMBERG: I was like, "Don't worry. Don't worry. I'll listen." And so then I left. And then I was--I had this whole narrative where I was like, "Was that--would I have done that--is this like abuse of power?"

PHIA: Aw...

PJ: Aw!

ALEX BLUMBERG: And I was like, "No, I wave people in sometimes too! It's ok!" So, there was all this guilt that was like, sort of driving me to like complete the task of listening to this audio. And so then I went down there and--and then I clicked on it to listen to it. And then...and then it's like it--it impersonates a Google Drive.

So then you have to go and like put in your password and stuff like that. Which I did. Because I was like, "I gotta help--I gotta listen to the thing for Phia." But if, I don't--I don't know--yeah.

PHIA: You not only put in your password, you put in your--your two-factor authentication code.

ALEX BLUMBERG: Yeah! Yeah.

PJ: Whoa…

ALEX BLUMBERG: Yeah, yeah, yeah.

PHIA: So...so--

ALEX BLUMBERG: Which would--yeah.

PHIA: Daniel would fully be able to get into your email account.

ALEX BLUMBERG: Yeah, so how does that work? So what did he do? He--he was like--what--what--what was I putting my actual two-factor authentication code into?

PHIA: What you put it into is his own little page that then forwarded it--

ALEX BLUMBERG: That’s on his computer.

PHIA: Yeah. So, that's on a server. And, when you put in your username and your password on his page, he just immediately forwarded that to a real Gmail login. And from there, because he put in your username and password, a two-factor code was texted to you.

And, when you then put that again into his fake page, he immediately put that into the real Gmail login page and he was completely into your Gmail. And the server he was using was actually based in New York, so if you check where you’ve recently signed into Gmail, it will show a New York-based location, which is what Daniel says, they would really do if it was a targeted phishing attempt.

ALEX GOLDMAN: That’s hella sophisticated.

ALEX BLUMBERG: Right. That’s really imp--interesting. I do feel like if I hadn’t…you--you basically said you sent the email.

PHIA: I--no!

ALEX BLUMBERG: You did, though.

PHIA: You came in and I said, “I don’t know.”

ALEX BLUMBERG: You said “I don’t know,” but you were like…

PHIA: And you said, “I didn’t look at it, you don’t really remember. I’ll go back and check.”

ALEX BLUMBERG: Right. Cause I was like, trying to help you out. And get back to you in time.

PJ/ALEX GOLDMAN/ALEX BLUMBERG: (laughing)

PHIA: I--I know you--(laughing) thank you.

ALEX BLUMBERG: After--after rudely interrupting your chat with Sruthi.

PHIA: Thank you.

PJ: (laughs)

PHIA: Sorry.

ALEX BLUMBERG: I don't know. Yeah. No, I mean it feels like obviously, like, yes, if you--if you have like your entire company conspiring to phish you, yes. They can trick you into clicking on something. I don't think that proves anything. If they know--if they know every little bit of context around your life, you can be tricked.

ALEX GOLDMAN: I think you are being a little too cavalier about this.

ALEX BLUMBERG: You can be tricked.

PHIA: Do you feel any differently about how offensive of an idea it was that you might’ve gotten phished?

ALEX BLUMBERG: Yeah. Uh, no, I mean, yes, I do. But, I’m--I feel like, this will--unfairly, you know, sort of solidify a narrative about me that I'm not--that I'm not happy about.

PJ: (laughs)

ALEX BLUMBERG: I f--(laughing) if you hadn't said the thing about how Matt that it was like--that I was phished--

PJ: (laughing)

ALEX BLUMBERG: Then I'd be responding to this whole conversation very differently. But yes, for the purposes of everybody out there, you--you too can be phished.

PHIA: Yeah.

[MUSIC]

ALEX BLUMBERG: Um. Ok.

PHIA: We've kept you more time than we should.

ALEX BLUMBERG: Alright. I gotta go. Bye!

PHIA: Alright. Bye!

PJ: Thanks, Alex.

ALEX GOLDMAN: Bye!

PHIA: I left that studio feeling like my experiment had totally failed. I’d convinced myself that phishing was real, and pervasive, but I hadn’t convinced Alex at all. All I’d done is like, made him feel suckerpunched. So, I decided the only reasonable thing I could do now was to expand the experiment. The results of that, after the break.

[BREAK]

PHIA: (clears throat) Ok.

ALEX BLUMBERG: Seriously, why are you all here?

PHIA: Does eh--everybody have a microphone in front of them?

ALEX BLUMBERG: Uh--I do.

ALEX GOLDMAN: Yup.

PHIA: Ok. So… the last time, uh, we were all in a room together.

ALEX BLUMBERG: Yes.

PHIA: We…uh, talked about this phishing test that I had--

ALEX BLUMBERG: Yeah.

PHIA: --instigated.

ALEX GOLDMAN: Surreptitiously performed.

ALEX BLUMBERG: Yeah, which I got--I got really salty about. Which I'm embarrassed about now.

PHIA: You are?

ALEX BLUMBERG: Yeah.

PHIA: Cause--

ALEX BLUMBERG: I think I overreacted.

PHIA: I--I felt like--I left that room feeling so guilty and just like, bad about it.

ALEX BLUMBERG: No…it was just--it was--no, it wasn't you. It was me.

PHIA: Well...

PJ: But you did--you--you--underneath the saltiness you were making an argument, which was that...you felt like--cause what we were trying to say--or what, like--

ALEX BLUMBERG: I thought I was gonna filt--fit into a false narrative about me.

PJ: And--and rather than it being about whether phishing worked, it was about--you felt like it was saying that you, Alex Blumberg, are like a--a bumbling--

ALEX BLUMBERG: A bumbling Mr. Magoo--

PJ: Like if everyone else is like yes on this--

ALEX BLUMBERG: --on the internet.

PJ: --you're like a no somehow.

ALEX BLUMBERG: Yes. Exactly.

PHIA: Right. Well, it--it seemed like, you agreed on an intellectual level that like, yes, anybody is capable of getting phished, but…on an emotional level, like, this didn't really demonstrate that.

ALEX BLUMBERG: Right. Wait, are you telling me that I've been phished again? (laughing) Is this all about---?

PHIA: (laughs)

ALEX BLUMBERG: (laughing) God!

PHIA: No, no, no, no! No! No.

ALEX BLUMBERG: You brought me here to murder me!

PHIA: No.

PHIA/PJ: (laughs)

ALEX BLUMBERG: To murder my--to murder my ego!

PHIA: No! It was just, after we talked in the studio the other day, we were, as a team, like trying to figure out like, how--how could we do something that like actually, at like, an emotional and an intellectual level felt like people get phished and, uh, without it feeling like a murky test.

ALEX BLUMBERG: Uh-huh.

PHIA: So, like--and--and proof that like it's not just Magoos that get phished, like smart people get phished too.

ALEX BLUMBERG: Ok.

PJ: (laughs)

ALEX BLUMBERG: (laughs)

PHIA: And, um--and so it was like, is there somebody that Alex thinks is really smart that we could try the phishing test on, and then it would feel--and we could do it like very purely, and then like, that would sort of make--make you feel better.

ALEX BLUMBERG: Help me feel better by helping somebody else feel bad (laughs).

PJ: There's like--

PHIA: Yeah, I've learned no lessons.

PJ: Tell more lies. To more people. Yes.

PHIA: Right.

ALEX BLUMBERG: I'm down.

PHIA: So it was like, should we--should we try to phish like Ira Glass, your--your old boss.

ALEX BLUMBERG: Yes.

PHIA: Or maybe your old colleague, David Kestenbaum, or your brother-in-law, who's like super, super smart. But we couldn’t actually get permission to phish Ira or David, and it turns out that your brother-in-law doesn’t really use Gmail, which we needed for this phishing test.

So…then we were like, maybe we've been thinking about this all wrong. We do know somebody that Alex thinks is smart. And like, and that person also is maybe the source of part of why this feels so bad for Alex. So...you look so confused right now!

ALEX BLUMBERG: Wait, did you guys phish Matt Lieber?

PHIA: So…I thought it might be interesting…

PJ: (laughs)

PHIA: Um. So--so yes. So, we thought, “What if we tried it on Matt Lieber?”

ALEX BLUMBERG: Yeah.

PHIA: But this time I wanted it to be very pure, so I was like, “Daniel, do not tell me like--like, I'm not going to be informed about anything that you're trying to do. Don't help me cook this up with you--”

ALEX BLUMBERG: Right.

PHIA: “Just try to phish Matt Lieber.”

ALEX BLUMBERG: Got it.

PHIA: So...

ALEX BLUMBERG: Very exciting.

PHIA: (laughs)

ALEX BLUMBERG: So when was this?

PHIA: So this was Monday.

ALEX BLUMBERG: Ok.

PHIA: So Monday--

ALEX BLUMBERG: And it's now Friday.

PHIA: And it's now Friday.

ALEX BLUMBERG: Ok.

PHIA: So on Monday, Daniel sent Matt the phishing test, and literally forty-one seconds later, Matt had fallen for it… he was phished.

ALEX BLUMBERG: Wow.

PHIA: So, obviously I wanted to tell him what happened. And I grabbed him, brought him into the studio.

PHIA: I think this is the first time I’ve been in a studio with you.

MATT LIEBER: I know!

PHIA: But before I could tell him that he’d been phished, I had to tell him that you’d been phished, and as soon as I told him that, he actually just started, like crowing about it.

MATT: He--he fell for it?

PHIA: Yeah!

MATT: No. He fell--he got phished?

PHIA: Yes.

MATT: Amazing. So you--he--you--ok. So you successfully, um, phished Alex. Your boss.

PHIA: Yes.

MATT: Ok. Wow.

PHIA: Yeah.

MATT: Oof!

PHIA: So, when we started this whole project, did you think that Alex--like, did you think that he was likely to fall for it?

MATT: (breathes out) Yes.

PHIA: Why?

MATT: Um, uh, how do I say this without being like, "Oh, he's a totally credulous dolt." He's in general--he's a v--you know, he's a very emp--he's a...he always assumes the best in people.

PHIA: Mhm.

MATT: And he's generally like a very empathetic person, that's one of his superpowers. And so, I don't think he's like looking out for people who are trying to screw him.

PHIA: Uh-huh.

MATT: I'm the more, like skeptical person--

PHIA: Mhm.

MATT: --when it comes to other people’s motives.

PHIA: Yeah. Ok.

MATT: But I just want--I don't wanna come off like I'm being a jerk about Alex.

Because Al--obviously Alex is like a great journalist. He's--which requires him to be skeptical.

PHIA: Uh-huh.

MATT: And the truth is, the fact that he was phished, tells you that this could happen to anyone who is targeted.

PHIA: Right. So I think the same thing you think. I think like, everybody needs to be like crazy paranoid all the time. And it is possible to phish anybody if you're targeting it. But, Alex felt like it was like not a clean test and therefore he, like, doesn't feel like--

MATT: I'm now--

PHIA: --anything's been proven.

MATT: I'm now of course terrified that you're gonna be like, "We also phished you! And we did so successfully." Did you?

PHIA: Well, have you received anything weird from anyone?

MATT: I don't know.

PHIA: Like, anything like today, maybe...?

MATT: (inhales) Oh my god. Did you phish me?

PHIA: (long pause, then laughs)

MATT: (laughs) Oh my god, now this is like we’re in a David Mamet movie.

PHIA: I feel so...I'm...this is like the worst experiment I've ever done. Um. So, earlier today…

MATT: Wait. Yeah.

PHIA: You got an email from Alex Goldman?

MATT: Uh-huh.

PHIA: At--

MATT: Oh my god! Fucking Goldman! That was weird. Because of the way the file was attached.

PHIA: Uh-huh.

MATT: The weird thing about it was because I kept having ih--the two-factor authentication thing (laughing).

PHIA: (laughs)

MATT: Oh my god...this is just th--this is humiliating.

PHIA: (laughs) Uh!

MATT: Because, I've sat here in judgement of Alex.

PHIA: No! But you actually like, this confirm--does this confirm for you that it could happen to anyone?

MATT: Yeah. It could happen to anyone. (laughing) It--If you're an idiot like me. God, he's so br--this Daniel! We should--we need to hire this Daniel guy!

PHIA: (laughs)

MATT: He has such good insight into what would tweak people.

PHIA: Uh-huh.

MATT: Because he sent me an email saying, as though it were from Alex Goldman saying: "One of our producers found this document posted online, which reveals Gimlet's salary levels. Um. Is this something that you think should be public?" And I was like (gasps). I was like, "Oh my god." Like cause if everyone's salaries got out it would be like a nightmare, right? So, I click on it. It's a PDF and in order to view the PDF I have to log into my--my Gimlet account.

PHIA: Your--yeah, yeah. Your email.

MATT: Which I do. I put in my username and password, which now I need to change (sighs).

PHIA: That's why I wanted to talk to you today.

MATT: (laughs) And then, I did the two-factor authentication. I responded to Alex and I cc'd Katie Christiansen, our Director of People Ops--

PHIA: Mhm.

MATT: --who, is the person who would like, know what the answer to like why is this out here?

PHIA: Mhm.

MATT: And...she said, "I can't see the file." And…when I went back to download it again I had to do the two-factor again and I'm like, "That doesn't make sense. Like, I just did the two-factor authentication, why would I have to do it for a second time?" But of course I was like, in the middle of a bunch of things, and I was just like, "Ah whatever, it's Google. I trust Google."

PHIA: Yeah.

MATT: And I put it in. I feel like such a jerk now.

PHIA: I--

MATT: Well, I feel like a jerk because I was saying like, "Oh, Alex Blumberg. What a--what an old person who doesn't know how to, like, protect himself in the real world or online! Because he doesn't have me!"

PHIA: (laughs)

MATT: Mr. Savvy. Like, Mr. Savvy Skeptic who like--ugh, terrible. Wow. This was a real comeuppance. (sings) Da dun da dun da dun (blows raspberry kiss)!

PHIA: (laughs)

PHIA: So, that’s what happened to Matt.

ALEX BLUMBERG: God! I--I feel terrible now because I feel better.

PHIA/PJ/ALEX GOLDMAN/ALEX BLUMBERG: (laugh)

PHIA: Ah! Then like, one of my goals actually happened.

ALEX BLUMBERG: Yes. I do feel better.

PHIA: You do?

ALEX BLUMBERG: Cause I do. Like I do feel like Matt is the way more suspicious one and in--if I had to choose like which of us is harder to phish, I would've chosen Matt. For sure.

PHIA: Here’s--here’s the one thing that comforts me a little bit...I never phished anyone that I assured I wasn’t going to phish. 

ALEX BLUMBERG: (laughs)

PJ: Wow!

PHIA: And that is a small comfort, but it is a comfort!

PJ: That is wild! That that is--that that helps you sleep at night.

ALEX BLUMBERG: Yeah.

PHIA: It does!

ALEX BLUMBERG: That is really… 

PHIA: So, I wanna say now: I promise to never phish anyone in this room again.

PJ: Just in this room?

PHIA: Yeah.

PJ/ALEX BLUMBERG: (laugh)

[MUSIC]

Reply All is hosted by PJ Vogt and me, Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti. Production assistance from Sherina Ong. We’re edited by Tim Howard and Jorge Just. We’re mixed by Rick Kwan.

Special thanks to Kashmir Hill, Emily Kennedy and a HUGE thank you to our phisher Daniel Boteanu. 

Our theme song is by the mysterious Breakmaster Cylinder and our ad music is by Build Buildings.

Matt Lieber is bubble tea.

Applications are open to be Reply All's Fall Intern. The deadline for applications is 9 AM on May 29th and you can find out more on our website, replyall.limo. And you can find more episodes of the show on Apple Podcasts, Spotify, or wherever you get your podcasts. Thanks for listening. We'll see you next week.

[BREAK]

PJ: Hey guys! Before we go, we just wanted to ask you for one quick favor. So, there’s a short survey at replyall.club that we’re asking people to fill out. Basically, it helps us put advertisers on the show and continue to make the show. If you’re looking for like a short, easy way to help us out, this is actually like, hugely helpful. And, we’re going to give a free Gimlet membership to somebody who takes the survey. Could be you.

If you’re interested, go to replyall.club. Thanks!