Identity/biometrics/technology marketing and writing services
These are the no-good characters from my Bredemarket blog post earlier today, “Why is Educational Identity Important?” That post quoted from 1Kosmos and Fischer Identity:
“Higher education institutions are increasingly targeted by identity fraud schemes, including “ghost students,” synthetic identities, and financial aid fraud.”
Don’t let these fraudsters rip your university off.
When you’ve been around long enough, zero trust is an attitude, not a technology. Which is how I reacted when I received an email from Substack yesterday and questioned whether it was REALLY from Substack.
How many of you received this email yesterday?
Hello,
I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission.
I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.
What happened. On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata. This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.
What we are doing. We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future.
What you can do. We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.
This sucks. I’m sorry. We will work very hard to make sure it does not happen again.
– Chris Best, CEO of Substack
My jaded reaction?
“Yeah, right.”
Yes, the email came from “Substack Standards & Enforcement” at security@substack.com, but such emails can be faked, and a few months ago I received an email processed by Substack’s servers that was NOT sent by the Substack account owner.
So last night I went to Substack’s own Substack account @substack to see what it said about the matter.
At the time…nothing.
As far as I was concerned, my email and phone number MAY have been breached, or maybe not. Perhaps some nefarious actor was trying to make Substack look bad.
So I forgot about it.
This morning I revisited the issue to see if any reputable organizations had written about it. Not finding a Washington Post article, I turned to TechCrunch. (I’ve been reading TechCrunch since the Arrington days.)
Newsletter platform Substack has confirmed a data breach in an email to users.
So TechCrunch relied on the same information I had. There was no indication that TechCrunch had reached out to Substack directly to confirm the authenticity of the email.
Then again, TechCrunch printed its article at 6:55 am PST, and it was still up an hour later at 8 am. If the email had been a scam, Substack would have contacted TechCrunch immediately.
So I guess the story is legit.
The story goes well beyond Substack, since sites are breached all the time. As far as I’m concerned, the issue isn’t “if,” but “when.”
(And yes I’m looking at you, all Workday-using sites that set the app to require account creation. How will you respond when a jobseeker asks you how you will protect their data WHEN your site is breached?)
There are three ways to inform your users of a breach.
[Bitdefender] surveyed over 400 IT and security professionals who work in companies with 1,000 or more employees. Bitdefender found that 42% of IT and security professionals surveyed had been told to keep breaches confidential — i.e., to cover them up — when they should have been reported.
Perhaps even more shockingly, 29.9% of respondents admitted to actually keeping a breach confidential instead of reporting it.
How will YOUR firm respond when you are breached?
I’ve previously noted that one possible sign of a scammer is when they don’t initiate a LinkedIn connection to you, but instead want you to initiate a LinkedIn connection to them. When a scammer is scamming, they can’t blow through a few thousand connection requests every day, so it’s better if the victims initiate the connection request themselves.
I immediately thought of this when I received an email from a Gmail account to one of my odd accounts entitled “Thinking of connecting.”
Um…why not just do it?
Here’s the text with the scammer’s alleged name changed:
“I saw your profile on LinkedIn and wanted to say hello. I’m Melania.
“I’ve always been interested in learning about different professional paths. This is just a friendly intro for the start of the week—no expectations on my end.”
Obviously I didn’t respond. Because I have no idea who the Gmail account holder REALLY is.
A day later, I received a second message that included the following:
“Things are actually pretty smooth and manageable on my end as the Operations Manager at Estée Lauder, so I’ve had some extra time to catch up with my network. I’d love to hear how your side of the world is treating you whenever you have a moment.”
Again, I didn’t respond. I didn’t even ask for “Melania’s” Estee Lauder email address (again, the emails are from a Gmail account).
Then we got to day three. Remember how Melania said she had viewed my LinkedIn profile? This was the next question she asked:
“Is it snowing where you are?”
Obviously she hadn’t read anything, and I was getting bored, so I blocked her from all email addresses.
When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.
Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.
But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.
As Biometric Update reported, Congresspeople Bill Foster (D-IL) and Pete Sessions (R-TX) recently introduced H.R. 7270, “To establish a government-wide approach to stopping identity fraud and theft in the financial services industry, and for other purposes.”
Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:
“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”
Why? As I type this the bill text is not available at congress.gov, but Foster’s press release links to a preliminary (un-numbered) copy of the bill. Here are some excerpts:
“9 (9) The National Institute of Standards and
10 Technology (NIST) was directed in the CHIPS and
11 Science Act of 2022 to launch new work to develop
12 a framework of common definitions and voluntary
13 guidance for digital identity management systems,
14 including identity and attribute validation services
15 provided by Federal, State, and local governments,
16 and work is underway at NIST to create this guid
17 ance. However, State and local agencies lack re
18 sources to implement this new guidance, and if this
19 does not change, it will take decades to harden defi
20 ciencies in identity infrastructure.”
Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.
But let’s get to the meat of the bill:
“3 SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION
4 GRANTS.
5 (a) IN GENERAL.—The Secretary of the Treasury
6 shall, not later than 1 year after the date of the enactment
7 of this section, establish a grant program to provide iden
8 tity fraud prevention innovation grants to States.”
The specifics:
But there are some limitations in how the funds are spent.
The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.
So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.
But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:
These agencies are not ignored, but are funded under mandates separate from H.R. 7270. Or maybe not; there’s an effort to move Consumer Financial Protection Bureau work to the Department of Justice so that the CFPB can be shut down.
And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.
Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.
(And yes, I know that the Capitol is not north of the Washington Monument…yet.)
You know what the problem is with these AI medical bots? They hallucinate and do inaccurate stuff. When you use humans for your medical needs, they’re gonna get it right.
Um…right. Unless the humans are committing fraud.
The company that replaced a steel mill with a hospital is in a bit of trouble with the U.S. Department of Justice, in an action started under the Biden Administration and concluded under the Trump Administration.
“Affiliates of Kaiser Permanente, an integrated healthcare consortium headquartered in Oakland, California, have agreed to pay $556 million to resolve allegations that they violated the False Claims Act by submitting invalid diagnosis codes for their Medicare Advantage Plan enrollees in order to receive higher payments from the government….
“Specifically, the United States alleged that Kaiser systematically pressured its physicians to alter medical records after patient visits to add diagnoses that the physicians had not considered or addressed at those visits, in violation of [Centers for Medicare & Medicaid Services (CMS)] rules.”
Now of course you can code a bot to perform fraud, but it’s easier to induce a human to do it.
If your security software enforces a “no bots” policy, you’re only hurting yourself.
Yes, there are some bots you want to keep out.
“Scrapers” that obtain your proprietary data without your consent.
“Ad clickers” from your competitors that drain your budgets.
And, of course, non-human identities that fraudulently crack legitimate human and non-human accounts (ATO, or account takeover).
But there are some bots you want to welcome with open arms.
Such as the indexers, either web crawlers or AI search assistants, that ensure your company and its products are known to search engines and large language models. If you nobot these agents, your prospects may never hear about you.
And what about the buybots—those AI agents designed to make legitimate purchases?
Perhaps a human wants to buy a Beanie Baby, Bitcoin, or airline ticket, but only if the price dips below a certain point. It is physically impossible for a human to monitor prices 24 hours a day, 7 days a week, so the human empowers an AI agent to make the purchase.
Do you want to keep legitimate buyers from buying just because they’re non-human identities?
(Maybe…but that’s another topic. If you’re interested, see what Vish Nandlall said in November about Amazon blocking Perplexity agents.)
According to click fraud fighter Anura in October 2025, 51% of web traffic is non-human bots, and 37% of the total traffic is “bad bots.” Obviously you want to deny the 37%, but you want to allow the 14% “good bots.”
Nobot policies hurt. If your verification, authentication, and authorization solutions are unable to allow good bots, your business will suffer.
Time for another voice deepfake scam.
This one’s in Schwyz, in Switzerland, which makes reading of the original story somewhat difficult. But we can safely say that “Eine unbekannte Täterschaft hat zur Täuschung künstliche Intelligenz eingesetzt und so mehrere Millionen Franken erbeutet” is NOT a good thing.
And that’s millions of Swiss francs, not millions of Al Frankens.
Luckily, someone at Biometric Update speaks German well enough to get the gist of the story.
“Deploying audio manipulated to sound like a trusted business partner, fraudsters bamboozled an entrepreneur from the canton of Schwyz into transferring “several million Swiss francs” to a bank account in Asia.”
And what do the canton police recommend? (Google Translated)
“Be wary of payment requests via telephone or voice message, even if the voice sounds familiar.”
I read “Scam of the Day” on Scamicide…well, daily. And the January 17 edition discussed a scam I know all too well.
“A recent development is scammers using the name of legitimate companies that are hiring and approaching their victims through LinkedIn’s direct messaging feature. They then create counterfeit websites that look like the websites of the legitimate companies they are posing as and ask the job seekers for personal information…”
And you can guess what happens with that personal information. It doesn’t land you a real job, that’s for sure.
In addition to the tips that Scamicide provides, I have an additional one. BEFORE you provide your resume, before you send them a connection request, or definitely before you engage on Telegram or WhatsApp, ask this question:
“Can you provide me with your corporate email address?”
This usually shuts scammers up very quickly.
But don’t forget that while job applicants are avoiding fraudulent employers, legitimate employers are avoiding fraudulent applicants…perhaps from North Korea.
Don’t assume that if you pierce one layer of a fraud attempt that you’ll find the real fraudster.
Sometimes fraud uses multiple levels to make the fraud less detectable.
I was just talking about singers, songwriters, and one singer who pretended to be a songwriter.
Of course, some musicians can be both.
Willie Nelson has written songs for others, sung songs written by others, and sung his own songs.
But despite the Grok deepfake I shared last October, Willie is not known as a rapper.
Bredemarket