Brad Deflin on How to Stay Safe and Private Online | EP 639
In this essential episode of Passion Struck, John R. Miles sits down with cybersecurity expert Brad Deflin, founder of Total Digital Security, to explore why digital protection is no longer optional—it’s personal. As cyber threats evolve faster than ever, most people still rely on outdated solutions or remain dangerously unaware of their vulnerabilities.
Brad explains how cybersecurity is no longer just an IT issue—it's a human one. From protecting your family’s privacy to preserving your professional reputation, the stakes are higher than ever. Drawing from his background in wealth management and his work with high-net-worth clients, Brad shares a clear and empowering framework for taking ownership of your digital life.
Catch more of Brad Deflin: https://www.totaldigitalsecurity.com/
Transcript
Coming up next on Passion Struck.
You have to be intentional to protect yourself in this digital age because nobody else is going to do it for you.
The ISP, your internet provider, will not do it for you.
They're trying to help with certain things, but the fact is your internet provider is sucking up all your personal information with everything you do back and forth.
They're part of the game.
You've got big tech, right, and big business constantly looking to suck up our personal information, which invariably ends up in the wrong hands and goes sideways eventually.
You have the government that really has not been a proponent down to the individual level, certainly on a national level or an enterprise level or a military level, but not on a consumer individual.
You must take the initiative yourself on behalf of yourself as a head of household for your family.
Welcome to Passion Struck.
Hi, I'm your host, John R. Miles, and on the show, we decipher the secrets, tips, and guidance of the world's most inspiring people and turn their wisdom into practical advice for you and those around you.
Our mission is to help you unlock the power of intentionality so that you can become the best version of yourself.
If you're new to the show, I offer advice and answer listener questions on Fridays.
We have long-form interviews the rest of the week with guests ranging from astronauts to authors, CEOs, creators, innovators, scientists, military leaders, visionaries, and athletes.
Now, let's go out there and become Passion Struck.
Welcome to episode 639 of Passion Struck.
I'm your host, John Miles, and whether you're back for more or joining us for the first time, I am so glad that you're here.
This month on the show, we're exploring the power to change, a series about evolving, not just in your habits, but in your identity, your relationships, and how you show up in the world.
Earlier this week in episode 637, I sat down with cultural psychologist Steven Heine to explore how our cultural programming silently shapes who we become.
And in episode 638, Michelle Chalfant walked us through the power of emotional maturity and her Adult Chair model for self-leadership and inner healing.
But what about the power to protect what you're building?
Because let's face it, transformation isn't just about becoming someone new.
It's also about safeguarding the life you've worked so hard to create.
That's why today's episode is a little bit different.
Instead of a solo episode, I wanted to bring you this urgent conversation with cybersecurity expert Brad Deflin, founder of Total Digital Security.
A very good friend of mine has used Brad's services in the past and thought his message is so profound that he suggested that I do this interview for the benefit of the Passion Struck community.
In a world where cyber threats are growing more personal, more invasive, and more invisible than ever before, Brad makes one thing clear.
Cybersecurity isn't just a tech problem, it's a human one.
Together, we'll explore why digital risk is now a personal crisis.
We go into how scammers are using AI to mimic voices and hijack trust, and most importantly, the three steps you should take today to protect what you've built.
This episode is a wake-up call, but also an empowering toolkit.
And if you're ready to go deeper into intentional living and everything we do here at Passion Struck, then subscribe to our Substack at theignitedlife.net for weekly insights.
While you're there, join the Ignition Room, our members-only community, and show your support of the community by wearing apparel from our merchandise line.
You can also follow along on YouTube at either John R. Miles or Passion Struck Clips for full episodes and bonus content.
Here's my urgent and eye-opening conversation with Brad Deflin.
Thank you for choosing Passion Struck and choosing me to be your host and guide on your journey to creating an intentional life.
Now, let that journey begin.
I am so excited today to welcome Brad Deflin to Passion Struck.
Welcome, Brad.
Glad to be here, John.
As I talked about in my introduction, today isn't the typical episode that I do on the podcast, but I thought it was really important to bring you on today because I've personally lived the chaos of cybercrime.
And back when I was a senior executive at Lowe's, I was hired to deal with what at that time was the largest retail hacking incident of its kind.
Not sure many of the Passion Struck listeners know that.
So I know firsthand that the threat is real, it's evolving.
And on a human basis, it's deeply personal.
So I think this is a good starting point.
You walked away from a very successful financial career to build your company Total Digital Security.
And what did you see as the shift that was coming before most did that made you leave that successful financial career?
So it was an aha moment.
It was a sudden realization that the world, the face of risk, as I called it, was changing.
When you are in the financial services business and you're dealing with ultra high net worth clients and families and family offices like me, like I was, everything is about risk mitigation, risk management.
And that's not just their investments, their stocks and bonds, but it's other elements of risk.
And so we always wanted to be value-added and bring up topics that weren't necessarily directly related to the market, but were related to our clients that, in many cases, would be targets in crimes that others might not be targets, like kidnapping, for example.
And so I was at JPMorgan at the time, it was 2012, managing some of the bank's largest clients around the world, multi-billion dollar families.
And we had a series of incidents with the clients where I noticed a pattern for the very first time.
And that was that they were being targeted by hackers for a criminal transaction, that is, to fake them into sending them money, which was very different.
That sounds obvious today, right?
That's what happens.
That's what we see every day, all day long.
Back then, it was different.
In 2012, cybercrime was an enterprise-level problem.
It was around theft of intellectual property.
It was about corporate espionage, blackmail in some cases, state actors, Pentagon, very large enterprises, not so much a transaction for criminal gain.
These were called black hat escapades or exploits, if you would.
This was a very personal thing, and that was a little bit different.
And it was happening at this tier because that's where the money was.
But what we noticed with these clients is they were still using their AOL email accounts that they may have opened in 1996 or their Yahoo accounts or their MSN Hotmail accounts.
While they were captains of industry in some cases, and they had the best IT departments ever in their companies, that was not transcending into their personal life.
There were no defenses.
There was no awareness.
And I coined it, the democratization of cyber risk.
And what I meant was that those were the very first indications that there was a shift where it was going to begin focusing on anybody that was connected to the internet because at that point in 2012, we all were, which was a new phenomenon.
It was coined the mobile revolution.
It was unpredicted by anybody, but when Steve Jobs pointed to his first iPhone and he said, this changes everything, he was spot on.
He wasn't talking about the iPhone necessarily.
He was talking about a supercomputer in the palm of your hand, connected to five or six billion others around the world.
That's what changed.
And people, the mobile revolution was all about people wanting to use their personal computer, their device, their phone, wherever they were: the subway, Starbucks, the hotel.
They didn't want to have to come home and turn on the computer under the desk and then get to work.
So then we had clouds, and all of our information was dispersed and vulnerable.
And that was really the moment that kicked off this enormous cybercrime epidemic that we see today.
And so, we noticed some of those fact patterns.
We realized it was the start of something very big.
And that's when we started the company.
Well, on Passion Struck, we talk a lot about human flourishing and building an intentional life.
And the reason that you're here is because of a listener of the show who had a personal experience that they brought to my attention where, because of a threat to them, they had to chase down their autopays, they had to freeze accounts, reset passcodes, and it basically disrupted their life for almost two months.
And I bring this up because that's who referred me to talk to you, and I thought it was important.
But you go through all this trouble of creating a life with intention. You start building the life you want and creating this massive wealth that you want to bring into your life. And so, when you and I were talking about the need to do this episode, the thought to me was you have to be intentional about how you protect it as well.
So my question to you is, why do you believe cybersecurity and our own personal security is now a pillar of living intentionally?
What really attracted me to doing this podcast with you, besides having the mutual friend, the mutual client: when I looked into your podcast and understood where you were coming from and some of the value that you added to your listeners, I felt that it was very much aligned with the principles and what we see as our mission here, which we describe as cybersecurity for life.
Let's think about that a minute: cybersecurity for life, multiple innuendos there.
And the point is that you have to be intentional to protect yourself in this digital age because nobody else is going to do it for you.
The ISP, your internet provider, will not do it for you.
They're trying to help with certain things, but the fact is your internet provider is sucking up all your personal information with everything you do back and forth.
They're part of the game.
You've got big tech, right, and big business constantly looking to suck up our personal information, which invariably ends up in the wrong hands and goes sideways eventually.
You have the government that really has not been a proponent down to the individual level, certainly on a national level or an enterprise level or a military level, but not on a consumer individual.
You must take the initiative yourself on behalf of yourself as a head of household for your family, as a person that works with a small group.
We deal with family offices, for example, because again, nobody's going to do it for you.
And if you think that the internet service provider with their antivirus is going to help, or if you think that the little features of the, it's not.
The perpetrators are so smart, are skilled at using state-of-the-art technology for efficacy, that the only way you stand a chance in this hostile environment is to intentionally protect yourself, to take the responsibility on behalf of yourself and those that are counting on you to protect yourself because probabilities are very high that something can go wrong.
And yes, when it does go wrong, recovering in two months is not bad.
I've seen cases where it's taken two years to recover.
There is a long tail to recovering.
We can talk about that in a little bit.
But my point is, to get to where I believe you need to be in today's hostile environment, much less the future with AI, you've got to take the first step.
You've got to take the initiative.
You've got to do some critical thinking and invest in protecting your personal information, having the privacy that you seek, and being able to enjoy everything the digital world has to offer, including the internet and artificial intelligence in peace, with a sense of peace.
It takes an intentional effort to accomplish that.
And I'm sure you see it on an everyday basis almost, but I have heard it from my parents and friends of my parents and friends of mine and other colleagues that they're hit by ID theft, financial fraud.
In some cases, they're even being harassed by these perpetrators.
From your view, how widespread is this epidemic and how much is it growing in magnitude?
We see it every day, all day, but at the end of the day or at the end of the week, we still shake our heads with, wow, this stuff is crazy.
And it just keeps getting crazier.
We just keep saying that over and over.
But from a higher point of view, beyond what we do all day, every day.
The current statistics are that somebody in the U.S. has their ID stolen.
Every 22 seconds in the U.S., a citizen of ours has their identity stolen.
That amounts to something between 50 and 75 billion dollars in losses, those ID theft cases, according to the FBI.
And according to the FBI, it's growing at a rate of 20 to 25% a year.
Overall, besides ID theft, cybercrime is now costing global GDP about 1%.
About 1% of global GDP represents damages or damages represent about 1% of global GDP, which is almost $10 trillion.
Our estimate in damages just 18 months ago was $6.5 trillion.
That was adjusted by all the ones that run these numbers to 10.5 trillion now.
So it's an enormous element when you put it together.
And what's really interesting, John, and I think that has to be understood, is that when we started in the business, 99% of these damages were enterprise, state-level damages.
It wasn't even on the radar screen where the consumer damages are.
Today, when you look at damages in its totality, about 70 to 80% of those damages are now consumer damages.
So the overall pie of damages and exploit is growing and growing, but the portion to consumers, individuals, everyday users of technology is even growing faster than the overall pie.
And that brings us to where we are today.
I think I shared with you that I have a very good friend who used to be the chief information security officer of a bank that was almost the size of JP Morgan Chase.
My understanding is JP Morgan Chase is still the largest bank in the United States.
This one was probably the second or third in terms of size.
And he shared with me candidly that on a weekly basis, tens of millions of dollars would disappear out of people's accounts and that the government would come back in and fill it back up because they didn't want to create wide-scale panic.
Oftentimes the victim didn't even know it was gone before the bank replaced it.
Do you think that's going on across all the banks?
And this is just something that most people aren't aware of?
I don't know.
I don't have that inside knowledge.
It doesn't surprise me.
I wouldn't doubt it.
I do have a sense that broadly the level of damages, the volume of damages has been underreported.
I'm not sure exactly why.
On one hand, I think that if you can use a big company name in your headline, the headline is more interesting.
I don't know.
Or if you can say the exploit was $100 million in damages, that might be a better headline than I lost $10,000, right?
I don't know what the reason is, but we by all means feel that this is a massively underreported situation, certainly in the United States.
I would tell you that next time you go to a retail branch at a bank, if anybody ever does that anymore, look to see where the line is.
And you might see, they call them the private banker or the local banker where you might want to go in and talk about getting a mortgage, a car loan, whatever.
That line to get into one of those private offices at your local branch, more often than not, is a line of people that have just lost money, that are receiving texts that they don't know if they're real or not, are receiving emails and voicemails, and they're very confused about what's happening, and they need to talk to somebody about straightening it out.
Those indicators tell me that we have an underreported situation here at the current time.
I just closed on a house, and I have to tell you a couple of things are always nerve-wracking for me.
One is when you wire the money, going through those digits so many times to make sure that you're sending it to the right place, especially if it's a lot of money.
For as much as people have gone to online banking, I was shocked this last time how difficult it was to get an appointment in one of these branches.
And I bank at a well-known bank that had probably seven or eight branch offices within about a 10-mile radius from me.
And I could only find one appointment on the day I needed to wire the money because they're all so busy.
So I think maybe what you're saying, you're onto something.
So for the average listener or average viewer of this, a lot of what we're talking about feels invisible until it's too late.
What are some of the most overlooked ways people are exposing themselves every day without even realizing they're doing it?
You're right.
It's a very abstract subject.
People struggle to see in their mind's eye the risk, what's going on.
It's very frustrating, very unlike traditional crime.
There really aren't forensics that you can speak of, or certainly not traditional forensics.
We are not taught certain life skills.
We're taught don't walk down the dark road, dark alley, don't cross a busy street, right?
But we're not talking, we're not taught necessarily about what's the right way to use social media.
What's the art and science of using passwords?
How do you optimize your browsers to defend yourself?
Are you using MFA on every single account that you have?
Have you transcended considering MFA an inconvenience to considering it an empowering element of protecting yourself, an empowering element of taking the initiative and the intention to keep yourself safe on the internet?
So we try to talk to people in ways that they can build in their mind's eye the different elements that make a difference so that they can focus, they can pay attention, and they can develop what we call critical thinking skills.
But you have to go back to the fundamentals in anything you work with.
You have to go back to the fundamentals.
And the fundamentals here are: number one, email is a very popular attack vector.
When you are at your inbox, you've got to be on your toes.
You've got to treat emails as guilty until proven innocent, right?
And you've got to be really discriminating around how you treat your inbox.
You've got to use good passwords.
And I can talk about that in detail on how to use good, the art and science of passwords if you want, John.
You've got to use MFA, okay?
Just before you go on, can you explain what MFA is in case someone doesn't understand?
MFA, 2FA, two-factor authentication, it all essentially refers to the same thing.
And what it is, it's an added proof that you're the right person trying to get into that account.
It assures through two methods that you're the right, two separate, completely separate methods.
One might be, well, they know the password, okay.
But do they also have the device they say they have with the phone number?
So they can send you a code.
So if you entered your password on the website and you also got a text and entered the code that you got on your phone, that's two factors saying you're the right guy.
Just adding that additional factor of getting that code mitigates the risk of somebody having stolen your password and getting into your email account immeasurably, like 90% is mitigated, right?
It's one of those easy things.
So any account that makes any difference at all to you, apply and enable two-factor authentication, MFA, they may call it, and get those codes before you get in to your website.
It will make your life much more secure.
Yeah, and it's not just that.
I've had some colleagues who are on YouTube who had successful YouTube accounts where they were making a lot of monetization on them.
They didn't have two-factor authentication on them.
Someone takes over the account and then holds them hostage and charges them a ransom to get access back to the account.
Are you also seeing things like that happening with other social media accounts?
Absolutely, all the time.
And so I think the default is any online account you have, enable two-factor because there may be other information that could be interesting, personal information.
Maybe they won't hack the account.
Maybe there's no ability to financially move money, but there would be the ability to gather more personal information, to compose some sort of exploit because they know certain information that's on that website.
So just basic habit, enable two-factor authentication, MFA.
And I would say one more thing, especially if you're a crypto trader, especially if you move money in motion, right, is a honey trap.
That's money in motion is what hackers are looking all over the internet for every day.
An estate settlement, a closing transaction on a home, a wire transfer, a stock option exercise that might be public, et cetera, et cetera.
If you are of that type, that is moving money for whatever reason, instead of getting SMS codes on your text, opt to get an authenticator.
That adds another level of security.
Microsoft makes an authenticator, Microsoft Authenticator.
Google makes an authenticator, Google Authenticator.
I prefer Google Authenticator.
It's user-friendly and it's easier when you get a new phone than Microsoft is.
However, some Microsoft products require you to use Microsoft Authenticator.
What happens, though, when you use Authenticator is it lops off a whole nother element of risk, and that is if the phone company has been hacked or there's an insider at the phone company, there's a third party that somehow is able to get those texted codes to you, that's a risk.
When you use an authenticator, you eliminate that risk.
So again, if you're an investor, crypto trader, whatever you're wiring money around, whatever your duties are as a fiduciary, by all means, download an authenticator and start using it with these important accounts.
I use it for everything from my YouTube accounts to my social accounts to my major bank accounts.
And I also use services similar to LastPass and others that help me generate strong passwords.
What would be your advice on the password side?
So those are great habits.
And I think a password manager is essential.
You still have people that say, I don't want all my eggs in one basket.
And I understand that, but we have to think a little bit deeper.
If you keep a spreadsheet of your passwords, all your eggs are in one basket.
Whatever you're doing, you have that risk.
The fact is, though, that the best password managers, and I think most of them in the industry now, separate the keys to the encryption of your passwords.
They're in two separate places, so LastPass could be hacked, and LastPass has been hacked, but they're not going to get the passwords because the encryption key is someplace completely different.
We prefer 1Pass. There are other good password managers, but 1Pass (1Password, I should say, is the name; it's the number one, "Password") is consistently ranked and, in our due diligence, consistently is at the top in terms of governance, technology, user experience, and, really importantly, innovation.
They're now making it easier to add passkeys.
So you don't even need to enter any SMS codes because you're taking the passkey approach built into your password manager.
So all you do is click a button without entering any codes or numbers and you're in, without compromising any security.
So password manager is essential.
Pick one of the top ones.
They're all in the top two, three, four.
We like 1Password.
And let's talk for a minute about the art and science of making passwords.
First of all, when you use a password manager, you really only need to remember one password, and that's your master password to get in to the password manager.
That is your vault of passwords.
That should be long and it should be unpredictable.
And this is why.
We've always been taught that a good password should be long, should be unpredictable, and should be complex, that is lowercase, uppercase, numbers, symbols, right?
Honestly, complexity is not what drives a good password.
Only two things drive a good password, and that is length and lack of predictability.
Some websites still require you to add complexity, uppercase, lowercase, and that's okay, but you can make it easy on yourself by just putting an exclamation point and a one, two, three after a long password.
The science of passwords is this: if you use up to 12 or 14 characters, and that's a long password to a lot of people, but if you use up to 12 or 14, anybody can buy a password hacking software program or get it for free now on the internet.
They can hack a 12, 14 character password in less than an hour, sometimes even minutes.
But the law of large numbers helps us.
When we go to 16 characters, that will take years to crack using these password managers.
It's simply much harder to do with long chains of numbers and characters.
How, though, can you remember?
Nobody, the human brain is not wired to remember 16, 18, 20, 22 random characters in a row.
Don't even try.
What to do is to use two, three, four words or a phrase.
It can't, don't make it predictable.
Don't make it, don't make it success in 2025.
All right.
Three or four words.
For example, a good password might be, and I used this in the past.
Think about this.
Cowboy, palm tree, moon, and then a number one and an exclamation point because most websites require the complexity.
Now, in my mind's eye, when I try to remember that password, I see a cowboy leaning against a palm tree on the moon.
I capitalize cowboy, P on palm tree, M on moon.
It satisfies the needs for my master password.
I still write it down and put it in my sock drawer because the brain is a weird thing and you do not want to lose that master password.
You will have issues, right?
But that's the way to at least construct it.
Now, when you've got a long, good master password, you get into your password manager vault and everything else is done for you.
I have mine set to 22 characters.
My Amazon account has 22 random characters.
My other, all accounts have very long, complex passwords that nobody could ever guess or hack using any modern password hacking software.
And I will commit to you, any of the listeners, viewers, that if you just take a little bit of time to download the password manager, get used to the user interface and make a habit of using it for all of your accounts, I commit to you, not only will your life become vastly more secure online, your life will become vastly more convenient.
You go to Amazon and bing, it fills in 22 long characters and you're ready to go.
You're not looking around.
You're not, you eliminate all that frustration and friction and it works really well.
So we actually hold one hour, we call them computer coaches, to help people just ramp up the learning.
What?
Here's how you look at the user interface.
Here's how you get started.
That expedites the learning curve, the process for individuals, and then they're on their way.
And you've got a lifetime partner in your password manager to stay secure and be convenient.
Awesome advice.
Brad, I now want to take us to a topic of what's really happening under the surface right now, especially the rise of something called the Smishing Triad.
What is it and why should every listener and viewer be paying attention to this emerging threat?
Well, thank you for that question, because it's a really big deal and it's something that we must be aware of.
And I'm going to tell you why.
First of all, smishing.
We all know what phishing is.
And that is, for example, an email comes in and it purports to be somebody else.
And we've seen the awkward versions from Nigeria, the prince, and all that.
We're not talking about that.
We're talking about well-engineered.
Gosh, that looks like it's from FedEx.
And my package is delayed.
I better click that link.
That's what that looks like.
Well, now that's happening in texts, SMS.
They're calling it smishing.
Smishing is also the term that's being used to describe what we would call multi-vector phishing.
So not only are you getting the phishing email, but you're getting a text which corresponds to that email, and you're getting a phone call that corresponds to, and it's all beautifully timed and engineered so that your sense of it being legitimate is fooled because of the timing, the level of engineering, the level of fact, and level of detail that's coming in.
You say, wow, this is a real deal.
And you lose the thought of this could be phishing or this could be smishing.
It's so authentic.
In addition, they're adding the element of artificial intelligence to it.
The smishing triad is a group out of China.
It's three, maybe four very successful hacking groups that we have to believe are supported by the CCP because of the level of technology they have and the amount of money they're making.
It can't be off the radar screen of the CCP.
I don't believe that.
The Chinese government, we believe, is fully aware, if not involved and supportive.
And they've added this layer of collaboration amongst themselves and artificial intelligence so that there are constant feedback loops.
For example, you get a text, you get a phishing email, you reply in some way, you engage in some way.
Artificial intelligence then adjusts the exploit according to how things are taking place, pulling new information that they have on you.
They have so much information.
Oh, we need this to make it look a little bit more real.
They'll pull it in real time.
And it will be very difficult.
They're going to be using voice phishing.
It's going to sound like the banker.
It's going to sound like the attorney that's closing on the home.
There are going to be all of these elements put together, orchestrated by artificial intelligence for efficacy in real time.
And our indicators are that they've got about a 60% success rate in these exploits.
Now, a great exploit might get three or four or 5%, which is high.
That means if you attack 100 people, three, four, five of them are going to become victims.
That's pretty good business.
And that's why every criminal syndicate in the world is retooling for cyber.
This, they're batting 600 with the smishing triad as a result of AI and the way that they are so sophisticated in engineering these exploits.
It's like the goose that is laying golden eggs.
So we're going to, we're already seeing, according to some resources, a million of these attacks a day.
And with, and it is just starting.
So I will tell every listener, every viewer on the podcast, you 100% should expect during the course of 2025 to see this type of exploit in some shape or form.
And that's where your awareness, that's where your critical thinking skills, and that's where your deliberate process of thought is going to have to come forward because it's going to be really convincing and it's going to challenge some of your basic survival skills that you've learned to date.
Yeah, just to give the listeners some perspective, the infrastructure behind this is something like 25,000 phishing domains active at once.
They're hosted through companies like Alibaba or Tencent, and the operators are running walls of phones.
And my point here is this isn't some hacker that we see on TV in a hoodie.
It's organized crime with corporate-like scale.
That's right.
And it almost leads me to believe like we're at this tipping point of cybercrime becoming a parallel economy, which is a scary thought.
It is a scary thought.
And the numbers.
That's an interesting point, John, because North Korea got into the cybercrime business primarily for the economics, right?
Their currency isn't worth anything.
They have financial issues.
And when they can be in the business of cybercrime and taking in Bitcoin, North Korea, it's an element of their economic model at this point.
So I get what you're saying.
And with your experience in technology and your understanding of the risk, with what you're seeing from the smishing triad, I can understand how you could see that potentially could be a cybercrime parallel economy and digital currencies, no less.
Yeah, and I want the listener to understand how easy this is.
I right now could plug in a 10-megabyte file that has me doing a series of my podcasts into a tool, and it does such a good job of perfecting my voice and how I talk that I could create solo episodes and just put the text into this thing and it'll spit things out and the average listener would have no idea it was AI.
Now, what's scary for someone like me who's got so much content out there is some third party could take my voice and do the same thing and start mimicking my voice, hijacking the trust that I might have from people in my community if they're starting to impersonate me.
And this is where I see this stuff going in the future and why I was so adamant about wanting to do this, because I think people need to wake up to how sophisticated this stuff is all getting.
And we are seeing that in the field.
A client is chairman of the board of a large New York Stock Exchange company, over 100 years on the New York Stock Exchange, primarily a provider to the Department of Defense.
So maybe that's an element of being targeted.
Had retirement accounts, 401k at a large firm, everybody would know on Wall Street.
And his voice was replicated using AI.
And I don't want to get into the mechanics too much.
But when Merrill called to verify that he wanted to move $400,000 out of a 401k to another account someplace else, his voice responded and approved that transfer.
And that $400-some thousand dollars was transferred out.
Yeah, it's unbelievable.
And especially here where I live in mid-Florida, we're close to an area called the Villages, which has become a haven for a lot of retirees.
And I hear stories of how many victims there are coming out of elderly communities like that, who are some of the most prone to not keeping up with what's happening with technology and thinking that these are well-intentioned people would end up stealing their life savings.
That's right.
And I think they also have a little more sense of a trust in the individual.
I live in South Florida.
Florida's the land of scams, like Southern California.
And you see the damage that's going on, especially in the elderly.
And it's really sad.
We have clients that are in their 80s and 90s that have really suffered.
And in these cases, in some cases, especially, they just trusted people and they just went with it.
And the exploits were so complex, so sophisticated that they really had no sense for what was real and wasn't real.
And before they actually woke up, they were done.
The money was gone.
The people were gone.
They were out, the funds.
Yeah.
So I want to shift to something else, and that's where the responsibility falls, individual or institutional.
When I was at the bank, I asked the personal banker I was working with, if someone has a large amount of money in a bank, what is the bank's responsibility?
And they said, well, we're only insured up to 250,000.
And let's say a lot of listeners don't have 250,000 in their bank account, because that's a lot of money.
Many assume Apple, Google, or their bank, regardless of how much money has them covered.
What's your view on how much responsibility falls on the individual versus the institutional protection that we're expecting?
So it's a situation that's fluid and it's going from where the bank or the institution that was involved was really stepping up to help the client.
That goes back, call it pre-COVID, right?
And so you could feel pretty good that the bank was going to backstop you and was going to give you your money back regardless of whether the money was recovered or not. I don't know up to what levels or what have you.
But that's shifting.
I think obviously because of the volume of damages, the amount of damages, I will tell you that the financial institutions in this country are really authentically, genuinely putting enormous resources into protecting their reputations, their infrastructure, and their clients.
They take it very seriously and they're putting all the money it takes to do that. If somebody lose, a client loses money because the bank made a mistake, the banks have been really good about helping the client recover the money, getting the funds back to the client in some shape or form.
But when it's really the client's fault, right, the client took action that, you know, he shouldn't have done, or it really was external of the banking systems where the exploit took place, more and more they are not stepping up. And I think for all the right reasons. You can't backstop there. It's not the model to backstop this risk.
And this is why you're getting all these emails and all this information from banks around, we will not contact you by SMS, do not do this, because they're going to have to tell you we're not going to provide the money that you lost because you took an action that we couldn't control, was outside of our systems, and we've done everything we could.
Sorry, but it's your problem.
You've got to figure it out.
It is getting harder and harder to get the banks to attend to the individual's problem.
It's a massive situation.
A lot of resources are going toward all these incoming calls.
I've lost money because of this or this.
I need your help.
I need this information.
The bank won't say, oh my gosh, we're on it.
We're going to put all of our resources toward it.
We're going to stay here till we figure out where your money went and got it back.
That's not happening.
More and more, you've got to be the person that is pushing the case through the bank.
You've got to get the lawyer that is pushing the bank to find the money.
Where did it go?
How can we get it back?
You've got to be driving the progress of the case more and more.
So, to answer your question, John, I think that it is only realistic and it's just healthy to, again, find autonomy, take the initiative, be intentional about not relying on the bank, not relying on a third party, not relying on anybody, but to secure yourself in a way where these things are not going to happen in the first place.
There's something, Brad, that I've always felt interesting.
When I was doing large-scale technology implementations in companies, everyone would always think when a project wouldn't go correct that it was a technology issue.
And 99 times out of 100, it was a cultural issue.
There wasn't enough change management, et cetera.
And when we had that huge hacking incident at Lowe's, it was the same thing.
This wasn't necessarily a technology collapse, although there was some of that.
What it really was that the passwords at the access point were so easy to break that they were able to get in.
And then there was a lackadaisical approach to the whole password systems throughout the whole company.
And so the vast majority of the correction that we had to take once we bounced back from this was we did implement better technology.
We implemented security operations command center that things.
But the thing that took the most time was we had to create a whole cultural element of explaining to everyone why cybersecurity was so important and that it wasn't just about their personal life.
It was about their self-protection and their personal lives as well.
And I found that it was almost this uncanny thing that the more senior the people were, the less that they took the threat seriously.
Very true.
Very true.
This is why we say cybersecurity for life.
This isn't about when you're in the office, you punch in and you punch out and it goes away, right?
This is about everyday, all day experience as a professional in your personal life.
It doesn't go away.
And to your point about senior people, so we deal certainly with a lot of CEOs, even three-star, four-star generals that are retired and may be on the board of a department of defense company, for example.
They've been isolated so much.
It's, oh, the IT department's got that.
Don't worry, boss.
You need a program download it.
I'll do it for you, boss.
And their critical thinking skills, their level of awareness and their sophistication as a user is often much lower than just the average employee in the organization.
And to your point around it being cultural, whenever you read a headline around a big breach, something went wrong, big losses.
When you get to the bottom of it, you'll almost always find that there was some human element, human error element.
It was not that their technology was breached.
More and more hackers are looking to hack you to get to your technology, to hack you first.
That's where this smishing triad comes in.
So cybersecurity, the technology is taking care of itself.
I will tell you that so much capital has been invested in IT security, including empowering it with AI, which is remarkable in terms of how that's used defensively, that it is up to the challenge of even the smishing triad and the most evolved exploits that we're going to see with AI.
It's up to the challenge.
Our challenge is to not only help people embrace and use that defensive technology, but to do that in a way where it also elevates their critical thinking skills and creates a partnership so they always have somebody to call.
I don't know whether to believe this or not.
Can I send you a screenshot?
Look at my computer.
I clicked a link.
Maybe I shouldn't have.
Is it okay?
It's going to take an ecosystem, frankly, to stand up against the level of risk and potential consequences that we see today.
So, Brad, what are the first three non-negotiable steps you would recommend for the listener to protect their digital life?
I think the basics we covered around passwords, password management, two-factor authentication, those things.
But to build out on that a little bit, we have what we call the three primary attack surfaces.
So again, we're building in your mind's eye how to think about these abstract notions.
If you protect these three primary attack surfaces sufficiently, you can mitigate this risk all the way to the margin.
You can really mitigate this risk all the way down to practically nothing.
The first is email.
All right.
We are big proponents of privatizing your email, and we help clients do that.
Get off of free email because it's not free.
You are the product when you're using free email and they're taking your information and we know that story.
So we say privatize your email, get off the grid, own your own email information, and that mitigates that risk tremendously.
The second attack factor are devices, whether it's your laptop, computer, phone, or what have you. You've got to use enterprise-grade antivirus, data loss protection, intruder protection, a whole stack of device-oriented protection to protect those devices from being hacked.
So, number one, email, number two, devices.
Third is the network, which is now ubiquitous.
Whether it's your home Wi-Fi, you're at Starbucks, you're in the lounge at the airport, wherever it is, and you're connected to the internet through some local network that is very much a surface of risk.
And so, we use things, the modern-day VPNs that will encrypt all information so it's invisible to anybody on the outside, that will firewall networks, even public networks anywhere in the world, so that when you're on that network, whether again, it's Starbucks at home or some foreign airport, nobody can see your device on the internet.
Nobody can see your contents, even over the local Starbucks Wi-Fi, and nobody can download to your device a virus or spyware or something else nefarious.
Combined, privatizing email, protecting your devices, and securing the networks creates an ecosystem which provides cybersecurity for life, works everywhere all the time across all your defenses, across all your devices, in real time, empowered with AI, including threat intelligence, where AI can say, you know what, they haven't done anything bad yet, but all the indicators are they're a bad guy.
If we think they're a bad guy, we're stopping them.
It's called zero trust.
We institute zero trust across all of this.
If it can't be authenticated, they're not allowed to play in the sandbox with your technology.
If you do that, you really can gain a lot of peace of mind and again, enjoy the wonderful internet and artificial intelligence and digital innovation that we're seeing today with a minimal amount of risk.
And again, lots of peace of mind.
It's possible, but it takes intention.
So, Brad, I always ask my guests what it is to live a passion-struck life, but today you've redefined it that it's something you got to intentionally create, purposely live, and securely protect, especially in the digital world that we now inhabit.
Yeah, Brad, it feels good to do it.
And it feels good to do it, and it feels good to help your family to do it, because our generations need help around the notion of privacy and personal information.
And we should be doing this now.
Brad, the last thing I always ask every guest is: if people want to learn more about you and how you might be able to help them, where's the best place they can go?
Sir.
So I think I'm the only Brad Deflin other than my son on the planet.
And you can find me anywhere on the internet because I do a lot of public speaking and writing and what have you.
My company is Total Digital Security, a mouthful, three words, total digital security.
And our website's totaldigitalsecurity.com.
Just look for me or look for the company and you'll find us.
Awesome.
And don't put in Brian Deflin because that person, which I mistakenly did, is a fitness coach.
Oh, no kidding.
I have to look him up.
Interesting.
Just one Brad Deflin.
That's me.
Brad, thank you so much for joining us today.
It was really an honor to have you.
Thank you, John.
I enjoyed it a lot and I appreciate being on your show.
That's a wrap on episode 639 and a crucial reminder from Brad Deflin that living intentionally means protecting intentionally.
Whether it's identity theft, deep fake scams, or the rise of cybercrime as a service, the threats are real, growing, and deeply personal.
Here are some takeaways I hope will stay with you.
You're not just a user, you're a target.
AI is being weaponized to exploit your trust.
Digital protection starts with awareness and using simple tools like password managers, multi-factor authentication, and network security.
And most importantly, no one is coming to save your digital life but you.
If this conversation sparks something, take a moment to leave a five-star review on Apple or Spotify.
It helps this show reach more people.
Subscribe to the Ignited Life for weekly strategies to live boldly and protect what matters, and catch the video version on YouTube at John R. Miles.
Coming up next in episode 640, I sit down with Oliver Burkeman, the best-selling author of 4,000 Weeks, to explore a question we all need to ask.
What if the problem isn't that we don't have enough time, but that we're trying to do too much with the time we have?
This conversation is a powerful wake-up call for anyone feeling overwhelmed, over-optimized, or quietly burnt out.
Imperfectionism is the stance that says the only thing that really counts is doing a bit of it today, this week.
Maybe badly, maybe too little by some standard, maybe with no confidence that you'll ever come back and do it again.
Maybe it's just a one-off.
Maybe you're not about to develop a wonderfully virtuous habit of writing your novel every single day, but you'll be doing it.
You'll be bringing it into concrete reality.
It will no longer just be an idea in your head.
It will be real.
And I think the big problem with a lot of ways that people think about productivity, personal development, spirituality, all sorts of things, is that it actually reinforces this notion, like, not yet.
Until then, live boldly, lead with intention, and protect the life you've worked so hard to create.
Live life passion-struck.