I Was Right! Jim Browning Fell for a Phishing Email

Jim Browning’s YouTube channel, with its over 3 million subscribers, devoted itself to exposing scams, typically those perpetrated by Indian call centers. The criminals that Jim exposes always depend upon social engineering techniques – posing as Microsoft engineers for instance – to lure their prey. If anyone can recognize a scam, it’s Jim.

And yet …

On July 30th Jim Browning released a video detailing how he was tricked by a scammer into deleting his own YouTube Channel. On July 29th I wrote this article –

https://dankioria.com/if-jim-browning-can-get-tricked-by-a-phish-anyone-can/

In the article, I bet that Jim had lost his channel as a result of phishing.

Turns out I was right!

The good news is that Jim’s YouTube channel has been restored. Before I start talking about how right I was, it’s important that I acknowledge Jim’s forthrightness and honesty in disclosing exactly what happened. He could have easily left it assumed that it was brute force hacking or YouTube did something wrong.

Also, Jim has been doing an incredible job. I’m sure his YouTube videos have helped countless people avoid getting scammed. He has contributed immensely to destabilizing scamming call centers in India. My two articles are not in any way meant to belittle Jim’s work. I think what he does is admirable and impactful.

Having said all that, this is the point I want to make:

All major security breaches nowadays start with phishing.

Think of any recent security breach and follow the story of how it happened. From the Colonial Pipeline hack to the Kaseya ransomware attack, they all started with phishing.

Jim’s recent video just goes to show that anyone can fall for a phishing scam. He explained how the scammer perfectly made it look like he had received an email from Google support. That first email drew him in, and from there, everything went downhill pretty fast.

I made that point in my first post about the story. Once you are drawn in by that first phishing message or link, you are already compromised.

Jim had built his YouTube account for 8 years. He had 170 videos on it at the time of the scam. It was an income-earner for him. That’s a lot to lose in just a split second. And the worst part is, it can happen to anyone.

Sadly, the security technology world has remained fixated on building the next “best” security patch, despite the overwhelming evidence that that’s not where the problem is. The problem is right in front of our eyes: We don’t have a way to measure trustworthiness in our current internet ecosystem.

Let me ask this again:

Who can confidently and truthfully claim that they can fully trust all the messages they receive on their devices? Absolutely no one!

And these scammers don’t have to sweat it out that much. They just have to include a small detail that you are familiar with, and you are in.

The security technology world talks of user education as a solution to social engineering. Jim’s case is a good example of how that does not work. The phishing email he received had a google.com domain. In his video, he explains how he’s usually skeptical about the messages and links he receives. After all, he deals with scammers, he must know all their tricks and always has all his guards up. That did not save him.

Jim's Message

One phishing email led to the deletion of an 8-year old YouTube account. What happens when such attackers target critical infrastructure? What happens when they target healthcare institutions? The Colonial Pipeline hack provided just a glimpse of the devastation a seemingly simple phishing message could lead to. Opening one malicious message is all it would take to bring down an entire corporation.

In my July 29th post,  I used an analogy of the security structures of physical buildings. If you understand how the security of a physical building works, you are in a better position to solve the internet security menace than security technology experts. The solution to that menace is:

Measurably reliable digital identity certificates that are owned by real people. People must be who they say they are on the internet. Everyone must be authentic.

Read my earlier post about the Jim Browning story to learn more about this solution . There I talk about why we need to rethink how we use the internet, and how authenticity and accountability are the solution to all our security challenges.