Why Are You Getting This?


You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

"Is it Live or is it Memorex?"

With AI, you can’t always tell!


That slogan refers to an old ad campaign touting how "real" music recorded on a Memorex cassette could sound.


Listen to Ella!

As artificial intelligence (AI) takes hold in many aspects of our lives, we may have even more trouble telling what is real from what is technology-generated or technology-enhanced in products, services, and communications.


AI can be used in many ways (detailed below) to scam businesses and consumers. As AI becomes even more sophisticated, we must apply extra caution in all aspects of our lives.



Although that tune may play in your head after reading this, ensure you don’t get played by AI-powered criminals!


Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips. 


We hope you are finding all this information valuable. Let us know! We always welcome your feedback. 



Thank you for reading!

Rebecca


We would love to hear from you!

August Tips of the Month



  • Monthly Awareness Activity
  • Privacy & Security Questions and Tips 
  • Data Security & Privacy Beacons*
  • Privacy and Security News
  • Where to Find the Privacy Professor

Monthly Awareness Activity

August is Wellness Month. It "focuses on self-care, managing stress, and promoting healthy routines." Being able to spot privacy and cybersecurity scams, and knowing whether you are looking at or listening to something authentic versus AI-generated scam bait, falls right in this month's awareness wheelhouse!


Being scammed takes a real toll on our mental wellness. Sometimes it can lead to health issues and even hospitalization! 


Help raise awareness among your family, friends, and co-workers to spot AI and other scams, and let’s stay well! 


  • Don’t stress about AI. Simply learn as much as you can about it from authoritative sources with verifiable facts, and become a resource and calming force to others.


  • Provide a list of videos and podcasts about AI and the associated privacy, data security, cybersecurity, and compliance risks. Here are a few to consider to get you started:



  • Minimize the personal data you put online. Take some time on a weekend or day off to remove what you can from online. Don’t provide accurate data on sites that do not need it for business, healthcare, or financial purposes. For example, on Facebook, I put my home as Elephant Island, Antarctica. I am not doing business with, obtaining healthcare from, or executing financial transactions with Facebook, so there is no need to provide my actual home location.


What other activities do you suggest for making your own Wellness Month? Are you planning to do one of these suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in August?  

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

August 2023

Artificial intelligence (AI) has not only been all over the news, but it has also been coming into our email inboxes often throughout the past several months! 

We received a variety of surveillance questions, as well as ongoing HIPAA and healthcare data questions. Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!


Q: I’ve seen those warnings about using AI for phone scams. Is it just for famous people? How would criminals even have a recording of regular people’s voices? 


A: Scams using AI-generated images, video, and audio that look and sound like someone else are quickly increasing. Someone you know may have even encountered such a scam attempt. (We hope it wasn't successful!) I have received a call claiming to be…me! That was weird. And a business acquaintance recently wrote about getting a call purportedly from his wife claiming to be kidnapped that he almost fell for; it sounded so real!


This is definitely not just for the famous. Many people worldwide have audio and/or video clips of themselves somewhere online, posted by themselves or by someone else: voicemail greetings, social media videos, recorded meetings, podcast and webinar appearances, and so on.


That means anyone, including crooks, can find a voice sample for a target with a few simple searches, clone the voice, and then call the target's family, friends, or co-workers pretending to be that person.


Criminals also use scam calls to gather voice recordings of targeted victims, which is a good possibility for how my acquaintance’s wife’s voice was replicated. AI is advancing to the point where it only takes a few seconds of someone’s voice audio to be able to “train” it how to replicate the person’s voice. 



For example, Apple's new Personal Voice accessibility feature, announced in May 2023 for iOS 17, creates a synthetic copy of a user's voice from about 15 minutes of recorded prompts; it is intended for people at risk of losing the ability to speak. Research and commercial voice-cloning tools need far less audio than that, and more AI-powered apps like these are becoming available.


Here are a few precautions to take now to prevent being a victim of this scam:


  • Speak with your friends and family about this growing criminal trend, especially before any travel. 
  • Choose a “safe word” that you and your trusted family members and friends can ask for if they get such a call. Make it unique, and don’t post it anywhere online; nowhere. Then, if you get a call from someone saying they are your mother, etc., you can ask, “What is our safe word?” If they don’t answer with the safe word, it is likely a scammer trying to extort money from you.
  • Don’t post your phone number online.
  • Don’t post a recording that includes you talking online. Obviously, this is difficult if you are a public figure or professional speaker. Be extra cautious when you get calls from strangers.
  • If you find someone else has posted audio or video with you in it without your consent, ask them to remove it, or at least block out the parts with you in it.
  • Consider mutually sharing cell phone locations with a few trusted loved ones using one of the many phone location-sharing services. If a caller claims that someone has been kidnapped in city X, you can check the purported victim's location and may see that they are actually safe in city Y.  
  • If a scammer, or someone who you think may be a scammer, calls, hang up. Say as little as possible: if the caller is gathering voice recordings to train an AI for a later kidnapping (or other) scam, they will not get a usable sample of your voice. A legitimate caller can leave you a voice mail or call you back later. 
  • Remove as many personal details about yourself as possible from publicly accessible online locations, and minimize what you put online. Cyber crooks use such details to make their stories and claims more convincing.
  • Since AI-generated videos are also increasingly used in crimes, try to notice what your loved ones are wearing (clothing, jewelry, etc.) each day, if possible. If someone sends a purported video of them, you can then check whether what they are wearing matches what you know they wore that day, or whether it is even something they own. 



Do you have more suggestions to add to our list? Let us know!

Q: What are the legal privacy issues related to AI?



A: The International Association of Privacy Professionals (IAPP) recently published a nice publicly-available article covering the legal issues of privacy and security for AI use. You can see it here. 

Q: My healthcare provider's hospital system sends out newsletters providing health tips. In their latest, they warned about not being fooled by “calls using AI pretending to be from us.” But they didn’t tell us how not to be fooled! Can you help me understand?


A: I’m glad your healthcare provider is warning you about these new tactics. Callers can easily spoof other people’s phone numbers so that the recipient thinks the call is legitimate.


Never trust that the call is real simply because of the phone number that shows up in your caller ID. If you ever get a call claiming to be from your healthcare provider, or any other business or organization for that matter, do the following, especially if the call seems a bit fishy.

 

  • Never provide personal or other types of confidential information to callers you are not expecting to call you. 
  • Ask the caller for their name and department, then tell the caller you will call them back, and hang up immediately. A crook will try to talk you into giving them the information they need before you hang up. Your legitimate healthcare provider should be fine with this, and most will be impressed by your awareness of such phone scams.
  • Call the healthcare provider back using a number you already have or can verify independently, such as the one on your insurance card, your appointment paperwork, or the provider's official website. Never call back a number the caller gives you. Ask to speak with the person who claimed to have just called you. If the call was legitimate, they will be able to connect you. If it was not, the provider should be glad you reported that someone was spoofing them, which allows them to warn their other patients about the scam. 
  • If you have a voice mail account, set a strong PIN or password for it, and turn on multi-factor authentication (MFA) if the service offers it. Some voicemail services are preset to allow access without a PIN when the call comes from your own phone number, which is very risky given how easy phone number spoofing is: a crook can spoof your number and listen to your messages (including any your provider left) if you have not set a PIN.
  • If you receive a call and believe the caller ID was falsified, or you think the confidentiality of your phone number was violated, consider filing a complaint with the FCC. By phone use one of the following: 1-888-CALL-FCC (1-888-225-5322); TTY: 1-888-TELL-FCC (1-888-835-5322); ASL Videophone: 1-844-432-2275. See their site for other methods.

Q: I was recently in the hospital for a few days. Each room had an Amazon Alexa/Echo Show screen, where patients could ask for help, food, etc. But the nurses/doctors also asked it to “record for patient <they say my name here>” and then my associated health data. This worries me. Isn’t this a privacy risk? Is this a violation of HIPAA? 


A: You are wise to be concerned. These types of personal digital assistants, along with a wide range of other Internet of Things (IoT) devices, can definitely be beneficial if all the necessary security and privacy safeguards have been implemented. Without them, using such devices where your protected health information (PHI) is involved not only puts your personal and health data at risk, it is also a violation of HIPAA. Weak security and privacy controls also create vulnerabilities that could let hackers and other malicious people (and malicious software) infiltrate the provider's network and access patient data. Worse, unauthorized access could interfere with the provision of care, for example by changing prescription information or even shutting down equipment such as that used in surgery centers, putting patient safety at risk.


If the hospital implemented these devices with strong security controls, it may not be creating significant (or any) privacy or security risks and could be meeting HIPAA requirements. The best way to find out is to ask your hospital. Specific things to ask: whether the devices are covered by a business associate agreement with the vendor (Amazon offers a version of Alexa for hospitals that it will cover under a HIPAA business associate agreement, but the hospital still has to deploy and configure it properly), whether recordings of requests are stored and for how long, who can access them, and whether the devices are isolated on their own network segment rather than sharing a network with clinical systems. The hospital should be able to provide you with verifiable information that it has strong security and privacy controls in place to protect your health data.


Q: People have often surreptitiously recorded others in compromising positions. They recorded up women’s skirts as they went up staircases and on escalators and took pictures in bathrooms and dressing rooms and on beaches. Are new privacy laws helping to reduce these occurrences? 


A: With new technologies that make it easier than ever before to record others, the problem actually seems to be getting worse. Although we would hope new laws would be more stringent, they may not be addressing certain types of criminal actions.


In the U.S., most of those new privacy laws cover what businesses and other organizations can and cannot do with personal data. In other countries, such as in the EU with the General Data Protection Regulation (GDPR), the regulations apply to individuals as well as organizations, although the GDPR exempts purely personal or household activities, so secret recordings of the kind described below are generally prosecuted under national criminal law there too.

In the U.S., though, these personal privacy invasions are usually handled at the state level through state criminal codes. For example, two cases were reported in June here in Iowa. In one, a man was arrested and charged for allegedly videotaping his roommate while she was in the shower, and asleep in her bed, on multiple occasions. He was charged with four counts of invasion of privacy and one count of assault, and held in jail on a $10,000 cash bond. In a separate case, a different man admitted that he had secretly recorded women in a tanning salon owned by his father, using his cellphone to take videos of female patrons of the Clear Lake salon without their knowledge. In both cases the men were charged with invasion of privacy under Iowa Code section 709.21 (invasion of privacy, nudity), and with interference with official acts. Each count of invasion of privacy is an "aggravated misdemeanor" subject to a maximum penalty of up to two years in prison and a fine of at least $850 and up to $8,000. Based on our research, it does not appear that either has been sentenced. We are seeing more of these reports from other locations throughout the U.S., and beyond, as well.



The codes for invasion of privacy vary from state to state and territory to territory, if they exist at all. To find out the legal codes for your state, territory, or country, start by searching “[iowa] state code invasion of privacy,” replacing “[iowa]” with your applicable location.

Q: What are your thoughts about “Scammer Payback?” Legit or not? The videos seem staged.



A: When I checked it out, I found the site purports or implies that the incidents were real-life. However, I was a bit concerned that all the scams I saw were from India or committed by people from India who were located in the U.S. In actuality, scammers come from all over the world. A report in Tech Business News in Australia lists the top five countries scammers come from, from the most scammers to the fewest: 


  1. Nigeria
  2. India
  3. China
  4. Brazil
  5. Pakistan


Analytics Insight, based out of India and the U.S., indicates the following are the top 10 countries launching scams:



  1. Nigeria
  2. Ghana
  3. India
  4. Indonesia
  5. Philippines
  6. Romania
  7. Russia
  8. South Africa
  9. Ukraine
  10. United States


And other analytics sites from other countries show other countries of origin. The key point is that scammers from many different countries are targeting people throughout the world. If all the scams shown in the channel's more than 532 videos since May 2019 were real-life scammers, statistically many would have come from other countries, not almost exclusively from India or Indians.


The U.S. is also a large source of scams, especially those targeting U.S. victims; I've received many scam calls, texts, emails, and social media contacts that originated from the U.S. By showing only Indian scammers, the channel is creating a bias, possibly by accident and hopefully not by design. As a counterpoint, though, perhaps Scammer Payback was baiting primarily scammers it knew to be located in India to get them to call organically, which creates elements of staging within the incidents.


And many of the calls seem staged. Some scenarios I watched, and even conversations, were nearly identical to reported phone scammers from years ago; I’ve been tracking phone scammers since the early 2000s. Scammer Payback seems to be primarily, or in part, a marketing vehicle for its products. Scammer Payback was only created in 2019 but has already recorded over 532 scammer situations and is considered an entertainment business.


I decided to go to Scammer Payback directly. I posted to the LinkedIn page of a Scammer Payback employee, asking if the videos were staged. The employee did not reply, but I did get a direct message from an individual who claimed to be a former employee, corroborated by their LinkedIn profile, who indicated that yes, most but not all of the calls are scripted and staged.


Ultimately, I see nothing wrong with videos that are provided to be educational and awareness-raising, with creating scenarios to represent situations that could happen in real-life to educate and make concepts clearer and more memorable for cybersecurity and privacy topics. But representing to millions of subscribers on a video channel that all the situations are real scam situations may be misleading. For full transparency to their viewers, it would be good for them to label the staged videos to communicate when the video is staged to provide an educational lesson, and when the situation in the video happened organically.

 

The law-related portions of the Scammer Payback site state, “This visual production contains original artistic content and ideas and is protected by U.S. and international laws.” That implies that the videos are not all real-life in an area where typically few subscribers look. I also sent an email message to Scammer Payback asking about this, but I have not received a reply as of the publication of this month’s Tips. So, I will reserve a final opinion about legitimacy until I hear back from them. Reader Paul also had a great suggestion (thank you, Paul!) for me to have them as a guest on one of my VoiceAmerica radio/podcast shows. That would be an exciting episode, I’m sure!


Q: I'm very careful with my ATM (debit) card. It never leaves my wallet except for paying at retail stores, restaurants, and doctor's offices. So I was shocked when my bank alerted me that someone had attempted to buy $200+ worth of wings and pizza (two separate transactions) using my card number. The good news is that I got a replacement card via FedEx within 48 hours. Now what can I do to ensure people don't try to snack on my dime (or many dimes)?


A: I’m glad you got your debit card replaced so quickly and that your bank stopped the crooks before they got their dirty mitts (and hungry stomachs) on your money! This is an important topic, especially during the summer travel season. Criminals use many techniques to obtain debit card numbers, expiration dates, and security codes: skimming devices placed on ATMs and point-of-sale payment terminals, phishing scams, USB skimmers, hidden cameras at ATMs and payment kiosks, and so on. See some of them described in the July Tips and associated PDFs. 


U.S. federal law (the Electronic Fund Transfer Act and Regulation E) limits your liability for unauthorized debit card transactions, and the limit depends on how quickly you report. If your physical card was lost or stolen, your liability is capped at $50 if you report it within two business days of learning of the loss, and at $500 if you report it after two business days but within 60 calendar days after the statement showing the unauthorized transactions was sent to you. If you report it more than 60 days after that statement, you could be liable for everything taken after the 60-day window. If the card itself was never lost or stolen and only the number was used, as in your case, you are not liable for any unauthorized transactions you report within 60 days of the statement.


Now, to address how, if possible, to keep the crooks from using your debit card numbers once they’ve gotten hold of them. 


  1. Banks need to have debit card fraud protections in place. In the U.S., most banks and credit unions have advanced fraud protections for credit cards, but many do little for debit cards beyond the legally required minimum. The difference matters because a debit card draws directly on your account: with a credit card you dispute a charge before you pay it, while with a debit card the money has already left your account and you must wait for the bank's investigation (and any provisional credit) to get it back. It is good to see that your bank has alerts and stopped the fraudulent charges. Check with your bank to see what additional protections it offers for debit cards, such as alerts for certain types of transactions, spending limits, or the ability to lock the card from its app. If it does not offer them, request them, and if that goes nowhere, consider moving your accounts to a bank that will. If that is too much of a hassle, stop using the debit card from that bank, at least until it implements some protections.
  2. Review all your bank and card-issuer statements promptly after receiving them. The sooner you detect and report fraud using your debit card, the more likely you will receive back some or all of your money.
  3. Check your bank balances and transactions regularly; most banks and credit unions have online portals to make this easy to do. Debit card transactions hit your account virtually immediately. I check mine daily. Once you get into the habit, you’ll spend just a few minutes, saving you much lost money and potentially long-term time to recover from fraud.
  4. Irreversibly destroy old debit cards by shredding them, or at least cut up the portions with the numbers, magnetic stripes, and chips so they cannot be reconstructed.



Do you have additional tips for this topic? Or real-life stories to share? What are the laws or rules in your country? Let us know.

Q: I recently heard on a radio news show that the U.S. military was warning that protecting against cyber threats in space satellites is “urgent” and needs “immediate attention,” especially because of “AI capabilities.” Sorry, I just heard these snippets while doing something else, and now I’m concerned. I realize that satellites are run primarily by computer programs. But how can hackers get to them and hack them in space? What does AI have to do with them? And they aren’t attached to the Internet, are they?



A: Great questions for an important topic! Satellite systems play a crucial role in our world. They support communications, weather monitoring, navigation, Internet access, and more. However, these systems indeed face numerous threats that compromise security and integrity. And, with most of them increasing their dependence upon AI, it also becomes of utmost importance to ensure the accuracy of the AI algorithms used to support and control them. To address these challenges, it is essential to implement a robust cybersecurity framework to protect satellite operations, which starts by understanding the threats to satellite systems.


Even though satellite systems are not connected to the Internet in the way most people connect their computers, they still need to be very secure. Every satellite has a radio link to ground stations on Earth for commands and telemetry, and those ground stations are ordinary networked computers, often reachable from corporate networks or the Internet; the ground segment is generally considered the most likely path for an attacker to reach a satellite. Those connections could be compromised through mistakes made by people with authorized access, by authorized users who have "gone rogue" and decided to take malicious action against the satellites, or when the credentials of authorized users are obtained by malicious actors such as nation-state hackers, competitors of the businesses operating the satellites, or others with malicious intent. Security vulnerabilities in the satellite software, the radio links, and the supporting applications could also be exploited to wreak havoc anywhere from a few hundred miles up (low Earth orbit) to more than 22,000 miles up (geostationary orbit).


The threats range from denial-of-service (DoS) attacks, data exfiltration, and malware to unauthorized access. For satellite systems, these can feed corrupted or incomplete data to sensor systems, resulting in harmful actions taken on the basis of bad data. For example, if a sensor system is corrupted, the satellite could be steered into a collision with another satellite or a natural space object. If a sensor system becomes unusable, other space and terrestrial systems that depend on it could fail. Jamming, or sending unauthorized commands to guidance and control systems, could also damage other orbiting space vehicles. And data exfiltrated from military or other defense satellites could be extremely damaging.



Denial-of-service attacks, including jamming of the radio links, can render satellites unresponsive or, even worse, shut them down. This would create physical safety risks and could damage other countries’ space vehicles or cause ground damage from satellite debris fallout. Additionally, malware planted through insufficiently secured access points could affect the satellite and spread to the other systems with which it communicates.



Considering how quickly AI is being adopted within all industries, validating the accuracy of any AI used within each satellite system is essential. Then it must be thoroughly tested before being put into production. Given the potential threats satellites face, a comprehensive cybersecurity framework is necessary to mitigate these risks. It will also be important for engineering universities and tech organizations to work collaboratively to create and implement a comprehensive cybersecurity, privacy, and resilience framework to regulate the industries expanding the use of space vehicles.

Data Security & Privacy Beacons*

People and Places Making a Difference

We get many suggestions for beacons from our readers and Rebecca’s podcast/radio show listeners; thank you! We include many of them when the suggestions are for businesses other than their own that the suggester feels deserve recognition or for other people other than themselves who do something noteworthy about data security and privacy. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list, though. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.


  1. Recognizing online scams: A tragi-comedy in 4 acts 
  2. Online scams: 3 rules to prevent being taken 

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other helpful information on our site. Our goal is to post 3-4 times a week. We’d also love to see your comments and thoughts on our posts.

Check It Out!



We have excellent feedback on our course, “HIPAA Basics for Business Associates 2023 Edition.” Our course includes more direct experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors’ courses. Similar statements have been made about our HIPAA Basics for Covered Entities 2023 Edition course. We update the real-life experiences included within the courses, and the many supplemental materials, as changes occur, so our clients and learners can use their Privacy and Security Brainiacs portals not only for learning but also to keep up with regulatory changes, and even to store their organizations’ security and privacy policies. Please check them out! 



Students of each Master Experts “Online Education” course receive certificates of completion showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class and much, much more. Have questions about our education offerings? Contact us!

Where to Find the Privacy Professor


Rebecca is Speaking at CornCon in October!

Consider attending the highly prestigious while never pretentious CornCon, on the Mississippi River in Davenport, Iowa, October 5-7, 2023. Rebecca will be delivering a talk intriguingly titled:

It’s Not Always a Rattlesnake Just Because It Rattles: Everything I Learned About Risk Management I Learned on the Farm.


Rebecca’s Radio Show


If you haven't checked out Rebecca’s radio show, Data Security & Privacy with the Privacy Professor, please do so. We discuss many real-world topics within the data security and privacy realm.



Latest Episode


First aired July 1, 2023


Tara Taubman-Bassirian


GDPR Stats: Penalties & Most Violated Articles



The EU GDPR has been in effect for 5 years now. What have been the impacts on organizations that must comply? What penalties have been applied, and for what specific non-compliance issues? Rebecca speaks with Tara Taubman-Bassirian, a well-known GDPR expert and award winner, to get answers to these and more questions.


Next Episode



First airs August 5, 2023


Kathy Waters and April Helm


A Romance Scammer Took All My Dying Mother's Money


April describes the horrific harms that romance scammers caused her mother while terminally ill with cancer, and Kathy describes the upcoming World Romance Scam Prevention Day that her organization established.





The Privacy Professor | Website

Privacy & Security Brainiacs| Website


Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:


Source: Rebecca Herold. August 2023 Privacy Professor Tips

www.privacysecuritybrainiacs.com.


NOTE: Permission for excerpts does not extend to images.


Privacy Notice & Communication Information


You are receiving this Privacy Professor Tips message as a result of:

 

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn


When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that, in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.

 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.