With 2.4 million TikTok followers, Cathy Pedrayes is a social media influencer who gives mothers expert safety tips for the cyber world and the real one, too. Because in the course of her career, she has found that – especially for women and children – security in both realms tends to overlap.
An environmental scientist by background, Pedrayes moved into TV presenting in 2015. But during her time at shopping channel QVC, she discovered that few, if any, measures had been taken by the media giant to guard against cybercriminals. That revelation inspired Pedrayes, aka the “Mom Friend,” to put her technical mind to foiling threat actors, especially those who might come after women and children.
I reached out to Pedrayes, who recently published The Mom Friend Guide To Everyday Safety And Security, and we spoke about using social media responsibly, the dangers the internet poses to women and children, and the need for government regulation to make it a safer, better place for everybody.
The following link is a YouTube version of the original interview that was conducted at a later date.
To begin with, tell us about your journey to becoming a cybersecurity professional, influencer, and author.
I was a scientist, and only recently became interested in cybersecurity and safety. And part of it was because I started working in television as a national host [on QBC]. Because of that, I was exposed to how much information is out there on the internet, and what that could mean for your physical security. My company wasn't doing anything to scrub information – even though it's a $20bn-a-year company! [laughs] So the onus fell on us to suddenly become experts and protect ourselves – it happened very organically, where I would see something and be like: “OK, how can I prevent this?” I slowly started becoming more aware, and then for the past two years on social media, with COVID and all of that, I started really posting about it.
You published a book as well. I take it that covers all kinds of security topics, including cyber?
Yes. There's a whole chapter on cybersecurity. Sometimes it double dips with things like travel, for example: the rest of it is regular physical safety. But the biggest section is cyber.
Do you have any other books in the pipeline?
No, this one just came out April 12, so it is brand new!
You've been quite outspoken about what not to do on social media. Talk me through your top tips.
One of the things I've talked about a million times, but nobody does [laughs] is multi-factor authentication. Step one is going through your privacy and security settings of all your different applications and making sure you're doing the best you can to secure that. I always recommend an authenticator app, but not a lot of people do it. But of course, all these newer kinds of scams on social media trick you into bypassing the authentication…
You’re talking about social engineering?
Exactly. One that's been really hot recently – you'll get a direct message from somebody, saying: “I got locked out of my account, Instagram is asking for a friend's phone number so I can get back in, they're going to send you a code.” And you think you're helping your friend, your mom, your whoever, and you're screenshotting the code and sending it to them. What they're really doing is resetting the password on your own account. I can see when it happens to my followers, because suddenly, I get that message. And I'm like, “Come on! I post about this all the time!” [laughs]
Part of it is being familiar with what's happening in the scam world, so when you see it, those red flags go up, and you're not caught off-guard. Something that people are less aware of refers to when they send photos and videos to each other. All the major apps remove the metadata. But when you're sending these things via email or text, oftentimes, your geographic location is still tagged in it unless you have it disabled. That applies not just to texting and emailing, but also if you're dabbling in newer apps – because they rush to the market and the software developers are not necessarily cybersecurity experts. I mean these things are built in three to four months.
It's interesting from a journalism perspective, too. Nowadays journalists are expected to put themselves out there, to build their Twitter following – because that's where you get your book deals, how you get the jobs at the big publications. But journalists also sometimes talk about things that upset people. People on the internet can dox [publicly out] you, so journalists have to be extra careful with encrypted emails and also what you are posting. But even if you're dealing with sources that are giving you confidential information, you have to be familiar with encryption and all of this stuff. We don't really get training in that.
What's the worst personal account of a cyber scam you've heard?
I think one of the worst was from a friend who owns a cybersecurity firm. Two companies were merging. There were millions of dollars being exchanged, and it was one of those where the scammers took over the emails and started emailing: “Oh, the deposit didn't go in the bank, let me...” That whole thing. Very scary. But another one happened to a friend of mine, his daughter's middle school. Because the kids weren't using passwords and multifactor authentication, a hacker got into one of their accounts and started going into the classroom group chat: “I made this for you, here's a link.” Or: “You're on the Top Ten Most Ugly list at school, here's a link.”
So that last one is playing into cyber bullying?
Yeah! It's obviously a phishing link, it prompts you to log into your Instagram or something like that, and then they hack it. One of the things that happened was a girl's Snapchat account was taken and she had images in her private drafts. You can have your drafts on Instagram, Snapchat, TikTok: they have like a private camera roll. And some of these images were more “risque.” This hacker wasn't trying to extort her for money or anything like that – they just made these images public because they could. And this is a middle-school girl.
Remember that we don't own these apps and should not be keeping anything private in any of our draft folders: whether that's images you don't want public, or medical stuff, weight loss pictures, whatever it is. Because so many times I see this thing happen where – because people aren’t familiar with the most common scams – their accounts get taken over, they get extorted and threatened, and it's very stressful.
I am genuinely shocked by how many intimate images the younger generation seem to keep on their phones. It's like they don't care – they're just quite blasé about it…
Millennials were the last on the cusp of technology/no technology. But once you're growing up with this phone in your hand 24/7, it becomes an extension of you. You don't realize that it's not like your personal journal that you keep on your nightstand, it's something that's connected to the world. Maybe a year and a half ago, a woman took her phone to get repaired, and the service tech – this was obviously totally inappropriate – accessed her images. So people definitely have to be careful. I just posted a video about how to protect your nudes! [laughs]
I must be naive, because when I saw you had spelled it “noods” on your TikTok page, I immediately wondered why you were posting about noodles! Did you spell it that way because you didn't want to get the wrong kind of traffic?
Yes! Also, because of moderation. What is kind of funny is how people intentionally misspell things to get around the moderators! [laughs] Ideally, you don't want cloud storage for things that are intimate, but if you are going to use it – because it is super convenient – you ideally want it to be encrypted.
But what about people who say they don’t care if intimate footage of them gets out there, because it would essentially just be lost among all the millions of other pornographic images on the internet nowadays – is that something you are hearing from your viewers?
I think it's 50/50. When people have never thought about their private things becoming public and then it becomes public, there's a lot of trauma. I've seen girls in tears because their phones were accessed. Of course, eventually, you can come to terms with it when you realize this happens to a lot of people, but the problem is once these images are out there people can Photoshop them into other things… And so that's why even with children, people are hesitant to post their kids online. Because there are people that do bad things with these images.
That was one of your videos that jumped out at me, about parents doing the “back to school” social media posts…
Yeah, absolutely. Whether you want to post your kid online or not, I think absolutely you should never do those back-to-school chalkboards.
It actually did shock me. I cannot believe parents are doing that!
Right! [laughs] If the chalkboard just says “first day,” that's not so bad. But a lot have the teacher's name, favorite activities, foods, sport – the whole thing. That's a lot of information that you may not want on the internet. Similarly, some of those pictures could be in front of the school, maybe with signs in the background. I'm also hesitant with school uniforms, you know, the emblems.
Because they can identify which school the child goes to?
Right. The same with sporting uniforms, sometimes that will have the school name. When you're in high school or college or anything like that, a lot of these sports teams' rosters are public. And so if you're posting even a jersey with just the number and your school, it's very easy to look up the roster and pull your name [and] now I can see your classmates… it becomes a whole creepy scenario.
It just seems like an invitation to a kidnapper or worse… And there must be other ways a child’s personal details can be misused, not as horrible but still highly stressful?
There are a lot of threats now. People don't realize that a baby's identity can be stolen. It happens to tons of kids every year. Something as simple as freezing their credit – so many parents are like: “I never thought of that.” They did it because I posted a video about that.
OK, talk me through how that works – and why you’d need to freeze your child’s credit?
The credit freeze is like a two-factor authentication: you need this extra password if you want to get a loan or whatever. But obviously, a child wouldn't be getting a loan, they wouldn't be doing any of these things. You freeze their credit because sometimes these criminals can take social security from this one, a name from that one – and they create these fake identities that then get all these loans. You don't want your kid growing up into debt: it's a terrible thing to try to prove “this wasn't me.” It's hours and hours on the phone dealing with this and that company.
I had a credit card go missing from the mail and the company alerted me to a bunch of purchases. I said: “These were fraudulent and I never received the card.” And they said: “It was activated on such-and-such a day. The person who called had the last four digits of your social security number.” We closed the card account, but that's when I found out about freezing credit. Because somebody out there has my social security – that's scary.
For kids, who knows how long before it's noticed – if you see credit card offers show up at the house, you might think “why is my kid getting this?” and that's definitely a red flag. But oftentimes, it takes a year before you realize anything. So it's just better to be proactive. It's three phone calls – I did it a couple of years ago, it's free.
Going back to social media posting, a lot of those precautions are essentially an overlap between cybersecurity and traditional security, aren’t they?
If you're not active on social media, then it's easy. But if you're somebody who's posting every day, somebody like me who has followers, it's kind of like a job – it's practically impossible not to. Social media has this thing of being in the moment. We've seen even celebrities make really big mistakes and post where they're at, a restaurant or hotel, and they've got this jewelry and stuff with them, and then things happen.
For example, I was in New York City at a very popular restaurant called Red Farm. And I happened to be walking by, on my phone, and I noticed that one of my A-list celebrities that I follow – she is HUGE! – posted a picture of herself at the bar of this restaurant on Instagram. And there's windows and everything, and I thought: “I wonder if she's actually there?” And she was! What if I was a crazy person!? I would have tried to sit at the bar next to her! [laughs]
I suppose it's a great leveler, cybercrime – it can happen to anyone.
I think that's the big misconception, people think: “This just happens to my grandma or grandpa.” Younger people are just as susceptible. For example, the crypto scams: younger people fall for that all the time.
Because they're more likely to invest in it than older people...
And know what it is! [laughs]
A cybersecurity pro I spoke to recently said he'd choose Facebook – even though he'd been criticizing it for its data policy – over TikTok because it's American as opposed to Chinese. Do you think that's fair, or is there too much criticism of non-Western platforms?
I would be inclined to agree, only because China has a reputation of overstepping the bounds with data, at least from a Western perspective. That said, TikTok's my main platform…! I just accepted that they are harvesting my facial recognition and voice data. But I think that really speaks to the need for international consensus when it comes to security.
In the US, we don't have the best laws regarding these things – in the UK, they are much more protected. Our phone numbers, addresses, emails, all of that is posted publicly on the internet for anybody to look up. Let me look up Cathy's cell phone number, and ta-da! Yellow Pages just gives it to you. And so, I think that's really where legislators have to come in and say what's appropriate. People are starting to become more aware of it, but it's still in the early stages.
So you think the state needs to start regulating the internet more?
I think it's gotten to that point. It's hard because when you think of the internet, of the creed of hackers, it's no kings, no rulers. I get that, but I think we've come too far. We've gone past the point where people can ethically regulate themselves. I say that from a perspective as a woman. There are a lot of domestic violence situations out there, and where you don't want your personal information on the internet – and we don't have control over how it gets there. Some hacker gets into some database, there's a breach, and now it's public forever.
We have some control – what we can download, what kind of scams we fall for. But there's so much that we don't – your college being hacked, your loan companies, your hospital. I just had a baby. My hospital asked me for pre-registration forms via email. I was like: “I don't want to send you this via email.” But I had to. I was like: “Can you please at least confirm that you've deleted it afterwards?” And even that I had to ask three times. They just didn't care. And hospitals are one of the highest-targeted industries.
You mentioned your point of view from a woman's perspective, and that ties into another question – would you like to see more women in cybersecurity, and what are the obstacles to that?
I think people like me help to change that because my audience is 86% women. Sometimes when we talk about these things it gets super techy, you're talking about the code and all this stuff – and that's not fun, nobody can relate to that! [laughs] Put it in the simplest terms – and tell me why I should care. Ransomware is bad for hospitals. OK. But why do I care? I'm not a patient there.
I think that women, we're the matriarchs, we have kids and tend to be very protective of our families. So if you tell me that posting something online or my bank not doing what they're supposed to do with my information can put my family at risk… I'm going to have a problem with that and become very outspoken. And I feel like we see that time and time again whenever there's some kind of injustice in the world. Oftentimes, women are in the front line – they may not be in the battlefield, but they're putting pressure on legislators and stuff like that. So I think this is going to be another one of those fronts. Or I hope – because it would make it easier if people started caring a bit more!
Well, women are half the population – so the more that get involved, the better it’s going to be for the whole human race, you'd imagine...
Exactly. Women also tend to care about how the digital world affects their physical world, because of things like cyberstalking: they get a lot of these gross messages in their Instagram. The body shaming: “You're too fat or skinny or whatever, I want this bad thing to happen to you or your kid.” Not to say that it doesn't happen to men also – it does, especially if you're not a man that fits in that traditional “this is what a man is” box. But I feel like women are definitely more vocal about these kinds of things on social media. Once one person starts talking about it, it does spread, and people start caring.
You talk about getting more involved – would you consider joining a campaign, trying to get the ear of the US government and telling it to step up?
It's not in the pipeline, but I've definitely thought about it! Because it's something that I'm so passionate about, and it upsets me when there’s a hearing in the US with the heads of Facebook, and these Congress people are like: “I got an email the other day, and I couldn't open that – why is that, Mark Zuckerberg?” Nobody cares about your stupid email, this isn't tech support! Can you please get to the questions that actually matter? I find that happens a lot. It's only fair: they did not grow up with Facebook, or Instagram, or Telegram, or Signal.
I know, but when a Congressman starts asking Mark Zuckerberg how he makes his money, and he has to say: “Senator, we run adverts…”
[laughs] It's embarrassing. It would be nice to have somebody in there with a bit more interest in what privacy really means for people! I've heard that the reason why Europe has stricter privacy guidelines may go back to World War II and how they saw the extreme case of what happens when you abuse data. In the US, we haven't experienced that to that extent.
You might be right about that, but even in Europe, freedom of information and the right to privacy clash from time to time. For instance, there have been big problems in the UK with the press being caught hacking phones and whatnot…
I think when all of this technology, the internet, got started, it had very good intentions. Enabling people to communicate, democratizing information and access, and all these really fantastic things – but those few bad actors...
Speaking of bad actors, you strike me as quite benign, but are you concerned that some influencers might be peddling hidden agendas? I’m thinking in particular about the spread of uncorroborated information: you’re from a journalistic and scientific background, but let’s face it, any wild-eyed conspiracy theorist can become an influencer – some might even be Kremlin-backed agents. How do you feel as an influencer about that “social media is power” set-up?
As a journalist, you have ethical standards that you abide by. And I've been thinking about creating an ethical standard on my website for my [TikTok] page so people understand where I'm coming from. I feel like maybe all influencers should start doing this kind of thing. Because as an influencer, you are not traditional media, but you are media, and you should abide by the same kinds of things: fact-checking and stuff like that. You may not have the same kind of access to investigative reporting, you may not have that budget, but there should definitely be an effort – and a disclaimer if you're not able to.
Just this week, I saw a big account – almost half a million followers on Instagram – and they did paid ads for two well-established scams. I messaged the account because I thought for sure this account got hacked. So I said: “I don't know if your account was hacked, but when you get it back, your account posted two scams – you may want to take that down.” The person said: “Those are just paid promotions.” I have the screenshot of the messages. I shared it on my page, saying: “This is a reminder that cybercriminals also have advertising budgets.”
Do you think the influencer was legitimate but got duped by threat actors posing as regular advertising clients?
It's difficult to say if they know it was a scam or not. I did tell them it was, and they didn't say: “I didn't know.” They just said: “They're promotional posts.” But I know that they're scams because I've seen accounts on Facebook get hacked, and they post the same thing. And I also went to the Instagram account it was pointing to. It says it has a hundred thousand followers, but all the comments are off – you could tell it's a fake profile.
It's a meme account called the Introverted Struggle. I like their content – but I'm also a conscious consumer. I was empathetic with them, and it turns out that they were just paid to post it. I know it happens to a lot of influencers: how you make your money is by getting paid to do advertising. You can do due diligence, make sure that the app hasn't been sued, but we don't know how these apps were built. I've even tried asking companies: “What did your product development look like, what was your timeframe, how much testing did you do?” But sometimes even they don't really know!
Going back to regulation, do you think there needs to be a law saying influencers must link to a legitimate website stating their fact-checking and other principles – to create those red flags by their absence?
The only challenge is: if it becomes heavily regulated, the barrier to entry is higher. You make it harder for the average person to start posting information. So I guess it depends on how, but I think there is an opportunity for an organization or association – like public relations industry professionals, journalists, maybe there should be something for influencers. There could be some kind of certification program – you go through training, and you can say you are a certified influencer. Then maybe companies will trust you better when it comes to working together. There is an opportunity for that – because right now, it's just every man for themselves.
NB: A few days after this interview was conducted, Cathy Pedrayes reached out to tell Cybernews that the Introverted Struggle had reposted the scams on its TikTok page.
More from Cybernews:
Subscribe to our newsletter