You may be surprised to learn that master manipulators use more than a sense of urgency to influence human behavior and emotions. The art of persuasion can be used for both good and evil. Today's guest is Chris Hadnagy. Chris is the author of five books on the topic of social engineering. He is a professor of social engineering at the University of Arizona as well as the CEO of Social Engineer LLC, the Innocent Lives Foundation, and the Institute for Social Engineering.
“We see malicious social engineering using trust and rapport building, but it also tends to focus on manipulating other emotions, like fear, anger, and lust.” - Chris Hadnagy
Show Notes:
- [0:57] – Chris shares his background and how he found himself in the field of social engineering and understanding human decision making.
- [2:38] – It is not the case that only stupid people fall for scams and phishing emails.
- [4:04] – There is good social engineering and Chris gives some examples.
- [5:47] – Research on the release of oxytocin shows that it is linked to trust.
- [7:58] – You can have oxytocin and dopamine separately but together they build a bond.
- [9:17] – Marketing and advertising land in the gray middle area of social engineering. Is it being used for good or bad?
- [11:14] – It is important to look at things through the lens of purpose. What is the intent behind it?
- [12:35] – All social engineering, good and bad, uses the same principles. But malicious social engineering triggers different emotions, namely fear.
- [14:37] – Preying on fear is one way people are socially engineered, but Chris gives an example of how a company as large as Toyota was impacted by the sense of urgency.
- [17:12] – There are so many stories of social engineering that are extremely plausible and believable.
- [21:04] – The trend now is to use social media data and information to target people for spear phishing.
- [22:30] – If you feel any strong emotion after a request, it is a great time to pause and consider if you are being manipulated.
- [24:21] – If you ever fall for something, don’t let embarrassment make you sweep it under the rug.
- [27:31] – The idea of an authority figure is a principle to remember, but it doesn’t always work.
- [30:10] – In some countries, fear of authority isn’t present. But social engineers will look for the weaknesses to exploit in different environments.
- [31:16] – Voice phishing is currently on the rise.
- [33:21] – Chris shares about the uptick in LinkedIn requests that even targeted the US military.
- [35:28] – Although we will see some good from AI, Chris has many concerns.
- [37:33] – Chris describes some of the classes he teaches at the University of Arizona specifically about Social Engineering.
- [39:17] – You can take classes online from Chris on Social-Engineer.com.
- [40:21] – We need to understand social engineering to keep our children safe. Start having conversations early.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Chris Hadnagy on LinkedIn
- Social-Engineer LLC
- Innocent Lives Foundation
Transcript:
Chris, thank you so much for coming on the Easy Prey Podcast today.
Thanks for inviting me. It's great to be with a fellow Chris.
Yes, it is. The transcriptionist will have a horrible time with this. Chris said this, and Chris said this. Can you give me and the audience a little background about who you are and what you do?
Sure. I'm a field security consultant. Way back in the day, I worked doing exploit writing and training in network pen-testing. I realized that that was not a skill that I was going to excel at, so I started to focus on human vulnerability.
I ended up writing a framework for something called social engineering. That led to my first book in 2010, which led to my company that I now run. My whole focus since then has been understanding human decision making, why we're vulnerable because of decisions we make, and how we can help people be more secure.
Awesome. One question I've started to ask at the beginning of my episodes, and feel free to work it in later if it's appropriate, is really trying to destigmatize people who have fallen victim to cybersecurity incidents, phishing, hacking, social engineering, because it's easy to say, “Hey, they blew it. They’re a bad person.” Most cybersecurity experts have fallen for something at some point; we've been tricked into doing something because, as I think we're going to talk about, it's human nature. Have you ever fallen victim to a cybersecurity incident or, probably more importantly, in your field of social engineering?
A hundred percent. I tell people this all the time because I hate that phrase, “There's no patch for human stupidity,” because it makes it sound like only stupid people fall for these things, and that is not the case. I don't think I'm the smartest person in the room, but I also know I'm not the dumbest.
I've sent 90 million phishing emails in my career. My third book was all about the psychology of phishing, and I fell hook, line, and sinker for a phishing email. I got phished with an Amazon email. I was rushed trying to get to an airport. I fully clicked on that link, and I got saved last second, but almost gave all of my credentials over. I believe it 100%. I'm the guy who sends phish. That was a real incident.
I appreciate you sharing that because I think it really helps people to realize we're all in this together. We need to get it right most of the time. But we're all human, and we're going to make mistakes here and there. Let's talk about social engineering. How would you define that?
I love that question, by the way, because I know when people search for it, the definition online is the malicious use of this, this, or this. When I started doing that framework I told you about, I realized that there was good and bad to social engineering. My definition is any act that influences a person to take an action that may or may not be in their best interest. That broad definition helps us to encapsulate both the good and the bad side of what social engineering is.
Let's talk about working from good social engineering to bad social engineering. We'll just work our way down through it and ask questions along the way. How would you define good social engineering? Hopefully, parenting is good social engineering, but how would you define it?
I love that—parenting. Imagine if you had a really good friend that was doing something really bad for their health, maybe they were smoking too much, drinking too much, or they were overweight and not wanting to exercise, and you were really concerned about their health. You can walk in and go, “Hey, fatso. Come on. You’ve got to go to the gym.” That's not really social engineering. That's insulting.
You can think of, “What can I do to motivate my friend to want to come work out with me? What tools can I use? Maybe I'll ask him for help.” “Man, I'm losing motivation lately. I can really use a workout buddy. Would you want to do that?”
Now, you're influencing him to do something good for his health without walking up to him and saying, “Hey, you're really disgusting. Why don't you go to the gym with me?” I think of times where my daughter has gotten me to do things that are crazy, like getting my nails painted and having makeup on my face. Like what? Now that she's 18, 19 years old, she gets me to ride these rollercoasters that I'm deathly afraid to ride.
People go, “Ask because you love her.” I'm like, “Yeah, but there's something more about it.” When my daughter makes a request, my brain goes through the same process that would happen if you make that request. If you said, “Hey, can we have a princess tea party on the podcast here?” my brain would go, “Well, that's a request,” and I go, “No, thank you.” But if my daughter asked me, I get oxytocin released in my brain because I love her and trust her, and then I want to make her happy because I need that dopamine. By saying yes to her, I know I'm making her happy.
That chemical process allows me to say yes to things that I would normally say no to. That's positive social engineering.
What are the mechanisms of oxytocin and dopamine?
A wonderful researcher, a guy named Dr. Paul Zak wrote a book called The Moral Molecule. I had a chance to actually chat with him on my podcast. He did this research into this molecule called oxytocin. It's the molecule that's released in our bloodstream that creates the feelings of trust and rapport.
It's very heavily seen during moments of intimacy, a mom breastfeeding her baby. But he also found that if you and I have a great conversation like we are, and let's say an hour from now, I trust you, you trust me, we're having a great convo, an hour from now I'm on LinkedIn, and I connect with you, my brain will release oxytocin again because it says, “Hey, that guy. You liked him. You had a good conversation with him. You want to be happy when you think about Chris.” My brain releases oxytocin, because we have that rapport and trust relationship.
And then dopamine?
The dopamine is the happy drug. It rewards us. Dopamine has been studied heavily by so many, so many different outfits. They use it in video games to reward for a certain action. In nature, you get a hit of dopamine when you do something good. When your brain says, “Oh, that was good for you, or you enjoyed that. That makes you happy, and we feel excited.” Those two things together, when I trust someone, and then I want to make them happy, that's like a chemical soup of goodness inside your head.
This is from the guy who didn't do well in biology and chemistry. Do these two compounds, if they're mixed together in your brain, is there more than just a combination of the two? Not necessarily a third chemical, but is the effect magnified when they're both present at the same time?
That's actually a great question. I don't actually know the answer to that, so I'm going to say I don't know because I would hate to say an answer, and then someone from the science committee listening to this goes, “No, that's not right.” I'll tell you my guess, though. I'll tell you, the honest answer is I don't know, but I'm going to tell you the guess is that you can have them separate.
You can have oxytocin, and that can be studied in the bloodstream alone. You can have dopamine without oxytocin, but you can ride a rollercoaster and get dopamine. There may be no oxytocin involved in that because there's nothing about trust and rapport with that rollercoaster; you just got hit with a good drug because you're all happy, because you did a thing that made you happy.
Those two together, according to Dr. Zak's research, build a bond. What he found was that oxytocin is stronger not if you trust me. If you trust me, that's great. But if I say, “Hey, you know what, Chris? I'm going to tell you something. I haven't done any podcast before, and I'm going to tell you, you're the first to know.”
Let's say I do it. I tell you something. Later on, you find out, “Wow, that was the first. He wasn't lying to me.” Your brain goes, “Whoa, he trusted me.” Your brain releases oxytocin about me, because you felt very special to have that trusting relationship. I’ve got to imagine those two things together are probably more powerful than separate.
Got you. We've talked a little bit about the good in social engineering—family building, relationships. We talked a little bit about this in the “green room.” Is there a middle ground before you start getting too malicious?
I think there is. That can be the same story, the same accounts we just gave—friends, family, all of that. I think of marketing. Right away, you probably will know this commercial. A famous singer comes on. Her sad song is playing in the background. There are pictures of malnourished dogs living in squalid, terrible conditions. Then, for a dollar a day, the music lifts, and then you see healthy dogs running onto the screen. They’re licking people, and kids are happy.
That dollar a day is now being linked in your brain with happy dogs, but you not paying is linked with these squalid, terrible conditions and starving dogs. Those are influence principles. That's what social engineering is, basically, being used to help try to motivate you to donate to this charity.
There's a fine line because marketing can also be very manipulative in the sense that there's been a ton of studies, like in shopping malls, where they'll pump certain smells through air vents because those smells will make you either shop longer, take more time, or want to buy something. Like, can you walk past Auntie Anne's without wanting a pretzel? That smell is like crack. You smell it from afar, and you're drawn towards it.
We know this smell now. I say it, you start laughing. Why? Because we've all had that experience. I think that would be the middle ground to me because it's influential, but it can also be manipulative.
I guess it's a question of once interests are no longer aligned, it crosses over to manipulation, when it's not in your interest anymore.
I think intent. What is the intent? If my intent is I want to help you, and I use positive forms of influence, then I look at that as the positive side of social engineering. Marketing has intent. But if their intent is, “I don't really care if you need it, if you want it, or if it hurts you, I'm just going to sell it to you.” I think of fast food companies that all of a sudden, you can't get a small. There is no such thing as a small drink anymore.
They have them, but it's the same exact price as the one that's 44 ounces of liquid sugar. Why? Is there a benefit for them? I don't know because they're selling the small for $0.99 and this giant tub of it for $0.99. They're getting rid of more products, but why would they push it this way?
I look at that and go, that kind of marketing borders on the line because they're not really caring about if it's good for you, if it's going to hurt you, if it's going to hurt your health or finances. They just care about their end goal, which is moving product.
Yeah, and it helps move other products. If you got the sweet, then you have to have more fries or the salted fries to go with it.
You have to.
Probably the bulk of our conversation here is going to be the bad forms of social engineering because that's what the podcast is about. Let's talk about how people are being social engineered in a bad way.
Again, it's the same principles. We see malicious social engineering using things like trust and rapport building, but malicious social engineering also seems to focus a lot on other emotions, like fear, anger, lust, and things like that, where if I can get you afraid, then you're more likely to take an action that you shouldn't take because fear makes the amygdala take over our processing.
Critical thought, frontal lobe shuts down. The limbic system kicks into gear. Amygdala, which is triggered by fear, creates an environment where we start to react based on our experiences and feelings, not on thought. If you really think your credit card got hacked, or your account’s been breached, you have to click here right now. You have to do it. Or the IRS is really on the phone about to come and rescue, you may take an action.
There was a terrible story I just read about this woman who was called, and the voice on the phone sounded like her daughter.
I remember this news story.
She said that, “Mommy, I made a mistake. They have me, and they're going to hurt me. Please save me.” It sounded like it was coming from her number. The guy comes on the phone—the man's voice—and demands money.
I don't know about you, I do this for a living. But if that happened to me, and I didn't know if my daughter was safe, and they were asking for something like $5,000, $10,000, I may just do it just to make sure she's not going to get hurt.
That fear took over for that mother. There was no rational thought ability at that point. You're talking about a mother saving her child. That, all the way, is 100% malicious social engineering because it focuses on creating an environment where your critical thought is not even possible.
Got you. Is it really about subverting the choice, the decision-making control of our brain?
It is. Let's use one that's maybe not so personal and scary. Let's look at one of the other biggest scams going on—BEC scams—where people at companies are being told they need to do a wire transfer.
“Chris, I'm your vendor, and you haven't paid me. I'm going to stop shipment on the next supply. I need to get paid today or I can't do it, and plus your 30 days. Look, I'll waive the late fees if you could do it right now.” Now you're talking to a company like Toyota that fell for this to the tune of $34 million.
A single incident or multiple incidents?
Three transfers over three days that equaled $34.2 million. You look at that, and you're like, “Well, was it fear?” No, it probably was some AR person, some accounting person sitting there who got the email and the phone call at the same time thinking, “Oh, my gosh. If the plant shuts down because we didn't pay this bill, my head's going to roll.” Now they're just like, “I've got to take care of this—transfer’s done.”
The next day, they're like, “OK, well, it didn't get stopped, and nobody's calling the cops.” The guy calls back and he's like, “Listen, we got this other invoice that is just about to be due, third day.” Finally, someone upstairs comes down and goes, “Where is this $34 million going?” The guy's like, “To our vendor.” “That's not our vendor.” The money's gone. No way to get it back.
Same emotional state. But now, instead of fear for your child's life, it's, “Oh, my. I don't want to get fired because I didn't do my job.” That environment creates a situation where the person is not thinking. Also, giving them enough believable facts, then it could make sense that it could be true.
I remember a news story of a gentleman that would do landscaping for fast food restaurants, just the regular landscape maintenance. Got a bunch of clients, and one of the clients stopped paying him or was late. That happens from time to time, so he's like, “Hey, whatever.”
They're 60 days late, 90 days late. The client says, “Hey, you haven't paid me.” They say, “Oh, well, you called us. We paid you. Here’s a copy of our invoices, copy of our payments.” He's like, “Well, that's not my bank account.” “You called us and changed the bank account.” He goes, “That's not my bank account.”
I haven't heard this one.
The rub is that he's like, “OK, well, you still need to pay your bill.” They're like, “Well, it's not our fault. We have a paid invoice.” He's like, “But you sent the money to the wrong person.”
I don't know how I'd feel about that. It's terrible.
Again, it was a fairly simple social engineering, but the company was like, “But we've paid the bill.” He's like, “No, but you didn't pay me.” Of course, it turns into a big legal mess of whose fault is it? Of course, the landscaper's going, “How could any of this be my fault?”
Honestly, the landscaper should be paid, right? He's owed the service. He should be paid. But wow, I feel bad for those companies because they got social engineered, and now they're going to double pay.
It wasn't like we're giving you a fictitious bill. It was, “Hey, we're just going to pay it. Just send it to a different account. Mail the check to a different address.” To me, some scammer thought a little bit about like, “Let's figure out how to be less dramatic. How do we make this more plausible?”
I hate to give them any kind of respect, but it's the thing that constantly fascinates me about the bad guys. They are so ingenious at coming up with ways to do this. Let's dissect that particular attack.
Most likely, there was some landscaping company. It was very proud to have all of these companies. They put it on their website. “We are the vendor for Taco Bell, KFC, McDonald’s.” Some attacker out there says, “Oh, they're that. We can use that.” They come up with this ruse to call these fast food joints and say, “OK, we're just changing our accounts because we're moving to a different bank. Can you update it in the system?” Somebody does it.
Let me tell you, this is one of the reasons why we don't have any of our clients on our website. We don't do it. I do not brag or talk publicly about who we work with because of this exact story. This reason, it scares me.
Yeah. It's interesting how you think fairly innocuous information could be used against you. I was interviewing somebody. We weren't talking about social engineering or whatever the scam was. In the middle of the conversation, I realized I have the name of my security company—or I did at the time—on a sign in front of my house. It wasn't the world famous ADT.
I realized, “Oh, my gosh. That sounds good for them because they get advertising.” It's not good for me because someone can say, “Hey, I'm calling from […]. There's a fault with your alarm system. We need to come in and service it.” I wouldn't necessarily think twice about it.
You would want them to fix it.
I'll definitely come on in and fix it.
Yeah, now he needs your code so he can disable the system and check. Now you're giving some random stranger your code.
I hadn't thought about, “Gosh, this is a security platform. I really shouldn't be publicizing the name of the security platform that I'm using.”
Yeah, I know. Crazy, right?
This didn't happen, but it's absolutely ingenious to think that someone would. The more targeted, the more intentional it is, “I'm going after Chris,” versus, “I'm just going after anybody….”
And proceed more and more of, by the way.
More targeted?
Yeah. There was actually a report from the FBI that said that what they have found is that over 80% of all the spear phish that are reported to them are using artifacts from the target social media. That means that the people who are attacking them actually went out, went to the social media, looked at the accounts, collected data on you, and then used that data in an attempt to spear phish you. That's a lot of work if you think about it, but we're seeing it because think about the payout. The payout is so much higher if you get someone emotionally invested. It works.
What are some of the red flags that we should be watching out for if someone is using social engineering techniques on us? How do we distinguish that from marketing or some real situation happening?
I love that question. Here's a few tips I give people when they ask me this. First and foremost, if you feel any strong emotion after being asked for a request, that is a great time to pause and think, “Am I being manipulated? Am I being influenced?” Because attackers will always want to use emotion against you.
That doesn't mean that every conversation shouldn't have some emotion. But if you think about it, if somebody calls you, they're really pleasant, they'll ask for your help, they sound really nice on the phone, they got you laughing, and then some weird request comes in, that's a good time to say, “Well, that was weird. That's an odd conversation.”
If somebody calls and says they're the IRS, you haven't paid your taxes, and you're getting arrested, that's a great time to pause because this is a strong emotion, which leads me to my second tip, which is critical thought. Think to yourself and your whole life, has the IRS ever called you for anything? No, and they're not going to, ever.
If anything, you're going to get a certified letter in the mail that you have to sign for. That letter will tell you that you are late and you have 30 days or you're going to be fined. The IRS is never going to call you and demand payment with ApplePay cards or anything like that. A little critical thought could help.
That doesn't always fix the problem because one of the other big personal scams going on is what they call the grandparent scam, where someone's calling my grandma and saying, “Hey, this is Chris. Look, I was at a bachelor party. We went over to Mexico, I got mugged, I got in a fight. I have no wallet, I'm in prison. Can you give me $5,000 for bail? I promise I'll pay you back as soon as I get home.”
You have to do some critical thought ahead of time. What I did with my grandma on that is we set up a two-party authentication system. Right by her phone, I put a sticky note and I said, “Grandma, this is our password.” Let's just say it was a unicorn. “No one should ever know this is our password. You never say it, grandma, ever. I'm the one who says it.”
“If I call you and I said, ‘I need money,’ you'll say, ‘What's the password, Chris?’ If I don't know it, you hang up on me. If I'm too drunk to tell it to you, you hang up on me. When I sober up, I'll call back. Whatever it is.”
Call me back when you sober up.
Yeah, that's it. She's like, “Great. This is awesome.” It kept her from getting scammed because that was it. OK, you have to worry about emotion, critical thought. Then I always tell people, if you fall for something, don't let embarrassment make you sweep it under the rug. That's what a lot of people do. They're like, “I'm embarrassed, I fell for it.”
I hear so many folks, especially older folks, who fall for these romance scams, and they don't want to tell anybody. There's a two-way street on this. As a family member, I think it's important for me to make sure I never tell my family, “Well, how can you be so dumb?” That makes them not want to reach out.
Calling your bank, calling your financial institution, calling whatever it is that you lost and reporting it right away can help you many times get that problem fixed. I know it's not an exhaustive list, but I tell people to try those three things.
Listening to podcasts like this is super important because sometimes we don't even know that these things are happening. If you don't know what's happening, then you can't possibly defend against it. You have to have that knowledge first and foremost, and then following those three tips can really help.
I think we've talked about two of these. I won't ask you about the third because this is my own interpretation of things. We talked about the emotion, we talked about the urgency. Is there any neural mechanism behind the association with authority? “I'm the IRS.” “I'm law enforcement.” “I'm from your bank.” “I'm your boss.” How much does that play into most of the social engineering scams?
We don't want to change this about society. Let's say the majority of us, we know that there are some that aren't, but the majority of us were raised in households where we were taught to respect authority, respect your teachers, respect your elders, respect the police, respect your boss.
We're ingrained with that process in our mind already, that authority does exist, and it should be obeyed. When you're learning to drive, you teach your kids a stop sign means you actually stop. Why? Not just because you're afraid of getting a ticket, but because not stopping could create death. You can get hit by someone who doesn't have to stop.
Stopping is actually a very important part of the process. When a police officer pulls up behind you, it's very important to follow these steps. Roll down your windows, keep your hands where they can be seen, be respectful, don't have an attitude. These things are important.
Authority plays a huge role, because now we're in a situation where somebody malicious may be using that very knowledge that we’ve all been taught from childhood against us because they're saying, “I'm the IRS. If you don't pay, I'm going to have you arrested.” “I can't get arrested. I can't go to prison. That will ruin my whole career, my job, my life. I can't afford that. I need to work.”
That fear creates the environment where your brain just starts to think about, “How do I get out of this? If they're telling me the only way out of it is to pay, OK, I guess that's what I’ve got to do.” It shuts down critical thought.
I wonder if maybe we're getting a little anthropological. In cultures that have, maybe, a more inherent distrust in authority, I wonder if there's something else that supplants authority as another mechanism.
Yes, hundred percent. Depending on the environment, it may be that authority won't work because, like you said, maybe this group of people don't respect that authority, or they don't have that authority in their country.
I'll give you a great example. We found a vishing network that was coming out of the country of Georgia. Once we exposed them, they were very vocal about, “We don't care that you've exposed us. Our country will do nothing to us for this. They don't care about you rich Americans. They don't care.” They were saying all these horrible words to me.
There was no fear of authority for them. They knew that the cops weren't going to go kick their door and throw them in prison for ripping off a bunch of Americans. That wasn't important to them. Authority wouldn't have worked there.
You look at other principles. Robert Cialdini, Dr. Cialdini, did a great job at defining the principles of influence. You have things like social proof. Maybe that can work. What does the crowd say? What do people say is OK?
You have reciprocation where I give you something, you give me something back. You do have the scarcity principle. That's one that's used in a lot of countries that don't have a lot of authority where they say, “Look, we don't have much food. If you want food, you have to do this or that. You have to buy this stamp. You have to have this political mark. You have to do this or you don't get the food you need for the day.” All of those types of things are influence principles that could be used in a negative sense and be manipulated too.
Yeah, that's interesting. It's one of the challenges of running a podcast from here in the US is that it's easy to be very US-centric in our perception of how these things are carried out. I'm sure there are people elsewhere in the world that hear this will go, “Well, I would never fall for that because I don't trust authority. Therefore, I can't fall victim to this.”
Yeah, but there's so many other things. Think about it. All those principles of influence, the goal is the same. It's to create an emotional environment that stops critical thought. I'm trying to think what the country was. I think I was doing some work in Brazil. In Brazil, I was doing some work with the government, and the government was saying that one of the biggest problems they experienced down there is men in the Brazilian military cheat on their wives.
Honey pots were a huge deal down there. They're not using authority. They're not using that. They're using actual lust as a motivator. They send in very beautiful women to seduce these men and to get them to engage in intimate activities in riskier and riskier places, where eventually the ask is, “I want to be in your office.” That's when USB keys get planted, listening devices, or other things that now create a nation-state vulnerability.
That's not using any of the principles we just talked about. That's using a whole separate tactic for that. Malicious social engineers will look at the environment that they want to breach. They will find, “What is the weakness in this environment?” Then that weakness is what they exploit.
Got you. Are there any new emerging trends in social engineering? Obviously, if you’re target-specific, your methodology is going to change for that particular individual, but are there any broad trends?
Yeah, vishing, which stands for voice phishing, has increased 554% in one year. All of us probably got a few scam calls here or there. Now, I don't know about you, but it's daily. Between text messages and calls, it could be dozens that I'm getting to the point where I don't even answer my phone if your name does not come up in the caller ID.
If I don't have you in my contact list, you're going to voicemail, and I'll call you back if it's important. If you don't leave a voice message, I'm never calling you back. I even tell some of my friends, “Look, if you call me from a new number, you better leave a message because there's absolutely no way I'm going to call you back.”
I can't answer all these calls that come in. Why? Here in this country, T-Mobile and AT&T in the last 12 months were breached. Previous to that, Verizon was breached. There's our three major phone networks breached. Millions upon millions of phone numbers are dumped out there with all of our contact data. Now we're in lists being sold to get called.
That's not just this country. Major breaches for telephone networks were in the UK, Ireland, Italy. Other parts of Europe had major phone breaches to where we're seeing this data just being dumped everywhere.
Interesting. One of the things that I've seen recently and haven't figured out what the end goal is yet, both my wife and I saw a significant uptick in LinkedIn requests. Normally, either there's no custom message or it's very specific. If they were sent to me, the picture will be a young, attractive woman. If it was sent to my wife, it was a young, attractive man.
It was, “Oh, I've seen what you do in your profession.” Of course, not naming the profession, which was a good giveaway. “I'd really want to grow my career in this field. You seem like an amazing person. I'd love to connect and chat.” The kills always get killed before I can ever figure out what the end game is. Have you seen that one as well yet?
Let's go back about four or five years. This is probably when it got popular. There was a major attack on the US military that somehow just never made major news using this very attack. A group in Iran—we believe it was Iran—had gone out and started LinkedIn accounts for very attractive female reporters here in the country. They would contact four-star generals that were at retiring age and want to interview them about their illustrious career in the US military.
During a series of interviews, one group would ask questions down this line, another group would ask questions down this line. Together, they can combine those data points and create an environment where they knew so much about operations, operation names, things got leaked and slipped. It was a big deal. That happened.
All of a sudden, we started to see other groups go, “Wow, wait, hang on, never thought about that one. Fake social media accounts?” It just blew up. Now, I'm with you. I get a dozen a day. The last few years, I recently became a professor of social engineering at University of Arizona. That is what's on top of my LinkedIn.
It's not my job. I do one semester, two semesters a year at that. But now I get these things that are like, “Chris, I see what you're doing at University of Arizona, and I would love to be able to connect with you and help you with University of Arizona.” I'm like, “God, if you read down, it would have been more realistic. I'm an adjunct professor at a university. I don't have any control there. Get better. I feel it right in the back. Please attack me smarter next time.”
I'll ask one more question before we begin to wrap up here. Do you see a role of technology? I definitely don't believe technology is ever going to solve social engineering issues, but do you think there are roles in technology that could help, maybe give us that pause?
I do, as a matter of fact. AI scares the daylights out of me. It really does. It scares the daylights out of me. I think, even though we'll probably see some good out of it, we're going to see a lot more bad before we do.
I think about it from a corporate perspective, there are tools out there now. I know Oracle has one. We're partnering with them on this, so I can mention it. They have a tool that is like a firewall for your phone network. A call comes in, and it analyzes the call. Of course, the caller ID says it's coming from Texas, but the trunk is coming from Africa somewhere, Chad. It's coming from somewhere else.
Now, a light can be on the person's desktop that says, “Hey, the call that's coming in is not originating from where it says. Caution.” You could have a caution light. Or if it's from an area in the world—let’s say Georgia—where we've identified a number of vishing rings, you can have that call black-holed. You could say, “I never want that call to hit Chris.” That call comes in, done. Black-holed.
Even if it has a US caller ID associated with it, it's coming in on a line?
Yes.
That's interesting. I'd like that technology.
There are some technologies out there that are trying and that are successful. They're not available to the consumer. That's the only problem. While we're able to look for technological fixes, or let's say not even fixes, technological helpers for corporate America and corporate global, we're not yet seeing those same technologies.
You can't put it on your cell phone. You can't install it on your home landline if you still have one of those. We're still relying on critical thought and education to be the thing that helps mom, dad, uncle, grandma, grandpa, and our kids.
Got you. I know you guys provide resources on how to train people in that critical thinking.
We do. Again, we gear it towards understanding social engineering. I have a number of training classes that we teach. My primary class is called Foundational Application of Social Engineering. When I wrote it, its first name was Social Engineering for Pen Testers. I quickly realized after a year that there's so much more to social engineering that I can't limit it to pen testers, so we changed the name.
I've had salespeople in that class, psychologists. I got hired to teach that class to MI5 and MI6. I taught that class to SOCOM. I've taught that class all over the globe because it's more about everything we just talked about. How to use communication tools to understand human decision making. And then how we can not only make ourselves better, but understand that if we are an adversarial simulator, that we can use these skills better for our customers and clients.
Interesting. Is your class available online through the University of Arizona?
No. Thank you, that's an interesting thing. The University of Arizona class is one I am teaching: a seven-and-a-half week semester class on social engineering, and it's very unique. If you join that class, it's in a cyber drill curriculum, where you'll learn OSINT—this is not from me—from different teachers, with the goal of getting you into the industry.
In a particular class there, we have a deal with a local government agency. They gave me all of their employees as living targets. My students get to phish, vish, and OSINT actual real people for the class. It's a class like none other. There's no other university doing this.
The foundational class is done through my website, social-engineer.com. The practical class, which is much more like the one I just described, is also there. The foundational class is always done live in person, but the practical class is a virtual class. We do that anywhere you are.
Got you. If people want to find you and connect with you on social media in a way that is not trying to social engineer you to do something that's not your interest, how can they find you?
LinkedIn is the best way to do it. I'm very active on LinkedIn. I used to say Twitter, but Twitter turned into a cesspool kind of thing. I don't really pay much attention to it anymore. But on LinkedIn, I still have some really great valuable connections. As long as you don't write me a chain email that’s missing information, we'll probably connect.
Any parting words of wisdom before we close up shop here today?
No, man, you asked a lot of great questions. I would just say, one of the things I focused on because I run a nonprofit on the side called Innocent Lives Foundation is understanding these things to keep our kids safe. Social engineering is being used against our kids each and every day. People are trying to groom our children, get them to do things that they definitely should not do.
Having these conversations with your children, even when they're very young, could keep them safe from things like that. I encourage parents to have age-appropriate conversations, but to include your children in these kinds of discussions so they can be aware of what's happening out in the world.
I see a future book title for you, Social Engineering: Prevention for Kids.
I like it. Not a bad idea, to tell you the truth. Not a bad idea at all.
We do that with money. Hopefully, we do a good job teaching kids financial principles. Maybe it's critical thinking for children. Maybe that's another title.
I love it. It's great.
Chris, thank you so much for coming on the podcast today.
Thanks, Chris. It was fun.