Creating habits of healthy skepticism when receiving texts or emails can prevent you from clicking on phishing links. Everybody is vulnerable online, especially when distracted or in a hurry. But cultivating critical thinking and self-awareness can enhance protection against manipulation.
Today’s guest is Perry Carpenter. Perry is an award-winning author, podcaster, and speaker with over two decades in cybersecurity, focusing on how cyber criminals exploit human behavior. As the Chief Human Risk Management Strategist at KnowBe4, Perry helps build robust, human-centric defenses against social engineering-based threats. His latest book FAIK: A Practical Guide to Living in a World of Deepfakes, Disinformation, and AI-Generated Deceptions, tackles AI’s role in deception.
“It’s basic behavior science. We’ve been conditioned in a lot of ways to take the easy way out. All the platforms and apps want to make the behavior they’re encouraging the easiest thing to do.” - Perry Carpenter Share on XShow Notes:
- [1:02] – Perry shares his background and what his career has entailed.
- [4:01] – Regardless of how much people say, spend, or do on security-related issues, the people side of things is hard to control.
- [5:25] – Perry has always been interested in deception and misdirection.
- [6:59] – Even as a security professional, Perry has experienced enough distraction to click a phishing email.
- [9:43] – It is easier to be distracted and not follow usual healthy security habits than being on a computer.
- [12:24] – We fall into habits easily, especially when the behavior is simple and easy.
- [16:00] – Technology based deception is more available to anybody than in any other time in history.
- [18:10] – Security professionals and often pushed in the roles of giving advice.
- [19:40] – Reflection questions like “Why is this in front of me?” might prevent someone from falling victim to a scam.
- [26:58] – Everybody is vulnerable. Even though cybersecurity professionals know more on the topic than some others, it is still possible for them as well.
- [30:40] – Pig butchering and crypto scammers sometimes actually do send money back as a tactic to earn trust and increase hope.
- [34:42] – We have to have a healthy skepticism of the information environment that we live in.
- [36:39] – There are very few situations in life where you won’t benefit from slowing down and thinking things through.
- [38:41] – Perry suggests a family activity that will help boost understanding of pressure tactics.
- [40:17] – The narratives or tells that work for someone might raise a red flag to others.
- [43:25] – As a society, we’ve gotten to a point where we don’t like to introspect.
- [45:59] – Perry discusses the content of his most recent book and how it is information without the “easy way out”.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- FAIK: A Practical Guide to Living in a World of Deepfakes, Disinformation, and AI-Generated Deceptions by Perry Carpenter
- Perry Carpenter on LinkedIn
Transcript:
Perry, thank you so much for coming on the Easy Prey Podcast today.
Thanks so much for having me. I’m looking forward to it.
This will be a blast. Can you give myself and the audience a little bit of background about who you are and what you do?
I’ll give the quick version. My name is Perry Carpenter. I’m a technology professional specializing in cybersecurity and have lived at the intersection of technology and the human condition for the past 20 years. What that means is that I focus on why people do the things that they do, think the things that they think, and how technology either helps or hurts that.
That’s a nice, simple explanation. How did you get into the field? You’re like me, that at the age that we were going through school, these fields didn’t really exist. What was that road that you got to where you’re at now?
God, yeah this field did not exist. I was a philosophy major in college and a biblical languages major, and I had no idea how to get a job after you get degrees like that. I started to go into law school and realized I would hate being a lawyer for the rest of my life.
I dumped out after year two and tried to reevaluate. It’s like, what would I really be interested in? And I’d always loved computers. I’d grown up as the field of computers started to grow as well. Even in law school, there was this nascent field of computer and cybercrime law. People were trying to figure it out, and I was really interested in that. But I’d much more enjoy tinkering with the machines than dealing with the legal aspects of it in that way.
I started a master’s degree in computer science. As part of that, I also needed money, so I went for an internship, ended up getting hired in the R&D group doing computer development for a company called J.B. Hunt. In the middle of that, they just said, “We’ll hire you and pay you what you would be paid if you had your degree,” so ended up doing that.
That was at the forefront of a lot of things. Me and a small team developed the satellite email program that trucks would use to send email back and forth, back before the year 2000. Did some automated routing and stuff like that, got hired by Walmart after that to write the email system that they used in their stores and clubs for several years. That was a gateway to security for me.
Back in that day at least, when you worked on security, you also had to work on groups, which means you had to work on security groups, which means that you were into directory structures and security permissions and everything else. That was a deep dive into security.
A few years after that, I really realized that regardless of how much people say, spend, or do on security-related issues, there’s always this factor that’s hard to control and hard to account for, and that’s the people side of things.
That really started my journey into understanding why people do the things they do and think the things that they think, and why even when we’re trained and fully believe that we will never do X in any part of our life, or we will always do Y in any part of our life, why we can go passed those boundaries that we think really exist, and how we can get pulled in directions that we don’t really believe we can be pulled into.
Speaking of that, with the experiences that we have, and knowing what we know, how have you been pulled into doing something that you didn’t want to do? I tell my guests in cybersecurity and counter fraud/counter scam, that if you and I can’t get it right 100% of the time, should the general public feel like, “Oh my gosh; it’s hopeless for me”?
I know that’s not the case, but also they need to hear stories about you and I getting it wrong to destigmatize the public when they get it wrong. They shouldn’t feel ashamed. They shouldn’t feel embarrassed. Has that happened to you?
I’ll give a couple of examples. One is non-security, non-fraud, non-anything, then I’ll give a security example. One of the things that I’ve always been interested in since as far as I can remember, was just the field of what I’ll call professional deception. By that, I’m speaking about magicians and people that do sleight of hand and misdirection.
The very fact of the matter is that all of us have felt our attention pulled by a really good magician or somebody that understands misdirection. Or you can take a coin, seemingly put it in one hand, and just by the body language and everything else, you really believe that that coin is in a hand that they never put it in. Just based on the way our minds work, we get pulled in directions where we think we can suss something out.
Biology and psychology would say differently. I think that that is a part of it. Then you take that and you bring it into a field like cybersecurity or fraud, and we see it over and over and over again. It’s the same pattern. It is taking advantage of human nature and the way that our minds work at its core.
One example that I’ll give is early on at the company that I work for, which is a cybersecurity training company. As part of that, we specialize in sending these simulated phishing emails out. I had worked at the company for maybe a week when I fell for my first one. I’m somebody that specializes in this. I had somebody that measured the entire market for this software and had received probably hundreds of these before.
But the thing that got me in this company was the randomness of it. It just hit right. I was in my car. I was waiting for a DocuSign that should have been coming to me to sign, to get part of my compensation signed off on. I was expecting this thing, like with bated breath, I needed to sign it.
The same day, they send out a phishing email that is a simulated DocuSign for HR benefits to everybody in the company. For me, it just landed at the right person, right place, right time. I justified it in my mind. I was on a mobile device. I was not on my regular computer where I have all these good habits about hovering over links and looking at senders. I’m expecting it. I’m on a device that will make falling for that way easier. I just click on it and then boom, I find out I was wrong.
Similar thing happened. I was at a conference, I’m in a line, I’m distracted. I had received a phone call a few minutes earlier, because I’m one of these people I get calls all the time, and then I get an email that says, “You missed a call.” We have this Voice over IP system. When you get a voicemail, it sends you an email.
I’d gotten an email that said, “Your voice message is waiting for you.” I basically clicked on it and fell for another one. Again, the right person, right place, right time-type of situation. Just the randomness of the way that things would fall and my own distraction, and the fact that I had not built good habits on that mobile device yet were the thing that got me multiple times.
Now, I have a completely different habit set, and it’s been over seven years at this point, and I’ve not clicked on any of those. Trust me, at our company, we get multiple of those per week now. So not falling for those in over seven years is a good thing. It also probably means I’m due.
Due for another distraction.
Due for another distraction, a thing where I’ve not built the right habit yet, or I’m just in the wrong frame of mind and everything falls together in the wrong way for me.
What was the habit that you built on your mobile phone that has allowed you to be successful in that respect?
If I get a notification for anything in email that I cannot directly verify on the mobile device without clicking on the thing, then I’m not going to click on it. I’m going to wait a couple of hours until I can be in front of a computer and properly look at it.
If I get a notification for anything in email that I cannot directly verify on the mobile device without clicking on the thing, then I’m not going to click on it. I’m going to wait a couple of hours until I can be in front of a… Share on XThe other thing is if I get a notification that is related to a service that I also have an app for or a website for, something like that, I’m not going to click on the notification. I’ll open the app and see if that notification is there. Or if I can just log into a website that would tell me that, I’m going to do it that way. Take out the convenience factor of clicking on the link within the email in order to save myself a little bit of hardship if that thing is not legit.
So for example for the voicemail notification, you’d go to the VoIP app, click on that, check your voicemail, then go, “Huh. Oh, there’s a voicemail there, there isn’t one,” as opposed to…
Exactly. We had a voice system at the time called RingCentral. There was a RingCentral app on my phone. I would open that instead and look to see if there’s a voicemail there.
I’m very familiar with all those mechanisms as well as all the voicemail systems that I don’t have.
One of the great things is that when you get a notification for, let’s say you use Gmail as your primary system, and you get a notification from Office 365 saying that you’ve got something, it’s like, oh, okay. There’s a red flag there. I don’t have access to Office 365. I don’t touch Office 365. I have negative feelings about Office 365, all of those things can let you know that that’s probably not real, and I can take a look at that a little bit deeper later on.
You can almost be dismissive of it, but when it’s your email platform telling you something in a format that you’re used to…
Implicit trust, yeah.
Oh, yeah. I’m sure. Just another one of those.
It’s basic behavior science. All of the platforms, all of the apps, everything else, want to make the behavior that they’re trying to encourage the easiest thing that they can do, which is a notification or a link that you can… Share on XAnd the other thing is we’ve been conditioned in a lot of ways to take that easy way out of just clicking something. It’s basic behavior science. All of the platforms, all of the apps, everything else, want to make the behavior that they’re trying to encourage the easiest thing that they can do, which is a notification or a link that you can click on that sends you something.
Cyber criminals and scammers also want to incent the behavior that they’re hoping for in the way that it’s easiest for you to do, because our minds are naturally a little bit lazy, and we fall into habits very, very easily.
Cyber criminals and scammers also want to incent the behavior that they’re hoping for in the way that it’s easiest for you to do, because our minds are naturally a little bit lazy, and we fall into habits very, very easily. -Perry… Share on XI’ve talked with a number of other guests about this. From a business perspective—your business, my business—we try to introduce the least amount of friction in our process. If it’s RingCentral, make it as easy as possible for you to get your voicemails. If it’s your bank, as easy as you can to send money.
We don’t want to make life difficult for our customers because they’re going to switch and go to a different company if we make things difficult. It seems like they were almost at a stage in cybersecurity and scams that we need to introduce friction into the process.
You used the word that I used in that too. I remember back when I was an analyst at Gartner and I would be consulting with people. One of the areas I focused on a lot was this field called identity management, which is authentication authorization. How do you prove who you are, and then also how do you prove that you should be doing the thing that you are trying to do?
In some environments, you want as little friction as possible. You want it to feel almost automatic for the person. Especially in areas where there’s not a lot of risk. In some areas where there’s risk and the person understands and appreciates the risk, then you almost have permission to introduce friction to the point where if there’s no friction there, people don’t feel safe.
If you get in your car and you don’t have the seatbelt on, you probably feel a little bit incomplete, a little bit naked at this point. I think that there are certain environments like your online banking now, if you don’t feel a little bit of friction just the right amount, you have to dial that up as somebody who’s managing the app. How do I make somebody feel just the right amount of friction where they’re going to feel safe and secure, and they’re going to do the thing I need to do, and also not bail out on the service because it’s too much friction?
If I’m wiring money to somebody, I still want to be able to send the wire, but I also want to know that my bank’s got my back and say, “Do you want to send a test transaction first?”
“Are you really sure you want to send this to an account number you’ve not verified and you probably can’t call back those funds?”
“You’ve never sent money to this account before. Are you sure you want to do this,” which is a good thing to ask.
Yeah. It’s like rightsizing your friction is a big deal as somebody who’s building those experiences for people.
So has this over the last, let’s say, 10 years, this interest in deception welled up at anything interesting in your life?
I always have an interest in the misdirection and the social engineering side of things. One of my good friends before he passed away was a fairly well-known hacker by the name of Kevin Mitnick. We shared a lot of the same interests. He grew up fascinated with magic as well.
He had taken some dark turns early in his life that led to that curiosity and that fascination with deception. It led him to a dark place, ultimately was arrested, and then finally released and tried to make a good life after that.
The social engineering side really is the misdirection, but it’s built just around the way the human mind works. I think when you take misdirection or deception in the way the mind works, and then you infuse that with technology trends, we’re now squarely in the space where technology-based deception is more available to anybody than at any time in history.
The specific thing I’m thinking about right now is generative artificial intelligence, viewing all of that from deepfakes of videos to voices, to text, image, and everything else. It’s all the same deceptive principles. The scale and the ease of the ability to create these things is unprecedented at this point.
I think it used to be when I first started the podcast, I was perfectly comfortable giving people the advice of unless you’re the CEO of a Fortune 500 company, or you are a high-level government official, if you get a video chat with someone, that’s good enough to at least confirm that you are video chatting with somebody. You can make your decision on whether this person is really who they claim to be. That’s a different issue. But yeah, you’re actually video chatting with somebody.
I don’t feel comfortable giving that advice to people anymore. It just seems that the technology’s gotten so easy for someone to alter their voice, alter their appearance in real time, that that’s just not safe advice anymore.
No, it’s not. A lot of the advice and the tendencies, again if we’re talking about human nature, one of the things that people really want is encouragement, and they want to feel like there’s an easy way to detect something. We, as security people, are constantly pushed into advice mode. Somebody says, “Well, how can I tell if something’s a deepfake?”
I really like your tact on this right now, which is not necessarily giving them that easy way out. Not saying if you can talk to somebody on video, it’s great. One of the things that I see over and over and over is somebody will present on something like a deepfake and then you’ll see this little slide about things like, “Well, if it’s a deepfake image or video, try to look at the fingers, try to look at the hair, look at text in the background, and see if things don’t look right.”
Right now, that’s only going to help you detect the really bad ones. Even if it’s the really bad ones, what does bad look like six months from now? Those things are going to be taken away. Or what if somebody just has a little bit more patience and they roll that generation three or four or more times and they get one that doesn’t have those tells?
I don’t give people the easy way out on that because the easy way out is not going to exist. Instead, I’ve shifted and I say the fact of whether it is “real” or not is secondary. The big question I ask is why does this thing exist, and why is it in front of me? What story is it trying to tell? What emotions is it trying to evoke? And what actions or beliefs is it trying to push me to take or to do?
The big question I ask is why does this thing exist, and why is it in front of me? What story is it trying to tell? What emotions is it trying to evoke? And what actions or beliefs is it trying to push me to take or to do? -Perry… Share on XWe’ll dive into psychology. Isn’t that a bit of a challenge, is that when we’re in this space, we may already very well have been shoved past where we can cognitively make those assessments?
I think that that is one of the biggest things. It almost comes back down to your basic phishing training again or social engineering training. We always tell people the biggest thing that you can do to get an upper hand on these things is just to stop and take a breath. I think with deepfakes and all the AI-generated deception that’s out there, we’re going to have to cultivate that to the nth degree.
We always tell people the biggest thing that you can do to get an upper hand on these things is just to stop and take a breath. I think with deepfakes and all the AI-generated deception that’s out there, we’re going to have to… Share on XStudies are showing that even people that believe that they can tell if something’s fake or not, they’re only right about a quarter or less of the time; 21.3% was the number that seems to be coming to my mind from a study last year. We’re way past the crossover point where most people can tell what’s real or not.
The problem is that in a news story about deepfakes or in a presentation about deepfakes, people feel like they have superpowers; they’ll make up tells in their own mind. Or somebody will show them that easy one. But when it’s one out of a hundred things in your social media feed, or your inbox, or your Zoom call calendar, well then you’re operating in a completely different mental frame where everything is real. Then that thing that comes to you, your assumption isn’t that it’s fake. Your assumption is that it’s real.
We have to cultivate this pleasant skepticism where it’s not taking you down and not making you depressed, but just to where you’re like, “Before I do anything, before I react emotionally to this thing, I need to introspect just a little bit.” Then start to, again, ask, “What story is this trying to tell? What am I feeling? What does it want me to feel? And what’s it hoping that I do?”
Kind of training yourself before you even get down the road on those things.
Yeah. Or if you feel yourself revving up, then go, “Why am I doing this?” You can still have that secondary thing once you’re in the middle of, about to do something, or you’re starting to feel that emotion. Well I’ll go, “Why is that?” And then, “Now let me slow down a little bit.”
We know people can do this because people throughout history have been trained to recognize and then learn to put their emotions or actions in check before they’ve gone too far on things.
It was interesting. This morning I got an email, basically a woman saying, “Can you help me figure out whether this person is who they claim they are? I’ve been chatting with this guy online, and he’s a general in the US Army.”
It sounds like a romance scam.
And my very first thing goes, “Oh, yeah. That’s all you need to say. It’s fake.” Clearly to me, it’s a scam. “He’s currently been in Syria.” And I’m like, “Oh, OK.”
He needs you to wire money so that he can get on a plane out of…yeah.
It gets better. “He’s about to retire back to Los Angeles next week.” And I’m like, “OK, I see where this is going.” “But he was just kidnapped by the Syrian army; they’re trying to get me to pay his ransom.” I’m like, for me, being objective on the outside, it’s easy to see. Well, every sentence is clear to me that this whole thing is fake.
But I always wondered what she had said. “I have been talking with this person for, I think it was over six months.” I’m like, “How subtle has the creep”—not the creepy as the weird creep, but the scope creep—“how this person has so subtly been maneuvered to the point where your summary is obvious that it’s a scam, but that you’ve been so subtly moved through this process over the course of months, and you’ve built that trust that you aren’t able to see now that it’s that?”
That is heartbreaking.
And it’s heartbreaking, yeah. And hopefully she won’t send them any money, but…
For people like us that sit on the outside and hear these all day, it’s just immediate red flags. But you’re right. For somebody that does not live in the world that we live in, and they just get that random message, and maybe they’re at a dark, sad, lonely point in their life, and that is the lifeline of hope that they’ve been wishing for, praying for. Man, it takes a special kind of person to perpetrate that.
But the process of the psychology of that is interesting to me from the outside, but in the same way you clicked on a phishing link because it seemed appropriate in the context at the moment. There was enough context that your mind decided to irresponsibly build for you. “I’m expecting something from HR, so obviously this is it. I expect a voicemail notification from RingCentral. This is obviously it.”
I think I’ve told this story on the podcast before. Someone claiming to represent an advertising network contacted me a number of years ago. “Hey, we want to integrate with your platform, and here’s the rates that we pay.” Seems perfectly reasonable. No obvious red flags, and got to the point where I was supposed to get paid.
Lo and behold, they weren’t really who they claimed to be. They weren’t working for that company, but there was just enough truth throughout the process, and it was not so divergent from what reality would be. My regular due diligence checks were like, “Yeah, it’s a legitimate company. I know who they are, blah-blah-blah.” Then it was like, “Gosh darn it.”
Yeah. Man, that is rough. I think that the biggest thing as security professionals that we have to do is we have to be honest with ourselves and with everybody around us. Everybody is vulnerable. Just because we live in this space and are “experts” in this stuff doesn’t mean that we can’t get caught. The right pretext, the right scam, the right story at any given time can get somebody, even us.
Everybody is vulnerable. Just because we live in this space and are “experts” in this stuff doesn’t mean that we can’t get caught. The right pretext, the right scam, the right story at any given time can get somebody, even us.… Share on XIt’s a really humbling thing to remember, but I also think that we don’t win any converts into the security field or to the mindset of security by holding ourselves out and saying that we’re these impenetrable castles.
And I think the real positives that we see in terms of, we get an email and it’s, “I’m a Nigerian prince. I know that you’re a good person. I want to send you $100 million.” I think that in our minds, we build up these—“Well that’s what all scams look like.” They’re so over the top that, “Oh, I can easily spot them.” We get a false sense of security—pardon the pun—that, “Oh, it’s easy to identify these things.” But in the moment—clearly both you and I have had experiences—where it wasn’t obviously outside of what we were expecting to happen.
The big thing is that our minds, and I guess just humans in general, thrive on story. If anything fits within a narrative that we would understand or expect or would even hope for in some way, then the person on the other side of the scam is already halfway there.
That’s the way I see it with meeting the general online is that we’ve seen so many stories in movies and books of these things happening. Not in a weird way we want this to be true, but there’s some part in our heart and mind that this is now my time to have this story because we’ve been told through books and movies this is just what happens. This is normal.
That’s the same thing on one hand, it could be relationships. On another hand, it could be a financial windfall. Maybe it is that. Maybe an evolution of the Nigerian prince scam where you’re like, “Oh, man. I just can’t even figure out how I’m going to pay my rent next month or buy groceries for my family.” Then all of a sudden this email or text comes through.
There’s just enough hope and enough seed of credibility with it for something that snaps into a narrative that you would understand, that you pull on it a little bit and you don’t get immediately turned off. Then you go a little bit deeper and a little bit deeper. The story becomes more and more credible until all of a sudden at the middle or the tail end of it, you realize it’s not a story of hope or anything else. It’s a tragedy that you’re involved in.
And I’m starting to see more and more the pig butchering crypto scams where you send them money or crypto, but then they actually in reality send you money back at some point. Just enough for you to go, “Oh, it is legitimate.” Your mind doesn’t say, “You sent them $10,000; they only sent $1,000 back. They still got 90% of the deal here.” In your mind, it’s like, OK, that dampens down the spot of our brain that says this is a scam, because if it was a scam, they wouldn’t have sent me any money back.
Because again, if we’re all functioning based on story and narratives, it doesn’t fit the narrative that we believe exists.
You and I get on a podcast and say the narrative the scammer’s never going to send you any money back. If you ask for your money back and you don’t get any money back, well then it’s a scam. Well, now that they give you money back, you and I have now supported this other person’s claim of truth.
I think the biggest downfall of any profession, especially those of us that get on microphones or in front of cameras and give advice, is that we do it without nuance. We tend to be very binary. “Yes, this is right. Yes, this is wrong. This is the way it always happens.” In reality, so many things within every aspect of life go across this wide spectrum.
People are comforted by black and white, right and wrong, all that. They have a hard time embracing the uncertainty that comes with the shades of gray and all those different areas. But at the same time, if we can give examples of these times where it’s not necessarily been the you ask for your money and they could just go, “No, I’ve got you.” Then they laugh at you and run away. But no, they give you a little bit of your money back to keep you on the line for a little bit longer, because that increases your hope.
Do you see this getting worse as technology evolves, or getting better, or it’s going to be this constant ebb and flow of who has the upper hand?
I think that there’s the arms race aspect that you allude to with this. In the same way that we’re talking about the nuance or the different ways that scammers will maybe give a little bit of money back or keep you on the line a little bit longer, that means that we’re participating in our side of the arms race by giving the right amount of information.
Other people participate in the arms race by making the tools for detection and response a little bit better. At the same time, because it’s an arms race, we level up our side of the playing field. And then the other people, because there’s always a financial or power dynamic interest, they’re going to level up their side. Potentially because they’re so motivated and because there are so many of them out there that are motivated, they’re going to come at us from an angle that we haven’t prepared ourselves or anybody else for.
That leads to the question, what the heck do we do?
Again, I’m a little bit against easy answers on these things.
What’s the complex answer?
The most complex answer that I think we can still digest is that we have to have—again, without getting depressed—a healthy skepticism of the information environment that we live in. That skepticism needs to come with the fact that we’re always being sold stories.
Whether that’s a deepfake that gets in front of you or a piece of disinformation that lands in front of you, or maybe somebody giving you legit information. At all times, you need to go, “How do I know that’s true?” If I now live in an information environment where fiction passes for true over 75% of the time, what questions do I need to ask myself anytime this thing might lead me to make a critical decision or to believe something a certain way?
If I now live in an information environment where fiction passes for true over 75% of the time, what questions do I need to ask myself anytime this thing might lead me to make a critical decision or to believe something a certain… Share on XIf I can start to understand the fact that my mind works on story and I’m driven by emotion, and that every scammer, hacker, influence artist that’s out there is either after money or mines, well then now I can start to go, “What’s the story there? What is it trying to make me feel? Are the sources credible? Is the story verifiable? What is it wanting me to do or believe?” Once I can start to play with those kinds of questions in my own mind, then I can say that no matter what I do, I’m doing it in a more informed way, in a way that’s not just base-level brainstem reflex.
Like asking ourselves, “If this goes awry, what are the consequences to me?”
Exactly. Let me pre-think through the situation downstream a little bit. There are very few things in life where we pay a price for slowing down and asking some critical questions.
Well, people will like to tell you otherwise, but…
“Well, you’re a used car salesman. Your broker or your whatever is going to have to jump on this now or you’re going to lose.” But you also have to realize that’s an influence tactic.
It is funny when you’re thinking of storytelling and narrative. I think of real-world, legitimate examples, I think Subaru. They do such a good job of—there’s always a dog in every commercial. I don’t think I’ve ever seen a Subaru commercial where they’ve talked about the 0–60 speed of the car, or they’ve talked about the active suspension. It’s lifestyle, it’s safety, it’s experience.
They’re selling you the vision of life that you want, yeah.
I think the more I’ve done the podcast, I start to see these things more of, they’re not really telling me about the product. They’re trying to connect with me on an emotional level. That’s one of the things that I always say: if you’re feeling emotional about something, they may do it slowly enough, you don’t feel an emotion about it in the moment.
They’re trying to hack your mind very subtly. If you want to see the best and worst examples of that in a year, just tune into the Super Bowl. Look at the Super Bowl commercials because you will see the very, very best examples of that. Then you’ll also see people with a lot of budget, but not a lot of good planning skills or understanding behind it.
I think it would be fun for families that are out there to make that a family activity one night. “I’m going to look up 10 different Super Bowl commercials, and I’m going to analyze what is the product, what’s the narrative, what are they trying to make me feel?”
You already understand the do. The do is they want you to buy or to give their brand a higher place in your mind so that the third, fourth, fifth time that you hear about it, that you’re likely to buy. But starting to say, “Here are the things that work within my own mind. Here are the things that I see people trying that don’t work.” That’s also pretty interesting.
I suppose it’s also a value of understanding that what works for you and motivates you to go down a path is not the same thing that motivates me. We’re joking about the email of a US Army general reaching out. That’s not a motivation for me, but that is a motivation for somebody else.
It’s clearly a fake advertiser. Because it hit me where what was valuable and important to me in that moment was the advertiser. The pig butchering scam of someone offering me $50 million, that doesn’t work for me. But having to work for my money, that does work for me.
It’s really, really interesting. I think the sooner we realize that the narratives or the tells or whatever that work or will give something away for us are not that ubiquitous, they’re not the same things that somebody else would’ve fallen for or the things that might raise a red flag for them, the better we are.
If we’re people that are giving advice or trying to help other people in this space, the last thing that we can do is make it this big monolith and say, “This is what we’ll always be. Here’s what you should always look for,” is to recognize that people are complex and scammers are also people. They’re very complex as well.
And they pivot when you and I say on a deepfake video, “Look for the ear.” “OK, we need to tune our software better so that the ears look better.” When we say, “Watch out for someone who says I’ve got $10 million.” “OK, well, what about $1000?”
Exactly. I think that that is the most critical thing that we can do. That’s the most critical thing that people need to realize. If they’re just living their life and they’re out there and something is tickling their emotions, it’s not necessarily about the tell that is in the piece of media or the email that you’re getting. It is about what’s happening internally to yourself.
It is, “Oh, I’m feeling an inordinate amount of hope about this. Or the fact that a general is speaking to me, that appeals to a certain part of me.” Maybe there’s a high appreciation for authority, a high appreciation for status, an intrinsic hope to be rescued from the situation that I’m in, where I may be running out of money or lonely or something like that. Once we start to realize that, then we can go, “Well, how might somebody misuse that thing that I’m feeling against me? How might they weaponize that in different ways?”
I think that that makes us ask a lot of different questions about what’s possible with deepfakes, but also what’s possible with what we would call cheapfakes, which is just taking something that’s legit and then editing it or taking it out of context or positioning it or something that they just may fabricate and make up that has no technology behind it. It’s just story.
That would never happen.
And again, so for me, it’s always coming back to you right now. I don’t care if the thing is fake or not. I care about what is wanting somebody to believe or to do.
And, “Why am I responding this way to this opportunity?” Or, “Why am I responding this way to this piece of news or this interaction or this situation?”
Or to this photo or anything? Yeah.
Ah, oh gosh. It’s all introspection.
It is. I think, as a society, we’ve gotten to the point where we don’t like to introspect. Instead we just like to doom scroll, or we like to project rather than introspect. Whenever we’re doing that, we’re probably in the most vulnerable spot we can be.
It’s not lost on me that at the same time that I’m saying all this, there’s another movement around that typically I think we can discredit because it gets a little bit woo woo every now and then. The whole mindfulness movement. There’s something to it around the introspection part, the being aware of what’s going on in your own body and mind, I think is important.
I think you can take all the spiritual stuff out of that and you can say instead, “I, as a person living on the earth, where I know that my emotions and everything else can be hijacked very easily, how can I introspect in the right way and be aware of what I’m thinking and feeling more in the moment rather than in a reactive way?”
Taking whatever techniques from that movement and applying that to cybersecurity could be pretty important. We might even be able to talk about adopting a zero-trust mindset, or having situational cognitive awareness around things. It doesn’t have to be “mindfulness,” but it’s taking the thing that some people are figuring out and bringing it into a domain where it could also be useful.
Oh, that’s exciting. I look forward to seeing a book on that in a year after our conversation here.
I have a colleague that’s doing a lot of research in that area. Her name is Anna Collard. She’s doing a lot of work in bridging those disciplines and taking the practices and the mindsets from the mindfulness space and bringing the appropriate bits of that into other areas of life.
Interesting. How does all of this gel with your book, FAIK? If we said we’re not creating a to-do list and we’re not creating a watch-out-for-this list, how does that square with your book?
Again, I shied away from giving easy answers in the book, and instead gave frameworks and modes of thought.
The very first few chapters—three chapters of the book—are just around what AI really is and how it works. Because there are a lot of people talking about it right now without a lot of information. I want to give people the right footing to have intelligent conversations about the topic of the day in a way that gets them credibility rather than somebody going, “Oh, you used the word wrong, or you’re talking about a different kind of AI,” or something like that.
The first few chapters are grounding in that and a grounding in what are the fundamentals of deception, how are our minds hacked, and how have they been hacked for thousands of years. And then it bridges into the fact that humans adapt very slowly. Technology is advancing very rapidly. That creates this weird area that I call the exploitation zone, which is that gap between adaptability and where technology’s taking us very rapidly.
In that exploitation zone, I think the first thing to realize is that all of us are there in some form or fashion. Even those of us who are technologists by trade or focus on AI by trade, we don’t know everything that’s going on. We can be surprised by something. Anytime we can be surprised by something, somebody can take advantage of our ignorance, complacency, or overconfidence.
Anytime we can be surprised by something, somebody can take advantage of our ignorance, complacency, or overconfidence. -Perry Carpenter Share on XRealizing that we’re there then means that we have to be able to forecast out in the future into things that are possible and the ways that AI and technology and algorithmic enforcement on social media platforms and distribution networks that are out there and all that, how they can be exploited to weaponize those bits of disinformation and mindsets that have always existed in human nature. There are a lot that explore all the different facets of that.
Then the very last three chapters of the book are extremely practical. They’re games that families can play. They’re mindsets that I try to push you into in different ways, really so that you can even say something as simple as embracing your evil side for a minute and saying, “If I wanted to create a piece of disinformation, how would I do that? How would I frame the narrative? Who would I target with that? How would I inject the right emotion in that?”
I actually walk people through that in some very fun ways, because as soon as you’ve gone through those processes, all of a sudden you start to view the world a little bit differently, or you view the information in front of you a little bit differently.
You start to see, “Oh, that might be manipulated in some way because that’s how I would’ve manipulated it.”
Exactly. That’s how I would try to make myself mad, or feel afraid, or to click a button really fast, because I’ve actually gone through that process. So developing a fun, jovial, adversarial mindset, I think, is key.
I love it. Perry, if people want to find you online, where can they find you?
I’m most active on LinkedIn, so you can just look up Perry Carpenter on LinkedIn. I’m probably going to be the first one that shows up. Way less active on Twitter these days, or X or whatever we’re calling it, but I am still there. And still monitor the AI community. There are still some good, thriving communities on X. Then the website for the book is, thisbookisfaik.com. If you go to thisbookisfaik.com, you can get more information there.
Awesome. Perry, thank you so much for coming on the podcast today.
Thank you so much for having me. It’s been great.
Leave a Reply