
Well, thank you everyone. I appreciate you coming out today. Welcome to BSides. It's 1:00, so I'm sure you've all been very well inundated with wonderful talks at this point. I appreciate you coming out to mine. I almost didn't make it, as it turns out. Funny story. I saw on the list of times 1:00 and then, next to my name, 45. So I figured my talk starts at 1:45. Not that I have a 45-minute talk that starts at 1. So thankfully someone texted me a little earlier in the day: "Hey, wait, can't wait to see you at 1." "It's 1:45." "No, it's 1. You better get there on time." So thank you for knowing what's going on
and being here on time. Yes. So we were talking about Social Engineerios. It's a whole new flavor of scams now with AI. We'll be talking about how social engineering has and hasn't changed now that AI is upon us. So I want to start our story back in 1906. Back in 1906, our two main characters are John Harvey Kellogg and William Keith Kellogg. Does anyone know what these two gentlemen were doing back in 1906?
>> Fighting each other.
>> Fighting each other. Making cereal. But if you had guessed they were running a sanitarium in Battle Creek, Michigan, you win the prize. They were actually running the sanitarium. Dr. John was
in charge. Had some interesting ideas. Some ideas that probably should have landed him in the sanitarium as opposed to running the sanitarium. But that's for a different talk. One of those ideas was he felt that the way people ate, the foods that they were taking in, was leading to what he considered adverse actions or adverse social interactions with other people. And he felt that if he could change the way people ate, he could potentially socially engineer those bad traits out and inject good ones back in. So he and his brother, in the dungeon of their kitchen, came up with this very interesting cereal idea. Something very simple. Something that wouldn't have all of the extra,
I guess, bad things that he was talking about. And I mean, here it is. Look, it's pretty boring. It's pretty bland. It did the job. No one was really excited about it, but it allowed parents to get their kids out the door really fast, because they just needed a bowl, a bunch of milk, and bam, it got soggy immediately. But the kids were out the door. They didn't have to make the eggs, the bacon, the pancakes, toast, whatever else it was. No one was really excited about it, but it did its job. And then things started to change in 1964. Does anyone know what happened in 1964?
>> They added sugar.
Yes, they did. They revolutionized everything and Lucky Charms came out. They added sugar and kids thought that they were cheating with breakfast, right? Because, oh, I'm getting candy now. We've got four wonderful little marshmallows. And you know, things have changed over the years. They've added extra marshmallows. They're up to eight now. But it's still the same idea. You've got sugar and kids got excited about it. It had changed. We've got something new. But when you look at it, it's still just a very dry food sitting in a bowl with a pool of milk, getting soggy almost instantly. So did it really change, or did the way we perceive it just change? That leads me to my first really big
question. Why on earth am I talking about cereal at BSides? And it's a very good question, but the reason I bring that up is to create a parallel with social engineering. Because if you look at social engineering at its beginnings, it was boring. It was bland. It was the prince in Nigeria saying, "Hey, I've got a bunch of money. If you wire me money first, I'll give you a bunch back." It was poorly worded. It wasn't very well done, but it worked. No one got really excited about it, but it scammed a whole bunch of people and a whole bunch of people lost money. There it is. There's social engineering in cereal form, right? It's bland. It's
boring, but it did its job. It got things done. And if you looked at the nutrition facts, what did social engineering basically get built up from? These are the seven principles of persuasion, right? Ways that people try, for either good or for bad, to make you do something. You know, they'll use reciprocity: I give you something, you give me something in return. Scarcity: move quickly because you might miss out. Authority, social proof, liking, consistency, unity. All of these things are ways that people use to try to influence the way that you do stuff. And that is, at its base, what makes up social engineering and makes it work. And then 2002 came along. And just like
with 1964, when we had the sugar being added to the cereal, we added our own little sugar, so to speak, with OpenAI. And now all of a sudden you have generative AI. You have the ability to create things that you wouldn't have been able to, or not been able to quite as easily. And people got excited because now you could do so much more. Now with social engineering, now you can add AI. It's guaranteed to fool people, right? It's part of your daily dose of online nonsense. People started realizing what you can do by taking artificial intelligence and injecting it into what used to be bland and boring social engineering techniques.
It's got six fun new marshmallows. It's capable of voice cloning, image manipulation, video creation, face swapping, language translation, grammar and punctuation correction (I need that), chatbots, writing content, and then just plain old scalability, being able to push content out at a very, very high scale. It's a whole new world, right? It's changed everything. It's changed the way that social engineering works. So, talking about a few of these new techniques, with phishing, for example. And I apologize, I know right now this isn't going to be able to be seen. First off, these are supposed to be marshmallows. Artificial intelligence is still working on making marshmallow pictures. That's as close as I could get. But anyway, phishing has
changed simply because now you can write in different ways. Before, everyone always told you to look out for bad punctuation, for misspelling, basically emails that I am sending. But now you don't have to worry about that anymore. You don't even have to be able to speak the same language. Rachel Tobac, who runs Social Proof, said that after OpenAI came out with ChatGPT, the island of Iceland saw a gigantic surge in social engineering attacks, simply because people could now write in Icelandic, which up until that point had been isolated to basically the people that lived on that island. But now anyone anywhere could sound like they were a native Icelandic speaker.
And so it caught people off guard, because now something that sounded like it was maybe from a neighbor, from a colleague, from someone else, because they spoke the same language, is no longer the case. Perfect example: I don't speak Bulgarian, but my realtor does. I didn't realize that there's a lot of nuance that goes into Bulgarian. So I put something together and said, "Hey, can you just take a look at this and tell me, does this sound kind of like a native speaker?" I just put in a quick prompt and it spit back something. Sent it off to him and he came back to me and said, "Yeah,
actually, in all honesty, it sounds pretty good." This is Bulgarian. The training set here is pretty small. So if you consider something as big as English or Spanish or French, how much better it's going to be, then it just shows how much more difficult it's going to be to spot social engineering simply by looking for those misspellings. Vishing, voice phishing. Now you can change the way that your voice sounds. My CISO came up to me about a month ago and said, "Hey, what can we do? Can we try to do something to emulate our CEO?" This could be fun. So I went online and I found a quick interview
that he had done on YouTube. Just pulled it down, grabbed all the audio that was his, put it into a website that I won't name that took his voice, processed it, and spit something back. I owned his voice at that point. Took two minutes of audio from the internet and I basically had him. So I was able to pull something together. And I will preface this: the clip I'm going to use is not my CEO's voice. I was asked not to use that clip. So I reprocessed it in just a generic voice, but it was basically this. Oh, is it going to work? No, it is not. All right. We don't have
audio. But anyway, it basically came back and it was a video, or a piece of audio, that said, "Hey, this guy Aaron, he's been doing great work for you. I think we should reward him. Add a few commas to his salary. What do you think? Let's go ahead and do something for him." And I sent it off to my CISO, which he found very funny because (a) he knew that it was fake, and (b) it was the CEO calling on my line. So he obviously knew that this was going to be fake. But imagine if it wasn't someone calling from my line, or it wasn't
something as ridiculous of a message as that, something a lot more believable. The voice that I had created was good enough that it probably would have taken in most people in our company and they would have believed it, because it was just that close to what he sounded like: his cadence, his voice, his accent. Now imagine the same sort of thing, but now it sounds like your spouse. It sounds like your parents, your child, your grandparents, someone calling you in the middle of the night saying, "Hey, we've got a problem. We need you to take care of this right away." Your guard is going to be down at that point. So phishing has been
something that has drastically changed because of AI. Moving on with smishing. Same idea as what I was talking about with phishing. It now sounds that much more believable. It now looks that much more believable because, again, it's written well. But at this point scalability is what comes into play, because now you can push out messages that are tailored to the right people for the right area and be able to do that at scale. Then not only that, but the landing pages. Let's say you've got a link in there; for the landing page, you can use artificial intelligence to create a website that looks pretty similar. You don't have to
have all these skills anymore. You can quickly push these things out. And who hasn't gotten a message like this, or this, or this, or this? They're everywhere now, right? And the problem is you can do it so quickly and so easily that it's at a scale that we've never seen before. Continuing on with business email compromise. This one's incredibly difficult to spot, simply because it pretty much starts with having an email account that you've already trusted taken over by somebody else. But at that point, a lot of times those emails wouldn't necessarily sound correct, because you've got someone that doesn't speak corporate America,
right? You're talking about someone that hasn't worked inside of your company, doesn't really know. So those emails might sound a little bit odd. Well, with artificial intelligence, you can just say, "Hey, tell me a little something about Cinnverse. It's where I work." And you can see here it says, "Oh, look. They just got a new chief financial officer." Fantastic. That's what I'm going to attack with this company. I didn't have to do a lot of research. I just said, "Tell me something about this company." Well, they've got a new CFO. So, great, I'm going to craft messages that go after the finance team. But I don't necessarily know how to speak corporate America.
Well, ChatGPT can create tone for me. I can say, "Hey, make it sound like I am writing to a financial team from another financial team member. Make it sound correct." So I no longer even have to know how to sound. I can just tell it to do it for me. And what about QR codes? We see them everywhere. They're in restaurants. They're on websites. They are in airports, train stations. My wife found this one for Panera. They're just downstairs. This is a code for a free muffin or cinnamon roll. If you've never had their cinnamon rolls, they're
phenomenal. I suggest it. Absolutely. And so yeah, she sent this to me. I was like, "Hey, grab yourself a treat before you go out." And so I did. I went downstairs, got it. You scan the code, it gives you a whatever. And here it is a little bit larger if you want to see it. But the problem with QR codes, just like with smishing, is you don't necessarily know where you're going, because this is what you're going to see. You're going to see this. And a lot of times you're doing stuff on your mobile device, so you wouldn't be able to see where you're going. And the landing page again might
look exactly right. So you're more apt to put a username or a password or some sort of identifying information in there. The problem is when you scan it, and if you did scan it, you also realize you're not at Panera's website. You're on my LinkedIn page right now. So I apologize for socially engineering you and making you go. There is no free muffin or cinnamon roll. That is the bad news. But if you're not too upset with me, please go ahead and connect. But that's the problem with quishing. I hate that name, too. That's another problem with it. And then finally, a name even worse than quishing: Zishing. I don't know if this
is exactly what we're going to call it, but we'll go with it for today. Who hasn't heard this story about the finance worker in Hong Kong, right? They get a phone call, and Erich Kron, who I saw here today, actually did a talk about this last year. So if you get a chance, go back and find that on YouTube. He touched on this. It was a fantastic talk. But basically the long and short of it is someone gets a phone call saying, "Hey, we need to transfer $25 million." They thought, that doesn't sound right. Let's get on a Zoom call. Perfect. They jump on a Zoom call. There's the
CFO and there's two or three other executives and they're all saying, "Yes, this needs to happen. This is immediate. We really need to do this. Please send out the money." So they do. The problem was no one on that call other than the finance worker was who they said they were. They were all faked. The voices and the faces were all faked. So now you can't trust what you hear. Now you can't trust what you see, because it can happen in real time. So Microsoft also came out with a program that can take a single photo and create movement. And if we had audio, you'd be able to hear that they've actually
married it up with voice as well. Now, the problem with this is: who here has a LinkedIn page that has their face on it? Whose company has their CEO or their board of trustees' faces on their websites? Yeah, this doesn't look 100% correct, but we all know that it's fake. So you're able to look for those things. Whereas if you just get a video that you see online that someone posts, it's going to take in a whole lot of people, because it looks like the right person and they're moving around, but that just came from a single photo. In the same vein, here's an individual showing how quickly and easily you can swap
your face in real time. Now, if you look, he's touching his face, he's eating, he's pulling on his cheeks, he's moving his hands in front of his face, and there's no break. Now, granted, this takes a little bit more capital to get started, but if you're going to make $25 million in one swipe, a couple thousand is not something you're going to sweat, right? So this is all showing you what we've been able to accomplish because of artificial intelligence. So what used to be pretty bland and boring now looks a whole lot different, right? It's a horrible new world. There's all these awful things out there that we now have to look out for, that we
as practitioners need to teach our friends, our family members, our co-workers. There's a,65% increase in phishing attacks from '22 to '23. 45% success rate for AI-generated content as opposed to roughly 18%, I believe is what it was, for non-AI-generated. So it just shows it's that much more believable. People fall for it. There's a 442% increase in phishing in 2024 because things have been getting so much easier. And lastly, we lose about 12 billion dollars to generative AI scams annually. That's just gen AI. That's not all scams. That number is far larger and far more depressing. But that's just for generative AI. So now what do we do? How can we stay
ahead? How can we anticipate what that next big thing is going to be, so we can tell people, this is what they're going to do next, watch out for this? We need to stay ahead. We need to know what it is that they're going to be doing, right? The problem is we can't. You can't anticipate what everyone is going to do. We may be able to make some approximate guesses, but you're never going to be able to guess everything. At that point, you're playing Whack-a-Hacker. You're constantly swinging and missing and swinging and hitting. And you can see how well it worked for that person. They put the mallet through the game. It's that frustrating.
We can't anticipate every single move. So what do we do? Well, the good news is we don't need to. We don't need to anticipate everything, simply because we just need to focus on the basics. I read an article with Jeff Bezos a little while ago, and the interviewer was asking him, what is it that Amazon does to stay ahead of the game? What is it that they do that allows you to stay in front of everyone else and anticipate what your customers want a year down the road, 5 years down the road, 10 years down the road? How is it that you're able to stay ahead? And this
was his answer: "Almost never am I asked the question, what is not going to change in the next 10 years? And that is actually more important than what will change, because you can build strategy around the things that are stable in time." That strategy around what's stable in time is what we need to start doing. We need to go back to what has been, what is, and what will be at the basis of social engineering. Just like with the cereal, it's still that dry cereal at the base. You can add as many other wonderful things on top, but what makes cereal cereal? What makes social engineering social engineering? So what's going to stay the same? Urgency.
They're still going to need to make you move faster than you want to go. They're going to try to make you feel like you're missing out on something. And so, you know, there's limited time. There's limited resources. They want you to stay quiet. They don't want you to commit to and talk to other people. Threats, peer pressure, odd requests. And what I mean by this is if Bob normally gives you information, but now Alice is starting to ask you for stuff, or if Alice normally gives you financial information, but now she's asking you for financial information back. Things that are out of the blue. That's what I mean by odd requests, things that don't normally
happen. And then finally, things that are just too good to be true. No one's giving you a Maserati. I don't care what the email says. I don't care how good it looks, it's not happening. Don't click on that link, please. So the question is, has AI really changed social engineering? I say probably not, because if you look at the nutrition facts of the new AI social engineering, it's all the same things. It still uses that basis of persuasion. It needs to persuade us to do something before anything else works. It doesn't work if it doesn't try to get you to move quickly or it doesn't use authority to try. Think about this. The summer intern sends you an email saying,
"Hey, we need about $5,000 of gift cards. Get to it when you can. Doesn't really matter. Go ahead, find Frank down in accounting. Ask him if it's okay. Don't worry about it. We'll get to it when we can." It would never work. It needs these principles of persuasion to get you to do something quickly. And that's what we need to continue to focus on and teach people about, because that's what's going to continue to stay the same. So what are those newest red flags? Yes, we always talk about the bad grammar. Look for this, look for that. Here's what I tell people in my company. If you get an
email that asks you to move quickly, that there's limited time or there's limited resources, if there's going to be a punishment for an action or an inaction, if they're requesting secrecy, if their requests are abnormal or unusual, or things are too good to be true, or things seem out there: stop. At that point, stop and think. Because listen, there will be legitimate business emails that contain some of these things. Business moves quick. You might have to move quickly. Things sometimes change. So a request may feel abnormal. Not every single message that has one of these things in here is going to be malicious, but you should stop and think about it anyway, because every single
social engineering email will have one of these things in there. So if these things make you pause, you're going to catch it. So look for those red flags. Give yourself that extra time. So how can we stop the attack? Learn what's correct to spot what's incorrect. If you're running a company, you've got rules in place. Make sure that something happens one way and one way only. Or make sure that something touches multiple people and it has to touch those people. And if someone's requesting, "Hey, listen, I know we normally go through these four people, but we really need this to be done really fast. Let's circumvent them and just get right to the end of sending
payment out." Great. Well, that's not normal. So we need to wrap at least one other person into this conversation. I can't tell you all of the wrong ways that people are going to try to get us to do things. But if we only do it one way every single time, any deviation from that is going to set off those spidey senses on the back of your neck and make the hair stand up and think, "This doesn't seem right. I need to look at this a little bit longer." So make sure that they know how things should be done correctly. Any deviation there will change. And by all means, stop, think, and reflect. So often I hear people say,
"Oh, but I just have, you know, I get x amount of emails in my inbox every single day. I just have to fly through them." Well, that's that's true. We do get a lot of emails and we do have to go through them quickly. But the amount of time it takes to recover from a breach or an attack is so much more than the short amount of time it takes for you to just put a little bit of time and effort into looking at that email or looking at that request and saying, "Does this seem right?" or reaching out to somebody and saying, "Hey, did you send this to me?" Don't give out personal information. So
often we post way too much about ourselves and we just give that information out for free. Whether it be on social media, whether it be in LinkedIn, whether it be wherever it happens to be. You don't We give away pictures of what the office looks like. We give away our home office, what sort of machines we're using, when we're on vacation, what our kids are doing, um where they go to school. All of that information can and will be held against you with social engineering. You're giving them you're giving them attack ammunition. Stop. That's making it so much easier for them as well. And then finally, this is the thing I always hammer the most is
verify. Verify that information. If someone reaches out to you, verify that it's true. Ronald Reagan said, "Trust, but verify." And I always say, "Don't trust, always verify." Because this is the day and age we live in, right? Reach out to the person, but do it differently in how they reached out to you. If if you send me an email and it sounds a little odd, I'm going to go ahead and I'm going to reach back out to you through Slack. I'm going to reach out to you over the phone. If you send me a text message, I can email you back. Or if if you send me an email, I'll reply, but I'm not going
to reply through the email itself. I'm going to type in your actual email address and send something back to you that way. That's a brand new email just saying, "Hey, Dennis, did you just send me something? It seems a little bit odd." And if you come back and say, "Yeah, that's that's exactly what I need. Can you please send me that information?" Fantastic. Now we verified in a different way that this actually is needed. Otherwise, dentist may say, "What the heck are you talking about?" And at that point, I know we've got a problem right? Use confirmed methods of communication. Always use if your company has you the their um all the their emails in in
Office 365, use that. Don't use, "Hey, here's my personal email. I need you to reach back out to me this way." Use the information that you know is verified and correct. If you're using something for a vendor outside of your company, make sure that things are correct: if you're using SAP, for example, make sure that you're using that information to reach out to the correct vendor and it's not somebody wrong. And like I said, don't ever use the information that they give you. "Hey, here's my phone number. Give me a call. Hey, here's my email, my personal email address." Use the information that you know is correct. And if you have to, go
online and look it up. Perfect example: a few years ago, I got an email saying, "Hey Aaron, congratulations. You won tickets to Black Hat," which I had a few weeks prior entered into a raffle to win Black Hat tickets. It was really cool. I don't generally win things like that. It seemed a little bit odd. I had no way of communicating with this company in a way that I knew was verified. So I went to their website and at the bottom of their web page was the contact us link. I just filled out the information and said, "Hi, my name is Aaron Strong. I was just contacted by such and
such from your company. If this individual does exist, can you please have them reach out to me and just verify that I indeed won Black Hat tickets?" And about 30 minutes later, my email pinged. And look at that. There was an email from the individual saying, "Hi, Aaron. Our contact team just sent me this email. It is true. You did win Black Hat tickets. Congratulations. Can I finally get your information so I can close this out?" And then I was very excited, because I knew that it was actually a legit thing. You can go to the website and find it that way as well. Don't tell me you can't find verifiable information. There's always a
way. Now, I work in GRC, so if I didn't talk about policy, I would probably start to burn a little bit. So we're going to talk about policy. Create policy as a firewall. And what I mean by that is it gives your employees a way to say no and a way to get out of a situation that they may not feel comfortable in. Because why? Almost always these social engineering tactics are purporting to be somebody in authority to somebody down below them. That is what works. Nobody that's a junior employee wants to say no to someone in the C-suite. But if you've set up policies that say we will only do things the X, Y,
and Z way, and someone's asking, "Well, let's try it a different way. Let's try it the ABC way," they can say, "I'm sorry, but we all know that policy states we can't do it that way. And if we are going to divert, we need to bring somebody else into the conversation." It allows your employees to be able to say no and not have to fear repercussion for what it is that they're doing. They don't need to apologize: "Oh, I'm so sorry. I can't. No, policy states this. We can't do it this way." Set up your policy as a way to be a stopgap for people so that they don't feel like they have to do something, otherwise they
could get in trouble, they could lose their job, they could really make things bad for them. And another thing is, use one-time passcodes as well. Perfect. Dennis, you just reached out to me. There's our internal site. What's the code that's currently up at the moment? I've got it up as well. Let's see if you know what that information looks like. And if you can give me the code back, beautiful. You, sir, Dennis, I can believe what you're saying. Make sure that buy-in comes in from the top, because if people up top aren't doing it, the people down below aren't going to anyway. And just like I stated,
it's the people at the lower rungs that get hammered the most, because they're the most susceptible. So if your executives aren't doing this, no one else is either. So make sure that it comes in from the top. And talk about it a lot. The more we talk about it, the more people get comfortable about talking about these things, the more they're going to come to you and say, "Hey Aaron, I just read this article. I just saw this story on the news. What do you think about X, Y, or Z?" Talk about it often, because it normalizes the conversation. It makes people want to come to you and be able
to say, "You know, hey, I may have done some boneheaded move here. What should I do?" The last thing you want is, after somebody makes a boneheaded move, for them to try to hide it because they're afraid. That's the last thing you want. You want them to feel comfortable saying, "I may have just done something. Please help me out." Normalize those conversations. And part of that is, don't vilify failure. Because, just like I've got three kids, if you punish them every single time they make a mistake, they're never going to come to you when they actually make a mistake and there's a real problem, right? You want them to be able to come to you. Yes, sometimes there needs to be
repercussions for actions, with parenting as well as in the workplace, but if you just hammer down on every single failure, people are going to hide things from you. And that's, again, like I said, the last thing that you want. Don't vilify failure. Use those as teaching moments. I wish I could give you one of these, a silver bullet, but there are none. I'm sorry. What I can give you are these final thoughts. And these are thoughts for your employees, and then I'll give you some for corporate as well. Teach your employees to know, and again, use this for family and friends as well. This isn't just for employees. Teach people to know what's correct so they
can identify: this is the only way that it's supposed to be coming in; anything that diverges from that is suspect, we need to take a look at it. Be careful what you click on, or, as I would love to say now, don't click on anything. Don't click on a message, don't click on an email. Go to the website itself, log in. Go to the app, log in. Verify the information there. Sometimes you do have to click on things, unfortunately, but if you can, don't ever click on anything. Just log in, verify that information, pick up the phone, call somebody, verify that information out of band. Like we were saying, if someone reaches out to you, reach out in a very
different way. Verify that the information is correct. Slow down and ask questions. It should always be okay to slow down and ask questions. Don't vilify that. And then learn to report problems. This is another big thing. So often I hear people say, "Oh, well, I clicked on something. Nothing happened. We're good." Boom doesn't happen the moment you click on something like they show you in the movies, right? Sometimes you click on something, boom happens, but you don't realize it until 3, 4, 9, 10 months down the road. So if you do something crazy and you think something may be wrong, report it immediately. Don't wait for something to go wrong to say, "Oh yeah, you
know, 10 months ago, I clicked on this really weird looking email, but nothing happened, so I didn't report it. Sorry." You don't want that. You want people to be able to come to you. Now, for your company: educate people on new threats and trends. By all means, please continue to do that. People need to know what is new out there so that they can keep their eyes out for things. But also create those policies as a firewall. Train your employees often. Show them what's going on. Do phishing simulations. Run other simulations as well that show what can happen. Normalize the conversation. The biggest thing is just get people talking. Have people talk to you and with you. Don't
vilify failure. And then this one I really like is reward the successes. It doesn't have to be big. Here's what I do. When you report an actual in the wild fish or you do something great, I send you a Zoom background. You can put that up there. People love it, people hate it, but I send it to you anyway. Like, hey, great job. Here you go. Put that up there. So that way other people when you get on a call, they can see that and say, "What? That's not the normal background I'm used to seeing. What's that all about?" Same thing. I send this out as well. The security rockstar award. People I've seen, they
print it out, they put it in their cubicle. I've seen people put this in their email as their signature. Again, it gets people to start asking questions. What is that and why did you get that? Security teams are small. Companies are big. We have a very limited number of people that we can work with. So, if you can get stuff out there like this and get other people talking, "Oh, well, I reported an email that I thought was kind of suspicious, and Aaron then sent me this and said, 'Hey, congratulations. You reported a phishing attack,'" well, now I've basically deputized somebody else in the company to be a security person for us, and they're going to keep
getting the word out for us as well. So, you've created a security team that's security team plus one, plus two, plus eight, however many, because they're starting to talk about it and they're telling other people about it, and then they will tell other people. And plus, people just love to feel rewarded for things. The more you reward, the more positive behavior you get. That's kind of social engineering, but in a good way. So if we take all these things, this is our social engineerios at the moment. We strip away all that extra stuff and just focus on the basics. What is it that people are going to try to do? They're coming after you. They're coming after
me. They're trying to persuade us to do other things. That's what we need to focus on. And if we can continue doing that, we're going to have success, because that's what worked 10 years ago, that's what's working right now, and that's what's going to continue to work in the next 10 years. And that's what we need to focus on instead of all the extra fluffy little marshmallows. Thank you. I'd be happy to answer... I don't even know what time it is, but I'd be happy to answer questions or send you to some other phishy little website. So, any questions whatsoever? Perfect. Oh yeah. >> How much more efficient might it be to take a top-down
approach, to have people in those higher positions not use urgency and scarcity as legitimate ways to get them to do something? >> Yeah, I mean, that certainly is good. If it's not needed, don't force urgency, by all means. But like I said, in business sometimes things have to happen quick, you know? Oh my gosh, this payment needs to go out. It somehow fell through the cracks. Please send this payment out immediately. Like, it's just going to happen. So that's why, if it does happen, that should be a thing that makes you pause and double-check on things. So yeah,
that's a great question. If you don't have to, please don't use those social engineering techniques for legitimate business reasons. Yeah. >> The voice phishing. Is that something that's being found against just, like, high-level targets, or going for >> everybody. It's going after everybody. I mean, high-level targets certainly, because if you can pop a C-suite, they've got keys to the kingdom basically, or they then have the leverage to be able to really hammer down hard on everyone underneath. If I can leverage your email address, now I can send out all sorts of things. But they'll also purport to be anybody, so it could be a mid-level, it could be a
junior employee, and it could even be family members, you know. It could be anybody, because it is so easy to do at this point, to be able to fake someone's voice. You could take audio from anything online and be able to get a pretty decent version of their voice, at least something that's going to really be hard to pick up on. Yeah. >> Yes, sir. >> I work at a company that's an automation platform for compliance. And one of the categories of tools that we typically work with is, like, KnowBe4, phishing simulation training platforms. >> So we get a lot of customers that obviously have it. We also get
occasionally the CISO that pushes back on something like KnowBe4 because they think that employees spend too much time worrying about the emails they're getting, because they think that it's a phish. Their claim is that they spend too much time worrying about the emails that they're getting because of doing these constant campaigns. What do you have to say about that? >> I would say that really goes back to: don't vilify failure. I think if you were to take a look at the way that those companies... and the question, just to restate it, is that there are a lot of upper-level executives that push
back and say, "Oh, doing these simulations just makes everybody scared and they spend too much time in their email worrying about what it is that they're going to do." And to that point, I was saying it probably is that they have very strict rules and punishment for failing phishing simulations. And so people do worry too much about, "Oh my gosh, I don't want to click on the wrong thing." And that's, you know, you certainly don't want your workforce to be scared for their own job, because then they're not going to be effective in what they're supposed to be doing. But at the same time, I want my people
thinking about their emails, because email is one of the largest threat vectors or attack vectors that criminals use, because it's the easiest way in. If I send an email to 5,000 employees, the law of large numbers is that someone will probably click and I might be able to get a foothold. So, I want my company to be thinking about their email in a way that makes them take pause, but what I don't want to do is make them take pause because they're afraid of losing their job. I want them to think, "Well, this doesn't seem normal." I do want them thinking about it. So, I don't know if that answers your question. >> Yeah, completely. I think you're pretty
much saying, let the failure during simulation not be a detriment to... >> Yeah. Yeah. If you fail a simulation, let that be a learning moment for you. Take that time to be able to teach that employee, "Here's what you missed and here's what I want you to look for." Now, that doesn't mean that there should never be a penalty for continued failure. People shouldn't just be able to click on everything all the time and be a huge risk to the organization. And at a certain point, you kind of do need to draw a line in the sand. But what I want to do is use that as much as
possible to try to teach you and train you so that you can learn from things and be a better, more secure employee than an employee who's terrified that they're about to, you know, lose their job because they clicked on one simulation. I've heard of companies where one simulation failure and you could potentially lose your job. Personally, I think that's a horrible idea. But, you know, who knows? Maybe that company is really, really good when it comes to click rates. Who knows? But yeah, that's what I would come back with for that. >> Yes, sir. >> Great presentation. Thank you. Your little certificates, that's great for getting buy-in.
>> Real quick question. Is this going to be on your YouTube channel or online, your presentation? Because I'm going to steal some of your stuff. >> Yeah, absolutely. Yeah, the presentation will be... BSides is going to be putting it up. And I may steal it from them so that I can put it up on my channels, but yeah, it'll be out there. So just keep an eye out for BSides. They'll be posting it once they edit it down. >> Yeah. Any other questions? You've got one minute left before they kick me out of here. >> Perfect. Well, thank you everybody. I really appreciate you coming and have a
lovely rest of your BSides.