
So did this work? Everyone hear me okay? Do I need this? No? Okay, great. Well, I need it for my presentation; it's got some audio in it, so we'll try that. Alright, thanks. I am Surfer Dave. We have a group called Charlotte Hackers Anonymous; I thought I'd just plug that real quick. It's kind of our new group. We get together on Saturdays and hack and drink and stuff like that, so anyone that's interested, you're welcome to come. We actually have a little table out there that's horribly staffed and has no swag, because we don't have any money. So anyway, social engineering is something that I do for work, and I'm not going to say that I
don't, not a social engineer. The idea behind it, though, is a misnomer, in my opinion. So this talk came about before CarolinaCon: the CFP was closing and there weren't enough speakers. So one night, after working with a very prominent social engineer in the technology field, I had a few bourbons, because I was a little upset about things, and came up with this talk, and then forgot what I came up with and actually had to email them back after they accepted. So this kind of forced me to get out of my comfort zone and do some research that I've been wanting to do. So the standard disclaimer is: these are my views and opinions. Obviously I do
work as a red teamer for a large international bank in the Charlotte area, so obviously those are not their opinions, they're mine. And much like the title of this talk, citations are needed, but I do provide a slide deck at the end, or a slide at the end, with some of the books that I use for reference. So, just warning you now, this talk might contain some of the following things. It might have triggers. Like, this is a trigger: this is the humuhumunukunukuapua'a, it's the Hawaiian state triggerfish. There might be kittens, there might be Chuck Norris, you know, the usual stuff that ends up in security talks a lot of times. And of course, at most BSides
there's alcohol involved at some point of the day. So if you hear anyone mention anything about advanced persistent threats, or any of the things with a c-word, or someone telling you that, as hackers, the world is going to end if we don't protect it: no, it's not. The world went on for eons before hackers showed up on the planet. So anyone talking about fear, uncertainty and doubt, really, take a drink, or make them take a drink, actually. So, a little bit about me. I thought, who introduced me but me, at 14 years old. We're going to see if this audio works, because we're kind of, so I'll have to hold it up to the microphone. That's
water guys though
You guys hear that? We're recording.
Alright, so we were actually building things from the Anarchist Cookbook in the basement and thought it was smart to put it on video. In hindsight, the internet didn't work like that back then; now it's on the internet. So, FBI, please just remember that was when I was 14; statute of limitations has run out. So let's get started, let's kick this off. Let's understand a little bit more about why I kind of want to rail on social engineering. So what's social engineering? Social engineer? All right, so basically, the way we use social engineering in the media and as people, and we're not the only ones that use social engineering in everyday speech,
it's kind of like polar vortex was a thing; I really would like us to move away from it. So we're going to go through a few things. We're going to define what social engineering is, we're going to look at really what it is, some history behind it, and then some techniques that work from a sociology perspective. Now, this isn't a technical talk, I'm going to be dropping zero days and things like that, but this is more about the human element involved in information security, and just being humans, and really how we relate to each other.
So let's break it down. Let's talk about what the words social and engineer mean. So social is an adjective; it describes somebody. It means relating to activity, spending time with each other, doing enjoyable things together. So the lock Phil guys are out there right now; we get together quite, I'm not completed with those guys, we get together once a month at a bar and pick locks and drink beers and things like that. Same thing we do with Charlotte Hackers Anonymous, same thing we're doing right here right now: something we do together. It's a social gathering; we would like to be with and talk to people. Now this one's for us as a group, at
least for me and some of my friends: relating to people or society in general doesn't really work. I don't know about you, but as the big guy in school I was picked on, because I was the one playing D&D at the lunch table instead of, like, hanging out with the jocks and stuff like that. So sometimes we don't necessarily relate to being social butterflies. Now, an engineer is a person who has scientific training, who builds all these awesome things that have brought us into the 21st century. Now, this is a female engineer; she's working on a power plant. And by far this is the hardest picture to find on the internet ever, because the internet doesn't think that
engineers can be women, or if they are, they have to be in, like, some kind of skimpy costume. But she definitely, you know, it can be either gender. It's also a definition of a person who is in charge of a ship or airplane, so these guys, or a guy that runs a train, like that guy. And engineering as a whole is the professional art of applying these things, this knowledge. It's at the bottom there; it says special knowledge is associated, preparation for professional practice involves extensive training and application of that knowledge. Now, do we think that the words social and engineer really work here? I think not. Personally, engineer, kind of like my title at work: I have engineer
in my title, but I don't have a degree in engineering. I don't even have a degree. So why am I called an engineer? These people went to school for years and years and years, but yet they're called engineers, social engineers. So I think we really need to break it down and call it what it is. We're not social engineers; we are manipulators, and we use manipulation and deception to help protect our environments. So how do we do this in information security? Well, we use phishing to test people's response to possible phishing attacks, which are a very real threat on the internet. Phone calls, also known as vishing: we're calling up and trying to solicit information, passwords, social security numbers and so
forth. Dumpster diving: you're looking for information about businesses and people, to use that information to leverage against them. Doxing, where we find information that is available on people to use against them. And then open source intelligence. And this slide's kind of small, I apologize, but this is a tool called Maltego. Maltego will pull information from multiple different sources on the internet to find out more about people, and you'd be surprised what people put out there that leads to, making, using for manipulation. So if you're on Facebook and Twitter and all these different things: if it's on the internet, it never dies. So just keep that in mind. And using tools like this
makes it very easy to plan targeted attacks against people through manipulation. Okay, let's switch gears now and talk about the history of manipulation and deception: why these things work, why is it possible, why as humans do we allow ourselves to get deceived and manipulated. Well, the first story, arguably the first recorded story, during creation in the Bible, the first thing that happened involving humans was deception. So just to recap that story real quick: God puts Adam and Eve in the Garden of Eden and he says they cannot eat the fruit of this tree; they can eat from everything else. Satan, he's checking this thing out, and he's like, wait, they serve him? I want
some of this attention. I'm going to go down in Eden. And then Satan turned himself into a snake; he deceived Eve. And the interesting thing is that Eve actually went and took it back and used deception on Adam. Adam never saw the snake, never talked to him, so that deception was actually passed down. So arguably that's the first written history of deception. In ancient times, false weights was a big problem; still to this day it happens. People in marketplaces would think that they were buying, like, a unit of grain, and it might actually be half a unit, because the weights would be falsified. So in Roman times they actually enacted tax collectors to go and check the weights
that people are using, not to defraud the people. We still do this today: if you go to a gas pump, you'll see a sticker on the gas pump that says that at this certain date somebody checked to make sure that the measurement of gas from this gas pump is accurate. And it still happens today in other countries: yes, you will get deceived out of gas, just FYI, and from experience. Clothing, makeup and smells: things that we hardly think of as being deceptive. But archaeological evidence shows about 70,000 years ago our ancestors started adorning their bodies with ochre, a reddish powder that purposely was used to manipulate men into thinking they were ovulating. And obviously procreation is a big thing,
otherwise the humans would die off. So these techniques were used. Ancient Egyptian women would use different pastes and things to make their eyes big; they would use paint to color their lips. And Greek and Roman ladies would dye their hair blond; they'd use makeup and lighten their skin and remove unwanted body hair. Sounds familiar? It happened back then, it's still happening now. Nothing wrong with it; it's just something that's happened. It started off as something to continue the procreation process of the human race. So that deception, all these things are ingrained in us. So as kids we're told at a young age, and this is, to me, when I
read this during my research, it really hit home for me: we're supposed to be polite, we're supposed to have manners, we're not supposed to point out to somebody if they are acting rudely or inappropriately. Like this guy here: you'd probably just cross the hall and never say anything to him, because he's acting out of, not normally for people in society. So we're taught to do these things, but what are we doing? We're actually not telling the truth. We're thinking to ourselves, that's disgusting, what's wrong with that guy, he must be, like, from some, you know, backwater town, he's never known these things. But we're really teaching, we were taught to be polite. The politeness is actually a type
of deception, because we're not speaking our truth, speaking the way we think. Now, the origins of Santa Claus and Easter and the Easter Bunny and those types of things are deception, and we continue to propagate it to our children. So Santa Claus actually came from Germanic people. This is a picture of the Norse god Odin, and at Yuletide Odin leads a great hunting party through the sky, celebrations. So this kind of leads to comparisons with Santa and his reindeer. There are other deities that rode across the sky in chariots drawn by goats and gave presents to children at the end of the year, and that's kind of fed into that legend as well. This is Easter: Eostre, or Ostara, is a
Germanic divinity that was the one of radiant dawn, the uprising of light, and that's why Easter happens around the same time every year: it's the spring equinox, and this was celebrated every year in her honor. The Easter Bunny, and rabbits and chickens and things like that: these things reproduce really quickly. You have these animals as a sign of procreation, as a celebration of fertility. So all of these customs and things like that don't have origins in Christianity, they don't have origins in the Bible. They were woven in to help make the people more likely to not rebel against the governments that were taking away those pagan traditions. Okay, we're going to look at some of the
techniques that really work when it comes to manipulation and deception, and how, because as humans we follow these techniques in our day-to-day life. So an awareness of them can really help us identify them, and also use them for testing our own environments. So, the rule of reciprocity, or rule of reciprocation: it's basically the Golden Rule, do unto others as you would have them do unto you. Now, the Hare Krishnas found an excellent way to exploit this. The Hare Krishnas would be worshipping in public, and they would walk up to a person and they'd just hand that person a flower and stand back. And obviously, when someone hands you something for free, you don't
understand why. They say, well, I don't want this flower, and the Hare Krishnas say, no, that's yours, it's a gift from the Hare Krishnas, but if you'd like to make a small donation to our cause, we'd be willing to take it. So, the rule of reciprocity and what we're used to doing: you don't receive free, you know, it's usually reciprocating. So someone gives you something, you give them something in return. So that worked really well for many, many years, from the seventies into the 80s. Nowadays most of us are cynical about doing things like that; we've heard about these types of things and how they work, so it's not as effective as it was previously. But the next
example, it's still, and this is a legit reason why the rule of reciprocation works. So I was in New Orleans for a conference one time, went to Jackson Square, and was watching these guys doing some breakdancing, because I like that kind of stuff. But with any kind of street performers, I notice the way that they're getting donations for what they're doing. They actually had one guy that had the money, but another guy in the crew right next to him would be the first one; he would drop five or six one-dollar bills into the bucket. Now everyone sees that, and they walk around, and everyone is donating. So, you know, we saw something cool, and that's perfectly
fine, because I enjoyed their performance. Give them a couple bucks; I want them to keep doing it. So that is actually reciprocation that works correctly. Now, this example: when I was doing my research, I recalled something that I used to do when I lived in New York. I used to take people, when they'd come to visit, all around town. In New York we'd go on the subway, we'd take them all over the place. There's this olive bar up on the Upper West Side, and a cool thing about this olive bar, and in New York City it's unheard of, is you could have as many olives as you wanted while you're in the store. Like 50
different types of olives, as much as you wanted. There's no one standing around watching you, no one, like at Costco, hovering around giving you free samples. So we would, you know, spend some time in there, but inevitably, every single person that I took up there, nine out of ten times they would buy olives. And these are people that flew in, or were staying at a hotel with no refrigeration, and we're taking the subway and walking all over the city. Why would they buy these stupid olives? I don't know how, I don't know why I didn't think of it before, but the rule of reciprocation says that, you know, they went in there and sampled these olives. It's not because the olives are
super good; it's because they were pressured into doing anything. They thought, well, you know, subconsciously, hey, I bought some of these, all right, I sampled some of these olives, might as well buy some. So it worked really well in that case. And the next story, I can't tell this, I might just skip, because it's, if you want to hear this story about Las Vegas, come talk to me later. I don't want to offend anybody if they are here that are in this story; actually one of them is in the story, in larkfield. Okay, anyway, we'll just bypass that for now. It's a good story, I just don't want to, always look at that. Another technique that
works is commitment and consistency. Racetrack bettors, when they go to the racetrack, they look at the track record, the odds of the horse, and they're usually not too decided when they go in there as to who they're going to pin. Once they pick that horse and put that money down on that horse, now they stand by that horse. You see people cheering; they're cheering for that horse that they put the money on. But why? Because they committed to that horse, and if they started cheering for another horse, or booing the horse that they already picked, they're, staying consistent, that commitment. Another way to illustrate this is that of abused spouses. I don't want
to downplay this; this isn't a joke. This is an actual service message from Australia. So it doesn't matter what gender; there's abuse on each side. I'll give you an example of commitment and consistency here. You have a man and a woman; they're living together. The man's an alcoholic, a drunk, he doesn't do much, he's not interested in getting married. The woman wants him to stop drinking, and she wants to get married. But what happens? Things keep going on: he doesn't want to change, she wants some change. She finally says, I'm done with this, I'm out of here. So she leaves. She finds someone else, falls in love with that person, they get engaged, because it's what she really
wanted to do. What happens? The first guy goes to her and says, you know what, I've changed. I went to rehab, I stopped drinking, I bought a ring; we can get engaged and married, you know, in six months, if you come back to me. Ultimately she really wanted to be with this guy, so what does she do? She breaks off the relationship with her current fiancé and goes back to live with this guy. This is all theoretical; this is a story that was in one of the books about commitment and consistency. I don't want to use real-life examples when talking about this.
But so she goes back to him, and what happens? After a few weeks he starts drinking again. She mentions, when are we gonna get married? Well, I don't know, I kind of changed my mind on that. What happens now? She is even more committed to him than she was before, because she was getting married to another person and she had to defend herself. She had to tell her family, hey, I'm with this guy, I'll never, this guy was an [ __ ], I'm not gonna go back to him ever. Well, now she's convinced people that he's not that bad, and I'm going back. But now she's committed to him again; now she has to stay consistent to that
commitment. So it's kind of reinforced that commitment, and she has to defend the way that she thought. Another way commitment and consistency works is during Christmas time. During Christmas, the toy companies were saying, well, Q4 for us is amazing, we're selling all these toys, we're selling all this stuff. Q1 comes around and nobody's buying toys. So how do we fix this problem? Well, if you've ever gone through the console wars in the 80s, Nintendo and Sega and all those things, you know that trying to get one of those things around Christmas time was damn near impossible, but as soon as the first quarter rolled around you could get one. Why is that? Toy companies
figured out that if they push the product really hard, all the kids would want that product. And so the parent says, the kid's like, yes, Dad, this is all I want for Christmas, I don't care about anything else. Dad says, of course, son, if that's the only thing, I promise I'll get that for you. What happens? That present is not available for him to get. So he buys a whole bunch of other stuff for the kid, just so he has a nice Christmas. Comes around next year, but he's promised that he was going to get this thing. Now he goes back to the store, spending the exact same amount of money he already spent, to buy what the kid really wanted,
because we have to be consistent in training our children, right? Otherwise, you know, they don't have that upbringing that we've been ingrained with since human time. So parents want to show children consistency, and the toy companies have taken advantage of that as well. So now we're going to move on to NLP. And I've already talked to somebody today and they said NLP is a bunch of crap, but that's fine. It's a way of identifying certain things; at least, I've been able to identify certain things to get inside someone's head, and the whole idea that I use it for is to actually gain rapport with the person. So we're going to go through a
few neuro-linguistic programming techniques. You'll see this a lot in movies, shows and things like that, but these are things that you can pick up on about a person that really can kind of aid in your understanding more about who they are and how they're feeling at that time. So pacing and matching is the first one. It's similar to method acting, and Johnny Depp says here that if you're acting, if you don't put some of yourself in that acting, that character, it's not acting, it's just lying. So that's true. You're trying to match another person's body language, basically, and their speech, in order to build rapport.
Rapport is the most important part of neuro-linguistic programming, because once we gain that, once we close that gap and are able to talk to somebody, then we're better able to manipulate them or find out information about them. So this method actor: you can see by the different expressions on his face, you can discern a lot about what he might be feeling at that time. If you saw a real person with those expressions, you naturally, you can see when someone's upset or someone's happy or someone's drunk or whatever. So you can tell a lot about a person by their fingers. So pacing and matching is not mirroring itself; it's integrating parts of their
personality into yourself. So this girl here: you can tell by her appearance somewhat, but you could tell when speaking with her that she's probably from the country. She probably won't understand a lot of big fancy words that come from, like, New York City or things like that; she might not be able to relate to those things. Whereas this person doesn't speak any kind of language that makes any sense at all, so speaking to her, you'd have to bring yourself in line as well and use vocabulary that she would not find inappropriate, to, the way she speaks, however that is. Yeah, we'll just leave that alone. Mirroring is
another NLP technique. There's three different types of mirroring. Behavioral mirroring: it mirrors things that have a symbolic meaning. And just an example of this: a lot of men might not realize this, but when we speak to women, our pitch goes up a little bit, because we're matching that person's tone, and it makes it a little bit more disarming. We do that naturally, a lot of men do, because it is something that we've learned as an instinct to keep the human race going, to match somebody else to make them more comfortable. Symbolic mirroring: there's a couple different ways that symbolic mirroring works. One's wardrobe. I lived in Austin, Texas, and I worked for the local governments association there.
So it's all the old commissioners, judges, all these guys from all these very rural counties, and they all wore Stetson hats and boots and Wrangler jeans and things like that. I walk in like this; how do you think I get received? Not as well as another person from Texas. So I said, what's the O'Neill, I'm changing my personality to move to Texas. But after a while I thought, well, let me try this out and see how I'm received. Sure enough, got a hat, got some boots, not as uncomfortable as I thought they would be. I started dressing more like them. Now I'm seen as being one of them; now I'm welcomed into the boys' club that is
Texas. And I never owned a gun before I went to Texas; now I own many guns, and I joined, you know. So it works both ways: if you actually become, and start mirroring someone long enough, parts of their personality and their ways of thinking will actually rub off on you. Writing is another way of doing symbolic mirroring. An example of this would be a liberal person writing to conservatives: what type of language would be most effective, liberal language or conservative language? So there is a paper that was written in the late 70s about Cuba and Fidel Castro, but it was a liberal trying to express his message to
conservatives, so he wrote in a conservative language. If you think about it, we all have different sets of language that we use with each other, like our security language of, dropped in sight, Metasploit, or popping boxes and dropping shells and things like that. When we talk to normal people, they have no clue what any of that means; that's our language. So he used conservative language, language that they're comfortable with and normally are used to reading, in writing this article. What happened? All the liberals went crazy, because they're like, what is this liberal writer doing, writing as a conservative? The language that he used to mirror the conservatives was more powerful than the message itself. Exchange matching: it's
not mirroring exactly; it's a trade-off. So say you're trying to understand how a person's feeling, or trying to calm them down with their breathing. You can notice how they're breathing and actually match it with your arms moving back and forth and things like that. So you're trading off different things that they're doing. So if they have their hand on their face like this, you might give, you know, something here. So you're not mirroring them exactly, but you're exchanging one part of the body for another. What happens is you both fall into a rhythm because of you matching their body language. Now I'll give you an example of how this works. So
the guy's getting super pissed off or very frustrated, and, like, you know he's going to explode any second. What do you do? Ah, man, just calm down, calm down. This is an exchange match: you're using your hands and trying to bring his level down, trying to bring his breath down. So we've all done exchange matching; maybe we didn't even realize that we were doing a type of mirroring to help bring someone back down. Building and maintaining rapport is showing interest in another person; it's not just the only way, it's a positive connection between you and another person or group. So it's not just showing interest; it's something that really has
to be taught, you really have to learn. So being someone that might not be, like, a social butterfly, it's something that we have to practice as manipulation professionals. Not on what I call, in any new terms, will just keep keeping all random. But sensory acuity is the ability to recognize something about a person's disposition, and it helps to close that gap. So in this particular instance, what do you think would happen if, this shy guy at a party, if those two girls behind him went up to talk to him? It probably would end up being pretty bad; he'd probably run off and hide or something like that. Personal experience, I know that's what I did.
Feel I got over that. But what if this guy shows up and wants to talk to him as well, very flamboyant, outspoken? How do you approach to talk to that shy person? Well, you don't become these people; you become more like him. You look at me shy, you go in more mild-mannered, and your posturing and things like that will more replicate what he's feeling, how he's doing things, to gain the rapport. I mean, who knows, that looks like probably the guy that has all the passwords to the network; that's the guy you're going to go and want to be friends with. So once you start picking up on some of these things, you can
understand more about how a person's feeling. So this guy: you can tell he's obviously had a hard day, he's stressed out a little bit. So understanding that, becoming sympathetic to him, you can actually close that gap with him as well. Speech is a great indicator as well. Some people say that a pause or delay might indicate someone being deceptive, but I can ask Matthew: what were you doing seven years ago today? Right, you don't know, yeah, you have to think about it. But I ask you, seven years ago today, did you rob a gas station? Maybe? Alright, of course I picked on the guy that's going to be cynical. But anyhow, so generally speaking, that person's iono
robbed a gas station; if they are, you might be hanging out with, like, the wrong people, you know. But so you can tell, just apologizing necessarily mean deception, so you have to kind of weigh those circumstances as they come up. Dry mouth can show anxiety, or the stress level. The voice can show what the person's thinking, or how the person is reacting to what you say. The accent also not only could tell you where they're from but also their educational level. Or go back to these two, and if you notice, when speaking with them, that then I'll use a big university level words, that it's more like a high school level, or in Snooki's case, whatever planet
she's from, whatever level there, you can tell more about their education. For example, I live in Bessemer City, which is outside of Gastonia, and when I go to local establishments there I don't use big, fancy, heavy-duty university-level words, because they'd look at me and they'd think I'm being a pompous ass. It's a working-class town; a lot of them haven't been through much more than high school, if they even made it that far. And that's fine; there's nothing wrong with how people live their life. But understanding their accent and their vocabulary level allows me to adapt so that I don't offend somebody. Once again, we're talking about building that rapport there. The best way to piss
someone off is to talk above their head. Body language: you can look at body language for clues about how to proceed. So stress levels are pretty instantaneous. We have that fight-or-flight response that really can tell, that switches on automatically, that we all have as instinct. So we can tell a lot about a person: facial expressions, tension, rigid body language and so on. Although I think this guy's face is permanently stuck like that. Now here is a good example. Like, what are they seeing, you know, off camera? You know, Barack looks a little disgusted and Michelle looks surprised, so you can tell that there's something happening off camera that wasn't expected. Now, Lance
Armstrong: we are familiar with his drug use and being banned from the sport, but this interview happened at South by Southwest before any official allegations came out, and you'll notice he's doing something called shielding. Okay, a great indicator that a person's not telling the truth is that they instinctively will cover parts of their body, their face, or dart their eyes or look away, so as to not directly tell you that lie. So that's a great indicator someone's being deceptive, if you're speaking with them. And then there's this guy. Um, but you can tell that there's something wrong here. This is an extreme example, but pupil dilation, thinning of lips is a real
thing, and something you can actually look for. And dropping in some information: say you drop in some information on somebody that they might be uncomfortable with, it's a great indicator, once your flight-or-fight response kicks in and the body automatically makes these changes. Calibration is using sensory acuity to gauge the state a person's in, and once you understand the state of that person, then you're able to cultivate that state in yourself. So for example, this actor here, he uses various techniques, kind of in method acting, so that he can become different people depending on the role he's in. So say you came up to somebody that looks very upset and you
want to calm them down. Do you become very upset so that you can calm them down, or do you become the opposite of that? So this calibration is gauging how the other person's feeling and then turning yourself into what would change that situation. Maybe you do really want that guy to get more pissed off. I know a particular person that I encounter with, and that's all I wanted to do, is get him even more out of them, so I got in his face and ended that. So it depends on the situation how you calibrate yourself to the other person. Body language can tell you a lot: the posture. Now in this little
and this look, he changes his posture and the stance in a sitting position quite rapidly, and every frame, it tells a different story. So you could tell a lot about a person by their posture and whether or not you can adapt that posture for yourself. So if someone's standing rigidly and straight up, you could present yourself like that. If someone's being casual, you can tell a lot about how a person's feeling that way. Gesturing: how fast or how slow, often open and closed, will tell you how to approach that person. So if you're used to working with somebody that speaks with their hands a lot, it's very normal to come and speak with your hands a lot.
It'll allow you to build that rapport without them even knowing that that's what you're doing. But you don't want to be open and things like that with somebody that is like this, or doesn't feel like having a conversation, very closed. Now breathing is harder to master, and there is scientific evidence of this, because there's an entire field of hypnosis that uses breathing to put someone in a hypnotic state. But what this does, instead of trying to match breathing and things like that, when I use breathing techniques, I notice a person as they're breathing: they're going to have to take a breath in and a breath out, and usually you speak on the way out. So you match your breathing and
try and find out when you can interject into the conversation. So you match your rhythm with theirs so that you can bring your point across as well. So just a quick wrap-up of everything: what we think about social engineering, in my opinion, needs to change when you start looking more at the human element. I know as technical folks we like to be all hacker and all that cool stuff and gain gucky pop shells and get people to click on stuff, but really we're trying to secure the human, not necessarily just the technical. So we can use these things in all aspects of our life. We help our family, our friends understand that these people that are performing
these manipulation techniques, really help them identify these things so that they can protect themselves. And we can take some of this information back to our companies and help protect our companies as well. Anyone have any questions? Do you use these as part of your actual day job?
So the question is, do I use these things in my day job? Yes, I do, to an extent. One, I'm a red team member, and part of our mission, our charter, is to test our security controls, so whether or not our social engineering awareness program works. So I might use a phishing email that gets someone to click on a link, but for me personally, I'm more effective over telephone when I, you know, I'm not just waiting for someone to click on something. I actually like to call and engage somebody. It's easier on the phone as well than in person, because you're more comfortable, because you can't see that person's reaction. You use more of it to detect from their tone of voice
and how they're responding, how you can proceed and how you can better get information from them. Does that answer your question? A quick follow-up, if you don't mind: what percentage of cases would you say leads to uncovering of a gap in the education of your corporate users? In other words, how often does someone divulge information? Um, where I previously was with another large bank, I was getting around seventy percent. Where I'm at now, I'm at ninety-five percent. And it's a change for an entire organization to really understand those things, because a lot of these trainings get buried down in emails and things like that. I did another
presentation on building your awareness program at the Charlotte ISSA summit a few weeks ago. But what happens is you have emails that get sent out for awareness training, but they are part of another huge email newsletter, so they get lost, or it's not mandatory training or something like that, or people are able to next, next, finish and click through it really quickly. But, you know, you offer someone a free dinner or some tickets to a sports game, generally speaking people will give you more information. So you make it enticing for them, and basically you're feeding on what they're saying or what they're doing in order to give you no respond. So you end up with a lot of
people, especially if you're targeting. It's very difficult to stop the targeted manipulation attack. I mean, how it's social engineering, but that's what we call it as a term. And ironically, I think John's got something for me to give away, but is there any other question? State by state, different states regulate the use
The question is state by state, and if I've heard of anything. Honestly, I haven't. I would love to find that out, because there's a lot of people that are called engineers that I'd like to throw that law at. North Carolina does have statutes in terms of the professional use of the term engineer. I know the case in the early 90s, a guy was charged, he was in New York State, for calling himself a tortured engineer for doing some unpopular research. And so it's interesting, the rise of the term social engineer. I would love for that to happen. I'd love for that to happen, because I've been a Microsoft systems engineer for 15, 16 years now. Come on, it's a piece of
paper that says I passed the test. It's not an engineer degree. I know a lot of engineers who went for years and years, as much as, you know, doctors and things like that; they go to school to get that engineer title. For us to throw it around like, you know, it's kind of, you know, I just don't like it. It's a big pet peeve of mine. Yes? So, 95% impact rate, what do I do for follow-up? So in doing so, I take a multi-tiered approach. So we start off, so if I'm running a phishing campaign, start off with a level one phish that is very plainly obvious that it's a phish. So if
they click on that link, they're going to have to go back for additional training and remediation. If they report that link, then they go to level two. Level two is a little harder: the spelling isn't, you know, better, it's not coming from Nigeria, up to where everything looks legit except for, you know, the link is actually going to the wrong place. You teach people to think if it's not something that they're used to seeing. So that multi-tiered approach kind of helps graduate people up and make it more difficult, more secure. Unfortunately, getting buy-in for a major organization to do that type of training is very difficult. It's still unsuccessful where I'm at now, but we're working on it. So
a smaller organization, I think, might be easier to remediate, if you can go talk to the person, but with, you know, hundreds of thousands of people, programs, it makes it difficult. Yes?
So the question is using only ASCII text in email, and then to only what you can say over the phone. One, ASCII text: I would never be able to do that, because marketing, every marketing group's got to brand everything and they stick links on everything. There's no way that they would let that happen. And two, I think there are things that you're supposed to give out, but once again, it's one of those things that sits on the side of the computer desk, and if it sounds like you're legit from tech support, no one does any kind of authentication there. Especially if you, say, if you mess with someone's computer remotely and then you
call as your tech support, like say if I send a phishing email, they click on a link that does something malicious on their computer, and now I follow up with a tech support call, it's going to sound legit, because I've actually targeted that person, went after them. So if people would use that, that'd be great, but it's like these disaster preparedness flyers that you get in some workplaces: you put it up so you know exactly the procedure, if this happens then you do this. Well, if you don't read it and it just sits there forever, it gets forgotten about. So unfortunately, there are scripts. In fact, in the computer, a lot of these will have a screen pop with the customer information,
which, spoofing ANI, caller ID, is pretty easy to do, to call up customer information. And they have a script on what they're supposed to say, and a lot of times you can get them diverted off of that script. Yes?
Um, the question is, is there a specific age group that is more susceptible to social engineering? Actually, I don't think I've done any kind of analysis over that. That would be interesting. I would say Millennials, and, you know, Gen Xers through Millennials would be more susceptible, because we are what they term digital natives. We grew up around this stuff, we're used to seeing it, we're used to putting stuff and tweeting things as they've been developed. I would say that they're more susceptible, because I know some of the boomers in our company, I mean, they still, you know, mess up emails and things like that. So that would be an interesting analysis, but that's just my opinion off the top of my
head. Any more questions? I think we got, like, time for one more now. Okay, cool. Where's that, uh, I can do it or you can do it. That's all. I do it? Okay.