IamA professional social engineer. I get paid to phish, vish, scam people and break into places to test security. I wrote two books on the topic. Feel free to ask me about anything. AMA!
Well folks I think we hold a record… my team and I did a 7.5 hour IAmA. Thank you for all your amazing questions and comments.
I hope we answered as well and as professionally as we could.
Feel free to check out our sites
http://www.social-engineer.com http://www.social-engineer.org
Till next time!!
**My Proof:** Twitter https://twitter.com/humanhacker Twitter https://twitter.com/SocEngineerInc Facebook https://www.facebook.com/socengineerinc LinkedIn https://www.linkedin.com/pub/christopher-hadnagy/7/ab1/b1 Amazon http://www.amazon.com/Christopher-Hadnagy/e/B004D1T9F4/ref=sr_ntt_srch_lnk_1?qid=1403801275&sr=8-1
loganWHD1175 karma
I can't assure you of that. LOL, but I can say it's not. Trust me.
Kidding, there is no benefit in me doing that, but thanks for the laugh
zakmdot1053 karma
What tips could you give someone to better avoid falling prey to any of your tactics?
loganWHD1331 karma
Great question. Thank you. Depends on the type of attack. But let me first say that critical thinking is key in staying safe, as well as education.
With Phish: Hover over links, don't click suspicious ones, don't reuse passwords.
With Vish: If the call gets suspicious don't be afraid to say "I DON'T KNOW".
With impersonation: Always ask to see badges. Don't let people tailgate.
There are plenty more but just a few tips here.
BendmyFender222 karma
Could you elaborate more on tailgating? What could happen when someone tailgates?
loganWHD664 karma
Yes sorry. Tailgating means to follow someone into the company. If I dress like you and your fellow co-workers then come and walk with the crowd at lunch return, I can get past security many times with no badge.
That is tailgating.
Or entering a door that has been opened by someone with a badge before it locks again.
Xeno_phile218 karma
I assume you don't mean to not let people follow your car too closely; what do you mean by "tailgating" here?
chouclud558 karma
following someone through an access-controlled door without showing your own credentials
like at an office building where doors require that you swipe your badge to open them
Xeno_phile94 karma
Ah, that makes sense. Where I work I'd say an average of 3-4 people go through the badge-locked door per swipe.
chouclud201 karma
I've worked at several big tech firms and only at this last one is there a sign above the reader that says "no tailgating". It is surprisingly effective. Nowhere else I've worked does everyone badge in as a matter of habit. We'll hold the door open for each other but we wait to hear the telltale beep and click of the lock for everyone.
loganWHD205 karma
That is what I mean!!! Simple education makes people aware. Awareness leads to fewer breaches. I love it, thank you for sharing!
Owatch738 karma
How gullible are people when it comes to not asking questions or reporting suspicious anomalies at their jobs? For example, I recall hearing that a study was conducted where a sign would be placed on a normally secure door to a facility that said "Please leave unlocked", and the door would actually be left unlocked in several cases. Is this a problem you often encounter when conducting scams? I also hear it's fairly easy to walk in and inform somebody you're there to fix ___ computer, and they'll normally leave you to it if you look professional enough. How much is this the case in your job?
loganWHD1384 karma
Recently I walked in the executive level of a building and sat in the president's conference room by just saying I was there to do a quote for pest control.
In another job I roamed a warehouse containing millions of dollars worth of merchandise by stating I was there to inspect the trash bins.
It is, unfortunately, very easy. People feel weird asking questions, especially if you are friendly and nice. People don't want to be rude.
Owatch384 karma
Why is this considered to be an avenue of exploitation for malicious individuals? I mean, getting into anything unauthorized is undoubtedly a problem, but oftentimes offices and executive levels especially are heavily under surveillance. If you could get in and slip a flash drive into a PC, or do something else to their hardware, wouldn't you be quickly caught?
Have you ever gotten into some place, only to be apprehended later? (As in, their current security standards held up)
loganWHD518 karma
OWatch, yes I have been caught. In one case we had a fake "get out of jail letter" that had the guard who caught us lead us to a secure area. In other places I have been caught or stopped thanks to people following policy and protocol.
Why is it an avenue? It is the weight of info held by the person. If I can get to execs over the front desk, I am more likely to find more damaging info.
Does that make sense?
Owatch149 karma
Yeah it does! Thanks for answering. I feel like most of my questions are sort of bland, I just am not sure what to ask. I'm not involved in that sort of security much at all, but I do love to listen in on podcasts here and there, and I find it a really interesting field. It sounds like quite a fun job, although I'm sure there are a lot of cringe-worthy aspects to it. (As in, why did you just tell me that information, now I can do XYZ).
Would you consider yourself to be a "Red Team" operative? Do you work alone, or with other people?
I'm sort of all over the place, but do you do any work with stuff like Gas Station card exploits? Apparently people will pay attendants to look the other way while they install hardware to collect card data when it gets swiped, then gets downloaded over bluetooth when the criminal parks nearby. Might you have attempted to gain access to any supposedly secure card swiping systems at places ordinary people might not look? (Shopping centers, gas stations, etc.)
loganWHD172 karma
Owatch, my whole team is not listed here but take a look https://www.social-engineer.com/about/
this is some of us.
I have not tried to gain access to those systems. My goal many times is to find the methods where those things COULD occur, but to not do them. So we create the environment, then report and help fix.
T-town04672 karma
When I've talked to people about this sort of thing, I've often heard them say "I'm not doing anything wrong and I have nothing to hide, why should I worry about that?" How do you respond to people like that? In other words, why should we pay attention to this sort of thing?
loganWHD822 karma
Oh I like this question a lot. Yes I hear this a lot with clients. So let's use the Target breach as an example. Yes, true, your credit card company will make you whole financially… but what about the phishing emails and scam calls afterwards? Smart scammers are not going for the quick win of a few dollars on your CC, they want the long haul. Opening credit accounts, loans, visas, passports, stealing your identity… sure you are doing nothing wrong, but you can be a victim.
FullMetalJoint339 karma
Do you have any advice for someone who is interested in working as a social engineer? I'm not even sure where to get started
loganWHD466 karma
FullMetalJoint, great question. First let me say this: it is hard.
There are only two ways I know to tell people to try. You have to start at the bottom of the barrel and work up. Start as a data collector, help a pen test company with some menial tasks, then work up to a phisher and social engineer.
The other way is to make a name by research, writing or projects and break into the industry by meeting those in the industry and greeting them and working with them on projects. It is not the easiest in either path but those are the best ways I know.
A few articles we wrote that might help: http://www.social-engineer.org/social-engineering/a-lesson-from-a-young-social-engineer/
loganWHD73 karma
Some other pointers can be your education.
Info Sec study is important, psychology too, and then courses like the one we offer can help: https://www.social-engineer.com/certified-training/
loganWHD439 karma
Elivsthegreat, love this question too.
There are many scams I see that I am amazed still work. Like a new version of the 419… where people get emails claiming to be from a rich widow in Africa and if you marry her she will split her wealth.
People still fall for these and I wonder why and how? Then I think about how people make decisions and I understand it, although it is still disturbing.
itsokbrotato203 karma
This needs more visibility.
Have you ever fallen for a scam? Phishing or otherwise? What happened? What should you/would you have done in hindsight?
loganWHD314 karma
What do you suggest? I agree with you. We need more visibility on this topic.
Oh my, I have fallen for a phish before. I was so busy one year I clicked on a phish that looked just like an Amazon email. I ALMOST logged in, giving them my credentials, but fortunately saw the .RU instead of .COM and realized it was a scam.
I have also fallen for other scams in the past. It is human nature. The difference is that I know what I see now and can stop, think and correct my course.
Owatch197 karma
Might seem unrelated, but are you familiar with Paul's Security Weekly Podcast?
QEDLondon162 karma
Is there anything I can do to fuck with companies that sell or misuse my information ? I often give my dog's name or give myself a spurious title like "Doctor" or "Lord" when I have to sign up for things on websites to see where my info goes to. Any other, better advice?
loganWHD165 karma
The best solution is to opt out of what information you give. I have an email set up that I use JUST for this type of stuff. I don't care what goes there and there is not much personal data tied to it.
But you can also check data aggregation sites often and cleanse your info.
patval155 karma
Hey Chris, it's mum! I'm stuck at the airport in Zambia. Can you quickly send me 2000$ by wire transfer? My phone does not work here. I need the money quick and will give it back to you when I get back!
Ok, other question: do you sometimes have fun with fraudsters like they do on 419eaters.com?
Edit: Oh My God Thanks For The Gold! :))
loganWHD124 karma
HA… Yes I do. I once recorded a session from fake Microsoft support.
I like to see how far I can get them and how much info I can get from them.
spuntf139 karma
Have you ever found yourself in a situation where breaking through security was difficult? If so, how did this place protect itself from your techniques?
loganWHD374 karma
Yes, there are two scenarios I can think of, I will share one...
We had a very polite and nice security guard that had one rule - If your name is not on the list you do not pass. My name (fake) was not on his list and he was not letting me pass. He used policy with politeness and professionalism to win.
SoEuro135 karma
I've been following the social engineering podcasts for a while and saw the SE-CTF at defcon last year, what you guys do is amazing, keep it up.
Everybody always says you can read all you want but the real learning comes from practice. How should someone ethically practice SE skills? Thanks!
loganWHD196 karma
SoEuro, Thank you for being a fan!!
We try to teach in our classes to practice both verbal and nonverbal skills without malicious intent in public. Chat up a neighbor or stranger. See how much they will tell you. Learn how to suspend your ego, actively listen and ask good questions - the core of elicitation. Use those skills with family, friends and strangers.
Then when it comes time to use them as an SE it is second nature.
Does that help?
WonTheGame72 karma
Can you elaborate on the concept of ego suspension? How to check one's self, the hazards of failing to do so, and how to put "I" on hold, if you could.
loganWHD161 karma
WonTheGame, I love this question. Ego suspension is in essence suspending your need to be right or important and allow someone else that privilege… even if you are right.
It is a VERY powerful method of building rapport.
Here is a great newsletter we wrote on it: http://www.social-engineer.org/newsletter/Social-Engineer.OrgNewsletterVol.04Iss.48.htm
And a great podcast about it too: http://www.social-engineer.org/podcast/episode-020-rapid-rapport-for-social-engineers/
loganWHD221 karma
Yes we are. We use social media on EVERY DEVICE. It is even on scales, refrigerators and stoves nowadays.
We have become a truly connected society and although that is cool to some extent, it means we are opened up to serious attack.
loganWHD20 karma
This is why we do constant writing on the blog https://www.social-engineer.com/blog/
and monthly podcasts too to help people learn
Revan256110 karma
During a face-to-face social engineering engagement, what is your most hilarious "fail" moment?
I had the privilege of taking Chris Hadnagy's class last year, and it was a life-changing experience. Not only do you learn essential tactics to build rapport, influence those around you and build these insanely strong 5-minute relationships with others...but the long-lasting effects are so much more gratifying. He teaches you how to better communicate with those around you, but more importantly, how to modify your form of communication to help you relate to whomever you're speaking with. Basically, his course turns you into a dynamic conversationalist who's equipped with a multitude of tools at your disposal to gain almost anyone's trust. I wish I could explain it better, but it's phenomenal how much better your personal and business relationships will become. Anyway, just wanted to throw in my 2 cents! If anyone is interested in his course, I'm happy to answer questions about my experience (I do have an NDA about the class-specifics and material that I cannot disclose; more general purpose questions I can answer). Well worth the investment any day of the week!
TL;DR His class is the most (legal) fun and thought-provoking 5 days you'll ever spend.
loganWHD157 karma
WOW thank you. This is one of the nicest things I have heard about our class. Seriously, thank you!!
My best fail moment, I was videotaping my engagement for a physical break-in and using a hidden camera in a button. As I entered the server room I got the network admin with the secretary in a compromising …. situation. That was embarrassing.
Another personal fail is that I was asked by the client to tell the staff before I left that this was a test. Despite my objections they wanted it done. So I did it, and I was taken and locked in a closet while they verified my details.
ThatSteeve101 karma
Reading through this AMA, damn engrossing/informative, I can't help but ask the least insightful question here: Have you seen Sneakers?
loganWHD185 karma
ThatSteeve
"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons."
Does that answer your question?
I love that movie… it is my job. :)
ddavidn93 karma
Great information in this thread, thanks for doing this. At what point does being secure move from "safe" to "paranoid"? I save my passwords with LastPass, for instance. Would I be paranoid to quit doing that and try to memorize large strings of random characters for all my passwords? What about surfing the surface web with an anonymous proxy (such as Private Internet Access)?
loganWHD99 karma
This is a great question!!
So I try to tell people that we have to live in this world. We can take the paranoid route, the super critical thinking route or somewhere in between.
Now I am not talking about the INTENDED attacker here… but the average attacker is looking for the low hanging fruit. So make yourself not that… good idea to use LONG passwords and a password manager that doesn't store in the cloud or web. Good to do backups and make sure they are encrypted and to use VPNs when you travel.
I say that the level of paranoia you display should be commensurate to the info you are protecting. Does that help?
You might want to read this http://www.social-engineer.org/social-engineering/stealing-credentials-via-social-engineering/
lexalexander1083 karma
What was the catalyst that sparked your interest in social engineering? Mine was reading The 48 Laws of Power at 16 and finding Robert Greene's number to get advice from him. Do you have a similar situation?
loganWHD90 karma
I had the pleasure of working with the team that creates BackTrack (now Kali) and the mastermind behind that, Mati, was my mentor and friend. He nurtured my skill set in this. I guess I was always an SE but never knew it…
After working with them on pen testing, I started to write about it and develop my framework and course, which led to a book.
Along the path I have talked with, met and worked with some of the greatest minds on earth to help perfect this.
Thank you for the great question
loganWHD36 karma
Most recently I have to say my work with Dr. Paul Ekman has changed my life though:
http://www.paulekman.com/paul-ekman/
My first podcast with him is here: http://www.social-engineer.org/podcast/episode-032-non-verbal-human-hacking/
loganWHD114 karma
Wow this is such a huge question.
I don't think you can mandate this type of education. But here is what I would do…
First, I would teach critical thinking to all our children. They need to learn how to spot danger, and too many times they are not taught how to think.
Second, I would help people get motivated to want to stay secure. Lose the attitudes that "it's not that bad" or "it won't happen to me".
But mostly, I try to make these topics more readily open for people to discuss and understand so a change can be made.
lexalexander1074 karma
What's the best social engineering insight/hack that you know? Second, what are some books and ways to get better at social engineering?
loganWHD114 karma
Hello and thanks for the question.
The best hack I know? There are so many to mention. There is one particular devastating one I know of, but I don't want to call it the best, as it is disturbing. But it involved a 3-day campaign using a fake website, a phone call and then a phish and another call to get someone to give over their whole identity. It was terrible, real and worked!
Of course I want to recommend my two books, Social Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Side of Security.
But we have a list of great books on our site here: http://www.social-engineer.org/resources/seorg-book-list/
MonstyArts67 karma
If someone threatens to SWAT my house how do I avoid that from happening?
loganWHD121 karma
You really can't. All you can do if you know when, is to call them first and tell them you were told someone will prank you. Most likely they will still send police since this may be a great ploy to have police avoid your house for a crime.
Either way, you are gonna get attention.
rationaljackass32 karma
As far as home security is there a huge difference between completely wireless and hardwired systems?
loganWHD43 karma
That is hard to answer because there are many factors, i.e. does the wireless system allow for WPA or better encryption? What happens if someone can disrupt your signal?
I usually prefer hardwired systems over wireless when I recommend, but sometimes a wireless cam that works with the system is a nice way to protect remote areas.
loganWHD89 karma
Last year I phished 275,000. The year before about 200,000. This year slated for over 1.6 million.
Crazy no?
loganWHD39 karma
Interesting question because it wouldn't seem like I would end up here.
I was a programmer. Went to school for programming. Ended up with networking, security and computer applications.
But my only two degrees are OSWP and OSCP. Yet I loved studying psychology.
Recently, I have graduated from Paul Ekman's MFE Classes with an expert level.
That is about it. Mostly self taught and the school of hard knocks.
4a4a10 karma
Do you think the details of Frank Abagnale's book are completely made up or just mostly made up?
*edit - spellnig
loganWHD13 karma
I don't think they are made up at all. I have spoken to Frank before and a few of my friends know him personally, I would say he is really that ballsy and good. We reference our thoughts here http://www.social-engineer.org/framework/general-discussion/categories-social-engineers/identity-theives/
ryanblake199310 karma
What sort of training do you have?
Did you study?
What made you choose this career path?
Is there much money involved?
loganWHD14 karma
My training ranges. I am not degreed in psychology, but I studied it for years.
I also have only two certs, both from Offsec: OSWP and OSCP.
I study people, I study nonverbal and verbal communications and I study how and why people make decisions.
I chose this path because I am good at it, and I enjoy it too. Right now security is very good as a job. There is lots of work and many companies learning they need help.
iam_notstephano8 karma
What does one have to do in order to be in a career such as yours? I'm starting college this fall and this intrigues me.
loganWHD13 karma
I think psychology is good as well as info sec. The blend of the two makes for a good SE.
monkeedude12121664 karma
How can you assure me that this isn't a data-mining operation to determine which Reddit users have an interest in social engineering?