WEBVTT 1 00:00:00.080 --> 00:00:03.040 Imagine this, right, You find a USB drive in the 2 00:00:03.080 --> 00:00:07.679 parking lot, just lying there. Seems pretty harmless, Yeah, just 3 00:00:07.719 --> 00:00:10.400 a lost drive exactly. So you pick it up, maybe 4 00:00:10.439 --> 00:00:12.759 you're curious, maybe you want to return it. You plug 5 00:00:12.759 --> 00:00:15.720 it into your work computer and boom, just like that, 6 00:00:15.800 --> 00:00:20.640 an entire company's network potentially compromised. It's kind of scary 7 00:00:20.679 --> 00:00:21.679 when you think about it. 8 00:00:21.679 --> 00:00:22.280 It really is. 9 00:00:22.719 --> 00:00:26.120 Welcome to the deep dive. We're pulling back the curtain 10 00:00:26.160 --> 00:00:29.920 today on something both fascinating and frankly a bit chilling. 11 00:00:30.519 --> 00:00:34.159 We're doing a deep dive into social engineering, the art 12 00:00:34.200 --> 00:00:38.200 of psychological warfare, human hacking, persuasion and deception. 13 00:00:38.479 --> 00:00:40.240 It's quite a title, bit it fits. 14 00:00:40.039 --> 00:00:43.159 It really does. Our mission here is to basically break 15 00:00:43.200 --> 00:00:47.640 down how attackers use human psychology, not just software bugs, 16 00:00:47.880 --> 00:00:49.840 to get access to sensitive. 17 00:00:49.359 --> 00:00:51.799 Stuff, and crucially, how you can spot these things. 18 00:00:51.600 --> 00:00:54.960 Exactly, how you can protect yourself, your organization. All our 19 00:00:54.960 --> 00:00:58.479 insights today they come from this really comprehensive document that 20 00:00:58.520 --> 00:00:59.799 details all these techniques. 21 00:01:00.240 --> 00:01:04.319 Yeah, it's eye opening stuff because at its heart, social 22 00:01:04.359 --> 00:01:08.719 engineering it's about getting access to systems, data, even buildings 23 00:01:09.280 --> 00:01:11.920 by playing on our psychology, right. 24 00:01:11.959 --> 00:01:16.120 Using clever non technical tricks instead of like complex hacking. 25 00:01:16.200 --> 00:01:19.359 Precisely, an attacker doesn't need to be some coding wizard. 26 00:01:19.400 --> 00:01:22.519 They could just you know, call you up, pretending to 27 00:01:22.560 --> 00:01:23.799 be it support and. 28 00:01:23.760 --> 00:01:25.159 Try to get your password that way. 29 00:01:25.319 --> 00:01:29.040 Yeah, the main goal always is getting trust, making you 30 00:01:29.040 --> 00:01:29.640 want help them. 31 00:01:29.519 --> 00:01:32.200 Out, So it's less about the code itself and more 32 00:01:32.200 --> 00:01:36.000 about well, the conversation, the persuasion. This idea has been 33 00:01:36.040 --> 00:01:40.200 around forever basically, but it really hit the mainstream in 34 00:01:40.239 --> 00:01:41.799 the nineties, right with Kevin Mitneck. 35 00:01:41.879 --> 00:01:44.480 That's right, he really popularized the term. But yeah, the 36 00:01:44.519 --> 00:01:47.840 concept is ancient, and what's worrying is it's a growing. 37 00:01:47.599 --> 00:01:50.840 Threat because companies are spending fortunes on tech. 38 00:01:50.640 --> 00:01:55.480 Defenses exactly, firewalls, anti virus, all that, but social engineers 39 00:01:55.840 --> 00:01:57.799 they just find clever ways around it. They go for 40 00:01:57.799 --> 00:02:01.799 the people, the human element, which, unfortuate, yeah, often the 41 00:02:01.840 --> 00:02:03.799 weakest link in the whole security. 42 00:02:03.439 --> 00:02:06.200 Chain, and they've got this whole like arsenal of tactics. 43 00:02:06.239 --> 00:02:10.159 One you mentioned in the source. Pretexting sounds kind of serious. 44 00:02:10.719 --> 00:02:11.759 What is that exactly? 45 00:02:11.800 --> 00:02:15.400 Pretexting is, well, it's more than just telling a lie. 46 00:02:15.400 --> 00:02:19.439 It's creating a whole fabricated situation a completely made up scenario, okay, 47 00:02:19.680 --> 00:02:23.400 all designed to steal personal info or gain access. Yeah, so, 48 00:02:23.680 --> 00:02:26.719 like an attacker might pretend to be an IT auditor 49 00:02:26.759 --> 00:02:27.719 from outside. 50 00:02:27.319 --> 00:02:29.479 The company, with the whole backstory and everything. 51 00:02:29.520 --> 00:02:32.759 Oh yeah, really convincing enough to talk their way past security. 52 00:02:32.919 --> 00:02:37.400 Or there's a really disturbing case we found people pretending 53 00:02:37.439 --> 00:02:38.879 to be from a modeling agency. 54 00:02:39.120 --> 00:02:39.840 Oh wow. 55 00:02:39.919 --> 00:02:43.599 Yeah, manipulating women into sending compromising photos, all based on 56 00:02:43.719 --> 00:02:47.560 fake promises, fake interviews, just building trust to exploit them. 57 00:02:47.759 --> 00:02:51.879 That's deeply unsettling how they prey on trust and aspirations 58 00:02:51.960 --> 00:02:52.240 like that. 59 00:02:52.360 --> 00:02:55.240 It really is. The goal is always creating that fake 60 00:02:55.599 --> 00:02:57.960 but believable sense of trust. 61 00:02:58.000 --> 00:03:02.120 But sometimes they're less subtle, right, using like fear or urgency, 62 00:03:02.520 --> 00:03:05.280 which brings us to maybe the most common one, fishing. 63 00:03:05.479 --> 00:03:07.560 I think most people listening are probably run into this. 64 00:03:07.840 --> 00:03:10.719 Oh absolutely, Fishing is definitely the most common. And you 65 00:03:10.759 --> 00:03:13.560 know the signs, right, trying to get personal info, names, 66 00:03:13.639 --> 00:03:16.080 social security numbers, addresses. 67 00:03:15.639 --> 00:03:19.159 Right, using threats or making it seem super urgent. 68 00:03:19.280 --> 00:03:22.280 Yeah, you need to act now. And those suspicious links 69 00:03:22.400 --> 00:03:25.479 taking you to fake websites that look surprisingly real sometimes 70 00:03:25.520 --> 00:03:26.000 and it's. 71 00:03:25.879 --> 00:03:29.599 Weird even emails with bad grammar can still trick. 72 00:03:29.439 --> 00:03:32.800 People, It's true, and they often bundle fishing with malware now, 73 00:03:33.000 --> 00:03:37.680 like getting people to install cracked software from dodgy sources. 74 00:03:37.360 --> 00:03:39.960 Which is actually loaded with malware. 75 00:03:39.439 --> 00:03:43.400 Exactly like those fake Google playbooks apk's mentioned in the source. 76 00:03:44.000 --> 00:03:46.400 So far, it sounds like they're mostly taking stuff, But 77 00:03:46.879 --> 00:03:50.000 do they ever offer something to get what they want, 78 00:03:50.319 --> 00:03:51.120 like a trade? 79 00:03:51.319 --> 00:03:54.599 Definitely. That's where quid pro quote comes in. Literally something 80 00:03:54.639 --> 00:03:57.560 for something, okay, usually offering a service not really goods 81 00:03:57.800 --> 00:04:01.759 in return for information. So the classic is fraudster's calling 82 00:04:01.800 --> 00:04:04.800 pretending to be it offering help. Yeah, offering a quick 83 00:04:04.800 --> 00:04:07.120 fix for some made up computer problem if you just 84 00:04:07.120 --> 00:04:08.599 disable your anti virus first. 85 00:04:09.560 --> 00:04:11.199 I see where this is going right. 86 00:04:11.599 --> 00:04:14.639 Then they install malware, calling it a software update. We 87 00:04:14.719 --> 00:04:18.279 even saw examples of attackers getting office workers passwords for 88 00:04:18.720 --> 00:04:20.199 like a chocolate bar. 89 00:04:20.399 --> 00:04:23.399 Chocolate bar seriously for a password. 90 00:04:23.000 --> 00:04:25.800 Or cheap pen. It shows how little it can sometimes take. 91 00:04:26.040 --> 00:04:29.160 That's wow. It really highlights how easily we can be 92 00:04:29.199 --> 00:04:33.360 swayed sometimes. But beyond direct trades, they also use bait 93 00:04:33.519 --> 00:04:36.399 right with tempting offers. How does baiting work? 94 00:04:36.439 --> 00:04:39.199 Is it just online It's similar off and online. Yeah, 95 00:04:39.240 --> 00:04:42.879 free movie downloads, free music, just enter your log in 96 00:04:42.920 --> 00:04:43.600 details here. 97 00:04:43.879 --> 00:04:44.639 Classic bait. 98 00:04:45.000 --> 00:04:49.040 But it absolutely extends offline too. There's this really interesting 99 00:04:49.079 --> 00:04:53.399 case an organization's founder actually scattered USB drives around the 100 00:04:53.399 --> 00:04:56.639 company parking lot. USB drive yeah, loaded with the trojan virus. 101 00:04:56.920 --> 00:04:59.839 Employees found them, got curious, culled them in, pluged them 102 00:04:59.879 --> 00:05:02.800 in on, which activated a key logger grabbing their log 103 00:05:02.839 --> 00:05:06.279 in details. Shows how powerful simple curiosity can be. 104 00:05:06.439 --> 00:05:09.839 Wow. And then there's one I've definitely seen myself. Tailgating 105 00:05:10.399 --> 00:05:11.000 or piggyback. 106 00:05:11.240 --> 00:05:15.160 Yes, tailgaming. Basically, someone without the right badge or key 107 00:05:15.199 --> 00:05:19.319 card just follows an authorized person into a secure area. 108 00:05:18.920 --> 00:05:20.959 Like holding the door for someone exactly. 109 00:05:21.000 --> 00:05:23.839 The classic is someone dressed as a delivery driver, maybe 110 00:05:23.839 --> 00:05:26.720 carrying a box. They wait for an employee to badge in, 111 00:05:27.199 --> 00:05:29.800 then just ask politely, could you hold the. 112 00:05:29.759 --> 00:05:32.600 Door, And most people would right, just being polite. 113 00:05:33.240 --> 00:05:36.920 It relies on that natural courtesy. It's apparently pretty common 114 00:05:36.920 --> 00:05:40.519 in smaller or medium companies where security might rely more 115 00:05:40.560 --> 00:05:43.399 on oh I recognize that person. We read about one 116 00:05:43.399 --> 00:05:47.079 security tester who tailgated his way through multiple floors of 117 00:05:47.079 --> 00:05:49.759 a building, even into a financial firm's data. 118 00:05:49.639 --> 00:05:52.480 Room and just worked there unnoticed. 119 00:05:51.920 --> 00:05:54.279 For days, gathering info. It's pretty effective. 120 00:05:54.600 --> 00:05:59.399 It's just amazing how these basic human things curiosity, politeness, 121 00:05:59.600 --> 00:06:03.639 trust can be turned against us, even with fancy tech security. 122 00:06:03.759 --> 00:06:06.399 It really shows how deep those social behaviors run. 123 00:06:06.720 --> 00:06:09.199 So with all these different attack methods, who tends to 124 00:06:09.240 --> 00:06:12.160 be the most vulnerable? Who do they target most often? 125 00:06:12.519 --> 00:06:15.800 Well, the analysis we looked at consistently points to new 126 00:06:15.839 --> 00:06:18.759 employees being the most vulnerable. They don't know the ropes yet, 127 00:06:18.839 --> 00:06:21.639 maybe don't know who to trust. That makes sense, followed 128 00:06:21.639 --> 00:06:25.639 by contractors, HR people, executive assistants even it. Staff and 129 00:06:25.720 --> 00:06:29.199 business leaders can be targets. And the problem is a 130 00:06:29.199 --> 00:06:33.160 lot of organizations still don't have you know, solid awareness 131 00:06:33.160 --> 00:06:33.720 programs or. 132 00:06:33.720 --> 00:06:35.759 Training to be getting a big blind spot. 133 00:06:35.639 --> 00:06:40.959 A huge one, and these attacks, they can cost companies thousands, 134 00:06:41.000 --> 00:06:43.079 sometimes millions every year. 135 00:06:43.480 --> 00:06:47.160 It's clear the human factor is huge. But who are 136 00:06:47.160 --> 00:06:50.600 these social engineers? It's not just the stereotype of a 137 00:06:50.639 --> 00:06:51.959 hacker and a hoodie. 138 00:06:51.639 --> 00:06:53.560 Is it. Oh not at all. They come in all 139 00:06:53.560 --> 00:06:57.079 shapes and sizes, some friendly, some malicious. Understanding the players 140 00:06:57.120 --> 00:06:59.680 is pretty key. Okay, So yeah, you have hackers. That's 141 00:06:59.720 --> 00:07:02.680 the which most people have, often blending tech skills with 142 00:07:02.759 --> 00:07:04.439 these personal manipulation skills. 143 00:07:04.439 --> 00:07:07.759 But then there are the ethical ones, penetration testers. 144 00:07:07.360 --> 00:07:09.560 Exactly, pen testers. They have the same kinds of black 145 00:07:09.560 --> 00:07:12.279 hat skills, but they use them for good, to test 146 00:07:12.279 --> 00:07:14.959 a company's defenses, find a holes before the bad. 147 00:07:14.800 --> 00:07:17.560 Guys do, so they're hired to break in essentially. 148 00:07:17.199 --> 00:07:20.560 Pretty much without causing actual harm. Of course, then you've 149 00:07:20.560 --> 00:07:21.600 got identity thieves. 150 00:07:21.680 --> 00:07:23.800 Their game must have evolved a lot. 151 00:07:23.720 --> 00:07:27.120 Oh absolutely really complex impersonations now trying to get all 152 00:07:27.120 --> 00:07:30.879 your personal details name, address, bank info, ss N, birth date. 153 00:07:31.519 --> 00:07:32.319 They use everything they. 154 00:07:32.279 --> 00:07:36.480 Can find and spies of course, deception is their job description, right. 155 00:07:36.759 --> 00:07:41.199 Social engineering is like a massive part of espionage, building trust, 156 00:07:41.519 --> 00:07:44.639 extracting info. It's what they're trained for. But it's not 157 00:07:44.680 --> 00:07:45.800 always outsiders. 158 00:07:46.199 --> 00:07:47.800 You mean disgruntled employees. 159 00:07:47.959 --> 00:07:51.879 Yeah, that's a tricky one because their unhappiness is often hidden. 160 00:07:52.399 --> 00:07:56.319 Employers might miss the signs, like maybe they start volunteering 161 00:07:56.360 --> 00:07:57.040 for extra. 162 00:07:56.839 --> 00:07:59.279 Work and really why it's called protective. 163 00:07:58.879 --> 00:08:01.439 Behavior makes them look loyal, while they might be planning 164 00:08:01.439 --> 00:08:05.040 something where they complained about management a lot, seeking sympathy. 165 00:08:05.199 --> 00:08:08.360 Sometimes they're loners blaming the company, and watch out for 166 00:08:08.399 --> 00:08:13.120 sudden lifestyle changes, big spending, new car, good ego, or 167 00:08:13.160 --> 00:08:14.000 money driving them. 168 00:08:14.240 --> 00:08:17.160 So internal threats are a real danger. And you mentioned 169 00:08:17.160 --> 00:08:21.160 some surprising professions use similar techniques just ethically kind of. 170 00:08:21.240 --> 00:08:25.600 Yeah, think about executive recruiters or good salespeople. They're masters 171 00:08:25.600 --> 00:08:30.160 of elicitation, understanding what motivates people. Scam artists or con 172 00:08:30.240 --> 00:08:33.759 artists are brilliant at spotting victims and playing on greed. 173 00:08:33.879 --> 00:08:36.440 And even governments that's unexpected. 174 00:08:35.960 --> 00:08:40.240 Often overlooked. Yeah, but governments use authority, social proof scarcity 175 00:08:40.279 --> 00:08:44.000 all the time to get messages across influence behavior. Sometimes 176 00:08:44.039 --> 00:08:47.279 it's for good reasons, like public health campaigns, but the 177 00:08:47.360 --> 00:08:51.159 techniques are fundamentally social engineering, making messages stick. 178 00:08:51.440 --> 00:08:53.639 And even fields like psychology or. 179 00:08:53.679 --> 00:09:00.360 Law exactly, psychologists, doctors, lawyers, they all use techniques like elicitation, understanding, psychology, 180 00:09:00.759 --> 00:09:04.519 interviewing tactics to get information from clients, sometimes to manipulate it, 181 00:09:04.679 --> 00:09:08.000 sometimes just to understand it. Really shows social engineering is 182 00:09:08.000 --> 00:09:08.799 almost a science. 183 00:09:08.919 --> 00:09:10.320 There's even an equation for it. 184 00:09:10.399 --> 00:09:14.200 Yeah, the source distilled it down pretext plus attachment, degreed 185 00:09:14.519 --> 00:09:17.759 plus manipulation, target victimized it's methodical. 186 00:09:17.879 --> 00:09:20.039 So with all these different players, what are they actually after? 187 00:09:20.200 --> 00:09:21.120 What's the prize? 188 00:09:21.240 --> 00:09:26.120 It's pretty broad really, passwords obviously, keys, account numbers, access cards, 189 00:09:26.159 --> 00:09:30.480 ID badges, any personal info, details about computer systems, phone lists, 190 00:09:30.720 --> 00:09:35.360 internal websites or servers, intranet stuff, yeah, internet info, and 191 00:09:35.600 --> 00:09:39.919 crucially the names of people who do have access or privileges, 192 00:09:40.399 --> 00:09:42.480 anything that helps them get deeper in or gives them 193 00:09:42.519 --> 00:09:43.000 an edge. 194 00:09:43.039 --> 00:09:44.879 And how do they usually get this stuff. What are 195 00:09:44.879 --> 00:09:46.600 the common tricks we should be looking out for. 196 00:09:46.879 --> 00:09:50.840 Well, one big one now is friending, gating trust on 197 00:09:50.879 --> 00:09:53.080 social media, maybe starting a casual. 198 00:09:52.879 --> 00:09:55.360 Chat to eventually get you to click a bad link. 199 00:09:55.279 --> 00:09:59.159 Right or give up some info malicious attachments links to 200 00:09:59.480 --> 00:10:04.679 fake's eye. Then there's impersonal or social network squatting. Squatting, yeah, 201 00:10:04.720 --> 00:10:07.279 like taking over or spoofing an account of someone you know, 202 00:10:07.879 --> 00:10:10.679 sending you a message, maybe a tweet, pretending to be 203 00:10:10.759 --> 00:10:12.720 them asking for a favor, Hey, can you send me 204 00:10:12.759 --> 00:10:13.440 that spreadsheet? 205 00:10:13.639 --> 00:10:15.480 And because it looks like your friend, you might. 206 00:10:15.399 --> 00:10:20.440 Just do it exactly. Spoofing online identities is worryingly easy sometimes, and. 207 00:10:20.360 --> 00:10:23.279 The classic pretending to be someone on the inside. 208 00:10:23.120 --> 00:10:26.879 Posing as an insider Yeah, impersonating someone from it help desk, 209 00:10:26.960 --> 00:10:30.279 maybe a contractor trying to get passwords or other info. 210 00:10:30.679 --> 00:10:34.039 There was that study mentioned ninety percent of employees in 211 00:10:34.080 --> 00:10:36.720 one company trusted people posing. 212 00:10:36.320 --> 00:10:37.840 As colleagues ninety percent. 213 00:10:37.919 --> 00:10:40.960 Yeah, hand it over sensitive company info just because they 214 00:10:40.960 --> 00:10:43.639 look like they belonged. It's all about playing on that 215 00:10:43.759 --> 00:10:45.879 internal familiarity, that assumption of trust. 216 00:10:46.200 --> 00:10:48.559 Okay, let's shift gears a bit. We've talked about what 217 00:10:48.639 --> 00:10:52.360 they do, but the real magic or dark magic, is 218 00:10:52.399 --> 00:10:55.759 how they mess with our minds. Right, What are the 219 00:10:55.799 --> 00:10:57.720 basic psychological tricks they use. 220 00:10:57.799 --> 00:10:59.799 Yeah, the mind games are key. A big one is 221 00:11:00.360 --> 00:11:04.120 and confidence. Social engineers just act like they belong They 222 00:11:04.240 --> 00:11:05.720 radiate confidence, even. 223 00:11:05.559 --> 00:11:07.120 If they have a fake badge or whatever. 224 00:11:07.320 --> 00:11:10.840 Exactly, it's the posture, the way they carry themselves. It 225 00:11:10.879 --> 00:11:14.720 puts people at ease, makes them seem legit, like concert security. 226 00:11:14.919 --> 00:11:17.919 They look for people acting shifty, not just checking badges. 227 00:11:18.200 --> 00:11:19.879 Confidence is disarming, and. 228 00:11:19.840 --> 00:11:21.799 They probably try to control the conversation. 229 00:11:21.480 --> 00:11:25.600 Right away, definitely. Often by starting with a question, it 230 00:11:25.639 --> 00:11:28.720 immediately puts you slightly on the defensive, make you feel 231 00:11:28.720 --> 00:11:31.919 like you need to respond. They control the flow. 232 00:11:31.679 --> 00:11:34.200 From the start, subtly setting the terms. 233 00:11:34.360 --> 00:11:38.360 Right, and humans, Well, we're wired to return favors, aren't 234 00:11:38.399 --> 00:11:40.120 we That feeling of reciprocation. 235 00:11:40.279 --> 00:11:42.840 Oh yeah, if someone does something nice for you, I. 236 00:11:42.759 --> 00:11:46.120 Feel like you owe them. Social engineers exploit this constantly, 237 00:11:46.399 --> 00:11:49.639 maybe a small gift, a small favor. The source note 238 00:11:49.679 --> 00:11:52.320 of the timing is key. Oh so give a gift 239 00:11:52.320 --> 00:11:54.519 in the morning, then come back in the afternoon asking 240 00:11:54.600 --> 00:11:57.519 for something, maybe claiming they forgot something or there was 241 00:11:57.559 --> 00:12:00.600 a mix up. It feels less like a direct bribe, 242 00:12:00.600 --> 00:12:01.919 then more. 243 00:12:01.840 --> 00:12:04.919 Natural, sneaky, and humor. I bet that helps them seem 244 00:12:05.000 --> 00:12:05.879 likable big time. 245 00:12:06.159 --> 00:12:09.120 Using humor breaks down walls. Yeah, makes them seem friendly, 246 00:12:09.279 --> 00:12:12.039 less threatening. Yeah, helps them get info, maybe talk their 247 00:12:12.080 --> 00:12:13.799 way out of a tight spot, or just charm a 248 00:12:13.840 --> 00:12:17.039 gatekeeper like a security guard. A fake it call might 249 00:12:17.039 --> 00:12:19.519 feel less suspicious if the person on the other end 250 00:12:19.639 --> 00:12:20.480 is cracking jokes. 251 00:12:20.759 --> 00:12:23.080 Okay, this next one you mentioned from the source is wild, 252 00:12:23.360 --> 00:12:27.039 always stating a reason, especially using the word because. 253 00:12:26.919 --> 00:12:29.759 Isn't that fascinating? The copy machine study. 254 00:12:29.559 --> 00:12:30.679 Yeah, tell us about that again. 255 00:12:30.759 --> 00:12:33.639 Okay, so people try to cut in line. If they said, 256 00:12:33.720 --> 00:12:36.279 excuse me, I have five pages. May I use the 257 00:12:36.320 --> 00:12:39.679 machine because I'm in a rush. Ninety four percent let 258 00:12:39.720 --> 00:12:40.120 them cut. 259 00:12:40.440 --> 00:12:41.960 Makes sense. They gave a reason, right. 260 00:12:42.000 --> 00:12:44.200 If they just said, excuse me, I have five pages, 261 00:12:44.240 --> 00:12:48.759 May I use the machine? Only sixty percent agreed. But 262 00:12:48.840 --> 00:12:51.200 here's the crazy part. If they said, excuse me, I 263 00:12:51.240 --> 00:12:53.879 have five pages, May I use the machine because I 264 00:12:53.960 --> 00:12:55.360 need to make copies. 265 00:12:55.240 --> 00:12:57.799 Which is not really a reason at all. 266 00:12:57.879 --> 00:13:01.679 It's totally redundant. But three percent still let them cut 267 00:13:02.039 --> 00:13:03.039 ninety three percent. 268 00:13:03.320 --> 00:13:03.679 Wow. 269 00:13:03.720 --> 00:13:06.200 It shows we often react to the presence of a reason, 270 00:13:06.559 --> 00:13:09.639 the structure of because, not necessarily the logic of the 271 00:13:09.639 --> 00:13:12.840 reason itself, especially if we're stressed or busy. It's like 272 00:13:12.879 --> 00:13:13.840 a mental shortcut. 273 00:13:13.919 --> 00:13:16.960 So any reason is better than no reason. That's powerful 274 00:13:17.120 --> 00:13:17.960 and a bit scary. 275 00:13:18.519 --> 00:13:19.080 It really is. 276 00:13:19.200 --> 00:13:22.559 This leads nicely into elicitation. The source called it subtle 277 00:13:22.600 --> 00:13:26.440 extraction of information during an apparently normal and innocent conversation. 278 00:13:27.120 --> 00:13:28.519 Sounds super hard to spot. 279 00:13:28.759 --> 00:13:31.360 It is very low risk for the attacker, very hard 280 00:13:31.360 --> 00:13:34.120 to detect. You rarely even though you've given anything away. 281 00:13:34.360 --> 00:13:35.399 Why does it work so well? 282 00:13:35.440 --> 00:13:37.440 It plays on basic human nature. We want to be 283 00:13:37.480 --> 00:13:40.159 polite to strangers. We tend to talk more if someone 284 00:13:40.200 --> 00:13:44.039 praises us. Professionals like to sound knowledgeable. We respond if 285 00:13:44.039 --> 00:13:48.159 someone shows concern, and most people don't like to lie outright, so. 286 00:13:48.159 --> 00:13:50.159 They gently pull information. 287 00:13:49.799 --> 00:13:53.360 Out exactly maype you act, even just by answering a 288 00:13:53.440 --> 00:13:57.159 question or nudge you down a certain path. It also 289 00:13:57.200 --> 00:13:59.639 makes their main story, their pretext, seem. 290 00:13:59.480 --> 00:14:01.639 More believer and they have to be really good at 291 00:14:01.679 --> 00:14:02.960 conversation to pull this off. 292 00:14:03.039 --> 00:14:07.639 Oh yeah, masters of it. First, being natural, they have 293 00:14:07.679 --> 00:14:10.039 to sound and act like they belong, like an expert 294 00:14:10.080 --> 00:14:11.039 in whatever role they're. 295 00:14:10.879 --> 00:14:12.559 Playing, and educated on the topic. 296 00:14:12.720 --> 00:14:16.679 Definitely enough knowledge to talk intelligently. Pretending usually doesn't work 297 00:14:16.679 --> 00:14:21.919 for long, and maybe counterintuitively, not being greedy, meaning don't 298 00:14:21.919 --> 00:14:24.639 push too hard for information too quickly, let the target 299 00:14:24.679 --> 00:14:28.840 talk more, be patient. Use that reciprocation principle. Give a 300 00:14:28.840 --> 00:14:32.320 little info, get a little info. Rushing raises red flags. 301 00:14:32.399 --> 00:14:36.840 The source mentions specific elicitation techniques from a DAHS pamphlet. 302 00:14:37.440 --> 00:14:41.720 Yeah, things like ego appeals, subtle flattery, your job sounds 303 00:14:41.759 --> 00:14:46.440 really important, or finding mutual interest. Oh you're into compliance databases, 304 00:14:46.480 --> 00:14:48.879 I was just reading them extends the conversation. 305 00:14:49.159 --> 00:14:51.879 What about deliberate false statements? 306 00:14:52.279 --> 00:14:55.200 That's a clever one. Yeah, you say something wrong on purpose, 307 00:14:55.440 --> 00:14:58.000 knowing the other person will likely correct you with the 308 00:14:58.039 --> 00:14:59.240 real information. 309 00:14:59.120 --> 00:15:01.879 Ah, exploiting the need to be right exactly. 310 00:15:02.320 --> 00:15:06.039 Then there's volunteering information yourself, hoping they'll reciprocate with something 311 00:15:06.120 --> 00:15:10.879 equally valuable. Sets the tone and assume knowledge, acting like 312 00:15:10.919 --> 00:15:13.639 you already know things to get the conversation rolling and 313 00:15:13.759 --> 00:15:15.360 encourage them to add more detail. 314 00:15:15.600 --> 00:15:18.759 And the way they ask questions is critical to totally. 315 00:15:18.799 --> 00:15:21.399 Using open ended questions, what do you think about? Well? 316 00:15:21.440 --> 00:15:24.080 How does that work? Things you can't just answer yes 317 00:15:24.159 --> 00:15:25.879 or no to gets people talking. 318 00:15:25.720 --> 00:15:27.279 The pyramid approach right. 319 00:15:27.240 --> 00:15:31.399 Starting specific and getting broader or the reverse. Then closed 320 00:15:31.480 --> 00:15:34.879 ended questions for specific facts. Is your manager happy with 321 00:15:34.919 --> 00:15:38.559 the project? Leading questions like lawyers use hinting at the 322 00:15:38.600 --> 00:15:41.600 answer and assumptive questions, acting like you already know they 323 00:15:41.639 --> 00:15:42.559 have the info you want. 324 00:15:42.720 --> 00:15:46.120 All these subtle conversational tricks build up to the main act, 325 00:15:46.200 --> 00:15:50.159 which is pretexting, creating that whole fake scenario exactly. 326 00:15:50.200 --> 00:15:52.960 It's the foundation. Yeah, and the first rule of pretexting 327 00:15:53.080 --> 00:15:57.159 is research, research, research. The more they know, the better. 328 00:15:56.919 --> 00:15:59.240 Their chances, and they often target emotions. 329 00:15:59.519 --> 00:16:04.039 Absolutely. Malicious actors are ruthless. They exploit tragedies like nine 330 00:16:04.080 --> 00:16:08.279 to eleven or earthquakes for fake charity scams, or use 331 00:16:08.320 --> 00:16:12.120 celebrity deaths to lure people to bad websites using SEO tricks, 332 00:16:12.120 --> 00:16:14.080 playing on that surge of public interest. 333 00:16:14.399 --> 00:16:17.799 It's pretty dark, really dark, exploiting grief and shock like that. 334 00:16:18.000 --> 00:16:23.080 It is another principle personal interests increase success. It's easier 335 00:16:23.080 --> 00:16:25.320 to fake it if the pretext is something you actually 336 00:16:25.320 --> 00:16:26.039 know about or. 337 00:16:26.039 --> 00:16:27.840 Enjoy less chance of tripping up. 338 00:16:27.879 --> 00:16:31.120 Right avoids that cognitive dissonance in the target where something 339 00:16:31.159 --> 00:16:33.759 just feels off about your story. If you're pretending to 340 00:16:33.759 --> 00:16:35.879 be tech support but look terrified of a server rack, 341 00:16:36.120 --> 00:16:36.960 it won't work. 342 00:16:37.039 --> 00:16:39.360 Like method acting for criminals kind of. 343 00:16:39.519 --> 00:16:43.799 They even practice expressions or dialects, record themselves, try accents 344 00:16:43.799 --> 00:16:47.159 on strangers, and the phone is still huge easy to 345 00:16:47.159 --> 00:16:49.720 spoof caller ID now make it look like the call 346 00:16:49.799 --> 00:16:53.000 is coming from a bank head office, even the white house. 347 00:16:53.320 --> 00:16:55.360 Wow, and simpler is better for the. 348 00:16:55.320 --> 00:17:00.799 Story itself generally, Yes, Simpler pretexts better chances, fewer details 349 00:17:00.799 --> 00:17:04.160 to remember, less chance of contradiction, lets the target fill 350 00:17:04.160 --> 00:17:07.559 in the blanks with their imagination. Sometimes they even make small, 351 00:17:07.599 --> 00:17:11.359 calculated mistakes. Why makes them seem more human, more relatable. 352 00:17:11.640 --> 00:17:15.119 Nobody's perfect. Plus dressing the part helps Khakis and a 353 00:17:15.160 --> 00:17:15.680 polo for. 354 00:17:15.640 --> 00:17:18.759 Tech sport, and it needs to feel natural, not rehearsed exactly. 355 00:17:18.839 --> 00:17:22.559 Pretext should be spontaneous, Use an outline, not a rigid script. 356 00:17:22.839 --> 00:17:26.119 Be flexible, pay attention to the target's reactions and adapt. 357 00:17:26.640 --> 00:17:28.200 Practice makes perfect. 358 00:17:27.839 --> 00:17:29.680 And they don't just grab the info and run. 359 00:17:30.079 --> 00:17:34.400 Usually not, good social engineers provide a follow through or 360 00:17:34.480 --> 00:17:38.599 logical conclusion, like a doctor giving a diagnosis. They wrap 361 00:17:38.680 --> 00:17:41.160 things up, maybe give the target something to do next. 362 00:17:42.000 --> 00:17:45.200 It avoids immediate suspicion. If tech support just walked out 363 00:17:45.240 --> 00:17:48.920 after messing with the database, you get suspicious fast. They 364 00:17:48.960 --> 00:17:50.920 need to close the loop plausibly. 365 00:17:51.400 --> 00:17:54.480 This all feeds into the bigger picture of influence and persuasion, 366 00:17:55.160 --> 00:17:58.079 which sounds less like a trick and more like a science. 367 00:17:58.359 --> 00:18:01.240 Getting someone to think or do you want maybe without 368 00:18:01.240 --> 00:18:02.319 them even noticing it. 369 00:18:02.279 --> 00:18:05.039 Really is a science. The source laid out five key 370 00:18:05.039 --> 00:18:09.599 fundamentals for influence. First, set clear goals. Know exactly what 371 00:18:09.640 --> 00:18:11.319 you want to achieve before you even start. 372 00:18:11.400 --> 00:18:12.839 Have a target in mind, yes. 373 00:18:13.359 --> 00:18:16.599 Second, build rapport quickly connect with the target, get their attention, 374 00:18:17.039 --> 00:18:20.279 maybe even affect their unconscious mind advanced stuff. 375 00:18:20.319 --> 00:18:22.039 They need to be super observant too. 376 00:18:21.960 --> 00:18:25.920 Right absolutely. Third, be observant, aware of yourself, your surroundings, 377 00:18:25.960 --> 00:18:28.960 the target's reactions. Avoid getting lost in your own head 378 00:18:29.079 --> 00:18:32.839 your internal dialogue. Stay present. Fourth, be flexible. 379 00:18:32.960 --> 00:18:35.559 Adapt if things go wrong, exactly. 380 00:18:35.200 --> 00:18:38.000 Like bending a branch, not snapping a steel rod. If 381 00:18:38.000 --> 00:18:42.200 one approach isn't working, change tactics smoothly, don't seem rigid 382 00:18:42.279 --> 00:18:43.599 or unreasonable. 383 00:18:43.240 --> 00:18:45.240 And control their own feeling crucial. 384 00:18:45.799 --> 00:18:48.960 Fifth, be in touch with yourself. Understand and manage your 385 00:18:48.960 --> 00:18:52.359 own emotions. If you secretly hate smoking, it'll be hard 386 00:18:52.400 --> 00:18:56.160 to genuinely persuade someone to quit. Social engineers project the 387 00:18:56.240 --> 00:18:59.119 required emotion, not necessarily their true one. 388 00:18:59.359 --> 00:19:03.119 Okay, on those fundamentals, the source listed eight specific techniques 389 00:19:03.160 --> 00:19:07.200 they use for influence. First one reciprocation. We touched on that. 390 00:19:07.480 --> 00:19:10.599 Yeah, that deep seated need to return favors. They look 391 00:19:10.640 --> 00:19:14.039 for small chances to make you feel indebted subtly. 392 00:19:13.720 --> 00:19:15.599 Then obligation. How's that different? 393 00:19:15.759 --> 00:19:19.039 It's broader, more of a moral or social duty, like 394 00:19:19.279 --> 00:19:21.559 holding a door open leads to the next person holding 395 00:19:21.559 --> 00:19:25.160 the inner door. They might use smart complimenting, give a compliment, 396 00:19:25.279 --> 00:19:28.400 then make a request. Play on that feeling of social obligation. 397 00:19:28.640 --> 00:19:31.200 What about concession giving ground. 398 00:19:31.000 --> 00:19:33.680 Right, yielding on something to make the other person feel 399 00:19:33.680 --> 00:19:36.799 they should yield too, Okay, I'll meet you halfway. They 400 00:19:36.880 --> 00:19:41.240 might label the concession demand reciprocity later or given bit 401 00:19:41.279 --> 00:19:43.119