WEBVTT 1 00:00:00.120 --> 00:00:03.399 Right, Welcome back everyone, Ready for another deep dive Today. 2 00:00:03.560 --> 00:00:06.400 We're going to be digging into social engineering. 3 00:00:06.559 --> 00:00:08.560 Ooh interesting, which I think. 4 00:00:08.439 --> 00:00:10.320 We all kind of have an idea of what it is, right, 5 00:00:10.679 --> 00:00:13.359 but this is going to be a really fascinating deep dive. 6 00:00:13.640 --> 00:00:18.760 We're using The Social Engineer's Playbook by Jeremiah Talamantes. Have 7 00:00:18.839 --> 00:00:19.719 you ever heard of this book? 8 00:00:19.800 --> 00:00:21.239 I have. It's really interesting. 9 00:00:21.320 --> 00:00:25.120 Yeah. It's packed with like all sorts of crazy statistics 10 00:00:25.160 --> 00:00:27.079 and real world examples and stuff like that. 11 00:00:27.280 --> 00:00:27.480 Yeah. 12 00:00:27.480 --> 00:00:28.920 I think what it does a good job of is 13 00:00:28.920 --> 00:00:32.399 that it highlights how social engineering it goes beyond just 14 00:00:32.439 --> 00:00:34.880 like the hacking, you know, the computers and stuff. It's 15 00:00:34.880 --> 00:00:39.039 about understanding human nature, yeah, and how we can exploit 16 00:00:39.200 --> 00:00:42.759 those those tendencies that we all have right to trust 17 00:00:42.840 --> 00:00:45.960 and be helpful, to be liked to belives exactly. 18 00:00:46.159 --> 00:00:48.039 Yeah, and especially you know in the world that we 19 00:00:48.079 --> 00:00:50.520 live in today, right, Yeah, which is like this hyper 20 00:00:50.560 --> 00:00:52.960 connected world. Like I mean, the book mentions that back 21 00:00:52.960 --> 00:00:56.920 in twenty twelve, thirty seven percent of data breaches involves 22 00:00:56.920 --> 00:01:01.240 social engineering. Wow, that's according to Verizon Data Breach Report. 23 00:01:01.799 --> 00:01:04.079 It's probably only gone up from there. Yeah, And I 24 00:01:04.079 --> 00:01:06.480 think the other thing too, is that you know, we're 25 00:01:06.480 --> 00:01:10.599 not just talking about online scams anymore. Right, Physical social 26 00:01:10.640 --> 00:01:13.439 engineering tactics are on the rise. It's like the con 27 00:01:13.560 --> 00:01:16.719 artist has gone digital in a way. Yeah, because now 28 00:01:16.719 --> 00:01:18.280 you can reach so many more people. 29 00:01:18.640 --> 00:01:20.680 Yeah, So okay, let's just kind of break it down, 30 00:01:20.799 --> 00:01:24.280 like what exactly is social engineering? So the book defines 31 00:01:24.319 --> 00:01:29.200 it as like manipulating people into taking actions or revealing 32 00:01:29.280 --> 00:01:33.280 sensitive information that ultimately goes against their best interests. So 33 00:01:33.560 --> 00:01:35.719 it's really all about the abuse. 34 00:01:35.359 --> 00:01:36.519 Of trust totally. 35 00:01:36.599 --> 00:01:38.879 And that's why it's so important for you listening to 36 00:01:38.879 --> 00:01:41.959 this to understand the different types, right, because it's not 37 00:01:42.040 --> 00:01:43.680 just about oh, I'm not going to fall for that 38 00:01:43.719 --> 00:01:47.680 phishing email. It can affect social engineering can affect anyone anywhere, 39 00:01:47.719 --> 00:01:49.040 and it can take many forms. 40 00:01:49.280 --> 00:01:51.599 Yeah. Like, for instance, the book talks about this security 41 00:01:51.640 --> 00:01:55.959 consultant Steve stasuconis I believe is how you pronounce his name? 42 00:01:56.400 --> 00:02:00.680 Who scottered USB drives labeled payroll or swim suit picks 43 00:02:01.200 --> 00:02:03.680 around a company's entrance? Can you believe that? 44 00:02:03.840 --> 00:02:04.480 Pretty genius? 45 00:02:04.519 --> 00:02:04.799 Actually? 46 00:02:04.840 --> 00:02:08.479 I know, right, if you think about it, it preys 47 00:02:08.560 --> 00:02:12.240 on our innate curiosity, right, like to uncover a mystery 48 00:02:12.560 --> 00:02:15.240 or you know, get a great deal, right. 49 00:02:15.280 --> 00:02:16.919 I mean I have to admit I would be very 50 00:02:16.960 --> 00:02:19.360 tempted me too, Yeah, I would be very tempted to 51 00:02:19.400 --> 00:02:20.639 be like, what's on this thing? 52 00:02:20.879 --> 00:02:22.039 Yeah, like what's on there? 53 00:02:22.360 --> 00:02:24.080 Especially the swimsuit picks? Come on? 54 00:02:24.240 --> 00:02:26.759 Yeah, especially and like who's who are the swimsuit picks of? 55 00:02:26.879 --> 00:02:30.199 Right? Right? Exactly? Yeah. So, I mean it really makes 56 00:02:30.240 --> 00:02:32.879 you realize, you know, just how vulnerable we all are, 57 00:02:33.159 --> 00:02:35.960 absolutely to these kinds of tactics, totally. Yeah. 58 00:02:36.000 --> 00:02:38.879 And I think what makes this even more complex is 59 00:02:38.919 --> 00:02:42.520 the psychology behind it all. So the book actually dedicates 60 00:02:42.560 --> 00:02:47.240 a whole chapter to how social engineers manipulate us using 61 00:02:47.479 --> 00:02:50.280 Robert Saldini's principles of persuasion. 62 00:02:50.360 --> 00:02:53.599 Yeah. So it's not just trickery. It's like understanding, you know, 63 00:02:53.759 --> 00:02:54.759 how our minds work. 64 00:02:54.840 --> 00:02:56.400 It's like they're hacking our brain. 65 00:02:56.360 --> 00:02:57.520 Right exactly, Yet. 66 00:02:57.400 --> 00:03:00.000 Not just our computers, but our actual brains. 67 00:02:59.800 --> 00:03:02.000 The thing about Chaldeani's work, and the reason why it's 68 00:03:02.039 --> 00:03:07.000 so so relevant here is because these are deeply ingrained 69 00:03:07.159 --> 00:03:12.000 persuasive techniques in human behavior totally, right, Like we are 70 00:03:12.199 --> 00:03:14.919 in many ways wired to respond to these. 71 00:03:14.919 --> 00:03:17.199 I don't even realize it, yeah, right exactly. 72 00:03:16.800 --> 00:03:19.800 Which is what makes us such prime targets for social engineers. 73 00:03:20.240 --> 00:03:24.360 So let's dive into some of these tactics one by 74 00:03:24.439 --> 00:03:27.319 one and see how they play out in the real world. Right. 75 00:03:27.919 --> 00:03:30.439 So the first one is reciprocity. 76 00:03:30.759 --> 00:03:34.360 Okay, reciprocity right, So this is the idea, right that 77 00:03:34.439 --> 00:03:36.960 if someone does something nice for you, you almost feel 78 00:03:37.000 --> 00:03:38.479 obligated to return the favor. 79 00:03:38.719 --> 00:03:39.199 Yeah. 80 00:03:39.240 --> 00:03:41.840 The book gives a very specific example which I love, 81 00:03:41.879 --> 00:03:44.680 which is like someone offers to light your cigarette in 82 00:03:44.719 --> 00:03:47.919 a smoking area. Oh interesting, and then later on they 83 00:03:47.960 --> 00:03:49.879 might need to get into a secure area, and so 84 00:03:49.919 --> 00:03:52.120 they ask you, hey, can you hold the door, and 85 00:03:52.120 --> 00:03:54.319 you're like, oh yeah, sure, you know, because they were 86 00:03:54.360 --> 00:03:55.800 nice to you earlier and just trying to be a. 87 00:03:55.719 --> 00:03:58.479 Polite right, And all of a sudden you've given someone 88 00:03:58.520 --> 00:04:01.280 access to like a restricted area or something exactly. 89 00:04:01.280 --> 00:04:01.680 That's it. 90 00:04:01.879 --> 00:04:04.759 So the takeaway for you is to be to be cautious, right, 91 00:04:04.840 --> 00:04:08.319 especially if you're in a security sensitive environment and someone's like, hey, 92 00:04:08.319 --> 00:04:09.759 can I get that for you? Can I do this 93 00:04:09.879 --> 00:04:13.000 for you? Just be cautious, like what's their motivation? Why 94 00:04:13.039 --> 00:04:15.080 are they going out of their way? What's going on? 95 00:04:15.280 --> 00:04:17.120 Yeah, that's a good point. It's easy to get caught 96 00:04:17.199 --> 00:04:19.879 up in the moment, you know, absolutely, and not think 97 00:04:19.920 --> 00:04:22.879 about the bigger picture. Okay, so what about authority? 98 00:04:23.199 --> 00:04:29.040 Authority classic, so we are conditioned right to obey authority 99 00:04:29.079 --> 00:04:30.560 figures even if they're fake. 100 00:04:30.720 --> 00:04:30.959 Yeah. 101 00:04:31.000 --> 00:04:34.160 And so the book uses the example of like the 102 00:04:34.199 --> 00:04:37.319 it guy needs access to the server room, right. 103 00:04:37.160 --> 00:04:38.800 Like, we just I don't know, I feel like our 104 00:04:38.839 --> 00:04:41.800 brains go on autopilot in those situations. It's you you 105 00:04:41.839 --> 00:04:44.319 see a uniform or hear like a voice of authority, 106 00:04:44.360 --> 00:04:46.439 and you're just like, oh, yeah, okay, they must be 107 00:04:46.560 --> 00:04:47.240 legitimate it. 108 00:04:47.360 --> 00:04:51.959 Yeah. And so this really highlights the importance of verifying authority, 109 00:04:52.240 --> 00:04:54.399 you know, don't be afraid, especially when it comes to 110 00:04:54.480 --> 00:04:58.160 like sensitive information or giving someone access to something, ask 111 00:04:58.199 --> 00:05:02.519 for identification, double check with you know, the department. It's 112 00:05:02.639 --> 00:05:04.639 much better to be safe than sorry. 113 00:05:04.480 --> 00:05:07.800 Right, exactly, absolutely, Okay, what about scarcity scarce? 114 00:05:08.360 --> 00:05:11.079 This is where they kind of, you know, social engineers 115 00:05:11.160 --> 00:05:13.079 use a sense of urgency to try to force you 116 00:05:13.160 --> 00:05:16.680 to make a quick decision. So the book gives an 117 00:05:16.720 --> 00:05:20.720 example of like a frantic call from the COO, right, 118 00:05:20.800 --> 00:05:22.759 like the CEO is locked out of their account and 119 00:05:22.759 --> 00:05:25.360 there's a big presentation and they need you to reset 120 00:05:25.399 --> 00:05:26.560 the password right now. 121 00:05:26.639 --> 00:05:27.319 Oh my gosh. 122 00:05:27.480 --> 00:05:30.040 Yeah, you can just imagine that stress and that pressure, 123 00:05:30.160 --> 00:05:31.959 right and you're just like, oh my gosh, I need 124 00:05:32.000 --> 00:05:33.040 to fix this right now. 125 00:05:32.959 --> 00:05:33.600 Right exactly. 126 00:05:33.759 --> 00:05:36.439 You know, So anytime you feel that pressure, those pressure 127 00:05:36.480 --> 00:05:38.639 tactics like that should be a huge red flag, right, 128 00:05:38.800 --> 00:05:43.480 take a breath, verify the situation, and remember that there's 129 00:05:44.000 --> 00:05:47.639 very rarely a true emergency in any of these situations. 130 00:05:48.319 --> 00:05:52.279 It's better to be slightly delayed than to compromise security. 131 00:05:52.519 --> 00:05:57.480 Absolutely. Yeah. Okay, so we've got reciprocity, authority, and scarcity. 132 00:05:57.639 --> 00:05:59.800 What's next next is likability? 133 00:06:00.079 --> 00:06:01.759 Likability Okay, this one's kind. 134 00:06:01.680 --> 00:06:04.560 Of straightforward, which is that we comply with people that 135 00:06:04.600 --> 00:06:07.360 we like or who seem similar to ourselves, right, like human. 136 00:06:07.240 --> 00:06:10.399 Nature to want to like help people we connect with totally. 137 00:06:10.480 --> 00:06:13.120 But this is where it gets true, okay, because be 138 00:06:13.240 --> 00:06:16.560 mindful of how much personal information you're sharing, especially with 139 00:06:16.639 --> 00:06:20.079 people you don't really know, right, even if they seem friendly, 140 00:06:20.519 --> 00:06:23.680 that could be a tactic, right to build that rapport 141 00:06:23.759 --> 00:06:26.000 with you for manipulation later on. 142 00:06:26.279 --> 00:06:30.240 So like set boundaries absolutely, and just you know, don't 143 00:06:30.240 --> 00:06:33.680 be too quick to trust someone just because they seem relatable. 144 00:06:33.759 --> 00:06:35.439 Totally okay, what about concession? 145 00:06:35.600 --> 00:06:39.439 Concession? So this is where a social engineer starts with 146 00:06:39.480 --> 00:06:43.959 a big request and then concedes to something smaller, which 147 00:06:44.000 --> 00:06:46.439 makes you feel like you've won the negotiation. 148 00:06:46.680 --> 00:06:49.720 Right, It's like you're using your own desire to like 149 00:06:50.560 --> 00:06:51.240 compromise it. 150 00:06:51.199 --> 00:06:52.639 Gets exactly, Yeah, that's it. 151 00:06:53.120 --> 00:06:56.439 So really the key here is to recognize any negotiation 152 00:06:56.519 --> 00:07:00.279 where you feel pressured is suspicious, right right, ask yourself, 153 00:07:01.079 --> 00:07:03.160 what are they getting out of this deal? Are you 154 00:07:03.279 --> 00:07:06.519 truly winning or are they manipulating you to get what 155 00:07:06.560 --> 00:07:07.079 they want? 156 00:07:07.279 --> 00:07:10.800 Yeah, so be aware of the power dynamics, Yeah, totally 157 00:07:11.040 --> 00:07:14.560 at play, and don't be free to walk away exactly. Yeah, yeah, 158 00:07:14.639 --> 00:07:17.319 if it feels off, If it feels off, okay. And last, 159 00:07:17.319 --> 00:07:21.160 but not least, on our list of like psychological uh 160 00:07:21.480 --> 00:07:24.000 you know, tactics here is obligation. 161 00:07:24.399 --> 00:07:25.480 Okay. Obligation. 162 00:07:26.199 --> 00:07:29.360 So this is when a social engineer gives you something, 163 00:07:29.519 --> 00:07:32.319 maybe a small gift or some information, to make you 164 00:07:32.399 --> 00:07:33.920 feel indebted to them. 165 00:07:34.160 --> 00:07:37.560 Right, So they're creating a sense of reciprocity. 166 00:07:36.519 --> 00:07:40.439 Exactly before they even like make the ass exactly. 167 00:07:40.720 --> 00:07:41.120 Yeah. 168 00:07:41.160 --> 00:07:44.040 So it's important to be wary of those strings attached, 169 00:07:44.079 --> 00:07:46.360 Like what might they ask for later? Is there a 170 00:07:46.399 --> 00:07:49.160 hidden cost to that free gift or helpful information? 171 00:07:49.480 --> 00:07:53.480 Right? So think critically, yes, and don't let your feelings. 172 00:07:53.079 --> 00:07:54.639 You know, feelings get in the way. 173 00:07:54.600 --> 00:07:58.199 Cloud you judgment. Right. Okay, So I think what's so 174 00:07:58.319 --> 00:08:01.439 fascinating about all this is that these tactics, I mean, 175 00:08:01.480 --> 00:08:03.680 we're talking about them in the context of social engineering, 176 00:08:03.879 --> 00:08:05.959 but they are used in everyday life. 177 00:08:06.000 --> 00:08:08.319 Oh yeah, all the time, all the time, right. 178 00:08:08.240 --> 00:08:10.319 And I'm like already starting to see it. 179 00:08:10.319 --> 00:08:12.680 It's like you put on a whole new lens to 180 00:08:12.759 --> 00:08:13.680 view the world. 181 00:08:13.439 --> 00:08:17.199 Right exactly, Yeah, like how people are trying to influence us. Absolutely, 182 00:08:17.399 --> 00:08:19.759 It's it's a little scary but also like kind of 183 00:08:19.759 --> 00:08:20.560 fascinating to it. 184 00:08:20.560 --> 00:08:21.399 It is fascinating. 185 00:08:21.519 --> 00:08:24.519 Yeah, it's like you can't you can't unsee it once 186 00:08:24.560 --> 00:08:25.399 you start seeing it. 187 00:08:25.480 --> 00:08:29.879 Okay, So we've kind of covered this like psychological foundation, 188 00:08:30.079 --> 00:08:33.399 right of social engineering, But now I'm curious about how, 189 00:08:33.879 --> 00:08:38.080 like how do they actually put these tactics into practice? 190 00:08:38.120 --> 00:08:40.480 So that brings us to like the next one of 191 00:08:40.519 --> 00:08:42.919 the more like intriguing things. I think the book talks 192 00:08:42.960 --> 00:08:46.360 about which is the concept of elicitation. So it's about 193 00:08:46.759 --> 00:08:51.240 subtly extracting information from someone without them realizing. 194 00:08:50.799 --> 00:08:52.399 They're being probed sneaking. 195 00:08:52.519 --> 00:08:54.600 It is, it is, And it's really about asking the 196 00:08:54.679 --> 00:08:59.080 right questions, listening very carefully, and then piecing together, you know, 197 00:08:59.120 --> 00:09:02.519 what seems like in ocuous details to build a bigger picture. 198 00:09:03.000 --> 00:09:06.759 So it's not just being chatty, it's being like strategically chatty. 199 00:09:06.879 --> 00:09:09.080 Yes, it's weaponized chattiness. 200 00:09:08.559 --> 00:09:11.600 Right, exactly. Yeah, And what makes it, I think, so 201 00:09:11.840 --> 00:09:15.559 powerful is that it plays on our natural tendencies to 202 00:09:15.639 --> 00:09:18.600 connect with others, to share information and to. 203 00:09:18.600 --> 00:09:20.039 Help exactly right. 204 00:09:20.159 --> 00:09:22.679 Okay, so let's break down some of these elicitation techniques 205 00:09:23.440 --> 00:09:26.000 that are mentioned in the book. So, one of the 206 00:09:26.000 --> 00:09:27.360 first ones is flattery. 207 00:09:27.559 --> 00:09:28.039 Flattery. 208 00:09:28.240 --> 00:09:31.120 Yeah, so because we all love a little bit of praise, right, Like, 209 00:09:31.159 --> 00:09:34.000 who doesn't like to be like complimented, right, And so 210 00:09:34.039 --> 00:09:35.720 they know how to use it, right, They'll shower you 211 00:09:35.759 --> 00:09:38.799 with compliments, make you feel good about yourself, and therefore 212 00:09:38.840 --> 00:09:41.960 you're much more inclined to open up share information. You know. 213 00:09:42.799 --> 00:09:46.960 It's amazing how like a few well placed compliments can 214 00:09:47.080 --> 00:09:48.639 just like lower our guard. 215 00:09:48.879 --> 00:09:49.519 It really is. 216 00:09:49.639 --> 00:09:50.039 Yeah. 217 00:09:50.399 --> 00:09:53.360 So The takeaway for you is to be wary of flattery, right, 218 00:09:54.039 --> 00:09:57.240 especially from people you don't know well if they're fishing 219 00:09:57.279 --> 00:10:01.480 for details, especially about work or personal life. Be cautious 220 00:10:02.240 --> 00:10:03.480 how much are you revealing? 221 00:10:03.759 --> 00:10:07.960 Keep the bragging in check exact, especially with strangers. Yeah, okay, 222 00:10:07.960 --> 00:10:10.200 So what about false statements? 223 00:10:10.360 --> 00:10:13.960 False statements? So the idea here is that we can't 224 00:10:14.000 --> 00:10:17.679 resist correcting someone who's dead wrong. Oh yeah, that's true, 225 00:10:17.799 --> 00:10:19.720 and then in the process of correcting them, we might 226 00:10:19.759 --> 00:10:22.159 accidentally reveal confidential information. 227 00:10:22.679 --> 00:10:24.960 Yeah that's so true, because you're you know, you're so 228 00:10:25.120 --> 00:10:27.879 focused on setting the record straight total that you don't 229 00:10:27.879 --> 00:10:31.559 even realize you're giving away sensitive information exactly. Yeah, So 230 00:10:31.840 --> 00:10:35.320 just a reminder to be careful about how much insider knowledge. Yeah, 231 00:10:35.399 --> 00:10:37.159 you know you're sharing, even if you think you're just 232 00:10:37.200 --> 00:10:37.799 being helpful. 233 00:10:37.960 --> 00:10:40.679 Totally think about the consequences before you. 234 00:10:40.679 --> 00:10:43.639 Speak, right, exactly, So think before you speak, and don't 235 00:10:43.679 --> 00:10:47.639 let your desire to be right override your sense of security. 236 00:10:47.679 --> 00:10:48.039 Good one. 237 00:10:48.159 --> 00:10:51.240 Yeah, okay, So next, artificial ignorance. 238 00:10:51.480 --> 00:10:54.559 What is that artificial ignorance? This is where a social 239 00:10:54.600 --> 00:10:58.279 engineer plays them okay, to get you to explain things. 240 00:10:58.399 --> 00:11:01.480 Oh, so they're using our helpfulness against it. Yeah. 241 00:11:01.519 --> 00:11:05.600 They might pretend to be unfamiliar with your field or 242 00:11:05.639 --> 00:11:08.799 a particular process, right, and then they're prompting you to 243 00:11:09.039 --> 00:11:13.279 explain it to them, and in the process, you might 244 00:11:13.360 --> 00:11:14.639 reveal something you shouldn't. 245 00:11:14.960 --> 00:11:16.279 Oh. Wow, that's so subtle. 246 00:11:16.360 --> 00:11:16.799 It is subtle. 247 00:11:16.879 --> 00:11:18.639 Yeah, it's like they're leading you down a path but 248 00:11:18.679 --> 00:11:19.840 you don't even realize it. 249 00:11:19.960 --> 00:11:20.399 Exactly. 250 00:11:20.480 --> 00:11:24.840 Yeah, So be wary of overly curious strangers who seem 251 00:11:24.919 --> 00:11:29.399 oddly uninformed about your field could be a ploy to 252 00:11:29.440 --> 00:11:32.759 get you to lower your guard and divulge information you shouldn't. 253 00:11:33.240 --> 00:11:36.720 Yeah. So it's about like trusting our instincts, I know. 254 00:11:36.799 --> 00:11:40.240 Yea if someone's questions, you know, feel a little too probing, 255 00:11:40.480 --> 00:11:43.679 or you know, their lack of knowledge feels suspicious, exactly, 256 00:11:43.840 --> 00:11:47.559 we should be cautious. Okay. Now, sounding board, this is 257 00:11:47.559 --> 00:11:48.279 a new one for me. 258 00:11:48.480 --> 00:11:49.200 Sounding board. 259 00:11:49.320 --> 00:11:51.759 So this is where the social engineer pretends to be 260 00:11:51.840 --> 00:11:56.200 like a sympathetic listener, and so they encourage you to 261 00:11:56.279 --> 00:11:59.120 like vent about your work or brag about your work 262 00:11:59.200 --> 00:12:00.440 or your personal Oh. 263 00:12:00.480 --> 00:12:03.120 So they're like creating a safe space for you. 264 00:12:03.080 --> 00:12:04.279 To overshare exactly. 265 00:12:04.360 --> 00:12:04.600 Okay. 266 00:12:04.639 --> 00:12:08.080 Yeah, and then in the process you're unwittingly revealing information 267 00:12:08.320 --> 00:12:10.840 that could be used against you or your organization. 268 00:12:11.799 --> 00:12:14.480 It's amazing, how like, you know, just having that feeling 269 00:12:15.000 --> 00:12:18.159 that someone's on your side absolutely and just completely lower our. 270 00:12:18.039 --> 00:12:21.120 Guard you can. Yeah, it's a reminder that even venting 271 00:12:21.200 --> 00:12:25.159 or celebrating, like even when you're happy, right, can leak information. 272 00:12:25.600 --> 00:12:29.320 Right, So think twice, Think twice before you open up, 273 00:12:30.039 --> 00:12:31.919 even to people who seem trustworthy. 274 00:12:32.000 --> 00:12:34.440 Yeah, think about the potential consequences, right. 275 00:12:34.320 --> 00:12:37.639 So, like, be mindful of our audience absolutely, even in 276 00:12:37.679 --> 00:12:38.879 casual conversations. 277 00:12:39.080 --> 00:12:40.840 Even casually, we never know who's. 278 00:12:40.559 --> 00:12:42.519 Listening or how they might use that information. 279 00:12:42.720 --> 00:12:43.080 Never know. 280 00:12:43.720 --> 00:12:45.639 Okay, bracketing, this is a weird one. 281 00:12:45.679 --> 00:12:48.960 Bracketing. Yeah, so this is a technique where the social 282 00:12:49.039 --> 00:12:53.399 engineer throws out wild guesses, either too high or too low, 283 00:12:53.960 --> 00:12:56.159 to get you to give a more accurate answer. 284 00:12:56.480 --> 00:12:59.240 Oh. So they're using a process of elimination. 285 00:12:58.879 --> 00:13:01.440 They are, Yeah, they are to narrow it down exactly. 286 00:13:01.639 --> 00:13:04.679 For example, they might say something like I bet your 287 00:13:04.720 --> 00:13:08.600 company has at least five hundred employees, right, and then 288 00:13:08.639 --> 00:13:10.320 you correct them and say, well, actually no, we have 289 00:13:10.360 --> 00:13:11.600 closer to two hundred. 290 00:13:11.960 --> 00:13:15.080 They just elicited you know that's so clever, A good one. 291 00:13:15.159 --> 00:13:16.399 Yeah, I would have never thought of that. 292 00:13:16.600 --> 00:13:17.200 Yeah. 293 00:13:17.360 --> 00:13:20.159 So it's a reminder that if someone's pushing for numbers 294 00:13:20.200 --> 00:13:23.639 or specifics, that's a sign they're not just making casual conversation. 295 00:13:23.960 --> 00:13:28.120 Okay, be cautious. Yeah, so pay attention to the types 296 00:13:28.120 --> 00:13:30.879 of questions people are asking, absolutely, and don't be afraid 297 00:13:30.919 --> 00:13:34.919 to like be vague or evasive if you feel uncomfortable. 298 00:13:34.399 --> 00:13:36.559 Yeah, don't give it to them, right exactly. 299 00:13:36.960 --> 00:13:40.519 Okay. And last, but not least, confidential baiting. This is 300 00:13:40.559 --> 00:13:42.159 the one that like, I don't know it, just it 301 00:13:42.200 --> 00:13:42.879 feels wrong. 302 00:13:43.159 --> 00:13:45.559 It does feel wrong. It's like, come on, Yeah, so 303 00:13:45.639 --> 00:13:48.720 this is where a social engineer shares fake secrets to 304 00:13:48.759 --> 00:13:50.519 get you to reciprocate with real ones. 305 00:13:50.639 --> 00:13:53.799 Oh, it's like they're playing a game of like informational Chicken. 306 00:13:54.120 --> 00:13:55.000 They are, they are. 307 00:13:55.080 --> 00:13:55.320 Yeah. 308 00:13:55.399 --> 00:13:57.519 They'll say something like, just between you and me, I 309 00:13:57.559 --> 00:14:00.559 heard our departments getting a huge budget increase next year. 310 00:14:00.639 --> 00:14:03.639 Oh yeah, And if you're not careful, you might be like, oh, really, well, 311 00:14:03.679 --> 00:14:05.840 I heard we're getting a whole new software. 312 00:14:05.399 --> 00:14:07.799 System, right, you know, just get caught up in. 313 00:14:07.759 --> 00:14:08.279 It, you do. 314 00:14:08.399 --> 00:14:14.279 Yeah, So be extremely cautious. Yeah, shared secrets aren't always confidential, right, 315 00:14:15.039 --> 00:14:16.000 It could be a ploy. 316 00:14:16.320 --> 00:14:20.200 Okay, so the lesson here be very cautious about what 317 00:14:20.240 --> 00:14:22.919 you reveal, absolutely, even if someone else sees to be 318 00:14:22.960 --> 00:14:27.799 sharing sensitive information exactly. Okay, So we've talked about elicitation, 319 00:14:27.960 --> 00:14:31.399 these like sneaky tactics that are designed to get us 320 00:14:31.440 --> 00:14:35.320 to spill the beans without even realizing it. But what 321 00:14:35.440 --> 00:14:39.519 happens when social engineering gets even more theatrical. That's where 322 00:14:39.559 --> 00:14:40.639 pretexting comes in. 323 00:14:40.799 --> 00:14:41.240 You got it. 324 00:14:41.320 --> 00:14:44.240 Pretexting This takes it to a whole new level. It's 325 00:14:44.240 --> 00:14:50.159 about creating believable scenarios sometimes with like fake identities, backstories, 326 00:14:50.240 --> 00:14:53.480 even props, to gain your trust and achieve their goals. 327 00:14:53.720 --> 00:14:56.600 So they're like putting on a performance. 328 00:14:56.320 --> 00:14:59.519 Totally, Yeah, a one man show to deceive their target. 329 00:14:59.679 --> 00:15:02.559 Yeah. It's so crazy wild and so you know, just 330 00:15:02.600 --> 00:15:06.039 like with any good performance, research is key, Like they 331 00:15:06.080 --> 00:15:08.080 have to sound legitimate, right, so they have to know 332 00:15:08.159 --> 00:15:09.279 the lingo, the. 333 00:15:09.200 --> 00:15:12.159 Procedure culture of the organization, and they're trying to infiltrate. 334 00:15:12.360 --> 00:15:16.759 Yeah, it's like they're like method acting, method acting, really 335 00:15:16.759 --> 00:15:19.879 immersing themselves in the role. Okay, so give me the 336 00:15:19.919 --> 00:15:22.879 good stuff, Like what are some of the examples from 337 00:15:22.879 --> 00:15:23.320 the book. 338 00:15:23.799 --> 00:15:26.440 So one of the more simpler ones, right, which I 339 00:15:26.440 --> 00:15:29.480 think is still really effective, is the copyer repair guy 340 00:15:30.120 --> 00:15:34.679 needs mailroom access. It's all about appearances, right, and assumptions. 341 00:15:34.960 --> 00:15:36.919 You see someone in a uniform. 342 00:15:36.799 --> 00:15:38.559 Yeah, exactly. 343 00:15:38.159 --> 00:15:41.639 Carrying a toolbox, like, Okay, this person's probably legit, exactly, 344 00:15:41.679 --> 00:15:43.480 even if something feels slightly off. 345 00:15:43.360 --> 00:15:45.600 Even if yeah, and then you're like, oh. 346 00:15:45.320 --> 00:15:49.399 Man, it's amazing how our own expectations can fool us totally. 347 00:15:50.120 --> 00:15:51.240 Yeah, it's wild. 348 00:15:51.679 --> 00:15:55.320 The book also mentions the irs audit notice email this 349 00:15:55.440 --> 00:15:57.600 plays on our fear and urgency. 350 00:15:58.039 --> 00:16:00.639 Just those two words are enough to send like. 351 00:16:01.200 --> 00:16:04.919 Shivers sends me into a cold sweat. 352 00:16:04.600 --> 00:16:07.279 Oh my gosh. Yeah yeah. Yeah, so they're exploiting that 353 00:16:07.360 --> 00:16:08.159 fear totally. 354 00:16:08.240 --> 00:16:09.840 Yeah, right, absolutely. 355 00:16:10.120 --> 00:16:13.519 Okay, so even the most official looking emails. 356 00:16:13.399 --> 00:16:14.080 Ken be fake. 357 00:16:14.320 --> 00:16:17.559 Yeah, so always double check the sender, look for any 358 00:16:17.600 --> 00:16:21.000 red flags, and never click on links or attachments that 359 00:16:21.039 --> 00:16:21.919 you weren't expecting. 360 00:16:22.200 --> 00:16:24.960 Yeah, and actually this is a good place to stop 361 00:16:25.000 --> 00:16:27.000 for now, and we will pick up this conversation in 362 00:16:27.039 --> 00:16:27.519 part two. 363 00:16:28.240 --> 00:16:30.759 Okay, So where were we? Oh yeah, talking about some 364 00:16:30.799 --> 00:16:34.120 of these crazy social engineering tactics The book actually has 365 00:16:34.120 --> 00:16:36.240 this whole chapter. It calls it the playbook. 366 00:16:36.320 --> 00:16:38.279 Oh yeah, it's like literally a playbook. 367 00:16:38.320 --> 00:16:41.240 It is like a cheat sheet for how to like 368 00:16:41.440 --> 00:16:44.879 manipulate people, right, all these different pretexts. 369 00:16:44.919 --> 00:16:45.759 It's pretty wild. 370 00:16:45.799 --> 00:16:48.600 It's like you almost have to admire the creativity, but 371 00:16:48.679 --> 00:16:51.080 also like knowing about it is the first step to 372 00:16:51.240 --> 00:16:53.200 protecting yourself, right exactly. 373 00:16:53.279 --> 00:16:56.559 Yeah. Yeah, So walk me through some of these plays, like, 374 00:16:56.639 --> 00:16:59.639 you know, what kind of scenarios should we be on 375 00:16:59.639 --> 00:17:00.320 the look for. 376 00:17:00.799 --> 00:17:04.920 So one that's incredibly common and still super effective is 377 00:17:05.559 --> 00:17:07.720 like the security bulletin email. 378 00:17:08.000 --> 00:17:08.680 It looks like. 379 00:17:08.680 --> 00:17:12.880 It's coming from you know, Microsoft, your anti virus provider. 380 00:17:12.960 --> 00:17:14.079 Oh yeah, yeah, I've seen those. 381 00:17:14.160 --> 00:17:17.319 You've seen those. Yeah, and they're warning you, like about 382 00:17:17.359 --> 00:17:20.960 some critical security vulnerability, you know, try to scare you 383 00:17:21.000 --> 00:17:24.279 into clicking a link or opening an attachment to fix 384 00:17:24.359 --> 00:17:24.920 the problem. 385 00:17:25.039 --> 00:17:27.680 Yeah. Yeah. It's like using your own good intention against 386 00:17:27.720 --> 00:17:29.960 you totally, right, Like I'm just trying to be a 387 00:17:30.039 --> 00:17:32.519 responsible digital citizen exactly. 388 00:17:32.559 --> 00:17:35.160 You're trying to be safe, right yeah, and they're exploiting that. 389 00:17:35.720 --> 00:17:37.440 Okay, what else? What else? 390 00:17:37.480 --> 00:17:37.759 Okay? 391 00:17:38.160 --> 00:17:42.359 Bank security email alert they're posing as you know, a 392 00:17:42.400 --> 00:17:46.200 bank representative emailing you about suspicious activity on your account. 393 00:17:46.240 --> 00:17:48.759 I've gotten those two. Yeah, they always like make it 394 00:17:48.799 --> 00:17:49.799 sound super urgent. 395 00:17:49.920 --> 00:17:51.960 Oh yeah, they always do, right, Like you need to 396 00:17:52.039 --> 00:17:55.480 act immediately to prevent fraud, right right, right, And so 397 00:17:55.839 --> 00:17:58.680 they want you to act quickly without thinking. Yeah, you know, 398 00:17:58.720 --> 00:18:02.200 they might ask you to open attachment supposedly to review 399 00:18:02.200 --> 00:18:05.000 the transactions, but it's actually loaded with malware. 400 00:18:05.279 --> 00:18:08.319 Oh yeah. They play on our you know, financial anxieties, 401 00:18:08.400 --> 00:18:10.559