Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
A New Understanding of the Science of Social Engineering. Expert Chris Hadnagy.
A must-watch/listen episode! We discuss key topics of social engineering:
- Non-verbal communication
- The science of brain neuroscience
- Manipulation versus influence
- Strategic empathy
Chris Hadnagy is a professor at the University of Arizona, a best-selling author, and CEO of Social-Engineer, LLC and The Innocent Lives Foundation.
We discussed the first social engineering framework that Chris created.
We review his best-selling books, and you can find out more here.
www.innocentlivesfoundation.org
Thanks for being a Cyber Crime Junky.
Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ YouTube (formerly Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions. TEXT THE NUMBER ABOVE. We'd love to hear your thoughts and suggestions for future episodes!
Hi Cyber Crime Junkies. We are really excited about today's episode. It's with someone we've tried to get on our show for months. The topic: a new understanding of the science of social engineering. Mr. Chris Hadnagy joins us, and for those who have been through our cybersecurity trainings that we run as a public service, often alongside federal law enforcement, local field agents of the FBI, and the Department of Homeland Security, you're gonna remember this gentleman, and you will know that in parts of those trainings we show some videos. Those videos, we've been told, are really fun, engaging, and entertaining, and one of them usually contains the story of the Crying Baby, where a social engineer uses a YouTube video of a crying baby to socially engineer, hack, and deceive Verizon and the target victim, getting the victim blocked out of his account, taking over complete command and control of the victim's cell phone, and blocking him from even accessing the account without knowing her password, all in less than 30 seconds while we watch it happen. It's phenomenal. And in our trainings we show people how to protect themselves from social engineering and more. What's interesting is this: that video of the Crying Baby was part of Social-Engineer, and Chris Hadnagy stars in that video, and today he was here in our studio live. Chris is a bestselling author of several books. We'll link them in our show notes. He's a professor at the University of Arizona, CEO and founder of Social-Engineer, LLC. And what I love most is that he is the CEO of the Innocent Lives Foundation, which has successfully helped 475 cases of human trafficking, turning those perpetrators over to law enforcement. They also help keep geolocating those perpetrators who are trafficking children. This discussion is really about the first social engineering framework that Chris created. The conversation blew by; it went by really fast. We had great questions from those who got to attend live.
They even asked for a sequel episode. We'll be holding that livestream in late January. You can check out cybercrimejunkies.com for details or connect with me, David Morrow, on LinkedIn, and you'll get all the details for that upcoming livestream interview. We know you're gonna enjoy this episode as much as the attendees did and as much as we did here at Cyber Crime Junkies. This is your podcast, Cyber Crime Junkies, and I'm your host, David Morrow. And now the show. Lucky to work for a great group of people you really believe in. Find yourself making an impact. Technology is a river that flows through every aspect of an organization, and today is different. We put ourselves and our organizations literally at risk of complete destruction every single time we get online. One click, one distraction is all it takes. Hi, Cyber Crime Junkies. This is your host, David Morrow, along with co-host Mark Mosher. Come join us as we explore our research into these blockbuster true cybercrime stories, along with interviews of leaders who built and protect great brands, and now the show. All right. Welcome everybody to Cyber Crime Junkies. I'm your host, David Morrow, joined in the studio today with my illustrious, fantastic co-host, Mark Mosher. Mark, how are you today? Mark's not able to hear us. Chris, are you able to hear us? I am. I'm on now. I'm on. Okay. There you go. Mark, how are you today? You doing well? I'm great. I guess I just figured out my first podcast, my first time using a mute button on video. Oh, yeah. It's the first time for everything. And we are joined today... we are really excited about having somebody that we've wanted to have on the show for a very long time. Thank you very much. We were very humbled that you're here: Christopher Hadnagy, bestselling author, adjunct professor at the University of Arizona, founder of Social-Engineer, LLC.
We'll touch on those, and also what I love most: he's the CEO and founder of the Innocent Lives Foundation, and you're really the first creator of a social engineering framework that focuses on the psychology of social engineering. So we're excited to have that discussion. Welcome, welcome to the podcast. Thank you for that amazing introduction. Really appreciate it. Well, it's okay. You can use it as the foreword to your next book. Yeah, I'm gonna need to, I think. So I will tell you, we've been doing these cybersecurity awareness trainings through ingar, alongside federal law enforcement, for over a decade now. And one of the videos that we love to show is the one of you, and I believe it was Jen or Jennifer, I forgot. Jessica. Jessica, yeah. Where she socially engineers somebody. That was such a good one. Wasn't that impressive? It was such a great video. And we'll throw a link to it in the show notes of the podcast because it's really something everybody should watch if you wanna understand how effective social engineering can happen. They captured it, I think you said, in one take, right? Yeah. That reporter reached out to us and he had this concept of, hey, you know, if I said yes to everything, would you totally hack my whole life or try to? And we said, of course. Yeah, we'd love to. And then he goes, and then I'd like to come out to the conference and see if I could film some of it, or we can interview you about what you did. And he said, you know, if you're successful. And I'm like, yeah, okay. You know, and he was pretty tight on the internet. But we started our whole attack. He did one thing that was really interesting: he bought something on Alibaba.
When it was brand new, and he wanted to try to buy a bicycle on Alibaba and to see if he could get it shipped in. So I saw him, he tweeted it and he said, just bought my first thing on Alibaba. I'll be reporting on how this sale goes. So I went to GoDaddy and I bought shipping-alibaba.com, and I set up a phishing server and I phished him, and I said that there was some paperwork he needed to fill out to get the bike through customs, that this was an Alibaba customs request. And I had a whole form to get his home address, his full name, his date of birth, his social, his phone numbers, all the things that he needed that he wouldn't give me, that we needed to get to attack him. So once we had his home address and all this other stuff... he also had tweeted out that he used this service called Handy Made or something for a big mess from a little flood that was in their house. And he was complaining about how bad the service was. So I went and bought services handmade.com. I phished him again saying, you know, hey, we saw your complaint. We'd love to help you out and see if we can fix your unhappiness. And got his apartment address. And then from there I unleashed Jess. And Jess called... we called every phone service until we found out which one was his. We found out he was with Verizon, and then Jess... we did this thing where we played a crying baby, and that was in the video, but we did this first at home. And she was acting like his girlfriend, and the baby was brand new, and he's traveling overseas, and we need to pay the bill, but she's not on the account. Can we add her? So we ended up changing his whole password, adding her to the account, ordering some new phones for him. And at the end of the day he was like, what the heck? Like, I didn't think you'd get anywhere.
And that's when he came out to DEF CON and he was like, hey, can we try that again? Do you think you can do it, like the phone call again, just live? And we were like, no, let's try. That's phenomenal. Let's try. And we did. And it worked. I could not believe it worked, but it did. That's just phenomenal. And he was pretty tight. The video, you'll have to get it out of our show notes or go to YouTube. And yeah, it's funny because it is definitely worth it. Oh yeah. And he had been really kind of locked down before he had asked you to do this, right? His home address wasn't anywhere. His phone number wasn't out there. I mean, he was a reporter, so he had his stuff on the things he reported, and he had his email from Wired out there. But that was it, you know, and he was actually fantastic being an InfoSec reporter. He was not clicking on emails. Like, we had sent a couple phish before that and he wasn't clicking on those. So I really had to get deep into his... you know, the Alibaba thing, the Handy Made thing. We had to get all these different areas in his life. And then we ended up finding, like, his college email address, which he was using to control, like, his Amazon accounts and things, which we all owned. Oh my. For the day. So we ended up really just owning his whole life. And he was a great sport because he went public with it. I mean, of course, before we released the report, we helped him fix everything. Changed his passwords. Oh yeah, of course. And then he released the report because he was like, this is my whole life out here. I mean, yeah, his wife did have a baby, and we had pictures of the... we had just... there was so much stuff that we had on him. Wow, that's phenomenal. That's absolutely phenomenal. So let's touch on some of the books that you've written. The first one, I believe, was in 2010.
It was... social... Yes. Social Engineering: The Art of Human Hacking. And then you did Phishing Dark Waters, Unmasking the Social Engineer. And then you have a recent one, which is really good. It's Human Hacking: winning friends, influencing people. Let's back up a little bit. So how did you get into this? Like, what led you into this? I mean, were you a student of it? Did you start back in the day with hacking? Like, what was it like? I wish I could say I was a genius and that I had a plan. That's okay. Right. I can't. What I can say is I got dumb luck, dumb luck. Right. So I'll go back to high school days, college. I was in college for programming. Tell you how old I am. I was gonna be a Lotus programmer and do some C and some other things. And I fell in love with the idea. Modems were brand new. We had 2,400 baud modems and we connected them to the computer with LPT1 cables. Yes. Kids, if you don't know what that is, look it up. They're big cables. Right. And I daisy-chained two LPT1 cables together and created a script that I wrote that dialed... that was a phone phreaker. So I was one of those guys that would love to, you know, get the whistle, play the tone, make free phone calls, figuring out how phones worked. Always. Oh yeah. We've had payphone... we know several of them. We know a lot of the guys that started that way. I wrote this script that basically... I found out that we can generate those same tones on a computer. Mm-hmm. So I wrote this script that would dial a number, it would play a couple tones, and those tones told the number to basically disable itself for 60 seconds. And then it would hang up and dial another number in sequence. And then I threaded it through 16 different threads.
So I was basically calling something like, I dunno, like 45 or 50 phone numbers every second, and I shut down Sarasota County's phone system for a day. And it wasn't illegal at the time because I wasn't doing anything on purpose. I didn't mean to do it. It was a complete and honest mistake. Right. And the cops came to the college and they said, hey, who did this? And I was like, oh, that was me. And they were like, well, don't do it again. That was really bad. You know, you can get in trouble. And I was like, holy crap. And then the dean got mad and kicked me out. Got kicked outta school. Oh, you're kidding. That was my one month of college. Right. So wow. Holy, holy. But I fell in love. I fell in love with it. I said, this is what I wanna do with my life. You know, like, this was amazing. I said, this was mind-blowing, that you could do something like this. And I wanted to understand it, but not like... I wasn't looking at, I wanna destroy the earth. I wanna understand. Mm-hmm. Then things, you know, I was young, I was only 17, so things got in the way. I was like, you know, girls, surfing, other things, but, you know, I kind of lost interest a little, but I came back. So jump forward many, many years, doing different things in InfoSec. I end up landing a job at OffSec, Offensive Security. And I worked with a team there, the guys who make BackTrack and do all the training and pen testing. And those guys are some of the most hardcore people on the planet. I mean, anyone who's taken their course, you know, everything that they teach, they do; they're amazing. And I realized, I'm so glad I never finished programming because I wasn't made to do it. And we'd have an audit or a pen test, and I'd be like, hey, I really stink at writing these scripts or writing exploits. Like, can I just make a phone call and see if I can get a... Like, yeah, sure. Go ahead. So I'd call. Interesting.
I'd say, hey, this is Paul from IT, you know, we're doing a database update. I need your password. People would give it to me. And I was like, what the heck? Why did he give me that password? You know? And then the first time I walked up to a security guard... I had aptitude. Yeah, you'd be a great prospecting sales hunter. Oh, I tried that. Exactly. That's phenomenal. So then the first time I walked up to a security guard with a pest control outfit, the guy let me right in. And I'm like, why? So I started reading all these books, and you could see some of them, all these books on psychology and influence and persuasion and body language and nonverbals. I had this, like, thirst for knowledge, and I'd be highlighting in the book, and I'd say, okay, like Robert Cialdini's stuff. I read his book and I'm like, okay, he talks about this principle of scarcity. I'm gonna see if I can actually use this on purpose. And then it would work. Oh. So I started writing the framework that you mentioned, and it was a project for me, and I wasn't even doing it for the world. I just did it because I was like, I need to understand this. And I wanted to write a framework. When it got done, Mati from OffSec, he's like, let's put this online. So I went and I bought social-engineer.org. It was available, right? And we put it online, and I thought I was getting DDoSed because the website kept going down, but it was literally the internet blew up and wanted this. So here's how I got into writing, and this is, like, almost embarrassing how I slipped into where I am. Kevin Mitnick's publisher called me and she said, hey, I want you to write a book on that framework you just put on the internet. And this is now 2009, right? Wow. That's huge. That must have been an exciting call. It was, but I said... Really? No. Yeah, I said, I'm not an author, I'm just a little hacking dweeb. You know, I'm a nobody.
I said, I don't wanna write a book. I don't even know how to write a book. I'm like, I can barely write a paragraph. I'm like, nah, I'm not interested. And I'm talking to Mati and I'm like, hey, you gotta hear this crazy call I just got. You know, Kevin Mitnick, like, the man, this publishing company... Wow. Asked me to write a book. And he's like, so when do you start? I'm like, oh, no, I told her no. He's like, you're a moron. Like, call her back right now and tell her yes. And I'm like, dude, no one's gonna read this book. Like, it's gonna be a failure. He's like, just do it. I'm like, okay. So I call her back and I'm like, hey, so, you know, listen, I was rethinking it. You know, I'd like to do it. I just want you to know I'm really nervous. I'm not an author. There's no problem. We have editors, we have copy editors. We'll help you with everything. So I took a year. I started that in 2009, and then that book, like you say, came out in 2010, and I had no clue what I was in for. I did not know that was gonna help create an industry, that that was gonna start something. As soon as that book came out, I was getting calls from big companies asking me to consult with them. I got job offers and I kept saying, no, no, I don't wanna work for anyone else. And then one really large company called me and I just, outta the blue, said, listen, I don't wanna work for you, but I'll be a consultant, you know, so you could pay me as a consultant. And they were like, there are no social engineering consultants in the world. And I'm like, right, so I'll be the first, right? And you could pay me and you could be the first to have one. And they were thinking about it, and I came home and I tell my wife, hey, I wanna quit my job and I wanna start this company that does only social engineering. So she says, okay. How many people did... where were you working at the time? Like, office? Oh, at Offensive. Okay, got it.
Yeah, I had a great job with an amazing team. Oh yeah. I was learning every day. I loved the people. It was unbelievable. So here I'm saying, like, I wanna quit this. And she says, well, how many people do it and how much do they make? And I said, well, nobody, so I can't answer number two. I can't answer the second part, right? And she's like, can I think about it? I said, of course. You know? So a couple days go by and she's like, hey, let's try it. Let's take a risk. Let's try it. That's exciting. But we did. I quit my job. I started this company in 2010, my book came out, got the first client, and now 12 years later, here I am running the company with almost 20 people doing this every day. Right? Oh yeah. And you got some of the best of the best, too. Yeah. Really? Do you know? I mean, just absolutely phenomenal. So when you developed these four books, right, who were you speaking to? Because I think your last one is really different from the first three. Yeah. Well, walk us through that. Yeah. That's a nice question. Okay, so that first book, you know the story. So the second book was Unmasking the Social Engineer. And honestly, I feel almost a little bit selfish because that book for me was a very personal book. I was a huge fan of Paul Ekman. He was one of the first scientists whose book I was ever able to read and understand as a layman. And I'm like, if I ever write, I wanna write something like him. Like, he took really intelligent things and he made it so people like me can understand. Then I had the privilege of having him on my podcast and we became friends, and I actually flew to San Francisco, where he lives. I sat and I talked to him and I said, you know, Dr. Ekman, I wanna write a book on nonverbals, but I'm worried about doing it, 'cause I'm not a scientist, I'm not a researcher. So would you support me?
Would you co-write it with me? And he said yes, which I couldn't believe. Right. So we wrote that second book together, and that one was to the social engineering community, people who wanted to do this, or people who are blue teaming and protecting, that needed to understand how powerful the nonverbal aspect is when you're doing in-person social engineering or when someone's trying to scam you. Yeah. And that book was integral for that. Then my third book: I actually have one of the first patents in the world on a phishing process. The SaaS had just gotten big, they'd gotten huge, but what really irritated me is most phishing SaaS were focusing on one thing, and that was click ratio. Right? And I was one of these guys who was very vocal, and I was always getting people to hate me. And I was saying, you know, click ratio is a useless statistic, because... let's just... Why is that now? Why is that? I mean, because I tend to initially buy into that. Mm-hmm. I tend to think, well, if we can evaluate click ratio, we can see who the super clickers are, we can evaluate it and then specially train those people. Right? So, let's back... and I don't say it's... It's useless alone is what I'm saying. So let me explain what I mean. I'm an Amazon junkie, right? Let's say you're not. So if you and me are working in the same office, we're sitting in two cubes next to each other, and the phish of the month is an Amazon phish, I am statistically more likely to click it, where you're like, absolutely not, I hate Amazon. You're not gonna click it. So click ratio only tells the security department a moment-in-time vulnerability for that particular pretext. But now here's the important ratio, which is reporting. So how many people report the... not just click it. So I say, oh, absolutely. Right? So we grab these stats. That's a much more important step. Much more important, right? Much more important metric. Yeah. Agree.
So I say you grab who clicked and did not report, who clicked and did report, who did not click and did not report, and who did not click and did report. Now those four stats can give you a very holistic picture on your phishing, right? So I developed this patent on a levelized process, how to do phishing levelized, that tests people in the proper area for their particular vulnerability. And that patent came out and the phishing world went nuts. Like, people were trying to steal it and change it and whatever. So I said, you know what? Screw this, I'm gonna write a book on it. So I wrote my third book, Phishing Dark Waters, and it basically was: here's my patent, here's my process. The world can have it. Go do it. You can have it for free, because I don't care about being the only... I said, this is the way to fix the phishing problem. You're trying to get people to change. You're trying to boil the ocean, which is kind of what we're trying to do, right? And I love that because this is like the pretext for our conversation, right? Is the fact that people... like, literally I had a retired FBI agent on last week, and he was even saying, he's like, I've offered to go and speak at schools and train the people at no cost and they won't even return my email. We speak with business owners all the time that are like, everybody knows not to click on links. Right? Everybody. Why is it still the biggest problem, right? Like, that's why 80% of all the data breaches happen, right? 'Cause they're doing it, right. Like, they don't know. Yeah. That's the issue, right? Yeah. Unbelievable. Yeah, so I mean, it's like boiling the ocean, right? Yeah. Like, we're trying to change behavior and it's just so important, and yet kind of just dismissed across the board. I wanted to ask. Yeah. So Human Hacking, your fifth book, your most recent one. It does...
David had mentioned it has a different feel. It does, I think. I don't know. It feels like maybe the audience is intended to be a different audience, or maybe... so this is the first one you had Seth work on. Maybe you can tell us about that. Yeah, yeah, it is. So let me just finish with the... the fourth book was a rewrite of the first one. Oh, okay. After 10 years of doing this for a living, I realized that my first one was Social Engineering: The Art of Human Hacking, and I kind of did it as an ode to... right, because his was The Art of Deception. And is this your fourth one? That's my fourth one. Science. This is The Science of Human Hacking, right? And then what I did is, this is just like the first one, but it's better. It's like, yeah. Yes. Thank you. Yes. Much, much better. It's written with 10 years of experience. There's a lot more stories in it and a ton of science, which is what I love. Like, actual, real research papers that I didn't write, but I used them to prove the points that I was saying. So now to your question, Mark: the thing that happened to me is, after I'm now doing this for a living, I'm realizing that, hey, I'm using some of these same skills every day with my kids. I'm using them with my employees. I'm using them with people that I talk to, with my therapist, with whatever. I'm using them every day. And I'm not doing it to manipulate people, but I'm realizing that the more I communicate properly, and I use communication profiling tools, and I use things that help me learn how you want to hear a conversation, that I'm getting more done and I'm actually achieving better results in my work. Mm-hmm. So I said, you know what, this is like using social engineering for everyday life. Yes. So I approached a book agent. It's almost a sales methodology. Yeah. Honestly, right? It really is.
So that's a great take on it, because here's what happened. I approached first Joe Navarro; he's one of my mentors. And I told him, I said, I got this idea. I wanna take all the work that I did for the last, like, 10, 12 years now, and I wanna write a book that is for everyone, not just for the InfoSec industry, mm-hmm, that anyone can use these skills. And he's like, that's genius. And he introduced me to his book agent. His book agent fell in love with the idea and went out and started selling this to publishing companies. And HarperCollins bought it. So that's when I met Seth, because I'm like, okay, I need... I see someone saying he's testing the therapist. Yeah. In a sense, I am. Yeah. You know, you have to... you wanna make sure they're good. Right, right, right. So Harper's, you know, the way when you write with a big publisher... you know, I'm not trying to insult. Wiley is amazing. I love Wiley and I still love them, and I'll work with them again. Harper's does things where they want you to have a ghost. So I got introduced to Seth, and Seth was amazing. Like, he got the concept right away. And normally when you work with a ghostwriter, they don't want their name on the book. They're like, well, that's not the way it works. But I loved working with Seth so much. Like, honestly, the way we would do it is we were getting on a call like this, because it was during COVID that we started writing this, right? We got on a call like this and we would talk for two, three hours and he would record it. Then he would take that recording, have it transcribed, and he would write a chapter on what we talked about from that, and he would send it to me. I would edit it and add my own language to it and things like that.
It was such a great experience that I said, look, you need to be named as a co-author, because you did so much. Like, he was just such an amazing part of the process. So I talked him into that, and I was really happy I did, because he's great. But you're right, the feeling of that book and the audience for that book... I had some amazing experiences when it came out. I had a group of parents that reached out to me that said they bought that book to help them learn how to communicate better with their children, and were using it in a parenting group. I didn't expect that. Oh, absolutely. Oh yeah. I had... what you said was why it kind of made me smile... I had a group of salespeople reach out and say that they bought it and they started a book club for salespeople and they're using it. And I had a book club inside of Apple that called me and they were like, hey, we're reading your book to help us be better employees. Can you come in and speak to us? So I've had these amazing experiences with that book, things that I didn't expect when I put it out, that it was gonna affect so many people in different ways. Well, let's talk about why, right? Like, let's talk about why is it that people think it's so easy and obvious not to click on links, not to put in USB drives, not to go to rogue websites, right? And yet we constantly get fooled as human beings. What's the... let's talk about the science behind it. Yeah. Like, the neuroscience. Because I think the better that we understand that... to me it's about, like, breaking bad habits. And so can we kind of hijack that? You know, it seems to me like most of the social engineering ties to greed, fear, urgency, a sense of urgency, right, curiosity, helpfulness. Like, those tend to be common themes that the phishing emails appeal to, right?
And then what is it about the human mind, with the levels of our thinking, right, the reptilian brain, the limbic brain, and then the neocortex, that makes us act upon some of those? And what can we do to pause that? Or what processes can be in place? Like, walk us through some of it. Yeah. So let me talk about a book, some research that was done by a researcher named Dr. Daniel Goleman. Mm-hmm. He wrote the book Emotional Intelligence. Amazing, amazing book. In that book he talks about a phrase that he coined called amygdala hijacking. Yep. The amygdala. We have two. So the amygdalae are these two walnut-sized pieces of gray matter in the brain, and they process external stimuli and then create psychological and physiological change based on that external stimuli before your brain has a chance to catch up. So let me give you a very rude American... it's a fight or flight, right? Yes. Kind of. Exactly right. It's when we know there's a huge woolly mammoth in our village, we must run, right? Yeah. Like, it's in that part of the brain, right? We have to get outta here. I'll give you even a more current example. Like, let's say you're deathly afraid of snakes, right? So you're walking through your yard and out of the corner of your eye, you see a long black thing in the grass. Well, what will happen first: your eyes will open wide. Your lips will pull back towards your ears. Like, eek, you'll gasp for air. Your muscles will tense and you'll freeze. Now, why does all of that happen? Let's think about the physiology of that. Your eyes open instead of closed like this, because if they're closed, you can't fight or flight, right? So your eyes open to take in the surroundings. You gasp for air to oxygenate your blood and prepare for that fight or flight.
And the, the muscle tense releases adrenaline into your bloodstream, which prepares you for the fight or flight, right? Right. Now, all of that happened in, in a matter of milliseconds, but now a millisecond, 150 milliseconds pass and your, your visual cortices catch up and it goes, oh, that's the garden hose. Right. And you just return back. You go, you walk through the garden, oh, that was silly, and you kind of laugh it off. But if in the 150 milliseconds later, your visual cortices catch up and it's a giant black snake coming towards you, your brain and your body is now prepared for grab a rake and defend or run, get the heck out of there. Whatever it is, you have been now prepared for that next action. The amygdala creates that environment. And what Dr. Goleman found is that when the amygdala is hijacked, the frontal cortex, where all this logic and wonderful things happen for critical thinking, that's shut down. It's not in use. So now let's trans, let's transport this over to, to social engineering phishing. Right. Okay, so let's, let's, let's pause for a second. Let's break that down. So when amygdala hijack happens, we can't process rationally, right? We can't. Okay. So the logic part is shut down, that neocortex is. Right. It's disconnected. Big wooly mammoth is still in the village. We gotta get human, wooly man. Right? Imagine if, if your brain took time to critically process at that moment, like imagine if at that moment that snake or that wooly mammoth is running towards you and your brain's like, well, let me think about this for a moment. I mean, I could go left, right? For hundred years. Like I, pretty much, they're not around. I need to get closer to that snake. Is it poisonous? I don't know. Right? No. Instead, your body has just been prepared to get the heck out of the way and you'll assess danger later. Mm-hmm. Right? And critical thought is, is going to stop you from those actions that you need.
So now we, this is why I always hate that phrase that says, there's no patch for human stupidity, because this is not about being stupid. This is the way we're. Right, right. This is the way that we're actually made and this is the way we work. This is the way our brains work. And does it cause problems? Yes. Does it cause vulnerability? Yes. But it also is a saving part of us when there's danger. Now there are fixes. Dr. Goleman found that something even as short as a 5, 10, 20 second pause could be enough to return your brain back to critical thinking. Oh, right. Okay. So, so imagine this, you get that email and it creates fear. Oh my God, my credit card was just used on a big sale or a big order on Amazon. And right away you wanna click the link. But if you have a script in your head that says, Hey, when I get an email that makes me feel fear, pause for a second. So now I take my hand off of the keyboard and the mouse, and it gives me that 15 seconds to go, wait, could, is this real? And I go, wait, you know what I need to do? I need to open up a browser. I need to log in to smile.amazon.com. I need to go check my account. Not click, click that link process. Okay. That's so key because in all the security awareness trainings that happen, they always say, well, don't do this. Go and do this instead. Go and verify. Right? Don't trust but verify first before you go act on something, especially if it's against your own financial personal interest. But what happens is an amygdala hijack happens and we don't process, we don't even follow those steps. So by pausing, which is really key because we had, uh, we had, um, uh, Dr. Abby on, who is Oh, she's great. She's great, isn't she? Yeah. Who just became your director of education, I believe. Yes. Yeah. With Social-Engineer. And she was telling us about that.
She goes, it's remarkable how the, the pausing of several seconds can actually transform and open the floodgates of your mind so that your neocortex, your rational data thought process can actually address it, because otherwise you're just gonna stay in that emotional fight or flight stage. It's, it is, it is amazing when you think about how simplistic the fix is mm-hmm. and yet we try to make the fix so difficult for people. Like you said, in those security awareness trainings, we'll say things like, don't click bad links. Right. How do you know what a bad link is? Yeah. Right. Like, you, you haven't taught me that. Right. So if I'm, if I'm brand new and I'm sitting there, I don't know what a bad link is, like, teach me that first and then maybe I won't click it. So you gotta give them something to do that is immediately actionable by saying, Hey, when you get a, a, an email like that, pause for a second. Mm-hmm. Don't click anything. Just open up your browser and log into the account the way and, and the way that you know you should and check your account that way. Now you'll see, hey, that wasn't really an Amazon email. Like, I need to, you know, give that some serious thought. That, that can save people unbelievable amounts of suffering when it comes to falling for, for phishing emails. Absolutely. What about, um, what about physical, uh, attacks? Like physical, I don't mean physical attacks, like Yeah. You know, like, like a physical assault on somebody, right? I mean the, the compromise of private information Yeah. Through physical breaches, right? Yeah. Like, like showing up at a, at a, at a business with a whole box of donuts, getting, breaking into the door, and then you're able to put jump drives on, you're able to log into the network. Yeah. Things like that. Um, why do people, why do people trust strangers so much? Yeah. When, when you see on the news, it's so often that we should know not to. Okay. This is a great question. I love it.
And, and I'm gonna, I'm gonna answer it and I'm also gonna tell you a story to get, to give you the solution, but the, the, the first part, the answer of why is this is again, the way that we need to be as humans, right? So think about this. If everybody we met, we automatically distrusted them, right? How hard would it be for the human race to stay? Right. If every time there'd be no procreation, right, right. Because we'd be like, well, I don't trust you. You're probably a serial killer, or you're probably a horrible human. You're probably a terrible person. Instead, we're designed to have this natural trusting ability because it helps us remain and continue the human race. Right. The opposing of that is we walk around feeling paranoid, afraid, and, and angry all the time, which is what we see happening in the world now. Right. But, but that does, but because that's the answer, some people go, well, there's no hope. Well, let me give you a story for this. We had this situation where, um, I, I was breaking into a building, right? So the job was to get past this, this woman who was the front desk, and to get in and, and for listeners that might not know how this works, uh, organizations will pay people like Chris. Yes. who actually good vulnerability. Good point. It wasn't like Leon over on the corner said, dude, break into that bank for me. Thank you. That, I guess that that's a good, that's a good opener, man. Just qualify them. Otherwise, I'll get a bunch of emails and they'll be like, what are you doing? You had a fee fund? No, no. Yeah, these companies hire me to do this. And their buildings, so that way they know what the vulnerability is. Kind of think of it like going to your doctor and getting a physical, right? You pay the doctor to stick needles in you, take x-rays, you do all sorts of stuff. And he comes back and he says, Hey, here's your problem. So that's what a company does. They hire us to do that.
Um, I'm walking up to the front door and there's a guy sitting out in his car in the spot that's marked, uh, CFO, and I can hear him through the window in his car, and he is talking very loudly and he's, he's angry and he's saying things like, I really don't wanna do this today. I really don't wanna do this. And, and I'm like, oh man, I don't know what's going on. But I'm like, this is a bad day for me to be here. I walk in the front door and I could, the woman who's the front gatekeeper, I could see her monitor. It's just turned enough that I can see, and she's playing a video game. Now, I was not doing SE at this point, at this point. I really was like, man, this guy's mad. If he walks in and sees her, he's gonna be upset. So she, she looks up and she goes, how can I help you? And I said, look, you don't know me and I'm not judging, but your boss is outside and he sounds really ticked off. Like if he walks in and sees the game, he's gonna probably, you know, be upset. So she closes it and she goes, thank you. And that was really nice. Now how can I help you? And I've started telling her my pretext, which is I'm here for a meeting with HR. I have an interview, and the guy walks in and he says, Beth, I need you in my. So she goes, excuse me for one minute. So she gets up, she goes to the office. As she's closing the door, I catch eyes with her and she mouths to me, thank you. Right? So she says, thank you. So I'm like, okay, now I'm back in SE mode and I'm like, this is it. I gotta wait. So I'm out here 5, 6, 7 minutes. People come up and go, Hey, are you being helped? I'm like, yeah, she has, Beth's got me. No worries. Right? So Beth comes out and she goes, did no one come to help you? I'm like, no, man. I guess everyone's busy. They're, they're waiting for you. So she's like, oh, well where were we? And I said, oh, I'm late for my meeting. I told you about in HR, so you were gonna buzz me in.
And she stops and pauses and looks at me for like a good two to three seconds. You know how long that is? Like in sound long there? That's three seconds. That's a long time, right? Yeah. And she's looking at me. N no. Like, no, like that didn't happen. But she's also in her brain thinking, well, like this guy was so cool and he helped me not be embarrassed. Just helped. So you gave value upfront. You established trust upfront. Yeah. Like, I can't be bad. I just helped you from, right. I just helped you. How can I be a bad guy? Getting him trouble with your boss. So she says after that two seconds, she goes, yeah, I remember. And she hits the button. Then buzzes me in. Now I go in and hack the whole place. Drop a bunch of Pwn Plugs, USB keys everywhere. You know, I'm, I'm doing all sorts of bad things, right? So I get out of there, we write the report, uh, later on, I said during the report meeting, Hey, is there a chance I can just talk to Beth? Like I, I'd love to talk to her because she's about to get in real big trouble with her boss, Yeah. Well, one of our rules, you don't apologize, I gotta tell you, one of our rules is, um, um, is, is that we, we always say to companies that do not fire people for the results of our tests. Right. Unless they're doing something illegal or immoral to your company. Right. Because we are not, we are not uncovering stupid humans. We're uncovering humans that need training. If you fire Beth, it's more about the processes you have in place. Yep. Or, or the culture you have in place at that organization. Exactly. Not the individual people that are following that process or culture. If they fire Beth, whoever they replace her with is gonna be the same. It's gonna do the same thing. Right? Right. Exactly. Until they fix the process. So here's what we did. We got Beth on, she told me exactly what I thought. She says, you were so nice and I could not say to you, to your face, Nope, you're wrong. I wasn't gonna buzz you in.
And, and she said, because you helped me not be embarrassed. And I thought, how bad could he be? So I said, okay, so the guy comes back, fix. She almost knew she shouldn't. Yes. Oh, she knew, but she still acted against her own interest because she trusted me. I was a good guy. Right? So the boss comes back and he says, there's no fix for this. I go, yes, there is. I go, here's the fix. And this is what we did. What is fix for? The fix was we changed it. So Beth had to print a badge, but she could not press the button. The button was pressed by a security guard. So we had them hire a security guard at the door, and the button was by him. Now I can go to Beth, I can schmooze her all day long, and maybe I get her to give me a badge with no ID. Right? But if I don't have a badge, that security guard is not pressing that button. Nope. Right? So if I got past her, like I did, saying, oh yeah, I was just heading into HR because I'm late now. And she goes, go, go. The security guard's gonna go, where's your badge? And I'm like, oh, Beth didn't gimme one. Go back and get it. Yeah. So by, by taking all the power out of her Right. It lied in reorganizing the workflow. Yes. Right. The policy. Yeah. That's so important. It's so important's great. Cause so many organizations focus on, well, if we have this system in place on our infrastructure, we're secure. Yeah. Okay. It's, I'm not like, it's needed for the infrastructure. Don't get me wrong. We're not saying you don't need that, but you're not secure. Like, it's, it's because when people are letting them in, right. Doesn't matter how good your firewall is, it doesn't matter how good the monitoring is on the network. Right. Like it's gonna be we're, we're letting 'em in. Yeah. And that, and that seems to be overwhelmingly depending on what article we read or what stat you pick. Between low 60% or 80% of Right. All data breaches are caused by us. Yeah. Right. It's caused by every single time we get online.
And, and I tell people, it's a combination, right? You need the firewalls, the antivirus, of course you need the IDS, the IPS, you need all that stuff. Well, otherwise, it's, it's gonna be a hot mess. Right? Right. Otherwise need it, it's gonna be worse. Right. But you also need the training and the policies and, and the human side of it. And it's not, one isn't the answer. It's, you know, it's like saying, look, I can go and I can diet all I want and I will lose weight, but I'll gain no muscle. Right. So if I wanna be in good health, I have to eat right. And I have to work out. Those two things together make me in good health. One or the other may do a little, but it's not gonna make me in good health. Right. So it's, it's a combination. And I see, I just want to answer this one question someone asked. They said they missed the name of the book in the beginning. It's called Human Hacking. Yep. Um, so you can actually see it Right, right there behind me. There we go. And we'll have links to that as well. Yeah. We'll, we know, Chris, that that brings a question to mind as a, as you were talking about, is there a difference between influence and manipulating life manner? Is that a great, so I love this question and I, I chuckle because what's, what's interesting is that my answer is gonna be a little controversial. And I had, I had Dr. Robert Cialdini on my podcast, and we actually, and it's hard to disagree with the guy who actually wrote the book on this, right? But let, let's define the, let's define the terms, right? Yeah. Manipulation is tricking somebody to do something against their own interest. Is that a fair definition? It is. So influencing is like inspiring somebody to wanna do something. So I'll give you my, I'll give you my definitions. Uh, manipulation is, is getting someone to do something regardless of how they feel about it. Oh, okay. Right. That's good. Where influence is getting someone to want to do what you want them to do.
See, and the reason I, I, I separate that is that kinda is a very basic thing. Like if you think of the word influencer online, that usually denotes someone who is good, someone who is, um, helping people. Someone who is looked up to, whereas you say a manipulator, that's not someone that you really enjoy. Um, yeah. There, there aren't a lot of social media manipulators advertising themselves. Right, right, right. So I'm a social media manipulator. You know, I think of manipulation as, I want you to do this thing. I don't really care how it affects you mentally. I don't care how it affects you psychologically. I don't care if it's gonna hurt you or your job. Right. I need to win, so I'm gonna get you to do this. Right. Whereas influence is like with. At the end of the day, um, she liked helping me. Mm-hmm. She felt good for helping me even though it wasn't the right thing. Right. And she needed training and some policy change to help her, but she didn't feel dirty or bad afterwards. She felt good. Right, right. And so it's okay when you influence someone. They are, they, they come up with the idea to help you and they do it and they feel good for doing it. Makes perfect sense. Yep. Yep. So, so let's, what's your take on the rise? I mean, the FBI even has recent warnings on the massive onslaught of business email compromise threats. Yeah. So what, first explain to the listeners like what is business email compromise and then how does this psychology play? Um, yeah, so this, this is a really interesting piece, right? Because, um, the, you're right, and for years now, the FBI's been issuing these reports and warnings, uh, about BEC. And if we, if we think about, um, let's just think about like some of these wire transfer scams that, that this happens to. Mm-hmm. Somebody gets a call or an email and a lot of times what I've been seeing in, in our clients, it's a dual attack.
So they get a call and they say, Hey, uh, this is, this is Paul over at your vendor, and they actually have a vendor that you're familiar with, which is not hard. Through OSINT, through open source research, they can find out who your vendors are, who you use, who you, who your HVAC vendor is, who your print vendor is. All of that is pretty, you know, ZoomInfo even has that stuff. Yeah. There's a, a lot of there, there's a lot of even open source ways to find out who the preferred vendors are. So they call and then while they're on the phone they say, Hey, I'm gonna send you an email because this invoice wasn't paid. So now I'm talking to you. So you already have this belief factor cuz the caller ID says your vendor, I'm telling you I'm from the vendor, now I send an email and you open the PDF. And it has the logo and everything on it, and it has an amount, and it says this wasn't paid. Now that person's job, as accounts payable, is to pay these things. And if not, man, they may lose their job. Right? So think about the effect here on, again, amygdala hijacking, like, whoa, we didn't pay this. Now it's 60 days past due, right? And I think it was, I don't want another meeting with my boss on that, right? Why I missed that payment. I, I think it was last year or two years ago, Toyota, I think it was Toyota, lost 34 million in this very scam. Um, I mean three wire transfers. They did the one, this one attacker did. It did three phone calls to them over three separate days. Finally, after the 34th million dollar was transferred, someone higher up went, wait, wait, why are we sending all this money to this, to this account? Mm-hmm. and started looking at it. By then, of course, the money was gone. The $34 million lost with three wire transfers. Unbelievable. Well, Mark and I have, I've got two stories to share with you.
One, Mark and I were meeting with the CIO of a, of an organization, and, uh, we're meeting, we're sitting down, this is pre-Covid, this is back in the day when we would sit in person, right. And we're talking to her about doing some cybersecurity work, et cetera. And she, she sat down and we, we were talking and was asking about the background and stuff, and one of her, uh, assistants walked by and said, Hey, I, I, um, sent out that 124K, um, it, it got wired over to XYZ vendor like you asked, and walked by. She goes, okay, thanks. And then we were talking white, a ghost. Yeah, we talked for like a minute or two, and then all of a sudden she turned white as a ghost and she goes, hang on. And she went out and we heard them talking. You hear a run down the hall? What are you talking about? She's like, your email, you told me to do this in an email. Your email. She goes, I never sent that. I didn't. And we had to pause the meeting. We had to meet like three weeks later. No. Yeah, it was, it was gone. Yeah. And then another, I mean this is, this happens on a regular basis. Yeah. Regular basis. Another time was, uh, a school district. I don't wanna say where, cuz people will know, but it's in the Midwest. Right? And they were having a building set up, an elementary building. Well, school districts, everything's public, right? The contracts are public, everything else very well-known. Construction firm was engaged. They had the designs, they had the phases of the construction. It's all online because they have to, they're meeting on a regular basis. The treasurer of the school district with the, uh, superintendent of the construction project. They're meeting every, like Thursday morning they're talking, they're talking one day. Uh, big windstorm happens. They even talk about the damage that the crane happened. While they're building it. Right. So they talked about that. And then phase one was done. Uh, they send the invoice, uh, it was $800,000.
It's a true story. $800,000. Uh, they, they send the invoice, they pay the invoice. The following Tuesday, the construction company contacts the school. They said, we're gonna cease, uh, construction because we weren't paid for phase one. Oh. He said, well, we just paid you Thursday. Uh, we've been meeting with Todd, the superintendent every, every single week. They're like, we don't have a Todd. We don't have a Todd like this. What are you talking about? They had somebody posing as that going out to the site and watching it. Right. And they, they, they contacted us. Right. We contacted the FBI. Yeah. And that Thursday, $800,000 was liquidated over the Middle East. It was not, it was not. They had, it had been orchestrated so well. Yeah. That, that and, and just the, you know, the embarrassment for the administration. Yeah. It was just, it was just brutal. The extent to which this happens. Right. And, and the, the only thing that was different, the invoice looked the same, just like a regular vendor. Wiring instructions at the bottom. Yeah. The routing instructions were done. I mean, you think about it, like even if it took them a couple months to set up, the payout is huge. Right? You're talking about a million dollars right here or millions of dollars. Yeah. In that case with Toyota, $34 million, so Right. If it took you six months to set up the whole attack and buy domains and all of that, who cares? What's six months worth of work for 34 million bucks? That's good money. Like, who knew that cyber crime. Right, right. Like it pays handsomely. That's why it's such a problem. Yeah. Um, yeah. So what, I've got a question, David, real quick. Yeah. Please. As I'm sitting here thinking about this, I'm thinking from the human side, right?
Because that's kind of where I feel like your fifth book really is, is it's that, that human hack really, when it comes to this, I mean, we're talking about emotions and, and brain processes in, in mental states, you know, is there some part of this that, does empathy play a role in this when it comes to like, human hacking? And, and if so, is, is empathy like on a spectrum? Is it there like an empath on one end and no empathy on the other? Or is there anything in between? What's that look like? Yeah. You know, I love that question. Um, that, that's a really good one. Uh, so I, I talk a lot about the role of empathy in social engineering. So I'm gonna talk about it from two different angles. First, as a professional social engineer, I think empathy is essential. Um, mainly because empathy will stop me from using pretexts that will harm other people. Right? So let's think about this. I think it was last year. Yeah, not this year. Last year we saw two major companies who, because of the pandemic, told their employees that there was no money for bonuses. You know, things were hard, things were tight, so no money for bonuses. And that very same month, the IT department decided to use a bonus email as their phishing education test. Think about how horrific that is for those people. Now, here's right, Sally working at, at this company, she's a single mom. She uses that bonus money every year to buy little Johnny his Christmas presents and make sure the end of year goes good. Why would you not fall for that social engineer? And it's appealing. She gets told there is no bonus money, right? So she gets told there is no. So now she's worried and stressed and anxious. How am I gonna help? What am I gonna do for Johnny? How am I gonna make Christmas good? Blah. She's sad and she's depressed. And then she gets the phishing email. And she, she sees that, oh, there may be bonuses. All I gotta do is click here, and then finding out that that was your company's test. Right.
See, empathy will make me say, I'm never gonna do that to someone. Right. Because that, I don't know how that could have, I don't know if, if you're living paycheck to paycheck, I don't know if you're in debt. I don't know if you're going through a horrible divorce. This is not the way to test people. You don't. Right. Yes. We are called adversary simulators, but just because I need to think like the bad guy doesn't mean I need to be the bad guy. Right, right. Okay. Empathy important in that. Second is empathy does play a role in us being vulnerable, but I would never, ever want to educate empathy out of. Right. I wouldn't wanna do it because I, I'll, I'll take vulnerability and be empathetic than be sociopathic and no vulnerability. Right. Because I would agree. I, I would agree. You can still be skeptical. You can still verify. Sure. You can still like, have a process in place to verify and still be empathetic. Yeah, a hundred percent. A hundred percent. And, and, and I wouldn't want to create, like I think about my kids, right? Raising my kids, trying to have them be secure humans. I would never want to have my kids, um, grow up lacking empathy for other people. Absolutely. Just so they can be secure, right? So you take the vulnerability, but you also want them to have that, that good emotion. So it, it's more of, uh, you know, Mark, it's more of like knowing that this exists. So we need to know that we are vulnerable because of this emotion and because of that, um, we just need to have those processes in place. Yeah, that's, that's phenomenal. You know, we've been reading a lot and I know that we're, we're coming up on time here. We could talk to you for hours, more questions. Yeah, so, so we've seen a rash of breaches that have involved, you know, a big impetus right now in our organizations to have multifactor authentication, you have to have multifactor authentication on everything.
In order to get insurance, cyber insurance, you have to have multifactor authentication. Can't just have it on some things. You have to have it on, on, on everything. Um, and it's key. It's critical, right? It's, it's definitely a pausing step. It's a good step. It's absolutely needed. But we've seen some major breaches where they've played on multifactor authentication fatigue. Yeah. How does that relate? So it's, it's kind of like what you and I were talking about just a few moments ago about like how you need antivirus. You need IDS. Mm-hmm. You need your firewalls. Well, why? Because they're vulnerable. I mean, think about what is an antivirus? Antivirus is only gonna save you from known signatures. Right. The list it. Right. It's not gonna save you from a zero-day bad code. Right. It's all, it's right. If it's a zero-day attacking, you're screwed. But I would never tell a company, don't have an antivirus. Right. Because that's gonna save you from 99.9% of the low hanging fruit. Exactly. And two-factor auth or multi-factor auth is necessary because it's gonna save you from 90% of the attacks when some, when your password's out there, because what is it, 68% of the people reuse passwords cuz they're not using password managers. Oh. So when, when Yahoo gets breached and all those passwords are dumped online, um, two-factor auth is gonna save you from having your other accounts compromised. Right. But is it a hundred percent fail proof? It's not. Right. And multi-factor authentication fatigue. What's happening is they just keep pinging them. Yeah. And they're like, well, I know that that's not me. I'm over here doing this. Why do I keep getting these? But eventually they like, I think it was the Uber breach where then they reached out to the person by WhatsApp and they're like, we're the IT department, can you please click on this? And yet the person clicked on it. And I'm not blaming the person. I'm, I'm curious about what's the science behind that?
Why did that happen? Is it just irritation? Is it like they, they feed on like fear, greed, curiosity, helplessness, urgency. Here it's like fatigue, right? Like it's just, and the thing is we just don't away. We don't know why without asking the person, because there're gonna be multiple reasons, right? It could be a slip of the finger. It could have been that that guy was also requesting to join the VPN. So Bradley, that request came through at the same time the bad guy's request came through, right? And he clicked yes on the wrong one. Or it could have been that he was clicking no, no, no, and it just was happening for eight hours straight. I think the Cisco breach, this is what happened. They sent thousands of these requests at a time. Mm-hmm. So now your phone's lighting up with all of these requests and you mistakenly hit yes instead of no. Right? Right. I mean, I know, uh, what really caught me is, uh, Duo, right? Duo is one of those multi-factor auth apps. They changed the approve and the deny button, right? The approve used to be on the left. Oh wow. And just this year, approve was on the right now, and I remember the first time I noticed it was because I clicked deny because my finger automatically went to where the approve button. Yep. You normally was, but they moved it. Why the heck did you move it? Wow. You know, like, I don't understand, Duo. Why did you do that when you trained yourself? Or even if you did, or even if you did? We, we use, we use Duo and a lot of our clients do, but even if they do communicate that with people, right, we're this change to make it more aligned with Google's authentication or whatever. Right? Like, okay, well then that makes sense. Now we have to educate human error. People look on the right side if you wanna, right. Human error could be the reason why they fell. So it's, it's, you know, unbelievable. That's, that's just phenomenal. Mr. Hadnagy, thank you so much.
We have, uh, we could talk to you for hours, so I didn't even know an hour passed by. Wow. Yeah, I know. Absolutely blew. That went really fast. Yeah, it was just crazy. Um, what, what is up next? I'm like halfway through my question, so I have so many more questions for You're another episode, if that's okay for I would, I would love to, but yeah. But tell me, like, what, what's, what's coming next? Tell, tell us about your, uh, tell us what's coming next for Social-Engineer and, and, and your, and your, your institute that you're creating. And then also tell us about the, uh, uh, the, the cause that, that, that you're driving with the Innocent Lives Foundation. Yeah. Um, so what's next? Well, I'm telling you 2023 is gonna be a really exciting year, um mm-hmm. As you guys already met, Doc, Dr. Maroño. Um, we, we, uh, we brought her on because I wanted to bring a lot more science into social engineering. Mm-hmm. And I wanted to make a duplicatable process for teaching people how to get into this field. Right now, there are 750,000 jobs in this country alone in InfoSec that aren't filled. Yep. And I know I'm not gonna single-handedly fix that, but if I can put a small dent in it, I want to, because I kids are coming outta university and they don't have the skillset for, I would not hire. Right? I would not hire them because they're coming out with a lot of book knowledge, but no practical experience, which is also why I'm teaching at U of A is cuz they're letting me do very practical education for the folks there. So I'm really excited about the Institute for Social Engineering, um, and having Abby bring a lot more science into our, our practice. We're really, really looking forward to that for 20, uh, 23 and Innocent Lives. I'm telling you, I, I, I cannot tell you how proud I am. We just hit 475 cases that we've turned to law enforcement. So our mission is, um, is we help law enforcement.
We're not a vigilante group, so we help law enforcement geo-locate people who are trafficking children or who are creating child sex abuse material. And then those guys and gals get arrested. And we've been around for five and a half years. We just accomplished 475 cases. My fundraiser happened to get a barrel pick, if anyone knows what that is, a bourbon barrel from Buffalo Trace. Of course, give it to us. And we went and did it, Weller Full Proof, and Unicorn Auctions is holding that auction. And Friday night we had a live stream with Aisha Tyler. She's an amazing actress from Criminal Minds, Friends, Archer. Yeah. She supports ILF and she did this live stream. We did a tasting of the whiskey. So we're raising money, we're doing amazing things. I have five employees over there and 50 volunteers. We're working our butts off to accomplish this mission. And we're doing it. I mean, I'm just so proud of them over there. I can't say enough good. Like, we're stopping predators. We're helping law enforcement conduct arrests of people who are hurting kids. And in the meantime, we're saving kids and giving them a chance to have that innocent life that they should have, not having to worry about being abused. So people could check out our mission, Innocent Lives Foundation dot. Of course we're a nonprofit, so, you know, I'll throw the shameless plug out there. Of course, we love donations. That helps us keep our mission going. If you have the skill and you want to volunteer, links in the show notes for sure. Thank you. Absolutely. Thank you. Chris Hadnagy, thank you so much, sir. Thank you. We will reach out. We would love to continue this conversation at some point. Absolutely. I think we need to. I can't believe we only got halfway through. I would agree. That's right.
I look down and I'm like, you've got to be kidding me. An hour went through. You said, like, I haven't even gotten to my list of questions yet. I know. So we will reach out. Everybody, enjoy the holidays, et cetera. But thank you so much. Thanks for all the work that you're doing, Chris. This is just phenomenal. Thank you. Thank you. So, everybody, there will be a part two, so have a phenomenal 2023. Absolutely. Everybody, thank you so much. Have a relaxing end of year and we'll talk to you all soon. Talk to everybody soon. Thanks for joining, everybody. Cyber Crime Junkies. Thanks for listening and watching. Got a question you want us to address on an episode? Reach out to us at cybercrimejunkies.com. If you enjoy our content, then please consider subscribing to our YouTube channel at Cyber Crime Junkies. Connect with us on all social media like LinkedIn, Facebook, and Instagram, and check out our website. It's cybercrimejunkies.com. That's cybercrimejunkies.com, and thanks for being a Cyber Crime Junkie.
