Sierra Ward* //
Normally I am hidden in the back rooms at BHIS, chipping away at 10 million marketing tasks. I show up occasionally in webcasts, lurking again in the shadows, answering your questions and talking with people on the chat. My most public appearances aren’t even “me” as I hammer away on social media, but behind the shield of BHIS (pun intended). This puts me often times in an interesting position because while I represent a pen testing company on social media I don’t in fact “… security, bro?” (The classic pentesting marketers quandary as referenced by Jason Blanchard in his DerbyCon talk.) Except….. I do…..kinda.
Lately I’ve found a niche market for marketing skills in the world of pentesting. As one of the testers said, at its heart, marketing is persuasion. As a marketer your job is to persuade people to trust the company, to build relationships, and to generate good feelings (which, yes, can sometimes seem sleazy, manipulative and full of marketing mumbo jumbo nonsense. John and I both share an abhorrence for that kind of marketing and I try very sincerely to never make marketing at BHIS any of those things). But persuasion feeds brilliantly into social engineering, where your main job is to persuade people to do what you want/need. You come up with a ruse, figure out how to be convincing and go after your assigned marks (the client always okays all ruses, and knows all aspects of the plan before we start). While it feels very much like con artistry, it’s not con artistry, because we’re not really bad guys, who are after your sensitive data, just pretending to be bad, for practice – your practice.
After helping on several of the phishing portion of tests we’ve done this year, here are tips both doing phishing calls, and on the flip side – spotting phishing calls.
*Remember, people have been taught very carefully to avoid suspicious emails. But not as much time has been taken to teach them to recognize suspicious phone calls. Your best bet is calling.
*People very rarely care what area code you call from. What’s more valuable is the quality of the phone connection. I have had people call me back to confirm I was who I said I was, but that was easily mitigated by answering the phone call as the person I had just claimed to be at the company I said I was calling from.
Live in your role, and realize that in this role you aren’t lying
Part of what makes phishing calls difficult is that you’re lying, bold-faced lying, and for normal non sociopathic people, this can be difficult. But since this is part of work, and you are seriously wanting this company and its employees to understand the dangers of phishing phone calls, you need to actually sell these calls and service you are doing is truly good. When I’m doing these calls I am both hoping to succeed and also desperately to fail. I give employees who refuse my requests an air high-five and silently congratulate them on their job well done!
Appeal to a person’s sense of duty
-We look back through history and say, “how could normal family men (and otherwise “good” people) be Nazi prison guards during WWII?” Because someone in authority told them to do something, and all of us generally want to please the people who are in authority over us. I wish I could say these sorts of appeals weren’t as easy as they are.
-With this in mind don’t ask someone to do something, kindly but firmly tell them you are in authority and that you’re not really asking as much as telling. (This can be a tricky line to walk because people also hate being bossed around.) But don’t let’s them say no, just keep telling.
Build credibility by back-feeding information
-Confirm their email (or any other information you may have like location, birthdate etc.) to establish that you are a person in the know who has authority.
-This also helps if you need to get more pieces of information, you establish trust by offering a few pieces and then ask for the rest.
Appeal to a person’s willingness to help
-People are generally helpful, especially if you can play a floundering card (I’ll get in so much trouble if you don’t help me!)
Make a role for yourself where you aren’t accountable to direct questions
If you’re talking to tech people play ignorant (in my case this is easy!), If you’re talking non tech people, play tech person!
“I am calling for my husband, and don’t know the details of the account.”
“I am just doing my job, would you like to talk to my boss?”
Misdirection is your friend
-Make the goal something deeper than your true intended goal. I.e. you need them to log in to a portal, but don’t make that the point but something beyond that so that they don’t get distracted by logging into the portal, it is only part of the needed process.
-If they ask questions, just ask them more questions until they forget their original hesitancy.
Stress the urgency of the matter
-”This matter is extremely time sensitive.”
-You need the information before you get in trouble from your boss/spouse.
Stress how thankful you are for their help
-Customer service reps are taught to be gracious and helpful.
-People are more prone to do what you ask if you’re nice.
*On calls I’ve had people even offer to try the link I’ve emailed on their home computers when they’re not on the clock. If I were a bad guy, and you logged in at home, I’d also have your home computer information and location, yes! Please, give that to me also!
People’s critical thinking and self-control is at a low in the mid afternoon
-Ever given into a sweet tooth craving at 3pm? Appeal to that by calling in this time frame where they are less likely to refuse your requests, even if they are suspicious and you’re asking them to do something they’ve been specifically trained not to do. People are more likely to just be in a rush to finish the day at this time.
Learn when to bail & when not to bail.
-This can be tricky, because it’s sometimes more suspicious to hang up on someone.
-If they put you on hold, or go get their manager hang tight. Sometimes you can get a manager to do what you couldn’t get the employee to do. Build credibility.
-If you get hesitancy early in your calls hang up and keep going, this person is the most likely to call security and shut your whole operation down.
-If they put you on hold, hang up and call back saying you got disconnected.
-If they get hostile, assure them you’re from headquarters/IT/HR/the bosses.
When in doubt remember your job is to try, not to succeed – ultimately this is training not real phishing so it’s okay to give up if they really won’t comply with your request.
These same ideas are useful as we spot people in other areas of our own lives who may be trying to manipulate us. As always stay cautious out there!!
Up next for this marketer? Maybe I’ll try my hand at physical testing, though after reading Sally’s account I have to admit I was having some cold sweats thinking about those anxiety inducing thrills!
*A big shout out to Kelsey Bellew for helping and giving ideas, she’s another social engineering rock star!