Cybersecurity Mentors Podcast

Turning Sheep Into Wolves: Brian Brushwood’s Plan to Defend Against the Scampocalypse

Cybersecurity Mentors Season 5 Episode 1

Magician, podcaster, and World’s Greatest Con creator Brian Brushwood joins us to talk about the coming Scampocalypse, where AI-powered deception meets human vulnerability. We dive into how magic, psychology, and “deceptive role play” can transform security awareness from boring quizzes into hands-on human defense training. Learn why Brian says it’s time to stop training “sheep” and start raising “wolves.”

Topics include:
• Why traditional phishing tests fail
• How AI is powering the next generation of scams
• What magicians know about deception that CISOs don’t
• The “sheep vs. wolf” model for human training
• How to gamify social engineering safely



SPEAKER_05:

What I'm what I'm proposing, or what I do, is I work with humans on human-on-human scamming. That's what I've done on all of scam school. That's what I've done for 25 years. Uh that deceptive role play, it's the difference between if you've ever played a first-person shooter, the game is very different. If you ever play Overwatch against a bunch of bots, imagine that the best out there is a bot experience. And then for the first time you log in and you're playing player versus player. I am here for PvP social engineering play.

SPEAKER_03:

Could you teach me?

SPEAKER_00:

First learn stand, then learn fly. Nature rule, Daniel-san, not mine.

SPEAKER_06:

I know what you're trying to do. I'm trying to free your mind, Neo. But I can only show you the door. You're the one that has to walk through it. What is the most inspiring thing I ever said to you? Don't be an idiot. Change my life.

SPEAKER_01:

We aren't here to waste your time with buzzwords. In IT and cybersecurity, what you know and what you can do makes all the difference. We are ACI Learning. Training built for novices and pros who need measurable results. Hands-on labs, real-world checks, courses that get you certified and ready for what's next. Build confidence, strengthen defenses, achieve more. Visit acilearning.com/simplycyber to learn more.

SPEAKER_02:

Welcome back to the Cybersecurity Mentors Podcast. On today's podcast, we've got a great special guest, Brian Brushwood, magician, podcaster, YouTuber. He's been out there for a while. I discovered Brian through Scam School. We're going to talk about Scam School and magic and all the cool things you can do to trick your friends in a good way. In a good way, right? But really talking about social engineering and how social engineering is obviously, we talk we hear a lot about that from uh an attacker's point of view, but it also can be used for good and it can be used in ways to also teach and train your yourself, but also teach and train your people to be less susceptible to scams or cons and attackers. But welcome, Brian. We're we're glad you're here.

SPEAKER_05:

Thank you guys so much for having me on, man. Uh, it sounds like you guys have taken a fairly uh I hear this a lot. One of my favorite things is going to DEF CON. And traditionally, I've been locked in at the vendor booth where folks line up and they want to tell me how old they were when they saw Scam School and learned this trick or that trick. And eventually I have to sell them lock picks or whatever. But this year was different. I just floated around DEF CON and it was remarkable to hear all of these boots on the ground stories where, for a lot of folks in the cyber defense world, I was their gateway drug into human deception. And uh luckily, I'm still covering that beat. If you haven't heard it, the new podcast that I do, World's Greatest Con, I'm extremely proud of. It's very, very good. As a matter of fact, uh Jack Rhysider was kind enough to run an episode on Darknet Diaries. And uh now, those same games, that same modeling of deceptive role play that was a fun lark to win a free drink or get the girl's phone number or whatever the social reason was before back in the day, now is a critical security defense in a world where robots are going to be able to elegantly have pacing, timing, and engage people for the purpose of emptying your wallets. It's every so often I believe in the simulation theory, and uh all of a sudden it turns out that card tricks are very important.

SPEAKER_02:

Well, one two things on that. One is the first trick, one of the first tricks I tried. So this is so funny because I'm sitting at a dinner table with my friends, and I was like, all right, I've got three or four things here. Brian has taught me and I practice them, and like I don't know what I was thinking, right? So one of the they're they're sitting there at the table, like not expecting a magic show. They're just eating dinner and it's all nice, we're having a good time. All of a sudden, I pick up a cotton ball that I've lit on fire and throw it in my mouth.

SPEAKER_05:

That's fantastic. They're like, what just happened?

SPEAKER_02:

And I'm like, what am I doing? You know, but I kept going with it. Um, I don't know. That's probably a night they won't they won't soon forget.

SPEAKER_05:

Well, and I think I think that what you just described is far and away my favorite aspect of doing scam school because uh the TV show Hacking the System on Nat Geo, uh, I'm I'm proud of it, but nobody comes up to me and says, thanks to your show, I I don't know, uh paid off my mortgage five years earlier or whatever the advice was we gave on the show. But but scam school was something different because I never wanted anything to be too heavy a lift. I really wanted people to actually do this stuff at home. So the stories that came back to me were always of people crossing that divide, that threshold of instead of just academically upstairs system two, as they call it, learning, and instead actually doing it, modeling that deceptive behavior and crossing the threshold into being a performer.

SPEAKER_02:

Yeah. And um, and we talked about this before we hit record, but the way I came across Scam School was I was interested in social engineering, the social engineering framework had come out, and uh Chris Hadnagy and those folks had talked about this, and I was like, Oh, how do you get good at social engineering? Like I get it, but how do you actually practice so that I could learn it and learn it in a positive way, not just scam people necessarily, um, but like how do you get better at it? And then somebody said, Well, you know, magic is a way that you do social engineering and basically trick people, but in a nice way. Um, and I was like, Oh, wow, okay, let me Google social engineering and magic, and lo and behold, you know, Scam School came up.

SPEAKER_05:

Yeah, there was a remarkable moment that I experienced just four weeks ago. There is, you know, in Vegas, you got two gigantic conferences. You got Magic Live, which is the biggest, most important United States magic conference, and you got DEF CON, the world's biggest security conference. And I went to both just to watch and listen because I've been dialed in on this AI scam, AI-powered scams and frauds for a minute. There's a Deloitte uh analysis that suggests that, first of all, we're at the highest reported amount of scams powered by AI and deepfakes, $16 billion they reported this year, and they're expecting up to, by the end of two years from now, 2027, $40 billion of reported losses. And as we all know, reported losses are a mere fraction of the real story. And there's incredible incentives to not share the methods of deception among the deceived. And so being there at Magic Live, uh picture, picture you got the bar down in the Orleans hotel, and you got a bunch of magicians kind of loosely hanging around. And then one of those magicians utters the most important phrase, oh, is it catnip? Magicians are all junkies who want to be fooled. And every so often, one magician will give the other the highest compliment ever and say the words, you fooled me. And magicians give this phrase without any shame whatsoever. It is a compliment. And the moment that happens, the mesh network of humans, all the humans immediately synchronize up and say, What do you mean? What was it? Oh, you gotta see this. Oh, yeah, does it use a thread? Does it use a marked deck of cards? Does it use this? Does it use that? And the entire mesh network automatically updates itself because the communication is so powerful because culturally, there's no stigma to having gotten got. Now compare that to what I saw when I went to DEF CON and I did a lot of listening. 
Uh, first of all, everybody, it's my favorite game, is everybody for some reason loves to tell me number one, how old they were when they saw Scam School. Number two, what their first effect was. And in fact, John, you did the exact same thing, which I really enjoyed. But then once we got past that part, I asked folks, what are you seeing when it comes to this AI-powered wave of the scampocalypse, as I call it? And they number one, everyone acknowledges it's very real and it's very much coming. And then when it comes to the solutions, though, people always talked about the tech stack. And the story that I heard, and you guys could correct me on this, is that it sounds like pathogens and antigens are roughly in an arms race. They've got AIs that are making it harder. We've got AIs to see their AIs, and so on and so on and so on. But when it comes to the human stack, the wetware side of things, it seems like that just isn't within the domain of most of the CISOs that I've been talking to. To them, it seems to be a technological problem with a technological solution. But as somebody who's swum in the waters of deception for 25 years now, it doesn't seem right at all. Uh, you describe magic as a safe playground to engage in sort of the dojo of social engineering. And uh when you think about social engineering and uh security awareness training. So, right now, our solution across the board is what Daniel Kahneman in his book Thinking Fast and Slow calls system two training. It it uh what I picked up on is all of the training is number one, top-down, meaning nobody wants to do it, they're forced to do it. And there's a certain set of heuristics that we in uh turn on when we're forced to do something. It's like defensive driving.

SPEAKER_03:

Right.

SPEAKER_05:

And the method is all system two training, which means academic upstairs, you burn some calories to keep it in your mind just long enough before you could go out and play again. So the method seems to be watch a video, take a quiz. And then at some indeterminate point in the future, somebody pokes at you, and there's a secret test that gets taken when you're not ready for it, and then you get got, and then the solution is watch a video and take a quiz. And I am certain that this checks all kinds of boxes on your IEEE certification, but I'm equally certain that it does nothing to actually protect any of the humans or make them able to engage in that all-important system one response. Gavin De Becker wrote a book. Uh, Gavin De Becker does the highest end physical security out there. He wrote a book called The Gift of Fear. And the whole book boils down to listen to your gut. He says, for all of your smart thinking gears and cogs, Vulcan minds, it's system one that caused humans to conquer the planet because we ain't got fangs or claws or scales. We have one thing, the world's most finely honed sense of intuition for when something's off. And so what he does is he, number one, has people listen to their system one, but also you've got to do the reps. So think about if the question was physical security. Would we handle this anything like we do for cybersecurity? Right now, our model appears to be we got a bunch of sheep in a pen, and all of the tech folks, all of the CISOs have built a really secure fence around our sheep. And now the problem is we've got these AI-powered wolves hitting at the sides of it. So what do the tech folks do? They build the fence taller and they say, but the sheep, they don't understand how bad the problem is. Aha, says the CISO. I've got this sharp stick and there's these slats. I'm gonna poke the sheep through this fence, and now they're good and scared. They really understand how scary wolves are. 
None of that is what is needed. What is needed is to have a safe place where the sheep are told you're gonna take turns putting on this wolf mask, and we're gonna play a game and we're gonna practice tricking each other. And now here's the way it's gonna start. Did you guys ever play this game? Do you guys know this one? Yes. Okay, I owe both of you punches on the shoulder. For the audio listeners, I just made a circle with my thumb and forefinger, and now I get to punch you in the shoulder when you know that you got got. There should be, if you want effective human-based training, and this is, I have cleared my calendar for the rest of the year because I want to start piloting this program. There should be, instead of one hour of real-time slices of, you know, watching the phishing and the vishing and the smishing and the, uh, AI, I guess. Um, what, zishing would be Zoom? It doesn't matter. But the important thing is instead, give me 15 minutes once every couple of weeks. And the game is quite simple. You're gonna opt in, you're gonna be assigned a target. You're gonna have to get them. What does getting them mean? Get them to click on literally anything, expecting it to be business related. And instead, it's gonna be a hilarious photo of the CEO giving a double thumbs up saying, You got got. And then we're gonna play that game. Next week, I'm gonna hear who won, who got who, and why. And then we're gonna change the rules on you. And I'm gonna get the game closer and closer to the actual pathogens that are out there. If what just made the headlines is that a deepfake Zoom scam was able to pull $25 million, which is exactly what happened, then the new assignment becomes here's some deepfake software. Your goal is to get into a meeting that you don't belong in and be the phish. 
Everyone knows somebody's gonna be a faker, and you're gonna build the culture where everyone's gonna have a laugh in the first 90 seconds to spot the faker. And then it's gonna be a lot harder for actual fakers. You guys have heard this. You know that North Korea is spending money to get people jobs in American industry doing nothing but deepfaking this whole thing. It needs to be culturally the smallest thing ever to just get out of the way the possibility that the CEO is not the CEO. Have that be a joke, get back to a shared reality, and let's start training the sheep with deceptive role play. And magic is just one of the vectors that I work with folks to get them to think. What you want is that always-on system one defense. The only time, and I'm sorry, obviously I'm very excited about all this. We'll get back to your podcast shortly. But the only time I ever caught a scam in progress was when I was 18 years old working at the movie theater. It was a two-person operation. A guy and a girl come in. The girl goes all the way down to the far end of the counter and says, I need to know about these candies. And so somebody's over there talking to her about candies. And the guy, uh I was only a couple months into learning magic, but the guy starts doing the shortchange scam on me. If you're unfamiliar, you know, you swap a 20 for some change and then and then and then. And about halfway through it, he ended up getting $50 of the register's money. But I had this tickle from my gut that said, this is a magic trick. And I didn't know why. And it turns out I didn't need to know any of the details or the specifics because I could recognize the rhythm, the gentle prodding, the process. You do this and I do this, therefore we agree on this. Then the logic gates that go forward from it. And that was before I learned about system one training and doing the reps. 
That is what I believe is the most pressing issue that is needed is somebody to address the humans. Yes, use the technology to do it, but that moment that the 20-year executive assistant of the CEO hesitates over a suspicious link, it can't be because she's quote, being diligent. It can't be because she's quote, remembering her training. And it certainly can't be because, quote, she's worried about the company's security. It needs to come from the gut because she's ever so pausing, because she's like, I don't want to get got by Gary and finance again. And then she's gonna right-click and flag it as suspicious. And that's the change that is desperately, desperately needed because it's a real threat coming. Thank you for my TED talk.

SPEAKER_02:

Man, there's so many good things there. Um, yeah, so much to unpack. Yeah. Uh man, I mean, okay, let me think. I wrote notes here. Um, one of the things we did is we took students in a class, and my theory was we're gonna teach them, we're gonna phish them, we're gonna teach them about social engineering and how phishing works. Now, I didn't have them put the wolf mask on, which I think would have leveled.

SPEAKER_05:

Nobody does. If it makes you feel better, this was a blind spot in magic. Like I truly believe that I only made one significant contribution to the art of magic at all. In my entire run in scam school, before scam school, all tricks were here's the trick, here's the method, the end. And then, and in fact, you watch the early episodes of scam school, that's what it was. It was trick, method, the end. And then the only thing I did is I put an ad in between those two. But then they handed me a second ad. And I'm like, man, I only have two minutes of a trick and two minutes of an explanation. I can't put two minutes of ad in between those two. So I added the third block where I reinforced the lesson by handing them the deck. And I'm telling you, man, it was like magic because somebody might be a neurosurgeon in the real world, but the moment you hand them cards, very clearly they're modeling new behavior. They haven't thought about how do you spread cards in a way where you can see them all at once. And only that's when they cross the threshold and speak the secret language of actions instead of words. They're no longer just remembering facts and spinning them back, they're instead modeling with their whole body deceptive behavior and unconsciously realizing that their body's telegraphing, that they're hiding something in their hand or what have you. And even better, as studies show, monkeys who watch other monkeys do a task, their mirror neurons fire in the exact same place. So by watching somebody engage in that deceptive role play, the person at home was able to say, Oh, I would have made that same mistake. Or even better, they're like, oh my God, the guy forgot that that card needs to be under the seat by now. And then when because they're making that prediction and they get the dopamine of being right when it pays off, that's how those lessons uh get secured in. 
And so this blind spot of not thinking it's not enough to phish the, you don't just have to phish the sheep, you have to teach a sheep to phish. That's right.

SPEAKER_02:

Yeah, I think the reason I totally agree with you, right? Our security awareness is broken. And it is exactly what you said. We're trying to give them awareness. Hey, this happened. Here's how bad guys are doing it. You should be aware. We customize it to what we've seen, which is great. And then when we do the test that you don't know that you're gonna be tested on, we hope that that's gonna be a reminder of, hey, this just happened to me. Let me be more paranoid, in a positive way, when that email comes in. But it's really a paranoia test of like, how paranoid are you? Are you paranoid enough to be watching and looking at all the links? Versus that there is a mind switch there when you do know how to phish or how to be the deceptive person, like, oh now I'm on the offense. Oh, okay, let me put the wolf clothing on and think like a wolf. How might they attack? How might I attack you? But how might they attack me? Oh, this is how it works, right? Okay, you kind of get to see behind the covers on the wolf tactics.

SPEAKER_05:

So when I was younger, there is a classic scam, the white van speaker scam, where they pretend to be selling you what you, all on your own, figure out because you're very smart, high-end studio monitors that are stolen. And because they're stolen, you don't tell the cops and you go to the ATM and you pay $300. The real scam is they're garbage speakers, they cost 20 bucks, but you feel like you got away with something, right? And of course, it's only through having gone through the shame of having gotten got that I instantly developed a permanent understanding of when that was happening. The next time that scam happened, not only did I see it coming, but I had notes. It was a couple of 18-year-old kids. I was in my mid-20s. I was like, no, no, no, no, you're doing this all wrong. First of all, where's the magazine? They're like, what do you mean? I'm like, you gotta have the magazine to point to, prove that it has a high price. Also, you're not doing anything to indicate these are stolen. That is the mindset that we want our sheep turned wolves in uh doing. You should have notes for the robot scammers.

SPEAKER_04:

No, I I think that's great. Sorry, I was gonna add, I think that's great because one of the things you said that I believe, truly believe, and it's something we're trying to do, is gamifying it, right? Having fun with it, right? Because like like we've talked about, our training is video quiz, video quiz boring. I mean, people dread taking this these types of uh awareness trainings yearly. So, and when we're running these tests internally, we're seeing a lot of people fall for it again and again. And we're in that circle, that that same uh motion of well, we test them, we give them a quiz, a video quiz, we test them, okay, hoping that things improve. And we do try to add that paranoia into somebody, but that can only get you so far. But one thing I wish we could do is have the wall of shame, where we show everyone that has fallen or has gotten got, and maybe that can help push or or um give someone uh a little inkling to be like, okay, I I don't want to do this again, I don't want to fall for this again. But I don't know if John or others would agree with me there, but uh but anyway, just some thoughts.

SPEAKER_05:

Studies show that that method is astonishingly ineffective. Uh and in fact, just having gotten got is all the penalty you need. Anything on top of that is only a paralyzing effect. Now, meanwhile, what is absent from the current method is there's no fame, there's no joy, there's no dunking, there's no aspirational, there's no, I can't wait to tell everyone that I'm the one who blocked this attack. And so that is what needs to be done. And in order to do that, again, you have to engage with deceptive role play. Now, the testing that you guys do is a hundred percent critical because it is the only way to get an accurate map of how good the organism of your organization is in terms of defense. And when you see those weak spots, uh, a thing that I hear from a lot of companies is that it tends to be a lot of uh recidivism, a lot of repeat offenders at the same level. And I suggest that doing more of the same thing is probably going to yield more of the same results. So whatever your method out there, uh go ahead, keep your video quiz system two stuff. Or um, also annoying, forgive me, I'm gonna go on a little rant here. You guys have seen Napoleon Dynamite, right? Right. Okay, so uh people are like, oh, we hire a red team to come in and penetrate. And all the red team penetration testers, uh, they legit have the best stories ever of how they penetrate all over the place. However, my question is, are you training the sheep? Because otherwise you're doing Rex Kwon Do. If you're just showing up, plugging in a Rubber Ducky USB and owning their local branch, then you're doing the equivalent of saying, that's a takedown, that's a takedown, that's a takedown. And then walking away. Don't do drugs. Uh, what we want is effective defenses, which means that you should be having your own people. 
It should be a treat that they get to go and, uh, what I'm proposing or what I do is I work with humans on human-on-human scamming. That's what I've done on all of Scam School. That's what I've done for 25 years. Uh that deceptive role play, it's the difference between if you've ever played a first-person shooter, the game is very different. If you ever play Overwatch against a bunch of bots, imagine that the best out there is a bot experience. And then for the first time you log in and you're playing player versus player. I am here for PvP social engineering play, which, as best I could tell, nobody is doing correctly. So this is the beginning of uh a very long journey for me. And I am certain that already I've said many things that are incorrect and uh ruffling some feathers. Good. Hit me up, brian@shwood.com, B-R-I-A-N at S-H-W-O-O-D dot com. And uh specifically your repeat offenders, I challenge people, give me your bottom 20%, your worst repeat offenders, and I guarantee you that the moment I make them players instead of sheep, everything's gonna change.

SPEAKER_02:

Hmm. Yeah, and we try to add a little bit of like, hey, these are the people that reported it and reported it the fastest, you know, but it is tough. It's good, but I know they don't, they aren't dunking. They're not like, yes, I reported it before Joe, or right?

SPEAKER_05:

Well, you know, you can you can add a bit of that if if if security is important enough, you can budget for you know Amazon gift cards or whatever, where it's like the dollar value on the gift card is directly proportional to how fast you report. That'll that'll penetrate the system one, system two barrier.

SPEAKER_02:

Yeah. No, I think um we do have obviously everybody has repeat offenders, and we're trying to like, hey guys, come on, wake up. But I I think that it it does I'm trying to think about where why the focus is on the tools, right? Because we're tech people, that's usually what what it is, and it's easy to sell a tool than a humanware, wetware uh solution. Uh what do you mean?

SPEAKER_05:

I can't because uh, think about it. I'm sorry to cut you off, but the uh, I think this is also something I thought about. So a tool can always be quantified in a way. Look, there's a reason that HR has a natural selection for one type of people, whereas IT has a natural selection for another type of people. But we're entering an age where we need to not be siloed, and right now people think of HR as a lawsuit mitigation expense. And instead, they need to be thinking of it as a critical security expense because what we are increasingly losing is that shared reality. So historically, pre-pandemic, 10 years ago, when we think of the holiday Christmas party, we usually thought of that as a morale booster or a culture play or a soft perk or something. Uh, I'm here to say that it is critical security because in that initial throat clearing at the beginning of every Zoom meeting, you need to be able to not do a security dance, but instead casually say, oh, we met at the thing. Yeah, like, yeah, yeah. Do you think Andy's bruise went down? I don't know. He hit his head pretty hard on that cake stand. Now those two people have just done a parity check. They've done a checksum to verify their shared reality. And it was frictionless the entire time. So all of these social niceties that come organically when we're in person, when we're seeing each other every day, need to be remanufactured as cultural institutions to prevent scams.

SPEAKER_02:

Very interesting. I like it. Yeah. One thing I thought about was the book Unthinkable that I'm I'm listening to right now. And it talks about like how all these disasters that have happened, you know, 9-11 and others, and they research what happen what people do. What what do they how do they respond? Is it like the movies? No, it's not typically like everybody's running around screaming. They're usually way too calm and don't get out of the building when they're supposed to, or get out of the the fire or whatever. Um, but the train they talk a little bit about the training, and I'm only about halfway through, but the training that people give to what you should do. In an emergency is really dumbed down because they don't trust the people. They don't believe they can handle that information of what you should do. They say, trust us, we're the flight attendant. We will tell you what to do. Versus, hey, you know, you you should know. Like, you what if the flight attendant's not available? Whatever. You should know what to do in case of emergency. And I thought about that from this awareness mindset of like, we are the trusted ones, don't worry. We don't really tell you what's behind the curtain because we'll take care of it, versus like, hey, no, here's what, here's how it works, and here's what we do, and here's how bad guys attack you. And oh, and your level of, hey, try it out. Go try this out, right?

SPEAKER_05:

Well, and you know, you mentioned 9-11, and that's a really good example of, for very good reasons, that is a sheep inside a fence scenario, and the sheep were actively told never be anything other than sheep. You know, they don't want any wolves. Because back in the 60s and 70s, hijackings were very common and a problem, and they had largely solved it systemically. However, everybody had gotten so sheep-like that that one structural uh brittle architecture was able to be taken advantage of. Now, of course, the moment it happened once, it could never happen again. In fact, just by the, you know, the fourth plane, the sheep were able to say, oh, we should be like wolves right now. And they did. Uh that's what's needed in cybersecurity is let's start practicing today. And yes, eventually, all of my friends in IT and tech, uh I believe you that eventually there will be AI mentors for these games. But if you're looking for today training, then get a human and start considering ways to engage in deceptive role play. I mentioned the circle game dynamic is just one, but also like learning any magic trick, because when you learn a magic trick, that is a safe space to engage in the exact same behaviors that'll be deadly in the world of scams and cons. When you think of an image of two tiger cubs, roughly rough and tumble playing, it's an adorable animated gif. But of course, those are exactly the moves that they'll use to slice the belly open of an antelope down the way or to defend their own tiger cubs. And so uh in the world of magic, you learn, for example, dual realities. There are magic tricks where they rely on two different spectators having two different understandings of the same objective phenomenon. And you can see that already. Here's a social engineering hack you could do. 
If you're in a customer service loop with someone on email, and maybe you're on the third or fourth ping-pong back and forth and you're not getting what you want. Just add bracket all caps in the subject line, bracket all caps, high priority in there. And then what'll happen is the CSR who receives it will think, I don't know why that's there. So they'll escalate it to their manager. The manager has a choice. They can either call IT and say the very awkward thing of, was there an update I didn't know about? Or they could do the very easy lowlift thing of prioritizing your email on there. So uh uh that kind of that's a magic trick that eventually becomes a slight social engineering hack in a fairly white hat kind of way. But the more magic tricks you learn, the more of these core principles you see in everything from uh uh, for example, uh my friend Apollo Robbins is a gifted pickpocket. And if you've seen his TEDx talk, one of the things he talks about is standing face to face uh uh up against somebody who says, pick my pocket. And of course, there's you're they're too on guard. You can't penetrate that barrier between the two of you. So what he does is he says, Yes, absolutely, absolutely. First one thing, I I have a show right after this. Which way is, and all of a sudden his phone is out and he's pointing to a map. And what are you doing? You're standing shoulder to shoulder, and the rules are different in that situation. There's now a third vector to pay attention to, which makes it appropriate to pat someone on the shoulder and lift their wallet. That kind of thinking should be so well known to everybody inside your organization that they smell it coming a mile away when somebody's pulling it on them.

SPEAKER_02:

It gets you out of that automated mindset, right? You're just in, and maybe that's the system one and system two thinking, where that's what most people say: hey, I just clicked, I was in a hurry, it was on my phone, I didn't really read it, right? I just thought it had that sense of urgency. You're just in auto mode, autopilot, and so you did the thing, right? But if you switched, I think there's a difference between the defensive and offensive mindset, right? Where you're always on the defensive and you're always being attacked, basically, and we're attacking you too, versus you switch to offense mode, it just changes your mode, right? And it's an analogy too for cybersecurity, which I think you and most people need to do both, because if you're always defending, you're just beat down all the time. But when you switch to offense, you switch to a different level, and now you're like, oh, how would I attack myself?

SPEAKER_05:

Well, and I like that you brought up automatic mode, because automatic mode can be programmed in your favor. For example, if you do the reps and you see an opportunity to get an easy gotcha on someone, then when you see that email that is malicious, the problem that we have now is that anybody internally who gets a threat, and they should flag it, it is one of two things. Either it is the inside testing them, or it is an actual threat. Now, the actual threat out there is quite simply too big for them to imagine. They can't wrap their minds around it; they can't go to work at their, let's say, minimum wage job and still hold in their mind the responsibility for the corporation's security. Also, they can't conceive of what tests might be coming at them. That's a vague threat, and all they know is that it feels really bad when it happens. But their friend right there in the cubicle down the way, they know what that's like. And then they click on a thing and then they lean back and they look over and see them smile. Those are stakes. Those levers of fame and shame are how all deception works. And what we need are mild versions, because right now the game is all or nothing. The nothing is, don't worry, it was a test. The all is, it's the entire company's firewall that just cratered.

SPEAKER_02:

Yeah. Great.

SPEAKER_04:

We've had situations where in our training, after we do the test, we'll see the results, we go and present the results to leadership and whatnot. There have been situations where there are individuals who are interested in kind of what we're doing, how we do it, and then they give us suggestions about potential new phishing ideas. And that actually, to me, that makes me feel, in a way, okay, it's working for some. Some are getting it, but not everybody is, and not everybody thinks this is important enough, or maybe they just don't understand it, or maybe it's just not so important in their everyday life. They've got so many other things going on, that's the last thing they're thinking about. But when we do get those new suggestions, some of them are actually pretty good. So that gives me a little bit of hope, at least.

SPEAKER_05:

So here's an insider secret that you guys can steal. Here's the secret to every stand-up comedian who you can't believe how fast they are when somebody heckles them. They have this perfect zinger. The secret, quite simply, is they've already heard it and they got stung before. And in this Groundhog Day-like reality, somebody got them good, and then they had the three-hour drive home to just think about what they would have done. I swear. And boy, it's lodged in the back of their mind, ready to go. They're begging, begging for a heckler, because now I got you. And that's the difference between thinking like a player and being on defense as a sheep.

SPEAKER_02:

I like it. So let's switch a little bit to just in general, and I think we talked about how magic, you can use this in a safe way. If you're talking to somebody that said, Hey, I want to understand social engineering, how does magic play into that? Or how can I communicate to my grandparents this concept? Right. And I want to understand social engineering, and it's a big word. Engineering's in the title, so you must need a four-year degree for this, right? But how do you keep it simple? But as a new person, somebody that's new to cybersecurity, and they want to make a difference to their company. And they're maybe low on the totem pole, but hey, you know, how can I understand this, but also how can I help promote this idea?

SPEAKER_05:

So if you want to help, figure out a way to make your point without words. And so what I mean by that is, first of all, with the magic trick, if I fool you, that happens privately. Like, you can either say you were fooled or not fooled. Those are all words. Meanwhile, in your heart of hearts, in your brain of brains, you know whether or not you got got. So I can craft one of these moments, and if so, learn some tricks, is part one. But number two, remember that humans always respond to incentives. I was talking a week and a half ago, trying to explain kind of this wave of scams to my mom. And she's a bit older, and I tried to tell the simplest version of it, and specifically I was pointing out how sophisticated SMS phishing has gotten. And of course, for anybody unfamiliar with SMS phishing, the initial primary outreach doesn't matter. All they want is a response so that they can get a conversation going that eventually will become a romance scam that eventually empties your bank account into crypto. But as robots are taking on the task, they're getting better and better. I'm in Austin, Texas, so I have an Austin-based number. But in this case, this is how I would advise somebody to do it. Oh, I don't know if this is gonna focus or not. That's fine. Oh, there it is. It says here, I'm going to Austin on a business trip in November. Where are some good barbecue stops? And so in this case, it did a lot of things smartly. It put me on defense, acting like I'm the weird one because I didn't have them in the email. It acted as though it was a follow-up and it was congruent. And I would imagine, so I showed that to my mom and she said, Oh, I would never respond to that. And I was like, why? And then she does the same thing people do after a magic trick. They rationalize after the fact. And she said, Well, because everyone knows that Austin has barbecue.
And I was like, Okay, what if it was about quilting and a new pattern that you had ordered? She'd say, Well, I wouldn't respond to that. And I'm like, why? Pause, dot, dot, dot. Well, because I'm not really into quilting anymore. And then, so that very night I went home and I opened up n8n and vibe coded, using a Google Voice number, a very simple app that did just three windows. Window one, contact info of my loved one. By the way, somebody replicate this, make it easy for other people to do. Number two, a brief window where you just describe who your loved one is and their interests. And then number three, the important one, type the first SMS message that you, as the role-playing deceiver, are intentionally writing, hoping that they will reply to. Now, of course, when you get to that moment, the moment the cursor's on there, your brain kicks in and thinks, okay, I don't want to be too specific because that'll raise a red flag. It needs to, oh, you know what? Mom's going to my uncle's 80th birthday party. I'm going to act like there's somebody who is arranging a dinner beforehand and just doesn't happen to be in her contacts. So now I'm mentioning an event that only she would know about, or whatever. Now, of course, all of this could, if you spend enough kilojoules of electricity, you could have robots find all of this stuff out. So there's no reason that this is impossible to do with robots. But two things. Number one, just the act of writing that first prompt puts you in the role of the deceptive role player. Number two, imagine you do 10 of these at night and then you go to bed. And after that first prompt, a robot takes over. And the LLM's job is just to keep them talking. And you wake up the next day, and out of the 10 people you put in there, it says, Yeah, these three went, this one went for two hours. And now you know exactly which of your loved ones you have to have an important conversation with.
These are the kind of things that we need to be thinking of. Again, I'm at brian@shwood.com.

SPEAKER_02:

No, this is great. Um, Steve, any any questions you have?

SPEAKER_04:

No, I mean, yeah, so many. This is great. I wanted to ask you some questions about just some of your favorite cons that you've seen, you've done, you've heard of, and just kind of get your thoughts there.

SPEAKER_05:

Yeah, well, luckily, the... oh, I just totally messed everything up. My screen share is no longer active. That's fine. That's what this whole show, World's Greatest Con, is all about. And it's maybe the single thing I'm most proud of on the entire planet. If you go to World's Greatest Con, start with episode one, season one. It's about how the Allies fooled Hitler using a Trojan horse of a dead body, filling his pockets with lies that sketched out enough of a story that no less than Hitler himself was able to project onto the reality that caused him to defend the wrong coast and stop World War II. So the stakes are huge. After that, we did a whole season of game show cons, where we learned about how you can get all of these upstanding citizens, you know, former military, teachers, all to perjure themselves live in a congressional hearing simply because they're bound by the logistics of fame and shame. We also, there's an incredible season on Project Alpha. Basically, in this case, the scam artists are the good guys, because the United States government was spending military money, or actually, it was a contractor, doesn't matter, but listen to it. Project Alpha: two 18-year-old kids pretend to have psychic powers in a laboratory, and every day they have to make up new psychic phenomena under increasingly difficult conditions, all for the purpose of proving how easy it is for scientists to get fooled. And by the way, this is the motivation for how and why I'm thinking this way about cybersecurity: everybody is treating cybersecurity and their businesses exactly like the folks at Washington University treated the Mac lab. It never occurred to them that there could be a wolf in their midst. And of course, in this case, there were two wolves, and they completely tanked the entire study. And, you know, I don't want people to go screwing up corporate.
Look, let's all learn magic tricks, is what I'm saying. So let me stay one step ahead.

SPEAKER_02:

Absolutely, Operation Mincemeat. So I had listened to, somehow, randomly, I was listening to like public radio, and they had a series on Operation Mincemeat. And it was one of those things where it was like 8 to 8:30, 7:30 to 8, and I had to listen to it and make sure I caught it, you know. It wasn't like every day, it was like every three days a week or something on the radio as they told this whole story, and I was enraptured. I had never heard of this, and then I forgot about it because this was 2007.

SPEAKER_05:

Man, if you could remember what program that is, I would love to track that down.

SPEAKER_02:

It might have been on NPR, it was definitely public radio, and the narrator was great, right? They did a great job, because they kept me totally, I mean, the whole premise behind it kept me totally entertained. And I was like, hey, wait a minute, I gotta make sure I listen to this on the way to work because I don't want to miss what happened next. And then I saw where you guys were covering it. I was like, wait a minute, that's the thing I heard so long ago. And then the Netflix movie came out, which was great. I thought it was great. So yeah, this is a very cool story. So I encourage everybody.

SPEAKER_05:

That was one of my favorite moments when we did season one about Mincemeat, because there's only one book that's the canonical source for all that stuff, by Ben Macintyre. We didn't have the rights to anything, but a podcast, you know, there's sort of a journalistic middle area where it's like, okay, how much of this is just Brian talking about it? How much is this the story? How much money is involved, or whatever? So we knew a Netflix movie was coming and we wanted to get our story out before theirs came out. But then sure enough, after ours was out, I got an email from so-and-so at Netflix.com. And I was like, here we go. Here we go. And sure enough, I get on the line and they're like, listen, we have a movie coming out that's Operation Mincemeat. I'm like, yep. And they're like, would you mind interviewing the Academy Award-winning director on your program? And I was like, Oh, yeah, that'd be great.

SPEAKER_02:

Oh, that went way better than I thought it was gonna go. Yes, indeed. Very cool. No, I think this is awesome. Thanks so much, Brian. I think we could keep going. I think what would be interesting is for our listeners to just think about this concept. I actually had said before, I think it would be cool to go back and get a degree in psychology, because I think this is such an interesting area for cybersecurity that most people don't really dabble in. They think tech, like you said: there's the people side, human wear, and there's the technical side. And a lot of times they don't cross over, but the robots are coming, right? You know, they're here, they're here.

SPEAKER_05:

Well, I'll tell you what, I am aware that I have come out swinging with strong opinions on what needs to be done. And I would be very curious, if you want to solicit responses from your listeners, I'll be happy to come back and have a conversation about what the flaws are in this plan.

SPEAKER_02:

Absolutely. Yeah, thanks so much. With that, anywhere we can find you? What's your latest, going forward?

SPEAKER_05:

Definitely check out World's Greatest Con. And to be honest, if you want to hear more of this stuff, I put a lot of it on my email list. It's awkward to sign up for. Just sign up for a giveaway at gimme.scamstuff.com, g-i-m-m-e. We do a giveaway. I've done a giveaway every week for 20 years, and then eventually you'll, or buy something on my website, Scam Stuff. Buy a one dollar something, you'll be on the email list.

SPEAKER_02:

Cool. We'll link to everything. So definitely happy to share it. And thanks again, man. It's good to see you. Thank you guys, man.

SPEAKER_04:

Thanks for all you do. And a huge thank you to our sponsor for season five of the Cybersecurity Mentors Podcast, ACI Learning. You can check out ACI Learning at acilearning.com/slash simply cyber. Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.

SPEAKER_02:

Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

SPEAKER_04:

Do you have questions or topics you'd like us to cover? Or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast and follow us on LinkedIn. We'd love to hear from you.

SPEAKER_02:

Until next time, I'm John Hoyt. And I'm Steve Higuera. Thank you for listening.