2020-12-16-Social-Engineering-Works

Social engineering works.

I’m gonna do something in this post that is uncharacteristic of many in the social engineering world: I’m going to say a few things that I know are controversial. Please try to withhold judgement or defensiveness and see that I very intentionally try to use inclusive language where appropriate. I’m not an exception here. And my point in writing this is not to attack, but because I want to help. I’m not perfect and I may be wrong, but at least my intentions, I believe, come from a good place.

It feels silly needing to start this by making the argument that ‘SE works’. The truth behind that statement is hotly contested by many in the information security community. I’m not here to convince anyone of the efficacy of phishing as an attack vector (the quantitative data does that all by itself). What I seek to challenge is the thinking that some people are invulnerable to social engineering.

Some of us are too smart for that, right? I don’t think enough of us fully appreciate the real implications of the fact that even Chris Hadnagy has been phished. Many of us who speak about SE make this point often. But I don’t think we’ve really spent the time to consider what it really means if one of the top minds in the SE field can get SE’d. Unless we think we are somehow smarter or more tuned in than him. If you do, I implore you to suspend your ego for your own sake. Just being aware of the placebo doesn’t invalidate the placebo effect. Brains, amirite?

Okay, so what? Well, I think the premise in this type of thinking has far-reaching consequences, and if I can help make the world just a little better through this post, then that’s all I care about.

And the premise that some people can’t be social engineered means that the foundations of our discipline aren’t valid. If SE isn’t valid, then what does that say about the fields we draw on such as psychology, sociology, and anthropology? Are those wrong too? Okay, I’m sick of building the setup. Moving on.

See the point I’m trying to make here is that people CAN change. I know for a fact they can. I’ve personally used social engineering to influence others to change. After reading Cialdini, I can’t not see the compliance tactics being used by e v e r y o n e. From every angle. And they work. Just look at all the disinformation campaigns and conspiracy theories. It’s terrifying how well they work.

And I’ve also changed.

I can’t speak for anyone except myself, but I personally know many high-level people in social engineering who have also made massive changes in their lives. A lot of us got into social engineering originally because we were reading some book about how to be better at socializing or self-help or leadership. Most of us think the best social engineers in the world are somehow special and are just naturals, but this is not the case. We changed from the shy teenage introverts we were into the leaders we are now.

But somehow the idea that people can’t or won’t change has made its way into the heart of so much discourse these days. Which is something I’ve been having a hard time understanding. I know so many incredibly smart people in our community that have said things that are so wrong and sometimes so extreme that I think we must like fighting and violence more than we want to make the world better.

I truly pity anyone who thinks people are incapable of changing, because it probably means that they also think they are incapable of change. And that’s gotta feel like a prison. But you can change that right now. We can all change. We can all be better. You are not just a passenger, you’re the driver.

At this point I don’t know how this post should end. I started it feeling so inspired to say the only way we can make the world truly better is to stop fighting, but I can already imagine the responses this post will get. You all know me as a very passionate person and I woke up this morning with words pouring out of my brain that felt so transformative, but now that they are on the page I’m not so sure.

Do what thou wilt, but please at least have the self-awareness to know that how we communicate and relate to other humans is everything.

EM