After social engineering my way into the inboxes of White House staff and Banking CEOs I then went to work in email security — it was very much the fairy tail ending. For 3 years I manipulated BEC (Business Email Compromise) cyber-criminals into revealing specific intelligence which was then passed on to global financial institutions… Continue reading Authentic tales from my time as a social engineer + lessons I’ve learnt as a email security professional.
BattlePhish™ — Gamified Phishing
Roughly speaking, the how… Random split of your org: Team A, Team B. Team A votes on the the phish (from choice 3) and the time it’s sent out (they don’t need the day) They then get to find out how successful they’ve been. Repeat with team B. Next month, randomise again…. Above, is the… Continue reading BattlePhish™ — Gamified Phishing
ETTS™ Framework
The Email Threat Training System™ is learning framework that provides employees with a structured understanding of the risks they face within their email world. Stage 1. The Viewers Reality (Where their beliefs live)The first part of establishing the viewers reality is to simply state the problem that email or even SMS, has. That being you… Continue reading ETTS™ Framework
Cyber Social Engineering
Social engineering is a vast topic which thoroughly deserves its place as a foundational element of all things security. As long as technology still allows us humans to interact with it — and while we wish to keep certain things away from public view — social engineering will have a crucial role in defeating both… Continue reading Cyber Social Engineering
I socially engineered a social engineer. Here’s how.
Whilst I knew I had put a lot of thought into my pranks, as I edged closer to the infosec industry I did think the ‘prank’ label might not be doing me any favors. I’d gone with ‘EMAIL PRANKSTER’ as it was literally descriptive and added a clown horn to what I was doing, which… Continue reading I socially engineered a social engineer. Here’s how.
Inbox Hypnotism™
It was back in 2017; whilst I was co-writing an article with Dr Ian Levy, the Technical Director at the NCSC, that I first used the term ‘inbox hypnotism’. It seemed to perfectly describe the symbiotic state someone lost within their emails slips into, as their subconscious takes greater responsibility for peripheral processes. Being ‘In… Continue reading Inbox Hypnotism™
My Wall Street phishing trip
Fast trying to rationalise my targetting of Barclays Bank and the Bank of England I felt a trip across the pond was in order – let the dust settle. It brought with it more challenges: time zone differences, subtle language variations etc. But I was very keen to see how the US stacked up against… Continue reading My Wall Street phishing trip
Spear phishing the White House. Twice.
To me it seemed the most natural thing in the world. That once I’d concluded my pranking spree on Wall Street, and in lieu of a reply from Fort Knox (seriously) I would turn my sights towards email’s golden goose egg; the White House. An iconic symbol of global dominance and security, I reasoned that… Continue reading Spear phishing the White House. Twice.