The Story

It started as an experiment. In 2016, from a laptop in Manchester, I registered a lookalike email domain and sent a message to a senior White House official. The reply came back within minutes. That first success led to another, and another. Over the next few years, I sent more than 150 lookalike emails to some of the most powerful and security-conscious people on the planet: Wall Street bank CEOs, UK government ministers, Hollywood executives, heads of intelligence agencies. Almost every time, they replied.

The media picked it up. BuzzFeed News broke the White House story. CNN put me on air. Jimmy Kimmel turned it into a segment. I earned a Wikipedia page and a reputation as the Email Prankster. But the label never quite fit. I wasn’t trying to embarrass anyone. I was trying to understand something: why do smart, protected people fall for the simplest tricks?

The answer wasn’t what anyone expected. It wasn’t about technology failing or security teams sleeping. It was about established behaviours — the unwritten rules of how people communicate in professional settings. Reply quickly. Don’t question the boss. Trust the domain name. These behaviours are so deeply embedded that even the most security-conscious people in the world follow them without thinking. I wasn’t exploiting software. I was exploiting culture.

That realisation opened doors I never expected. The US Secret Service invited me to brief their agents. The UK’s National Cyber Security Centre asked me to collaborate on research with their Technical Director, Dr Ian Levy. I worked with the Financial Services Information Sharing and Analysis Center and the National Cyber-Forensics and Training Alliance to help banks understand the human side of business email compromise. I went from being the person demonstrating the problem to the person helping organisations understand it.

Along the way, I developed frameworks to explain what I’d learned. Inbox Hypnotism describes the trance-like state people enter when processing email — the automatic, unquestioning compliance that makes social engineering so effective. Ask&Do maps the behavioural triggers that attackers exploit to get people to act without thinking. BattlePhish is a live social engineering exercise I run at conferences, where the audience watches an attack unfold in real time and learns to recognise the patterns before they fall for them.

I’ve spoken at events around the world — from Mercedes-Benz boardrooms to cybersecurity conferences — sharing these ideas with audiences who thought they were immune to social engineering. The talks are part storytelling, part live demonstration, and they tend to leave people rethinking everything they thought they knew about email security.

Today, I’m Product Innovation Specialist at QuilrAI, where I’m building the tools I wish had existed when I was on the other side. QuilrAI uses AI to help organisations detect and respond to the kind of social engineering attacks I spent years demonstrating. It’s the natural next step: I showed the world how easy it was to exploit human behaviour, and now I’m building the technology to fight back.