This Week on What the Hack: DEF CON’s Social Engineering Village

At DEF CON’s Social Engineering Village, contestants have 22 minutes to charm real employees at real companies into revealing real details that could lead to a breach. We step inside the booth to see how persuasion, improv, and psychology fuel both ethical hacking and the rise of cybercrime worldwide.

Episode 213

Ep. 213: “Inside DEF CON’s Social Engineering Village”

“What the Hack?” is DeleteMe’s true cybercrime podcast hosted by Beau Friedlander.

Beau: Here, we’re recording. All right. It’s 6:50 in the morning. It’s already 100 degrees outside. I’m heading to Room 317 in the massive Las Vegas Convention Center West. This is DEF CON, a hacker convention. Specifically, I’m going to the Social Engineering Community Village where hundreds of people are going to watch contestants talk their way into other people’s lives. It’s part improv comedy, part cosplay, and very much a psychology experiment.

Speaker 1: We came last year at 7:30 or so, and we barely made it in. So being that this is such an interest to me, we got up at 4:45, went to Denny’s for breakfast. By about 6:30 we came to sit in line. I was not missing this today at all.

Beau: She is not alone. By the time the doors open, the line stretches down the whole convention center, like literally a couple football fields, all of them to watch a game where you win by getting someone to trust you. I’m Beau Friedlander and this is What the Hack, the podcast that asks, in a world where your data is everywhere, how do you stay safe online? If you’re picturing Tom Cruise hanging from the ceiling, breaking into a static-free room, that’s not this. Social engineering is hacking people, not machines. It’s finding the right combination of charm, authority, and curiosity to get information you probably shouldn’t have. It’s also the way romance scammers get people to hand over their life savings, and it’s the root cause of many enterprise-level data breaches. Here at DEF CON, you can see it happen in real time. The day started early, so if we sound chill, it’s because we’re still… I mean, I haven’t slept yet.

Beau: Are there criminals in the community here learning more about social engineering or is it mostly security people learning how to stop it?

JC: I made that joke last night as we were setting up. I really don’t know what the dynamic is in terms of having people register. DEF CON’s cash-only venue so people can come and go. We don’t do any types of checks of who comes in, but in who we talk to of who frequents, when we get into conversations, I think we’ve primarily identified: we have your practitioners—so people in pentesting companies, people that do internal pentests for organizations where they might be a security analyst or a security engineer, and they’re also taking up internal testing. We have teams that are building out internal security awareness programs. So, and this is probably who I think is best suited to come see the village.

Beau: I talked to JC, that’s all I’m saying. I do know his real name, but I’m a privacy dork. And his partner, Snow—and yes, that’s her hacker name. They run the social engineering community village.

Snow: Essentially we have pre-selected teams and they’re given a target company and they have weeks to do research on this target company and try to find objectives. So everything they’re doing is before they even step foot into DEF CON.

Beau: And does the company exist?

Snow: They are real companies. Yes. And so these teams are practicing, they’re working with coaches. They’re figuring out their pretext, who they wanna call, all of this pre-work where they’re spending hundreds of hours. And then the second part of the competition happens live in our soundproof booth, where they place real calls. They have 22 minutes to place as many phone calls that they can to capture as many objectives. So we have a scoreboard and you can see how it’s broken out between the remote phase and then the in-person call phase.

Beau: So we get to hear exactly what they’re doing. And as if we were at a football game go, “Oh, come on. That was the wrong call.”

Snow: Yeah, or my favorite part though is when they actually get stopped. If someone’s like, “This sounds like a security threat,” or something like that, and it stops ’em in their track, but you’ll hear the crowd in here applaud, ’cause that’s what we wanna see, right? We don’t want to see this be successful.

JC: And that’s one of the big takeaways, is you really have, apart from the visceral reaction and this situational irony of being in the audience and knowing what’s actually unfolding, you have two takeaways. One is as a practitioner to see how you can improve your craft, right? How to do better, and then as a defender, when a company gets stopped, you can hear how their process is built. For instance…

Beau: Usually the only people who get to hear this stuff are criminals or, you know, the people at the companies that are being targeted. The phone calls, they’re not even posted on YouTube. In fact, to record any of these phone calls or any of the contestants doing their thing is a federal crime. It’s wiretapping.

JC: Because you are not party to the conversation, that would constitute wiretapping. So nothing is ever recorded. Everything’s just essentially played live.

Beau: So they’re locked away maybe as evidence or very deep in a corporate training manual, or the thing that the training manual is based on. But here at the social engineering community village, anyone from a seasoned pentester (that’s someone who tries to get in), to a curious high schooler who is probably even more curious can walk in and watch a live demonstration of how human trust works and how it can be broken, and they can even try their hand at it.

JC: Because you’re seeing social engineering in real time by real practitioners at various levels. And so it actually gives you something to see, where typically with social engineering, especially in the voice or in the physical realm, we can only tell stories about it. You never actually see it in practice. A phishing email, you know, there’s evidence of that. Everybody can review it and everybody has reviewed it. But a phone call, that’s really reserved to only companies that have those call recordings because that’s part of how their business is set up, and then they get hit and then they find the call and are able to re-listen and see how it works and dissect it. This lets anyone at any level see how social engineering works, person to person.

Beau: The rules are simple. Contestants sit in a soundproof booth with a headset and 22 minutes to call real businesses, trying to get as many objectives hit as possible. An objective might be the name of the company’s antivirus software, what kind of biometric authentication they use, what kind of coffee they stock in the break room. It’s really real-world details that are stepping stones to a bigger breach. In the village, they’re just points on a scoreboard. But before we get into why people get good at this, we should talk about why there’s so many people waiting to see it, to sit in a dark room and watch it happen.

Will: That’s the beauty of social engineering. It’s troubleshooting the mind of a different person.

Beau: Troubleshooting the mind of another person sounds creepy. That’s what makes this different from code or network hacking. Every target is different, every conversation unpredictable, and the best in the business can make it look effortless. At first glance, this all might look like just another DEF CON spectacle, like the Lock Picking Village or the giant Capture the Flag competition. But social engineering is a little different. It’s more personal. And for the people who come here, the motivation to get good at it runs deeper than bragging points.

Ellis: At the end of the day, these are all sales techniques. You know, we’re selling some sort of falsehood to get us information, but it’s the same kind of techniques that salesmen use to sell more cars. And so it’s not just information security; it’s also a wider protection of yourself against scams and influence widely. And so, you know, it’s for everyone and so it really is just social science and communication at the end of the day. And, you know, how do you understand it? How do you deal with it? And, you know, how do you prevent it from being used on yourselves? And how can you use it for your own gain without crossing any ethical boundaries?

Beau: Ellis is one of the competition judges. For him, learning these skills is about a lot more than just defending against hackers. It’s about understanding how influence works and how to use it responsibly. But not everyone here comes from the security world.

Megan: I love this. My husband will tell you that I should be a social engineer. So for me, this is just my area. I love it. I love to see what people can come up with for these on-the-spot, essentially improv situations, even with months of preparation.

Beau: This is Megan. She’s not a hacker. She’s not here on a work trip. She’s here because she loves the game, the quick thinking, the human chess match. The costumes, probably; I didn’t ask her. So much so that she gets up literally at four in the morning to make sure she has the first spot in line.

Megan: I think it’s the con game part. Because for me, I’m a very good rapport builder, so obviously I like to see that aspect. But I’m a very big truth teller, so obviously no one’s doing this with ill intentions. And I think that’s why it fascinates me so much, is just they are doing it out of, I don’t wanna say the goodness of their hearts, but they’re helping a company learn where they’re vulnerable. But you’re doing it in such a creative way and you’re having to yes, build that rapport initially on the spot with somebody in 90 seconds. And just once that rapport is built, how much information they’re able to gain and how quickly that rapport helps to get all this information that normally you shouldn’t be able to get so quickly.

Beau: Megan is not the only person waiting to get in. Hey, what’s your name?

Doobie: Uh, Doobie.

Beau: What are you hoping to learn today?

Doobie: I mean, I feel like I’ve known about this competition, told so many people for so many years. I’ve been wanting to check this out for years and never had. And, you know, some people that I know here told me, “Get here early; the line gets crazy.” I think it’s already gotten pretty crazy. So, I’ve just been kind of excited to get here early and actually see it, get a good seat and really kind of experience it.

Beau: Do you work in InfoSec?

Doobie: I do, in application security. But I feel like social engineering specifically touches everyone, no matter what field you’re in. It’s really cool.

Beau: It’s the entertainment part of what we do.

Doobie: Yeah. Oh, I think it’s super interesting. Social engineering really applies to everyone and everyone is being attempted to be socially engineered, you know, hacked by threat actors.

Beau: If not by threat actors, then by giant companies like Meta.

Doobie: Oh, absolutely. Absolutely. Yeah. I mean, it’s just the psychology aspect to it and the overlap, and even how AI is being used now. I’m pretty sure they’re having some kind of AI competition aspect of it later.

Beau: For others, it’s not about the thrill of the crowd, it’s professional development. It’s their day job. What’s your name?

Teresa: My name is Teresa and my handle is R-M-T-P.

Beau: Okay. So we’re at DEF CON. We were just in the social engineering community and you guys competed. What is your day job?

Teresa: Well, right now I’m on the defense side, so blue team, but until like one year and a half ago, I was part of the red team for a consulting company. And in there I was doing physical intrusions, using social engineering, phishing calls, phishing emails, sending phishing emails and creating all the scenarios behind it.

Beau: In security jargon, red team means you are the hacker hired to break in so the client can learn where their weaknesses are. For Teresa, social engineering isn’t a hobby. It’s part of her toolkit. What’s your name?

Ayub: My name’s Ayub Jabril Yusuf.

Beau: You have a handle you go by?

Ayub: White Cyber Duck.

Beau: Okay. So tell me a little bit about your experience today, getting the Starbucks people on the phone, who you talked to.

Ayub: Yeah, so I picked places in the South and also for time reasons, like it was a less busy time of day for them, and for the stereotypes maybe of hospitality.

Beau: And now why would you want to choose nice people over not-nice people?

Ayub: Because nice people will give you the time of day. I’m sure if you call someone in a very busy city and they have a busy day going on and they get accosted all day, it would be very difficult to have them participate in a long-term conversation with you. But if you find people who have the time of day, you say their name, if you talk about something they care about, then they might have the time to give you the time of day.

Beau: So, here’s the problem. The fastest growing cyberattacks don’t start with code. They start with a conversation. A well-placed question, totally chill. A little too much trust because, well, you got the good vibe. And before you know it, someone’s handed over the keys to their account, their company, their life savings. We’ve seen what social engineering is and how it works, right? It’s hacking people, not computers. And we’ve met some people who are learning how it works. So there’s curious fans and there’s seasoned pros. And all this matters because the same techniques used on this stage are being used right now by criminals and even hostile governments, situations that we potentially all may face in one way or another. And if the bad guys, the threat actors, get better at this faster than the good guys, we’re all gonna lose ’cause anyone can be targeted, right? It’s from a Fortune 500 CEO to just you at work answering the phone today. So after the break, we’ll step inside the booth with the competitors, hear how they think on their feet, and learn the psychological tricks that make strangers spill their guts. And by the way, that wasn’t a pig-butchering reference. The booth is a soundproof isolation tank. Basically, you get a headset and you get a countdown clock with 22 minutes to call numbers on a list for the target company, and some objectives, right? There’s also an opt-in heart rate monitor that the readout appears on the video feed that the audience is watching. Note to SEC, that’s actionable private health information. “Hey, this is Beau from Dr. Heartdude’s office. Dr. Heartdude wants to talk to you about your bradycardia.” Yeah, I do want to do this competition. Anyway, the contestants spend months conducting OSINT, or open-source intelligence, figuring out how they’re gonna do this, and using that information, they devise pretexts, basically scenarios. This is who I am, this is why I’m calling. 
Some of them have more than one pretext, and each will involve a costume change, which is pretty funny. Can you just tell me your name?

Will: I’m Will or Triggered Sloth.

Beau: And how long have you been coming to DEF CON?

Will: This is my third year.

Beau: What do you like about it?

Will: Everybody is always learning a new way to social engineer, the new hot thing. ‘Cause there is always some new hot thing you have to figure out. And that’s the beauty of social engineering. It’s troubleshooting the mind of a different person.

Beau: Troubleshooting the mind of another person means reading tone, catching subtle cues, and adjusting in real time, all while staying in character, right? It’s part improv theater, part poker face, part therapist. The first move in almost any successful call is finding common ground. A good social engineer isn’t just asking for information; they’re making the other person want to give it to them. Here’s Teresa again.

Teresa: That’s why I started like impersonating someone from IT, because usually when someone from IT calls you, you are willing to answer all the questions because typically you have issues with internet connection. You have issues with the software, the browser, everything. So usually you give away the browser version, the operating system, like the guy just did. And also since the guy was willing to respond to any of my questions, I just thought, okay, I’ll try the badge one. So I needed him to describe the badge for me, and he did, and that was awesome because he didn’t have only one, but he had like two badges with him. So he described both badges for me. So that was really, really cool. But the strategy that I used for all the pretexts that I wrote was, “Correct me if I’m wrong.” So I’m just saying, “Oh, you are using Windows 10, is that correct?” And they’ll say yes or no. And that’s easier for the person on the other side to answer and you’ll get a point right away or a couple of points.

Beau: Impersonating IT works because it feels helpful. The person on the other end doesn’t think they’re being hacked, they think they’re being assisted, and that flips a powerful psychological switch: compliance.

Seth: Coming into this, we were genuinely so scared. We thought we would get caught. We thought we would fail, but it somehow worked in our favor. I think a lot of that fear helped push us to keep working on our pretext to make it the best it could be.

Brian: It’s honestly wild that we called them with the pretext, they instantly said no, and then we’re just like, “Oh, shoot, this pretext doesn’t even work.” And then we just call another number and instantly get some guy who like doesn’t care at all, doesn’t verify us, and just answers all of our questions. It’s crazy.

Beau: Even high school competitors are really good at this. Actually, kind of frighteningly good.

JC: We have a pretty big student contingent.

Beau: Here’s JC who runs the social engineering community village again.

JC: This year we have a high school team. We extended a seat to them as a prize essentially to let them come to a bigger showcase and demonstrate their skills.

Beau: By inviting students, they’re hoping to shape a new generation of security professionals, showing them that the skill set they’re learning here can be used to protect people, not just exploit them. What’s your name?

Seth: I’m Seth Williams.

Brian: Brian Ho.

Beau: And you are their teacher?

Josh: That’s correct. My name’s Josh Chin.

Beau: The same script that hits the jackpot with one person, the information jackpot, it might completely flop on the next call. Now, I can tell you when we were in the audience and that guy said he hadn’t checked his email for a year, the whole room cringed. What went on through your mind when he said that?

Seth: I think I was sort of in that competitor mindset of just go with whatever happens. I have these objectives I know I need to get, and we’re on a time limit here, so I can’t let that little thing catch me off guard and I need to keep moving.

Beau: One thing I noticed was both of you, now when I saw you sitting in the audience, I thought, “Whoa,” ’cause you were really focused. When you got in there, it looked like you were really focused, almost like an actor. Like you just went in and became what you needed to become. What was going on in your head when you started making those calls?

Seth: I mean, from my background in high school, you know, I ran track. So there’s some of these track meets or even cyber competitions, and there’s sort of that light switch that needs to happen, this lock-in for each of those moments to really do your best. And I think that’s something I’ve just learned over time and applied it here today.

Beau: How about you?

Brian: I mean, when he said he hadn’t answered his email in a year, I just thought that was hilarious. I was just laughing. I was laughing with the audience.

Beau: Now what was going on in your head when it was go time? 22 minutes to go, or 21 minutes and 58 seconds?

Seth: I mean, I was super scared, but thankfully Brian was the one starting off, so I was just like trying to help him prepare as much as I could, which is a little better for me than I guess if I had to start the call. And I got more comfortable over time, which I was able to do that last call a little less nervous.

Brian: Honestly, it was just that sense of fear, like that fear of failure and that fear of messing up that really, I guess, puts us in that fight-or-flight moment. We have to do this now, and we don’t wanna mess up. So it really requires all that mental focus to get there.

Beau: It was phenomenal. And I noticed that both of you said no to the pulse meter, when they brought you in there to check your heart rate. Did they ask you to do that thing?

Brian: Yeah, we just didn’t really want to.

Beau: I wouldn’t do it either ’cause it’s sharing personal health information. It’s absolutely no privacy there. Steven, tell me; you’re in college, yeah?

Steven: Uh, freshman right now.

Beau: You’re a freshman in college, rising freshman.

Speaker 3: Yeah.

Josh: So these guys were high school seniors. Yeah. Steven and Brian. So they just graduated and they’re both entering college this fall.

Beau: So Steven, tell me now, you’re part of this world. Are you interested in entering into cybersecurity?

Steven: Yeah, I like cybersecurity. I would like the critical infrastructure aspect of it. And it was kind of a really fun part of how we started out our social engineering because our social engineering focus was on critical infrastructure and at Temple University. So I remember the critical infrastructure and all the intersections of how it’s undervalued and people kind of dismiss it, but it’s so important to our world that it needs to be more looked at.

Beau: It’s the same competitive drive, right? Whether it’s track meets, a hacking call, or a cybersecurity career. And at DEF CON, you can watch that focus get tested in real time. Sometimes it holds steady, sometimes it snaps. In a single morning you can hear contestants crash into a brick wall, not get any pick-ups on those phone numbers they’ve got, and then two calls later, someone else sails right through an open gate.

Ellis: You go with the classic IT opener, like, “Has your computer been running slow?” or “Is there any issues?” And they’re like, “Well, yeah, actually it is.”

Beau: This is Ellis, one of the competition judges.

Ellis: Name’s Ellis. One of the judges for SEC. And you know, you kind of help them through it. And so even though it may be quite literally transactional, it’s like, well you try and actually help in those situations too.

Beau: That’s the other secret. The help doesn’t have to be real, but the feeling of being helped absolutely does. And that’s what builds trust. And trust opens doors. And here’s the thing: you can hear the audience react when a contestant pulls it off. It’s not just about the data they got, it’s about watching someone navigate another person’s mind in real time and win.

Ellis: Some people’s strategies, some people really like to have fun with it and some people are more focused on truly, you know, in 22 minutes, how much can I do? And I think stylistically…

Beau: There’s something about this event that can make you forget that in the real world, social engineering is the same set of skills used by scammers, phishers, and criminal gangs, which means the people who run this competition have to be very clear about one thing: this is not an event to train threat actors.

Ellis: You know, social engineering-wise, I think tends to toe a little bit more gray of a line where, you know, application security as well. Don’t hack a website that you don’t own. As simple as that.

Beau: This is not for you. That’s not yours.

Ellis: This is not for you. And social engineering is a bit more difficult because there’s a thin line between persuasion and manipulation.

Beau: That gray line is where DEF CON’s social engineering village lives. That is the nexus of the whole thing. Persuasion can be used to sell you a car or to sell you a scam. It’s the same psychological lever, just pulled in a different direction.

Ellis: You can take any piece of offensive security and you can do bad with it. That’s just how it works. But that’s what we try and emulate and make sure that the ethics drive our actions rather than making mistakes in those cases. And so it’s about finding that line and making sure that you’re pushing the security industry as a whole, whether it be social engineering or application security or any piece of it.

Beau: Here, the point is to raise awareness, to show people exactly how these techniques work so they’re harder to use against people. Here’s Erin West. She’s not a competitor. She’s an OG former prosecutor who now spends her time tracking down the bad guys and clawing back money that’s been stolen. I met her at Harry Reid Airport. She was on her way in and I was on my way out.

Erin: We are going to be looking at every single lever that can be pulled against these bad actors. We are going to be examining from top to bottom how they’re doing their dirty business, and then we are going to dissect it and figure out where we can make any kind of disruption. So I’m going to a village, I’m gonna be presenting on this and I’m going to be asking for help. I’m gonna be showing them what I know and I’m going to say, “Now let’s form our new coalition of disruption to take down these bad actors.” I think that what you’ve hit on is something really important that we should be talking more, and that is the psychological influence that these scammers have over victims. They’ve hired PhDs to figure out exactly how to manipulate people into moving money in a way that it gets stolen from them. Our enemy is the most sophisticated enemy that we have ever dealt with.

Beau: That’s the stakes. If the bad guys are hiring PhDs in persuasion, the good guys can’t afford to sit back and hope the firewall will be enough. Right? That’s not going to work.

Ellis: At the end of the day, it’s really just about communication, how do you understand it? How do you deal with it? And, you know, how do you prevent it from being used on yourselves? And how can you use it for your own gain without crossing any ethical boundaries?

Beau: The audience here laughs, cheers, groans. I can’t play it for you because of wiretapping rules, but it happens every time a contestant gets a win or hits a dead end. But the real victory is walking away with a new awareness of just how easily we can be convinced and how quickly trust can be turned into a weapon. I know Snow said earlier that the real victory is when someone says, “I don’t think I’m gonna do that,” but it actually happens less than the opposite, than people actually handing over information, and that is the problem. After the break, we’ll step out of that isolation tank and into the real world where social engineering is used to hunt criminals, track stolen millions, disrupt the lives of just normal people trying to live their life, steal money, run drug mules into Europe. Pretty bad. Inside the social engineering village, the stakes are measured in points. Contestants get the name of an antivirus program, that’s a few points. They get someone to describe their employee badge or the stupidest movie they’ve ever seen, that’s more points. But in the real world, those little wins can add up to a crime that drains a person’s savings, cripples a business, or fuels an international scam network. We’ve already heard from Erin West. She’s such a rockstar in this world, I could only make an airport interview work, because that was her schedule. Erin is a former prosecutor. She now runs Operation Shamrock, a coalition of investigators, law enforcement officers, analysts, and technologists who take on global cybercrime. Her team doesn’t just sit at desks, they pull at every thread, tracing stolen cryptocurrency, mapping criminal supply chains, figuring out how threat actors recruit victims, launder money and hide. All that. So what does disruption look like?

Erin: For me, it looks like making it more difficult, more expensive, more time consuming for them to do their work. We’ve got a situation where we have bad actors that are operating in foreign jurisdictions where we can’t physically go stop this. So what can we do to make it more difficult for them to do their work? Step one for recovering stolen assets is to get victims in front of a qualified investigator in the shortest amount of time possible, and so one of the things we do at Operation Shamrock is I’ve collected a group of the best investigators in the nation who know how to investigate cryptocurrency. They can get real-time connected to law enforcement who know how to do this and are doing this because they care.

Beau: Erin West and Operation Shamrock are going after the scam industry, right? That worldwide organized crime. Because of the sheer scale of the damage – talking big companies getting breached, retirement accounts wiped out, and everyday people losing their life savings – none of this is abstract. It’s about making the work these criminals are doing harder to do, making it riskier, making it less profitable, and doing it one human vulnerability at a time.

Erin: So the World Health Organization will tell you that we have an epidemic of loneliness in the world right now. And so we’ve got a lot of people who are just looking for companionship. They just want someone to be able to talk to, someone who hears them. So that is the social engineering game that the enemy has mastered. And what they provide is the most intense relationship that people have ever been in. And when they get out of this, they report that they felt heard, they felt understood, they felt cared for in a way they never had before. In fact, some of them say it was worth the loss just to have that relationship for a period of time. That’s how desperate the situation is.

Beau: So why is this happening? Because it’s possible.

Erin: This is knowing how to get people to do things they would not ordinarily do, and that is move their entire net worth. So yes, our enemy has hired PhDs. They have hired PhDs in computer science to figure out how to do deepfakes better. They have figured out how to create a completely plausible, to a regular person, relationship that they absolutely have no doubt is real and that they are going to live the rest of their life in a very wealthy way with this person who has taught them how to make smart investments in cryptocurrency.

Beau: Back in the booth at the social engineering community, the stakes are decidedly smaller, right? Just points and bragging rights. But the skills on display, they matter, and they matter on the stage Erin West is working with Operation Shamrock. Social engineering is a weapon. It’s something to drain a bank account, empty a retirement fund, or compromise a company’s most sensitive systems in the hands of a trained professional. And it can be used as a shield, a training tool to anticipate attacks, strengthen defenses, and close gaps before a threat actor can exploit them. And here’s the thing: once you’ve seen it, you realize these skills aren’t confined to shady phone calls or tech support scams, or a soundproof booth at DEF CON. Social engineering shows up everywhere. In sales, when someone builds rapport to nudge you towards signing a contract. In politics, when a candidate frames a message to bypass your skepticism and push the right emotional buttons. In customer service, when an agent calms you down just to keep you on the line, keep the conversation moving toward whatever their goal is. The mechanics are all the same. It’s rapport-building, subtle flattery, maybe offering help, getting a laugh, reading tone, matching it, knowing when to push and when to back off. It’s all just human psychology fine-tuned for persuasion, influence. That’s what makes this room so strange and so compelling. The calls you hear aren’t happening in some back office in Manila or… those are actually compounds, or a boiler room, another compound probably situation in South Africa with Black Axe or many other groups. They’re happening on a stage in front of a cheering audience with everyone in on the joke. But the moves are identical. The same little nudges that make someone give up a detail they didn’t plan to share, the same pivot when a conversation starts to shut down, the same confidence that keeps you sounding credible even when you’re making things up on the spot. 
The Social Engineering Village is part classroom, part theater, and part warning—a big part warning. It’s a live-fire demonstration, right? On how human trust works and doesn’t, and how easily it can be bent, nudged, or just broken. It’s like seeing a magic trick explained. Once you know how to do it, once you’ve seen the sleight of hand, you can’t unsee it. So in that respect, it’s super important and I recommend everybody get acquainted with how this stuff works. You leave this room and suddenly you see it everywhere. In the sales pitch, in the campaign speech, in the news. You know, “How’s your day going?” from a customer service rep, all that. You start hearing the moves, you start catching the tells, and that’s the point. Because the more you notice, the harder it is for someone to use your information against you, those moves against you, anything against you, because you’re listening, you’re looking, and you’re clocking everything.
Okay, it’s time for our Tinfoil Swan: our paranoid takeaway to keep you safe on and offline. Now, obviously we’re going to do this about vishing calls, right? When the phone rings, you know why it’s ringing? It’s ringing because your phone number is online. Really, there is a very good chance that’s why it’s ringing, and so you should consider getting your information removed. Personal information can be removed very easily. For instance, this show is made possible by DeleteMe, and it is according to Wirecutter the very best service out there to do that. Here’s the deal: A visher, a vishing scammer, they’re going to try to hook you. There are super simple tricks. They’ll create a believable story or a pretext. You heard a lot about pretexts just now. Maybe they’re calling from the bank or an IT department. They just need a little tiny weensy bit of information, and they’re already going to have some information about you to make it feel legit, and they have that why? Because of OSINT. Open-source intelligence. Okay.
Next, they’re going to build rapport. Now, they may do that by, “Oh, my cat just jumped on my lap. Hold on one second,” or they might have actually their phone right underneath their face playing some sound to make it sound like they’re at a cafe; maybe even people from a cafe at wherever you live speaking the language that is your target language. You don’t know. It’s going to feel okay, though, and that’s the point. Once there’s a little bit of rapport there, then comes the pressure. The caller will create a sense of urgency, telling you something bad is going to happen either to you or to them. They may be like, “My boss is going to kill me if I don’t figure out what’s going on with your virus protection program, because it’s not working according to our system over here.” Whatever it is, it’s designed to make you worry and do something. Finally, they’re going to ask for some information. They’re always going to ask for information. It might be via a trick like, “Hey, correct me if I’m wrong,” and they’ll ask you to confirm details. Bear in mind, they may have three or four details that are right and one that is wrong and the wrong one is the one they’re trying to get out of you. The secret is, don’t get caught up in that conversation. When you feel anything like this happening, hang up. If you’re really worried, call the official number and get in touch with the company that’s supposedly calling you. But I promise you, if it’s really that company, they’re going to send you snail mail or an email or they’re going to call lots of times, and you still want to go through the official number. And not the one in the sponsored listing when you did a search. If it says sponsored, skip it. Go down to the actual company and the actual SEO-driven result where that company resides, okay? So these are just a few tips to stay safe. Always when these calls happen, you need to stay chill, stay skeptical, and yeah, stay too busy for it. Get off the phone. 
That’s our Tinfoil Swan. Stay safe this week. See you next week.
What the Hack is brought to you by DeleteMe. DeleteMe makes it quick and easy and safe to remove your personal data online and was recently named the #1 pick by New York Times’ Wirecutter for personal information removal. You can learn more if you go to joindeleteme.com/wth. By the way, if you do use that URL, joindeleteme.com/wth, you’re going to get a 20% discount on DeleteMe’s product. So check it out, and again, stay safe out there.
