Social Engineering During Job Interviews

 

Recently, I got an email from a fan of Social-Engineer.Org, Chris Hammond (thrasher). He has read the book, listened to the podcasts, and read the newsletters. He recently had a chance to try his newfound skills in a job interview, wondering whether they could give him an advantage.

We caught up with him and had the following conversation.

SEORG: Chris, thanks for talking with us about this experience you had. Can you tell us what you do presently?

thrasher:  I work as a consultant for a large firm where I do mostly security, privacy, and governance related consulting. I have never done an SE engagement, but I am a huge fan of all your work.

SEORG: If you do not do social engineering during your engagements, can you tell me what opportunities you have to actually try your hand at these skills?

thrasher: I was recently invited to interview for a health sector privacy contract. I got to thinking that some of the SE concepts I heard about during your podcasts with Kevin Hogan and especially, Robin Dreeke, could really make an interview go smoother.

SEORG:  That sounds interesting... what did you get a chance to try?

thrasher: I started out with the premise that if I could build a rapport with the interviewers, I could then try to make them want to help me out by awarding me and my firm the contract over other candidates.

SEORG:  Excellent.  What was your plan to do that?

thrasher: I actually had a very specific rapport building plan as follows:

1. Smile with eyebrows raised;

2. Use an endearing head-tilt;

3. Use lots of eye contact - but not too much so I am not creepy;

4. Mirror my interviewers' body language;

5. Focus on listening and talk only when necessary; this one was really the opposite of my past job interview behaviors, where I focused primarily on getting key messages across.

6. Look out for their physical signals as much as possible; and

7. Use no pretext and stick to drawing deeply on my own experiences - especially where I felt my experiences overlapped with theirs.

SEORG:  Wow, that is really detailed.  Did it work?

thrasher:  Yes, after a short amount of time, I detected that a reasonable rapport had been established.

SEORG:  How did you know?

thrasher: They started to share past compliance horror stories and to joke about how IT and privacy people often do not see eye-to-eye.

SEORG:  Excellent indicators.  So what did you do to take it to the next level?

thrasher: I tried giving them an opportunity to help me out. I told them, quite truthfully, that I had done the kind of work they needed on multiple occasions in the past; however, I had worked overseas for three years and needed to get back in the game. I needed to learn what had changed in the local regulatory regime. This contract would be a great opportunity for me to do that.

SEORG:  OK, so let me get this right, first you used some excellent SE skills to build a strong bond of rapport, then you literally just told them the truth?  How did this work out?

thrasher:  (laughs) Yah, it was quite interesting and way different from my past interviews, but the conversation went long and personal.  A week and a half later, my firm was awarded the contract. 

SEORG: Congrats! And excellent work.

What Can We Learn?

What I personally find interesting is how the principles of social engineering are used in many aspects of everyday living. This is a classic example and one that was very effective.

Being an effective social engineer means being a good communicator, whether that is written, verbal, or non-verbal. It is not always about "tricking" someone into believing something they shouldn't or don't want to. Thrasher showed us that by effectively communicating his skill set and abilities, he made it clear that he and his firm were the wisest choice for this job... and they got it!

To bullet out what you can take away from this account:

  • Communication is key - communicating effectively can make the difference between success and failure
  • Building rapport - enough cannot be said about how important it is to build a strong bond quickly
  • Truth - telling the truth in communications can be a very effective tool in social engineering

 

In the end, thrasher states that he is not a social engineer by profession and doesn't view himself as one, but he learned a lot of these skills from the book, newsletters, and podcasts.

Thank you for sharing this with our team and taking the time to talk with us.

Do you have a similar story or account of success?  Contact us at [email protected]

 

Written by Chris Hadnagy

 


 

 

 

 

 

 
