Ep. 325 - Security Awareness Series - A Crystal Ball for Mitigating Threats With Chris and Carter

[00:00:00] Chris: Did you know that there's been almost 30 breaches this year alone? And I'm sure if you're a business owner, you're sitting here like me, you wish you had a crystal ball, but you can learn what the threat actors are gonna do so you can avoid being their next target. That is the topic for today's episode of the Social Engineer Podcast, Security Awareness Series.

[00:00:20] Chris: This is episode 325. I'm Chris Hadnagy, CEO and founder of Social Engineer, LLC, Innocent Lives Foundation and the Institute for Social Engineering. This podcast has been around since 2009, and as we said last month, we changed the format a little. So every month we're gonna have one of our team members here on the show with us, with our topics.

[00:00:39] Chris: They're gonna get to choose that. And this month Carter is with us. Carter, introduce yourself.

[00:00:45] Carter: Howdy. I'm Carter Zupancich, and for the past two years I've worked with a great team here to uncover human-based vulnerabilities and use those vulnerabilities found to go ahead and improve our clients' security posture.

[00:00:58] Carter: Leading to, of course, uh, threat mitigation. So as a human risk analyst here at Social Engineer, I spend most of my days emulating the adversary, whether that be vishing, phishing, smishing, or other targeted social engineering engagements. And from time to time, I get to join Chris or others on the team to, uh, sweet talk our way into a building or sneak in at night.

[00:01:20] Chris: Carter has a pretty good talent at the, uh, the break-ins. A little scary. Um, when I, when he went with me on his first one, he had just a natural talent doing it. I don't know what that says, but we'll leave it there. Uh, as always, these episodes are sponsored by our company, Social Engineer.
So if you go to social-engineer.com, you can check out some of the services that we'll be even mentioning today.

[00:01:39] Chris: Now, one of them being callback phishing. What is that? Well, in the real world threat actors have been sending phishing emails to your company and offering tech support. The number that your employees will call, though, of course, does not go to your support system. It goes to theirs, and then they use that trust to basically gain information or access to your network.

[00:01:59] Chris: Well, we've simulated this. We call it callback phishing, and it's a service you can go check out at social-engineer.com. If you're interested in social engineering, we want you to join the Slack channel. So the link is in the show notes, and if not, you can hit up Carter or I, and we can get it for you. Uh, there's activity in there every day, people talking about all aspects of SE.

[00:02:16] Chris: There's even a job board. So if you're looking for career advice, come on in and you can ask. It's a family-friendly and legal place to discuss these things. Uh, also, I wanna take a moment to invite everyone to go to innocentlivesfoundation.org, our nonprofit. It's been around for eight years.

[00:02:32] Chris: We're over 585 cases at this point in helping law enforcement to geolocate and track people who traffic children and create child abuse material. We need your help. We need some donations to keep the mission going. So if this is a mission that sounds like something close to your heart that you can support, then go to innocentlivesfoundation.org and help us out by donating.

[00:02:52] Chris: If you're a parent or a caregiver, we have a lot of information on there that can help you. And last but not least, we're huge fans of the band Clutch, as you know here. We force everyone in the company to love them. No, we don't. It's just natural to love them 'cause they're awesome.
They allow us to use this music for the podcast.

[00:03:09] Chris: So if you like the music, go to clutchmerch.com. Give them some love and give them a shout-out, because as you might know, Neil, the lead singer, helped me start ILF eight years ago. So he is a very dear friend and we love their music. If you like this episode, give us a thumbs up or a like, and if you have any topics you want us to cover, put 'em in the comments on the YouTube channel, because we do read all those, we answer all those, and we will come back to you with an episode about what you would like to hear.

[00:03:36] Chris: Okay, Carter, let's talk about our topic today. What is it that you chose to have as our topic of conversation?

[00:03:43] Carter: Yeah, so you mentioned callback phishing here, which we'll get to in a moment, but, uh, the biggest thing we're looking at today is kind of the most prevalent, uh, TTPs, or tools, tactics and procedures, that we've been seeing.

[00:03:56] Carter: Out in the wild, whether that be all the way back to 2022, 2023 with your MGM, Caesars, um, attacks that most, most are, uh, familiar with, that initiated via a help desk vishing call. And kind of zooming, zooming up a little bit and looking at some of the more recent, uh, breaches, and initial breaches, I should say, uh, that have occurred from that.

[00:04:20] Carter: So as, as we know, most of these happen from a simple phone call. Uh, so that's what we're talking about today.

[00:04:27] Chris: Yeah. I think, uh, in the Verizon report, um, if I get this stat wrong, correct me, but I think it said that somewhere like 86% of all the breaches we see have social engineering as their initial launch point.

[00:04:40] Carter: Correct?

[00:04:40] Carter: Yes. Something, something up in that range, and another.
Stat that stood out to me even more recently is within CrowdStrike's, uh, Global Threat Report for 2025, which showed that throughout 2024 we saw an increase of 442%, um, for vishing, uh, related attacks. And that number stood out to me like crazy. And to your point too, the DBIR also pointed out somewhere in the 70 to 80% range.

[00:05:08] Carter: And is that, uh, that, that stat from CrowdStrike, was that just over the last year? That was, so that was their 2025 report. So that reflected on the whole year of 2024, they saw that increase.

[00:05:19] Chris: Yeah. I mean, I, I think what we're seeing here, at least what I'm noticing is, um, a lot since AI has gotten so advanced, I mean, we found a, we found a group outta the country of Georgia that was using an AI tool to take away their accents.

[00:05:33] Chris: So when they called, they sounded American, or they could sound British. And that's a big deal because, you know, we've kind of been trained that certain accents kind of put us on alert, you know, whereas if it's an American accent, we, we tend to trust it. So, um, the increase in, in vishing, I think, is also related to a lot of the technology that's available to these threat actors to help them be better at their job.

[00:05:57] Carter: Exactly. And I mean, even in 2023, we saw NSA, FBI, CISA, we're all warning about these synthetic, yeah, voice, synthetic video attack vectors. And, um, I'm not sure about you recently, but if you've received any, any calls, even some of my friends have received some calls that, uh, definitely sound of that, that scammy or, or malicious nature.

[00:06:18] Carter: Um, but they sound Canadian. They sound American, et cetera. Uh, so that democratization of access to these publicly available tools, um, same with, you know, LLMs for doing initial reconnaissance in OSINT. Mm-hmm.
And then using those of course to, uh, speed up the process of pretexting and creating more tailored attacks is another, is another item that's extremely prevalent nowadays.

[00:06:43] Carter: It is amazing how,

[00:06:45] Chris: um, good agentic AI has got at doing OSINT. Like, I'm very much, it, it's almost like, you know, I, I'm not one of those guys that says we're gonna be replaced by AI. That's not my, that's not my thing, but I'm looking at this like, holy mackerel. Like it does the work of like five people in one fifth of the time.

[00:07:04] Chris: It's, it's really crazy. And of course you need to verify everything that comes out of AI, and that's where I think humans will always stay. But we know that if we're using it, I mean, what do they call it on the dark web, FraudGPT, I think it's only, uh, 1800 euros a year. Anyone can have access to a full AI platform that writes phishing scripts, actually creates phishing emails and sends them, could do cross-site scripting, could write, uh, exploits and malware, could actually manage the, um, the shells that come in from, from malware-laden emails.

[00:07:35] Chris: I mean, the, the things that it can do is kind of ridiculous for 1800 euros a year. I think this is why we're seeing this increase in, in these, these kind of, um, tactics from threat actors.

[00:07:47] Carter: And with that too, just to add onto that, we even see a lot of the open source tooling out there that you can pair together with, um, something to enable, well, via MCP, to enable web access, to scrape websites, to your point, to go ahead and actually execute attacks.

[00:08:03] Carter: There's, I forget the name off the top of my head, but there's been a couple open source projects out there lately that have enabled that orchestration of agents across, um, multiple specialties. Like, like running your own red team. Hmm.
[00:08:17] Chris: It's interesting because, um, I was having a conversation with, with one of our, one of our clients and they were saying, you know, this, this Scattered Spider group, they must be just amazing at vishing.

[00:08:26] Chris: And I was under the impression that they were just like really amazing. And I'm not saying they're not, but I'm just, I'm now trying to, you know, goad them on. But I got to listen to some of the calls that were done between, um, Clorox's, uh, tech support company, uh, because that whole lawsuit went public, and it was like level one vishing.

[00:08:46] Chris: It was like, Hey, this is Chris. I forgot my password, and they're like, oh, let me reset that for you. I'm like, wait, wait, hang on, stop. Oh wait, time out. Really? Like I'm reading the script again. Like, no, that didn't just happen, and the next call was like, Hey, this is Joe. I forgot my password and I need you to reset it to this.

[00:09:01] Chris: They're like, okay, I'll do that. Like, what is happening? That is scary. When you think about in 2025 that vishing at that level is actually still working.

[00:09:13] Carter: Right. Able to call a help desk, no verification or validation of identity, no callbacks, no, to a trusted number, no second channel verification through internal message or any other trusted channel.

[00:09:28] Carter: Um, yeah, when you look at the transcripts of those calls, it's, it's pretty mind-boggling, to your point. That's like our level one, barely any influence. Um, and just asking for that, which is incredible, but also terrifying to see there. And I mean, a alleged, allegedly a, according to, uh, Clorox, there were supposed to be verification and validation procedures in place.

[00:09:52] Carter: Um, whether, whether those were done or not, um, based on the transcripts, it was, it was pretty eye-opening that such a breach could occur that way.
[00:10:01] Chris: And I think this is why, like when, when people ask us, um, well, there's supposed to be like these verification steps, right? So how would Clorox have known?

[00:10:11] Chris: Well, this is where auditing and testing come in, right? Right. Because the way they got audited was through threat actors, and then lost millions of dollars. But if you spend a little bit, a lot less money than the breach costs, to have your teams audited, you would've known that there were some people that maybe weren't doing ID checks or verifying, and then the problem can get fixed.

[00:10:32] Chris: Before the breach occurs, which is why I'm always so shocked. Like, we do it for our health, right? We go to the doctor and take preventative measures. We do it for our car. We make sure our brakes are, are done and our tires aren't bald. You know, we, we do it for our, our house to make sure that if a storm's coming that we're ready.

[00:10:48] Chris: But now we have this billion-dollar company and we're like, no, no, we're just gonna take our chances here? We don't really wanna do the, the work. It's a little shocking to me when I hear things like that.

[00:10:59] Carter: It is. 'Cause it goes back to, I mean, what, what we always talk about here, which is, while training is effective, none of it can be tuned, tailored, modified, or, um, had holes poked into it, uh, without having that testing along with it.

[00:11:13] Carter: So that, I mean, that goes back to what we discussed about call spoofing still being prevalent in the US. Yes. Um, and that goes back to actually validating and calling back a trusted number on file, some sort of second form of authentication. And another thing, Chris, that I think we've seen too in our testing is even some sort of logging or ticketing, no matter what is going on with the call, so that there's a log of, okay, this person allegedly, this, this person has called in three or four times and reset their password, or they've.
[00:11:51] Carter: Any other suspicious activity as well to go ahead and flag on that, which goes back to the reporting factor as well. That would stop us a lot

[00:11:59] Chris: of the time. Right? If, correct. If we're using the same target over and over to reset a password, and the, the next guy who went in there went, but you just did this 10 minutes ago, right?

[00:12:09] Chris: They'd be like, oops, uh, yeah, I forgot it again. Right. That would, that would really put a damper on our, on our style. Which is kinda like, you know, it's interesting, I know in the beginning we, we talk about callback phishing, and, uh, you know, we can talk about that not only as a service, but we, I think we should talk about that as a threat actor tactic, right?

[00:12:26] Chris: Because it's, um, you know, I can remember the days in this industry when you were able to spoof a domain. Right now you really can't. Right? Um, DKIM, SPF, all these things have kind of stopped it. So what do the threat actors do? They start buying domains. So now it is legitimate, right? Buying real certs.

[00:12:44] Chris: So they are HTTPS, right? So it's a whole nother level of looking at that. So now when the email comes out, it looks as legit as possible. And a company like, think about it, there's a company like Clorox. If you're gonna get a, an email from a tech support group that doesn't have clorox.com, it's gonna have the, the company's website.

[00:13:04] Chris: That means you're, that's a whole nother layer of, of the needing to be tested, because those emails come in, and I know just from us doing it with our clients, when someone falls for that level, that's first step. Oh, no, tech support needs me to call. I, I at least, and you can correct me 'cause you do way more, but.

[00:13:22] Chris: Is it almost always that they didn't just continue to fall for it? Like, do we get shut down

[00:13:27] Carter: after they've called in? Typically, not actually.
So if we look at numbers and just compare them to, like, our State of Vishing 2025 report, which showed, uh, human-to-human vishing. So when we're almost like cold calling into, uh, individuals or health, help desk agents, et cetera, we're seeing a, a compromise rate of somewhere around 31 to 31.1%, um, within that data set.

[00:13:52] Carter: And just based on our initial numbers within some of our client campaigns on the, on the callback phishing side, we're seeing upwards of 92-93% compromise. Um, when individuals are calling in, 'cause they've already, they've already taken that initial step of, quote unquote, falling for the phish. Mm-hmm.

[00:14:12] Carter: And they're trying to figure out, uh, what is going on, what the ticket might be about, what, whatever the, whatever the initial, uh, pretext is. But ticket, ticketing is something that we've seen, um, a lot of success in as well. And when you're calling in like that, you're expecting to verify yourself, uh, mm-hmm.

[00:14:32] Carter: To the malicious individual, or us that are simulating the attack.

[00:14:37] Chris: You think about the principles of why this works, right? I mean, you know, Cialdini talks about consistency and commitment. Exactly. So the, once we've committed to a decision, our brains really, really love consistency. So if that person looks at that email and says, this is real, and now they call in, they're, they don't wanna step back and go, wait, I was wrong.

[00:14:57] Chris: They have to continue to be, this is real, this is real. So I think that's why we see this 93% success ratio, for a compromise ratio, I should say, not success, because that's a terrible way of wording it. But it also brings up another thought, is that, um, that might, that might be showing that many companies have ineffective, uh, phishing testing.
[00:15:18] Chris: Because if we're seeing 93% compromised, then that means 93% of the people are getting the phish and not recognizing it as a phish to report it, and then taking the step of actually calling in. So that tells us that a lot of companies' phishing programs, real, you might really need to start looking at those and say, what, what are we doing wrong here?

[00:15:38] Chris: Why can't they catch this thing as not being a real email?

[00:15:40] Carter: A real email? Right. And it goes back to expectations. But before I step there, I do just wanna make a quick clarification to that. 93% is, of those that called in, mm-hmm, is the compromise rate. Yeah. So the, the overall rate that fell for the phishing email is significantly lower.

[00:15:57] Carter: Okay. Um, I don't have the number in front of me, but I be, believe it was less than, uh, eight or 9%.

[00:16:02] Chris: Okay.

[00:16:02] Carter: Um, that's in total. Okay. That's good. That's a good clarification. But the expectations part is, is important to your point, is how are we expected to receive our tickets? How are we expected to reach out to our support, our tech, our IT help, uh, whatever it may be.

[00:16:21] Carter: That's what we're, we're seeing that both with callback phishing and we're of course seeing that with vishing, where we're reaching out to people and they might not understand that IT, HR, whatever the pretext may be, they aren't supposed to be reaching out via phone. They're supposed to be reaching out via email or, you know, instant message through, pick your platform.

[00:16:41] Carter: Uh, so that expectation component is important too.

[00:16:45] Chris: Yeah, I think that's, um, that's a really good point, because that, that can apply. That point can apply to anything, whether we're talking about your company or your family, right? So we could say, how many times, grandma, have I called you and asked for money?

[00:16:57] Chris: 'Cause I'm in prison. Right?
That's not happened. It's not my, it's not my MO. Right. So if that happens, maybe you think, hey, that's a little weird. Like, I need to verify this before I just send Chris $5,000. 'Cause I've, this is a weird story, you know, I'm gonna, I'm gonna call his wife and find out if he was really in Mexico over the weekend.

[00:17:13] Chris: Right. So, right. Second factor. Exactly. Yeah. Second factor. Right? Because the verifying part is, is, you know, again, whether we're talking about your family or your company. Uh, it's, I think it's one of the really biggest pieces that we don't see happening, right? So let's, let's talk about some of these controls, um, on hardening help desks or anyone really that, that can be a victim of phishing.

[00:17:35] Carter: So we'll touch on a couple of them and then I have a story that I wanna just use to illustrate some of the ineffectiveness of just piecing some of these together. Mm-hmm. And not doing kind of the whole, the whole, um, set of, set of guidelines and principles. So we've already talked about, uh, clear expectations.

[00:17:52] Carter: So set, making it clear from hiring, or from whatever the process changes, that, uh, Chris, support is only going to reach out via a trusted, via an internal domain. Um, so via email, they're only going to reach out this way. They're never going to call you.

[00:18:10] Chris: Uh, and, and let's touch on that just a little more, because I think there's, this is a really important point.

[00:18:14] Chris: This, this expectations. I can't tell you how many times I've seen, even in, in some of our clients or past clients, expectations like this: Don't click on malicious links. True, specificity is important. Yes. What's a, what, my question is, what is a malicious link? How, how are you telling your people to identify a malicious link? Report.

[00:18:38] Chris: Um, phishy phone calls. What's a, what's a phishy phone call? Yeah. Right.
I don't, I mean, like, so if you're telling, telling someone who doesn't know anything, maybe never even heard the term vishing, and now you're telling them to report, and they're, and this is a call, this is a customer service rep. So they're constantly getting people who are yelling at them or mad at them, or, you know, don't know anything and they're, they're upset.

[00:19:01] Chris: But now you're saying, report this. Well, I think, to, to your point about giving the expectations, they need to be specific expectations. Like, like what you're saying, HR will never call you and ask for your social security number without a verification. So if that happens, report that call. Right, right. You know, and I think that is like such an important piece of this initial puzzle, because.

[00:19:23] Chris: And, and having it more than just once a year, like something on their desktop. That's the biggest point there, right? Yeah. Yeah. I, you know, you tell me something now, and then you ask me, and I don't know, I, I was gonna say three months, but how about a couple hours? I'm probably not gonna remember it right now.

[00:19:38] Chris: If you gimme a long list of rules, and let's say you are specific, let's say you actually got specific and you say, okay, oh, if this happens, don't do it. If this hap, you can get as specific as you want. But if you expect that person to remember all that when they're now doing their job, that, that, that expectation

[00:19:54] Carter: on your part is really unfair.

[00:19:56] Carter: Too much cognitive load. Yeah. Yeah. And on the side of, like, help desk agents too, what we've seen effective with our own clients is, let's just say this is a customer-facing help, help desk for, insert whatever activity here. If you, maybe even to simplify it further, we've seen a few say, hey, only customers that have a legitimate, we'll say.
[00:20:19] Carter: Number, or what, whatever it may be, account number, case number, et cetera, are calling this line, no one else. And that, and that keeps it very simple, where instead of having to identify what's suspicious and what's not suspicious, you just say, hey, someone claiming to be, uh, from IT, HR, whatever the pretext is.

[00:20:38] Carter: No, they're not a, they're not a customer. They don't have a valid account number. We just don't do that. Yeah. Um, and some of, some of that keeps it very quick and efficient. And I know myself, along with the team, has seen that be very effective, especially for help desks that are customer-facing. And they'll just immediately shut us down.

[00:20:56] Carter: 'Cause they're like, you're not a customer. Sorry.

[00:20:59] Chris: And what I like too is we have a customer that has, um, their call center. To reset a password, you need X, Y, Z. So let's not say what it is. But you need, you need these, you need these data points. Yes. But they can't see the next data point, so you can't even elicit it out of them.

[00:21:16] Chris: It only tells them if it's right or wrong when you give them an answer. So, let you know, let's say it's dog's name and I say Fluffy, and they type Fluffy, like, nope, that's not right. And they can't see the right answer. And I'm like, that is genius, because, you know, people wanna help. I mean, I know there's one phone call, the guy's like, I'm really sorry.

[00:21:33] Chris: You know, I, I don't, I don't know what I, that's not the right answer. I don't know what to do. I can't see it. They want to help. So we don't wanna make a customer service agent rude. The person wants to help. But if you disable them from being able to give the information out, now it doesn't matter how good the hacker is, or the threat actor, they're not gonna be able to get the info.

[00:21:54] Chris: I think that's a really great way of handling that.

[00:21:57] Carter: Yeah.
And there's, there's some, we won't name, like, specific software. Yeah. But there's some great tools out there as well that do, that do this exact thing, that I believe that a specific client was using, where they cannot do, they cannot proceed. They cannot reset the passwords or.

[00:22:12] Carter: Um, move laterally and, and start to jump to different accounts like we saw with that, uh, Clorox and Cognizant, um, story there, which actually initially happened too in 2023. And this is just now the lawsuit happening and being resurfaced here, so, yikes. It is extremely prevalent even now. Um, but with that, aside from expectations and, and setting those very clearly to be specific.

[00:22:36] Carter: Also, another thing that we've seen effective is arming them with the exact language to use, so they don't feel like they have to make up something on the fly. They just have a short line. Like, I'd be happy to help you if you contact me through the approved channel. Mm-hmm. And not even giving any specifics, just, this isn't the approved channel.

[00:22:58] Carter: I'd be happy to help if you went through there, and just, yeah, giving them language.

[00:23:02] Chris: I think that is a really, really good tip, um, giving, giving that out, because I think a lot of times when, you know, you have this customer service, their job is to help. Now they can't help, and they might not know what to do, what to say. By giving them a nice little script, um, that, that really could make the, put them at ease.

[00:23:21] Chris: And I think what it also does, something I always talk about, is a lot of times we find employees don't feel empowered to take the right action if the right action might be turning a, a customer down. It might be saying no to someone of an authority in the company. So you need to empower them to have the language to be able to say, this is not the way we do this in this company.

[00:23:43] Chris: So, no, I'm sorry.
We are, we're not gonna go this route. Like we know here, you're never gonna get a message from me on Telegram asking you to buy gift cards, right? So, so if you get that, verify it. Which, that comes up to another point. What do I mean? How do we tell, what should be our advice on verification?

[00:24:04] Carter: Sure. So there's a couple ways to go about this, and depending on the sensitivity, I'd say that can change things. But what we've seen here is, number one is just secondary validation through some sort of trusted channel. So like we've already said, someone calls in, they claim to be, uh, Josh, whoever, um, calling in to reset their account password, to reset MFA 'cause they got a new phone.

[00:24:30] Carter: Uh, something like that. Number one is having that initial callback. 'Cause even if it looks like it's Josh calling on the phone here, it may be a spoofed number. And if you call back to that legitimate line, that's how, number one, we can thwart that one vector. And then the second point, of course, like you said earlier about, uh, grandma received a call from Chris talking and asking for money or something like that, reaching out to a second trusted party through a trusted channel to say, hey, is this legit?

[00:24:57] Carter: So that might be a supervisor, that might be a direct manager, and loop in another trusted party into the conversation to make sure that more than just one individual is, is knowing about this, about this specific reset, MFA reset, whatever it may be.

[00:25:15] Chris: This comes back to the empowerment, um, point again, because, you know, you're, you're, these steps are going to, if, let's say it's a real, a real customer, let's say it's not a threat actor, and they really don't have, they don't remember the information that they need in order to do the task, you're now elongating that phone call for a real customer, and you're keeping the customer rep on the phone for longer for one call.
[00:25:41] Chris: All of that affects ROI. But there's a big but: is that couple extra pennies that you spent on that call more expensive than paying for a breach, right? Because you didn't have the empowerment for the employee to say, this is not the right channel. Or, I need to verify that you're, that you are who you say you are, and I can't do that 'cause you're not giving me the right information.

[00:26:04] Chris: Right. So, I think th, this comes back to this a lot. Like we've, uh, we have to really start seeing companies empowering their staff to, to be that, that human firewall that really can save, save them from

[00:26:16] Carter: all these problems. Yeah. And quick story back, since we're talking about empowerment here and we're talking about callback phishing, um, I wanna just illustrate a quick point that occurred during one of our callback phishing.

[00:26:27] Carter: Engagements where someone followed the correct steps. They were empowered to, instead of take action on that email that they received with the phone number at the bottom as the call to action, they actually reached out to their tech help or their tech support line. And from there, this is the interesting part, that agent.

[00:26:46] Carter: Didn't find the totally made-up, totally random ticket number that we had generated for each of these phishing emails and was confused. So they called, and at the time it was me sitting on the line there, they called me and said, hey, I'm sorry, I don't have this ticket number in my system, do you? And of course I perk up and say, oh yeah, what's the ticket number?

[00:27:07] Carter: And, oh yeah, I have them, if you wanna transfer 'em over. And I just want to illustrate that, where we had one person that was a great addition to the human firewall, but that second did not think, wait a second, this is an invalid ticket. And then passed the individual over.
And that individual, that now thought they were following proper procedure, which they were, has total trust in me because their support passed them over to us.

[00:27:34] Carter: And that, of course, resulted in a full compromise. Um, but that just goes to show that every person in the, in the chain matters.

[00:27:42] Chris: That actually hurts. That story hurts. I mean, I feel so bad for that, that person. Like, that person's gonna sit there forever thinking, what is the right thing to do now? Right.

[00:27:56] Chris: That's like, oh boy. That is just a, that's a horrible story. It really is. I don't mean you, you are horrible. I mean, that's just a horrible, that's our job.

[00:28:06] Carter: But it was, it was a great vulnerability

[00:28:08] Carter: to find

[00:28:08] Chris: it. Yeah. It was, it, it is a, and it is for the company to see that now, knowing that, hey, here we are testing your customer support, but your tech support actually needs testing, because that's exactly, that's pretty horrific, man, that this, this person did the right thing.

[00:28:23] Chris: Wow.

[00:28:23] Carter: Wow. And we, and we see those differences, right? Where typically we've seen their, you know, general support lines and such are a bit more hardened, um, at least in, in our testing. But here, that was not the case. And hopefully some of that did lead to improvements there.

[00:28:40] Chris: I tell you. That is, um, that's one, that's one for the records right there.

[00:28:45] Chris: It's, that's one for the records. Yeah. Truly. So I think if we, if we kind of wrap it up, we're talking about, um, empowering your people, right? Giving your, your people a, a form of how they can verify trusted callers that is not, you know, looking at the caller ID, 'cause that could be spoofed. Um, being able to continually and constantly educate through auditing and real-world testing.
[00:29:13] Chris: And, and for me, I, I think this is like one of the biggest things that we need to talk about, is make it non-punitive. Yes. And some CISOs are gonna ask, well, what? Well, what if they just keep failing? I get it. So there may be a time after proper education and testing that someone's showing you they don't care about your organization.

[00:29:31] Chris: And that may, that may lead to them having to be exited. Right? I get that. And we're all for that, but not the first time they fail. Right? Not, not because they're human. So are they teachable? So they fail, we train them, they fail again. We train them, they fail again. They're now. They are now, maybe you say, okay, this is a problem.

[00:29:51] Chris: Right. You're, you're, you're creating a big vulnerability. But what we normally see is they fail. We train them, they maybe fail again. We train them, and then next time they're like, hey, I'm not going for that again. I, I, I fell for that twice. Right. They know. Yeah, they know. They know. They know when you're on the phone at that point.

[00:30:07] Chris: Yeah. And now they're gonna know when a real threat actor's on the phone and they're gonna take the same action. You get rid of that person because they failed and you hire the next human to replace them. Guess what? That human's just as vulnerable as the human you just fired. So, like, what's the point?

[00:30:22] Chris: Right? So I think making our employees the strongest asset. Um, I like that. At this company we talk about that, right? Because we have, we've all heard those phrases like, um, humans are the weakest link. And I, I think we can kind of turn that and say, like, humans can be your strongest asset. But it's really up to you, uh, as a company owner. Like, do you, you have to be the one willing to. Keyword is can.

[00:30:45] Carter: Yes.
[00:30:46] Carter: With, with, back, back to drilling or testing, training and, uh, using that training to, uh, continuously find those weaknesses and, uh, points where attackers, or people simulating attackers, are able to, uh, pivot from. At the end of the day, as, as we've seen here, identity is the, is the new, is the new vector, or is, is the vector that we most commonly see, uh, exploited for that initial access.

[00:31:13] Carter: And at least at this point in time, that is continuing to grow.

[00:31:19] Chris: Carter, great topic and great points that you put together for this. So thank you for making this a good one, and this is a perfect timing. Thanks for having me on. And really perfect because this is, this is, um, this is Cybersecurity Awareness Month.

[00:31:32] Chris: So if you're listening to this in October, then you can use this in your company as part of Cybersecurity Awareness Month. Spread this around. This is something that everybody needs to hear, um, and you can help your company stay more secure. Until next month, when we have another one of our team members on it, we'll be talking about something just as fascinating.

[00:31:49] Chris: Please stay safe and secure out there till then. See you.