Is It Legit to Use Fear as Part of My Pretext?

One question I get asked often is, “Chris, isn’t it legit to use fear as part of my pretext in a social engineering exercise? I mean, after all, the bad guys are doing it. Wouldn’t it be realistic?” 

Well, I can’t argue with you that the bad guys are using FUD (Fear, Uncertainty and Doubt) right now to attack all of us. Especially with COVID-19 (the coronavirus) we are seeing a massive influx of phishing emails, vishing calls, SMS attacks and even impersonation attacks built around fear of this virus. And I am sad to say I have even seen some fellow SEs report that they will try to use this while breaking into buildings, going as far as donning gas masks and claiming they are cleaning for COVID-19.

Would these types of pretexts work? I have to say, probably yes. If I saw someone in a gas mask with intense cleaning solutions, I would avoid them at all costs. If that would work, then why not use it, right?

RIGHT? 

Enter the Motto 

It is a legitimate question, if it works isn’t that what I get paid for? Shouldn’t I test every potential threat a company has and then tell you where you are weak? 

Yes and no. 

And this is where our motto comes in, “Leave them feeling better for having met you.” (https://www.social-engineer.org/framework/general-discussion/code-of-ethics/) I wanted to think of a good illustration for this and here is what I got at 1am… so bear with me.  Gordon Ramsay. 

As a used-to-be chef, I would probably remove a small piece of finger to be able to be trained by Gordon Ramsay. Then I go to my favorite streaming channel, turn on Hell’s Kitchen and see the way he treats those poor souls. Because he demands the best, because he demands the highest level, he often gets it by yelling, berating, and cursing at them. I reflect on the utter stress and I rethink my life choices.

But then you can flip a few channels over and see Gordon Ramsay on “Master Chef Junior”. There young kids come to compete under his tutelage. No screaming, no cursing, no berating… BUT there is still the stress, there is still the demand for the highest quality. 

What is the lesson? It is the same Master Chef, the same world leading expert, Gordon Ramsay but in one case he is pushing his vocal cords and their limits and in the other he is not – he realizes what is needed in those situations. 

Making Application 

So, let’s apply this to you, my dear fellow human hackers. You have a job here and it is to test everything, to really help your people learn. Answer these questions and then your answer will be clear.

  1. How long have you been phishing/vishing/SE’ing this population? 
  2. How have they done during this testing? 
  3. At what level of difficulty have you been testing them? 
  4. Do they view you as their partner in protection or the evil overlord of the dark underworld of cyber? (go drink now)
  5. Have they proven they have the ability to “catch” the type of ball you are throwing in previous tests? 
  6. Would this test alienate them or help them see the danger? 

Now wait, put down the pen! Before you answer these questions, don’t do it with “Well, I think they can…” or “They better be able to…”. Really answer these questions and your answer will be clear.

Story Time 

Once I was tasked with phishing an organization with over 200,000 folks. In honestly reviewing the questions above: 

  • They were relatively new, under 6 months old 
  • They were doing poorly in testing 
  • Previous tests ranged on the easy side
  • They didn’t know me too well and therefore I was NOT a partner yet 
  • They had not proven the ability to catch

So yes, hindsight is 20/20, but guess what I did? I saw in the news that there was a new phish going around where the attacker sent an email from a popular online department store that looked like a receipt for a purchase on the recipient’s credit card, complete with a “thank you for your order” message.

I proudly clicked send on 200,000+ emails and waited for my glory to pour in. But there was no parade, there were no fireworks, there was no banquet in my honor – instead there were burning stakes and pitchfork-laden locals in my front yard (figuratively).

The result was that their IR department was overwhelmed with responses, and some people were so afraid they started calling their credit card companies and the department store to report fraud. Multiple very high-level investigations were instigated and… well, let me just tell you it was a mess.

But Didn’t They Learn?

Well, no, because fear shuts down rational and critical thought by hijacking the amygdala. What is left after finding out it was a test is shame, guilt, and anger – none of them great emotions for helping someone want to learn. The lesson was lost and I was left with a giant mess to clean up and a lot of apologies.

We still work with that client today, and they are amazing, but there was a lesson there. If I had answered the questions, I would have seen that I could tone down the message and still get the same feeling across. I can test without having to be Gordon in Hell’s Kitchen; I can be Gordon in Master Chef Junior and still get a high-quality product at the end.

And that lesson would be so beneficial for many in this industry now and for those entering it. If your goal is to show how awesome you are, how leet you are, how amazing your skills are – then yes, focus on the hardest, baddest, meanest pretexts around. But if you want long-term, quality relationships with clients, helping them become truly secure, then plan how you get them to that level.

Is There Ever a Time?

So is there ever a time when you should use really heavy pretexts that border on the “not leaving you feeling better for having met me” line, or even step over it?

Yes.

At this same client, after we had worked with them for 5 years straight, one department we had trained and trained and trained was a machine, stopping us at every vector and pretext we threw at them. They were a prize fighter, a master chef, and they were ready for Hell’s Kitchen.

We unleashed a pretext on them so hardcore that I never speak about it in public, unless you are at an APSE class (yes, I know, a shameless plug), and then sometimes I tell this story. But it worked; we got them again. They went back, trained that group, and they were again an impenetrable wall until we came up with a new pretext. And this cat-and-mouse game continues, with us trying new things and them getting better at stopping us.

But it took years to get there.

The Lesson

So, does fear have its place? Yes, it does. Does FUD have its place? Not in my book. Remember, we are paid to think like the bad guys, but it is essential to remember that we are not the bad guys. We are the good guys, and what separates us, well, what SHOULD separate us, is the ability to have empathy for our targets: to understand the emotions they will go through and to keep our end goal, our mission, in mind. That mission is not only to train, educate and empower our clients or staff to be protected from these attacks, but to leave them feeling better for having done so while protecting them.

Stay safe. Stay positive. And go SE someone.

Sources:
https://www.social-engineer.com/free-yourself-from-fud/
https://www.cdc.gov/coronavirus/2019-ncov/about/index.html
https://www.social-engineer.org/framework/general-discussion/code-of-ethics/
https://www.social-engineer.com/social-engineering-training/

This is a Security Bloggers Network syndicated blog from Social-Engineer.Com – Professional Social Engineering Training and Services, authored by Social-Engineer. Read the original post at: https://www.social-engineer.com/is-it-legit-to-use-fear-as-part-of-my-pretext/