It’s hard to believe that it has been a year since I started working in the field of social engineering. My career background was in hospitality, but I’ve always been fascinated by psychology and the causes behind human behavior. A few years ago, I learned about social engineering through a friend. I was fascinated by the fact that many psychological aspects are applied in social engineering. Needless to say, I was very excited to start a new career path where I would be learning more about psychology, as well as online and technical security. The following are some of the lessons learned during my first year working as a social engineer.

It’s OK to Feel Bad

A large part of my job consists of vishing. Vishing is defined as “the practice of eliciting information or attempting to influence action via the telephone.” Many times, especially after building rapport with the target (the person we are calling to elicit information), I felt guilty for influencing them into giving me the information required. After the call, I would feel as if I had betrayed their trust and I often wondered “what type of person am I?”

As it turns out, I learned I’m the type of person who has empathy. Empathy is essential for an ethical social engineer. Empathy is not a weakness but a strength—it enables me to think like the bad guys, but never become them. Whenever the feeling of guilt starts creeping up, I remind myself that I am helping corporations and individuals be aware of vishing attacks and that I’m contributing to educating them to become more secure.

Losing is Winning

After overcoming much of the guilt I was initially feeling, I started to enjoy my vishing victories. Whenever we call a target and we are able to obtain their information, this is considered a “compromise,” which my brain translates as a win. Whenever we call a target and we do not get the information we’re after, that’s referred to as a “shutdown.” My brain translates that into losing.

As I gained more experience in vishing, I began calling higher-level targets, meaning they had already passed the lower-level vishing attacks, which is part of our levelized vishing program. The higher-level targets were not as easily deceived into giving out information they should not. As a result, I was shut down—a lot. Or, as my brain would put it, “losing” a lot. But was it really?

Within a short time, I started working on the monthly reports that we offer our clients. These reports reflect data regarding the calls we have made, such as the ratios between shutdowns and compromises. They also reflect how our program is helping employees become more aware of potential scams. As a result, they are able to recognize a vishing call, which results in more shutdowns, meaning our training works! Creating these reports allowed me to see the full spectrum of my job. Although getting compromises naturally feels good, being shut down is the ultimate win. Being shut down means our clients are tested, educated, and making safer choices for their companies and themselves. Now, whenever I am shut down in a call, I remind myself that “losing” is winning.

Don’t be Afraid

Another valuable lesson I learned is, don’t be afraid. Don’t be afraid to ask questions; asking questions and getting clarification before or during a project helps to be better prepared and increase the chances of success. Also, don’t be afraid of stepping outside of your comfort zone. As an introvert, I did not enjoy talking to random people on the phone (let alone trying to elicit information from them). However, it has helped me improve my communication skills, not only in a work setting but also in my personal life. I used to dread having to call a company to dispute something that didn’t seem right on my bill. However, after a year of making calls to strangers for a living, I find it much easier to speak to anyone over the telephone.

The Best is Yet to Come

Overall, this past year has been challenging and amazing at the same time. Starting a new job in a field that I find fascinating but that I had no previous experience in has allowed me to learn so much. I had the privilege of working in the 2021 Human Hacking Conference. It’s a conference that explores human behavior in its various forms, featuring experts in deception, body language, intelligence research, and nonverbal communication, just to name a few. I can’t wait to see the lineup of experts for our next Human Hacking Conference!

The most important thing that I have learned during this year is that I still have so much to learn. Thankfully, my colleagues are the best teachers (literally) and I look forward to learning from them each day. Each project, each conference, each day at this job, gives me the opportunity to keep learning. I look forward to seeing what new lessons and skills I will learn in the coming year. I have a feeling that the best is yet to come.

Written by Rosa Rowles

Sources
https://www.social-engineer.org/framework/attack-vectors/vishing/
https://www.social-engineer.com/dealing-with-guilt-as-a-social-engineer/
https://www.social-engineer.com/the-role-of-empathy-in-ethical-social-engineering/
https://www.social-engineer.com/services/vishing-service/
https://www.social-engineer.org/social-engineering/failing-gloriously/
https://www.social-engineer.com/human-hacking-conference-year-beta/
