One of the things I love the most about hackers (who are NOT the same as cybercriminals) is that they think – and act – differently.
They question the why behind everything, they challenge the status quo (inspiring me to lean more into that too), and they expose our blind spots.
James Linton, my guest for this episode, is one of those people.
He discovered his inclinations for information security almost accidentally, while experimenting with his UX designer abilities and pursuing his curiosity. One thing led to another and now his Wikipedia page leads with this:
“James Linton is a social engineer and email prankster known for duping high profile celebrities and politicians.”
But that’s just a moment in his evolution as a human – and as an information security professional. I found out the rest from James himself, who openly shared his experience of finding a way to harness his abilities to help others while also living and working on his terms.
We talked about the struggles he went through and the decisions he made along the way, highlighting how we can make our psychology work for us instead of against us.
Listen to this episode to learn:
- A memorable technique to make people aware that protecting their private data is essential [25:56]
- What Inbox Hypnotism™ is and how we can recognize it before it affects us professionally and emotionally [33:02]
- How cybercriminals operate in social media and how we can manage the risks [34:16]
- How education around data privacy keeps our head clear and helps us make better decisions [20:18]
- Insights into James’ work in cybersecurity and behind-the-scenes events from his experience of infiltrating celebrities’ inboxes [01:03:14]
A few ideas that stuck with me:
- When you feel that you can’t make a difference through your job and gain satisfaction, it’s time to change your path.
- We become aware of the real impact of cybercrime when it happens to us or someone close to us.
- Being mindful of what you post on social media is something for which your future self will thank you.
- Cybercrime affects people emotionally and lowers their self-esteem, as it creates confusion about what is real and what is not.
- Seeing yourself through a hacker’s eyes helps you understand why your data privacy truly matters.
- All the decisions we make for our safety impact our loved ones – either positively or negatively.
About James Linton:
While working in advertising as a UX designer, James was really keen on the potential of design and development to trigger reactions in other people. Because, at one point, his whole job eroded to a routine that made him feel a bit stuck, he started to lean into his interests.
With a genuine desire to make a difference for his loved ones and for his professional ecosystem, James decided to experiment with email spoofing (a tactic used to send emails that appear to come from someone other than the real sender). Through self-education, he gradually improved his critical thinking by layering tactics and experience. James now works on programs that teach others how to counteract cybercriminal acts that target their inbox.
As humans, we usually believe in our own reality, and James’ mission is to explore all the risks beyond that bubble. The main goal of his job, as he says, is not to explain to people what they might experience if they aren’t aware, but to prove to them all the possible consequences that can result from a single click.
Education in data security and privacy is truly effective when you practice what you learn. This is the reason it’s worth paying attention to James’ useful advice, so you can build it into your behavior.
His whole career path is truly fascinating. There’s a lot to learn from how James found a way to build a satisfying job for himself so he can make a big difference and leave people more self-aware, safer, and more confident.
As his LinkedIn profile says, James works as the “Human” of “The Whole” Company to encourage cybersecurity awareness.
Connect with James Linton:
- His website
- His Wikipedia page
- How to prank the rich and powerful without really trying
- The serious side of pranking
Resources mentioned in the episode:
Full episode transcript:
Andra: James Linton is a social engineer and email prankster known for duping high-profile celebrities and politicians. For five months, in 2016 through to 2017, the quote-unquote lazy anarchist, known by the Twitter alias Sinon Reborn, created over 150 look-alike email accounts and emailed high-profile individuals in the political, financial and entertainment industries from his iPhone 7.
This is the first thing you read on the Wikipedia page for my guest today. While this intro hints at the incredible stories below, it’s just one chapter of a story. So how did James, a designer at the time, manage to get into the inboxes of the CEO of Barclays, Goldman Sachs, Tesco, and celebrities like Kevin Spacey?
And most of all, how did he do it without previous hacking experience? Now, answering these questions is what we do in today’s episode, while exploring James’s intuitive understanding of human nature and its triggers. Join us for a personal adventure as James shares his challenges with finding out how to use his gifts in a way that gives him joy and fulfilment while helping others.
If that resonates with you, there’s a lot to take away from our conversation. So, stick around!
So, James, I’m extremely excited to talk to you today! It is a privilege and an honor to have you on the podcast and to be able to share some of your stories with people who might not have heard of them or who may not understand, you know, the entire kind of complex set of factors and actions that basically underlie your projects and your work.
You’ve used your skills and your mindset to reveal weaknesses in, in human nature, kind of across a range of high-profile politicians and celebrities, you know, including the CEO of Barclays and Goldman Sachs, the CFO and CEO of Tesco, Kevin Spacey, and so many more people. So, I wanted to ask, how did you decide to kind of profile and socially engineer them?
What was the underlying decision that kind of triggered this whole thing?
James: I think it was human weakness, but in a way, looking back now, I think it was my human weakness that triggered it. I was working in advertising. I’m quite obsessed with the things that I enjoy doing…
I definitely loved designing and being a designer. And then, just over the years, that kind of eroded to the point where there was really nothing much left. I don’t know if it was… there was no real room to be as creative in the industry anymore. I kind of moved more into advertising than working at a design agency.
So other people tend to make more of the decisions and just, I think ultimately, I didn’t have any satisfaction from it, but you reach a certain age. You’ve got a girlfriend that’s not very well. So, you’re kind of responsible for supporting people and bringing in some money and, you know, you have to exchange your time for that.
It just turns out that time took quite a toll on me really mentally and stuff. And it was…I kind of aspire… I was, I guess, there was losing control in a way, but I felt paralyzed from moving from there. I couldn’t decide where to go next. It was just a mishmash of things that I enjoyed doing, but none of them kind of tick the box of a career.
And just through messing around whilst at work, obviously being into UX and design and stuff, I was just noticing the reduction of technical information and email and things like this. So, it kind of dawned on me one day that “Yeah, you’ve got a name though, and you’ve got some texts that were written, but there was nothing really more than that that was giving some identity that was validating it.”
And at this time I knew nothing about cybercrime at all. I could spot an email if it had like a bubbly stretched logo and things like this, or you know, very sort of obvious things. But other than that, I had no idea that criminals were using a display name, deception as a natural tactic.
It just never, never came up on my radar. I always had fairly inwardly facing roles in companies. So, I wasn’t really getting the levels of spam that may be somebody who was active on LinkedIn or posting directories and all this kind of thing we would typically get. So, I guess it was quite naive to what was out there.
It just turned out that what my thought process must have been running in parallel with finding the flaw in email guests, this kind of ability to change the name and match the content in terms of tone and pretend to be someone else. And naturally, I decided to be the CEO of the company where I worked.
Andra: To me, that is fascinating because there are obviously scammers and cybercriminals who have been doing this for so, so many years, decades, even and cannot, you know, did not, let’s say reach the level of success at the end of the success rate that you had said to me.
That is fascinating because it’s obviously true that your kind of abilities, your combination of abilities, mindset, the way that you see and relate to things around you are very specific to the hacker mindset, even though you didn’t necessarily think of yourself as a hacker at that point.
So, what was it like when you got your first reply on one of these kinds of, let’s call them projects? One of these projects, what was that experience like? And, and how did it change your perspective as to “Hey, there’s something here that is worth doing”?
James: Yeah, it was, I guess, Barclays was the first one that kind of got media attention, I guess. And sort of looking back, I guess it was a bit of a proof of concept that tricks or pranks that I was pulling off at work could actually be scaled up and used elsewhere.
I mean, I didn’t really have any idea about email gateways or AI for the detection or any kind of things that would stop me from doing this. I just kind of reasoned that it’s a bank, it’s a big bank. They would have a way of preventing this from being possible.
As it turned out they did, but only if they were on a desktop computer. It wasn’t on mobile devices or iPads; it wouldn’t flag up as being from outside of the company. They changed the app afterward apparently, and sort of a consulting fee missed out on there to me, I think.
But yeah, I guess it was a huge rush the first time it was definitely an adrenaline sport for me. I like the fact that I was using as little information as possible. And so, I was doing the smallest amount of research that I have to, to kind of pull these off. And it was always a case of each one being its own little experiment, I guess, in a way.
Could I, what would the ingredients to make this work and the psychology and matching the tone of voice, I guess, was the bit that was really interesting rather than the technical aspect, because I think, but it wasn’t that bit is, and still is super simple. Anyone can sell a Gmail account and change the payment at the top.
And yeah, there’s a bit more work in finding out. The email address of the person you’re trying to get into the inbox, but outside of that, there’s then this kind of unknown area. So, I enjoyed building up a kind of mental picture of what the referendum by email or where it will be dropping into what that would be like and kind of grabbing bits of information and you’re kind of adding color to it.
And that was the thing that I enjoyed, I guess. Cause when it came off, it was sort of, it was exciting. But then I also managed to pick up on little techniques or things that I could then move forward to the next prank for another better word and kind of, you know, see if there was anything I wanted to change.
So a lot of split testing I guess in a weird way, what would work and what wouldn’t well then mindful work. I was enjoying the fact that I seem to be good at something because I honestly felt like I wasn’t good at my job anymore in a certain respect. So, it was just nice to feel that I was able to do something and it was getting attention and people were for the most part kind of enjoying it and so saying you know, this is interesting for one of the better words.
Andra: It definitely was not, not just interesting, but also I think that it’s, well, let’s say moments like these or actions like these and their results that, you know, get people to stop and pay attention to security in general to human nature, I guess. And the way that we tend to react to things too, is, let’s say that automated part of our brain that usually kind of drives most of our actions.
And it just helps us pay attention to “Hey, could this happen to me?” Is this something that… you know, “How would I react in a similar situation?” Let’s say when someone impersonates a key person in my life and basically gets me to do something that I wasn’t willing to do without me realizing it.
We kind of feel cheated in a way, but also, I think it’s an inflection point for all of us. You know the moment when you fall for a scam. And I think that you know, most people have throughout their lives, not just online, but generally, I’ll fly in there. They think exploiting human nature is kind of built into human nature by design. Although we don’t really realize that until we’re faced with it ourselves.
So I’m very curious. You mentioned, you know, a series of ingredients that you try to put together to try to understand the psychology and the approach of your targets. So do people that you cause inboxes, you, you know, you were looking to infiltrate. So, what were those ingredients? You know, because I think that they reveal a lot about human nature and I hope that, you know, people listening to the podcast will also think about it.
The type of information that’s out there about them that could be used in this way. And most likely already is.
James: Yeah. I mean it can be the smallest of things. I think it would be really hard to ring-fence yourself from having an element of information out there that could be used against you. I have to kind of.
Looking back at it. Afterward, I sort of boiled it down to relevancy and implausibility were two key things that sort of created trust with an email. So, you know, if there’s a bit when COVID happened, obviously COVID was a topic that scammers jumped onto because it was, it was relevant to a huge amount of people.
So you suddenly got like, kind of hope that you can, you can go to them with implausibility. Is it a kind of sliding scale, and this is where the awareness training and stuff come into it because everyone has some sort of, some level of internal security? If you email somebody and say, I’m a scammer, similarly, your money now they would go, no, cause that’s a scam.
So that’s like the very extreme end of it. And then it kind of gradually comes down from that. So actually, drop into somebody’s inbox, which we are conditioned day in, day out, and for decades, even to trust what’s going on in our inbox. Generally there’s kind of two internets. There’s the raw internet, which is before I’ll be well before the $173 billion industry, which is in the stack, starts to try and stop things.
And then there’s the kind of internet post that users see. I think this is one of the problems with awareness as well, but they’re always describing the world that lives in the raw state, not the one that’s actually arriving in their inbox. So, there’s a complete disparity between the perception of that perception and their reality.
And if you go in and go, everything that you’ve seen for 10 years is wrong, this is what’s going on. They’ll happen. I think it just makes it very hard for messaging to stick. When you kind of say fight all your inclinations to believe what the view that you’ve formed. What was the question again?
I always do this. I kind of go off with a little kind of block ski rather than just that.
Andra: No, no, no. This is very helpful because of your observation about the way that we talk about security and privacy online and off, because now they’re all, I mean, we’ve gone past that separation a while ago. I think that this is very important and I think that this is one of the challenges why we as people who work in the industry in one role or another have difficulties.
Breaking through the echo chamber and reaching people who have no kind of relation to the industry, they don’t know what’s going on. They don’t care about it. It makes it difficult to appeal to them unless we figure out a way to explain how it works in their context and then their real life, and then their habits that they’re probably, you know, going through unconsciously simply because they became just automated and ingrained into their mind.
So I think it makes a very strong point, you know, to look at relevance and trust and how they’re being used against us and it’s an even more important topic, especially as companies that we consider ethical. So not run by cybercriminals or malicious actors are also manipulating our perceptions and our decisions in a similar way that cybercriminals do.
So it makes it, I kind of find, you know, things that these types of actions and methods have in common all the time. And it always triggers me to be even more cautious. Is this something that you’ve seen, you know, in your work looking at the industry, looking at how companies react, and how global leaders and decision-makers viewed a situation?
James: I kind of still emphasize. It’s so huge. And I think one of the benefits is having the only kind of three and a half, four years experience of it from the kind of not, not caring even slightly about it. And it was, I can still flip back to that mindset, but on the flip side of that, it’s such a huge industry to try and map out and take in that it does take time.
So I think I’ve still got it. And maturing the point on the bigger picture out there. So, it seemed best to kind of the bit that I have done kind of from victim to perpetrator, from not caring to be aware enough, to take care of myself online, to kind of focus on that bit, the bit that has matured.
And I do feel like I’ve got insights to bring to it. Rather than. Kind of going beyond that. So yeah, I can’t, what was the original question again?
Andra: Don’t worry about it. The original question was that if you see kind of similarities between how cybercriminals act and how to let’s say manipulation through technology through theoretically ethical companies works.
James: Yeah, yeah, yeah, yeah, definitely. Yeah, I think that this is. This is a problem. I don’t think it was a problem that was mapped out prior. I think it’s just a lot of behaviors that people slipped into because we’re still in the early days of the internet. Rarely, it’s not generations or centuries-old, it kind of still plays the kind of finding its feet and finding what impact it has on society as a whole.
I don’t think we ever expected that. When I was 19, I got given an email address at college and I knew nobody else would have an email address. But you know, that’s basically just having a storage unit which I couldn’t use. So, the way things have gone forward and then the kind of technology that is having to combat its own advancements.
It just seems that everything’s racing ahead and it’s very hard to keep up, I guess, in some ways. But I think the human element is tricky to look at because like you say, people have a reality and you really have to meet them where they are to try and change their perspective on things. Really, it’s often not until something either happens to them or someone that’s very close to them that that triggers the reason for why they need to care about it.
That is something that could happen to them and losses to cybercrime still going very at usually rapid rates. It doesn’t lock, especially after a lockdown in COVID. I’m sure it’s going to take a huge jump again. So, we’re not getting on top of the problem in some respects and it’s quite easy to even see some of the huge big companies in a silo and think: “Well, yeah, they want us to control their ecosystem, but that obviously, we’ll probably have a knock on the fact people move on to the low-hanging fruit and there are certain responsibilities.”
You make a certain part of the internet more secure, especially at a kind of enterprise-level if it’s going to have a knock-on effect to people lower down because the criminal element and people wanting to make money in an illegal way is… I see no way of arresting our way out of that.
And there’s somebody once said, it’s kind of, I think when I first got into email security and we were kind of interacting with scammers and capturing inboxes and going through things like this and we were able to get the attributions, I kind of saw that as the pinnacle of what I could achieve as my kind of the second chapter after the pranks, something of use.
I often give this kind of glorified image of me diving off the back of a Toyota Land Cruiser and rubbing the cybercriminals in the ground and slapping the cuffs on it. And then, the headline “Pranks the two-law enforcement”. I’d probably get copyright; it’s called the actual title for that.
And gradually I kind of, you know, I was finding attribution for things and the realities of it started kicking in, but you can give law enforcement a treasure map, information, but then they can’t read. I imagine they can’t really use it.
Andra: That must feel very frustrating to do all that work and not be able to take it to completion because it’s a part of… I guess the chain that does not depend on you in any way that you cannot control.
And I imagine that you’ve seen a number of things. I particularly wanted to highlight what you mentioned about, you know, the internet. So being very young, I think that because so many new things have happened in the last 30 or so years.
We’re inclined to believe that we’ve had this relationship with technology for most of our lives. And some of us have, I mean, some of us are the type of generation who grew up with technology and the internet specifically. So, it feels like it’s always been around, but the biological facts have not changed that much about how our brain works, how we react to things.
So, I think that you know, people need to, and especially with people listening to this episode, I just want you to know that it’s normal to feel overwhelmed and it’s normal to have difficulty understanding these things and to work with them and to integrate them into your behavior. It’s a natural part of our evolution.
It’s just that we can go on without them. I strongly believe that if we don’t educate ourselves into kind of these topics around security and privacy and critical thinking, I think that we’re going to have trouble keeping our minds clear and making good decisions for ourselves.
That it’s going to be difficult for us not to be manipulated by cameras, cybercriminals, corporations, governments, whatever it is, whoever wants a piece of our mind. So, I’m glad that you talked about all of these key elements and the way that your work has transformed your own decision-making process.
So I was very curious to find out throughout these past years, how your perspective and maybe use of technology has changed because you’ve gone from design and development to becoming a cybersecurity specialist and you’re now working on raising awareness and on actually making a true impact and getting through to people with things that they care about and try to get them to pay attention and to invest some time and effort into this area of their lives.
James: Yeah. I mean, it has been a really kind of I think a gift of a journey from certain perspectives. It was kind of what would only dared dream would happen as kind of that happened now. Looking back, and it has the thing now is always after this new way of making myself secure for the foreseeable future.
It’s my career straight life that happened. So, I’ll always be incredibly grateful for that, but then it triggered a switch that was very specific to emphasize. So, it started off with that. We’re going to get somebody arrested and everyone’s going to stop after that because they’ll be like “I don’t want to get arrested.”
So I kind of slipped that full-ride bus and said “that’s not gonna work.” So, then it’s looking at “James is in fact a researcher.” You know, I was interacting with scammers and stuff, and the level of skill needed for social engineering, in that instance, is not particularly high. There were several semi-automated systems we were using, so we could do it at scale.
And we were saying bank account information and feeding that into FS-ISAC and other financial institutions. And I could see the benefits to it. And it was feeding things back into the products that the triggered company that I worked for at the time. Well, then after I was made redundant, I was suddenly not outcast as such, but I’ve been sort of blinkered on the part of the industry.
I was working on that. All of a sudden, I was sort of not left to the road sidebar. I was kind of looking back at emphasis. I go “Whether I actually climbed back on here, where is suitable?” I’ve been doing research, is that what I want to do going forward, and my best with the continuity there?
Or do I take it as a new assessment and kind of start from square one and go, right? This is where I’ll be useful. This is where I can make a difference as such because I’ve got used to it. After working in advertising, I kind of got quite some enjoyment out of the fact that I was able to kind of make a difference to people beyond.
Yep. Beyond myself, I guess you know, in terms of preventing crime from happening to them and the more I kind of thought about it, the more that, I mean, despite my ADHD, making this research incredibly hard when you’re managing a load of different spreadsheets and data sources, I was spending an awful extending, an awful lot of effort managing that side of things, and that all-bare bones of the job will not lie tricky.
It was hard to come up with a case that I should continue to try and take that to the next stage because I knew it would put a huge amount of strain on me as a person. And for the first time in my life, I actually decided to go easy on myself and not take that route. I know, right? What do you actually enjoy doing?
What are you good at? What’s not going to leave you that can deflate it massively. And I kind of thought that the ideas and sort of concepts and running with things like that were what I wanted to do. Almost like a Tony Stark role. But the problem with that is companies aren’t very keen on having this kind of person wandering around the loft space, writing stuff down, putting that on Slack, and then wandering off about half-finished, you have to own some things.
So, having decided that my impact on security in general, as a third researcher has now diminished return, I was only ever going to become below average. Sorry, researcher. As time went by because it just wasn’t naturally seated to me, possibly to quite specific the project we were working on because it was involved in building this system and to communicate with scammers at scale, there was a bigger project to work on.
It was kind of new and exciting. But then, once that’s up and running to a large extent, it kind of opens up more of my weaknesses, I guess. So, looking back, I was like, “Right, what can I do?” And it just seemed to me that awareness was such a huge part of making people safer. It’s arguably the biggest role of the attack surface.
Yeah, the answer to it, in some instances, it’s just a one-minute cartoon. No, this is a $170 billion industry, and we were trying to cure this ever-expanding problem with a few little animations. And then we send them some phishing emails. I just thought there was a great urgency there to do… A kind of urgency to sort of kick things along, I think, beyond what was happening.
And you know, I have nothing to lose. So it was a case of “Let’s start exploring what the next stage of this might look like.” What might something, you know, people were queuing up longer to get donuts than they were doing awareness. And everyone’s like: “Oh God, you can’t do any content over 30 seconds long because people, they just switch off them.”
Right, well, no, I don’t believe that people will watch a documentary of a book crawling around for two minutes. You know, we’re not finding that connection point to get the information over. And ultimately, I decided that I’d go straight back to the personal world of the person, because by association if you increase that security making decisions in their own world, that’s going to affect the work world as well.
You can’t really… you can’t do one without the other, although you can kind of make the world worked well to have this huge on study bit of learning, which has kind of slotted on based on kind of insights from the raw kind of internet as such, and then they’ve got their lung that they understand and relate to over here.
And it’s just kind of this unbiased mass. So, it was kind of, I thought I was, I was quite disparaging of awareness. I always thought, you know, it was a rather bland little video that you could watch with the sound out and it had logged that you’d seen it and then you’d have 18 guesses at the multiple questions, and then you’d be done.
That will be turning over. Well, the more I got into it, the more I realized what a hugely rewarding and rich landscape is kind of moving between technology and the person’s seeing what can be done because the actual lessons that we want somebody to learn you know, you could probably say them in a minute.
The actual, the bare bones of it, one would keep them safe, but it’s obviously it’s not easy. So that was the kind of thing that I thought I could definitely get into.
Andra: Thank you for walking me through this entire process, for walking us through this entire process. I find it fascinating because basically, you’re trying to kind of help people connect the dots in their mind like you did when you started doing this out of sheer curiosity, passion, interests the experimentation mindset, you know, putting your creativity to work, which is a topic that came up often in the stories that you told me about. How does evolution happen and how does the decision-making process work?
So, you’ve seen and studied how high-profile decision-makers react to, you know, trying to potential scams and to potential compromise. You’ve seen how cybercriminals try to apply their tactics and try to just find those cracks in our foundation and in our behavior that they can manipulate to their advantage.
And now you’re trying to help people understand and realize how, and when this might happen and really understand why they should care about this, because “the why” is always the most powerful thing that makes us pay attention and get invested in these things.
What do you think, which particular let’s say aspects of human psychology, do you think to make us so easily receivable because it’s easier to deceive, you know, any one of us much easier than we’d be comfortable admitting we’re realizing… And I was wondering if we could start with the concept of inbox, hypnotism that you came up with because they think that that is a very important topic, a very practical one, and it’s bound to be so for as long as the email is around and then beyond that because we have so many other inboxes now.
James: It was funny how I stumbled across this term. I attempted a prank call. Levy is the chief or head technical director at the NCSC in the UK Island. I nearly got away with it, but he’d held down on the link, which was in part of the email. And this is like the pinnacle of being careful to be displayed by him.
And he saw that it was from the “mail.com” email address. I don’t think anyone’s used the “mail.com” email address for legitimate purposes and the whole existence of the email and that kind of tweak them. And then he thought of it, didn’t blow his cover straight away. We had a few exchanges back and forth, and then he said “I can’t remember how we got to it, but do you want to write a blog post together?
You do it from your point of view and I’ll do it from mine.” And this was in the transition period when the pranks had stopped. Well, they don’t stop. These are like the last three and I’ve been strategic, I guess I try to prank people in the industry because I was trying to build the CV, obviously.
As it turns out that people in the industry don’t like being pranked unless you’ve got successful, like with Ian. So I had to reverse engineer everything that I’d been doing and look back over it and I just got fixated on the concept of what’s helping us over here. What’s actually going on?
What are the building blocks that come along for free as such, you know, when an email comes in, what sort of behaviors does that trigger? Even if it’s blind, what kind of ripple effects does that have? And it kind of ultimately decided that it was the ability to kind of obviously truly ascertain that an email is malicious.
Then you go into the headers and all this kind of thing. And so, at the opposite end of that, you don’t check any of that and you don’t check that because you don’t believe that it’s fake and you don’t believe it’s fake because it’s built on the repetition of, like I said, the previous decade, nothing fake coming through.
So, the overwhelming evidence when you open your inbox is, you know, you don’t even think it, you just think this is all, we naturally shift as the thing is genuine, especially in a work situation. And that’s where the inbox hypnotism came from because most people nowadays will kind of term it as being in the zone.
You know, when you’ve kind of reached that pinnacle of things is almost happening on the technical level. In the background, you are moving on to the next email and you’re digesting the content, you’re making decisions about the messages you get, but you never really question what’s going on unless, as I say, you really do get a wobble to the relevancy and the plausibility.
You know, plausibility, you might get in Nigerian Prince scam thing, claim the inheritance now plausibility relevancy. It could say “Hi, Karen!” and you’re named Steve. So, it wouldn’t be relevant to you. I got really interested in how flexible those are. The more kind of hypnotized we are by our inboxes, the more you can kind of get away with it at the initial message stage.
Andra: And does this apply to social media as well? Because now we have various inboxes, there’s Facebook and Instagram, and WhatsApp. And then, now more recently Signal, which is a very good thing. But still, there are so many inboxes and I feel kind of like the same type of behavior and pattern applies to them as well.
And those are also written with all sorts of things and plus they also have the nuance that they’re personal. So, you expect to like your cousins are going to send you messages and your aunts and uncles and relatives and parents and brothers and friends and so on. That to me makes it even more dangerous, especially as scams, like free vouchers and all sorts of contests and dubious stuff gets across and gets shared and gets amplified so fast and people fall for it because there’s also that added layer of trust.
Like “Hey, I know that this is from someone I trust.” I’m going to be a lot more susceptible to being scammed and manipulated through this network effect. So, how do you think people can kind of, you know, what’s the simplest thing that they can do to try and build this habit of looking at their inboxes with a critical eye and not overriding our instinct to instantly believe everything that we see and that we read in either email or social media?
James: I mean, obviously this is something that, I mean, social media route, I’m less savvy with I’m the kind of person that just…
It’s like a child at a data buffet. And the more information I can throw into my head, the happier I think I am. And I kind of learned that that’s not the case. It really is like putting too much food inside yourself. You feel bloated. You feel not very well. It kind of tires you out. So, I’ve gotten into the habit of regulating how much I try to expose myself to because you can end up consuming five different news articles about exactly the same story.
And it is bonkers. It’s not a good use of time, but your brain’s kind of used to feasting on this because there must be some sort of reward going on there. Well, I think in terms of email, the first thing to kind of do is not treat it as a mystical land. You know, you have your personal email world, you have your work email world.
They’re made up of humans and services and you invite, or you are invited into or you invite people and services into that world. So, it’s not got endless sides to it, it is kind of curated to a certain extent. And so, given its shape, certainly really important, I think, and not kind of see as some sort of chaotic dropping house where anyone can just turn it off if something does come out of the blue.
You know, you have to treat it as if it was something out of the blue, turning up at your own house into your own sort of holiday snaps. Don’t know what I mean by that. And then after that, it’s really hard. And I think this is where I’m still kind of flying back and forth between phishing awareness and how, because there’s a lot of talk about that at the minute, but you know, kind of phishing employees is useful.
We tried a few instances where a few messages have gone out. You’ve got a pay rise and that’s caused some overall, I mean, it’s clear to see why, because if an employee receives that they get happy and they get sad, then they fail. Oh stupid, but they feel like that they feel foolish about being happy in the first place.
So affecting somebody emotionally like that, it’s obviously not good. And then, you get the kind of fightback of, you know, the scammers. They have no qualms about what they’re going to say. That’s true, but they’ve still got to be plausible and believable. And so they can’t take it that far.
You can only go to a certain level. I mean is it, you know… scammers are at the moral limit or so: you’ve got a pay raise. That is a pretty horrible thing to say, especially in the current climate where the opposite is probably happening. I kind of got fixated on the idea of once you remove that phishing, when the stolen, the fake phishing email, how quickly will you return to the groove you’re in before?
Does that genuinely make a fact to believing messages? I’m still not 100% sure it’s done. I think it is useful to have, I think it would be more useful if there was a way of showing the kind of process behind phishing awareness. So, you could see the security guard kind of picking down.
And I think once you understood that, then the phishing would gain more of a life to itself anyway. And I think that will kind of change the dynamic of it, but you would know that. This is what was being done, that people were picking out a certain thing, hoping to get you to click on this. And they were picking the time.
And just give me a little bit more of the background of the process, just halfway there, but yeah, it’s how quickly you return to the previous predictions that you’ve already been living in, the inbox statements. Do you keep trusting things again? So, to recognize a threat, especially when it’s an identical threat to an actual genuine email, often they are complete replicates.
I mean, some of it is trash. Some of the scams out there are just rubbish. Some of them are highly believable. You would not question it, especially if they spoof the email address. So that’s what I’ve been wrestling with. And it’s like, well, what’s stopping me from falling for these things?
And I guess I got a bit fixated on the factor, just pausing around the actual actions that have value. I sort of boiled it down to four in the end and you know: you’ve got to make a payment; you’ve got to click on a link and then often, I suppose, log in. You’ve got to download, open something, and then you’ve got task errands.
You’ve got these four things and they have to be happening for a scammer to be successful. If you don’t do any of those, you’ve not been scammed. So, to build in the awareness that these actions or behaviors are things that hijack you and they have value to a scammer, then you can get a bit more protective about them.
I’m about to put my email address and password in, and again, this is the moment where this is happening. Just become more aware of that transaction that’s going on? I think that’s where I’m kind of up to at the minute and where I think that there are some interesting areas to explore rather than make it recognizing: Oh, this is a scam site.
I mean, scam types that are actually going on currently are useful to know, even if you’ve just flushed it by someone, some of the words there, the phrasing. Yeah. You know, registered in your subconscious and even in that kind of inbox-hypnotized state, you can suddenly get that thing that you snag upon. If you don’t come to a full halt at that point, then if that’s then followed up with the right, we now want your details.
These are all the kinds of switches that are starting to get flicked, and you just need a group of switches that bring it into the conscious and then you’re making a safety decision. Rather than kind of venture gratingly recognizing something off, you know, that’s what the phishing game looked like when we did it. So. Yeah, I’ve been thinking about it a lot.
Andra: It really shows and this is very helpful advice and a very helpful perspective. You’re basically giving out an entire security awareness course. And I think that, from my experience, as a non-technical person, I’ve been keeping an eye on these things, trying to understand them myself, trying to help others understand them too through my work.
I think that the point that you made about teaching people, principles, and teaching people to identify those triggers for both themselves and for others that might try to manipulate them in one way or another, I think that those are very helpful because technology is bound to evolve.
Situations are bound to get a lot more diverse and unexpected. So, it’s kind of developing these underlying fundamental principles that help us have the same type of cautious reaction to various things in our lives. This could apply to giving out your ID to people. This could apply to, you know, questioning why a company is asking you to fill like 20 different fields with all sorts of details on you when they’re not necessarily, you know, actually necessary for you to use that service or product.
So, I think that the way that you talked about this and the way that you were thinking how to make these things stick and not just make them a point in time… Although that point in time may be helpful, it may not be enough to actually get absorbed and integrated into people’s behavior as they go along about their days.
They have enough things to think about already. We’re just trying to add to that and to create that slammed level of cognitive dissonance that makes them stop. And like you said, kind of surface the threat or the potential threat to the conscious kind of awareness and then make them solve from what they’re doing and think twice about that.
I think that is very helpful and powerful! And I was wondering if you’ve ever, you know, if you’ve also kind of, in your research considered, what can be an alternative to using fear, uncertainty, and doubt, which is such an overused principle in security. It usually makes people feel bad about themselves because they’re not doing enough, they’re missing out.
They’re not technical enough. They’re not skilled enough and what I found is that they become very defensive about that, which is perfectly natural because I don’t like to be told, like “I’m not good at things” or realize I’m not good at things.
So, what do you see as an alternative to this principle? What do you think makes people feel like “Hey, I can actually do this. This is something that I can totally do, and it’s not that difficult. And it actually makes me feel good about myself that you know, I’m evolving and learning new things.”
James: I think it definitely is starting from where they are exactly. Where they are, you know, kind of… our eyes are open. What do they see? What is their reality? What are their beliefs about email or things like that? And then it’s making stages after that. Those are the, well, I think anyway, the stages have to be the smallest of steps because this is where you sort of gain their trust. If you lose them at that stage, I don’t think they’ll be open to kind of believing that what you’re saying is useful to them.
You know, like if you want somebody to have better password hygiene, you can’t just say “Oh, well, you know, it’ll stop bad things from happening.” Well, why will it stop things from happening? Well, somebody might get into your account, and yeah. You know, that’s kind of part of the picture, and it’s kind of… it’s like telling someone to brush their teeth without saying, you know, and all this other stuff.
So if you said to somebody in six months’ time all your teeth would fall out, then they would have more of an inclination to be aware of it, pre it happening. So, I think by explaining credential stuffing in the most simplistic of ways, if a scammer tricks you into going to a website and putting in your email address and password, they can, then it’s the equivalent of getting keys code.
And they can then try that in loads of different places, banks, Facebook, you know, all of a sudden, they understand the dangers more. And you don’t have to go into huge technical detail. It’s a very simple thing to kind of get your head around the concept of, you know, that will kind of ingress into their safety and has this huge knock-on effect, which causes them a lot of danger, and it’s not getting over those kinds of concepts because we see them as too complicated.
I think it’s not giving them the full picture. So by building and once you’ve instilled that personal level, your Facebook account when suddenly you won’t be able to log into it and stuff. Only loads of people suddenly go: “Oh, I can get into that, especially our account. I think somebody has hacked into it.”
And then, they just kind of the shrugging. They’re not really all that bothered. They don’t know if it’s gotten to their email address. They don’t know where it’s got. Eventually, they’ll get round to asking to support if they can have control back. But they’ve no real idea of what actually went on there that, you know, they’ve not seen any actual effect in their world, so essentially nothing’s happened over then.
Someone’s getting into it, but they don’t know the story behind this. I think it needs to start adding bits of calling it to that world in a very delicate way and in ways that they will think: “Oh, no, that’s kind of useful”, something they might say to somebody else, like a family member. Because I know that security-aware and protective people’s family members turn up with the worst security ever.
Andra: That’s so true. And I’ve actually found that you know, even people working in, let’s say non-technical roles in cybersecurity companies and in private companies and in technology companies… not everyone practices what they preach, which I find that especially, I mean, to me is… being particularly someone who works in communication.
When I first got into the field, the first thing that I did was educating myself and then actually doing all these things because I’m a big believer in “you’re never going to be able to explain what you don’t understand and what you don’t do yourself.” Also, I find it like it’s unethical to try to sell something and then to teach people something that you don’t practice, that you don’t understand.
You can add the level of nuance, emotional impact, and all of that. So, leveraging, I think that these emotional relationships and realizing that what we do for our safety positively impacted people around us and what we don’t do negatively affects them.
Because putting up pictures of your parents’ house on social media, so that crooks cameras and everyone else, you know, even like offline thieves let’s call them that will see. That is a very, very, very bad idea. You’re basically making them more vulnerable simply because you just wanted to post something on social, which is honestly not a good idea.
It’s like inviting “Hey, why don’t you and 300 people come over to my house and see everything that’s inside it.” So yeah, drawing parallels with kind of far real lives. Although our lives online are just really I think that we’re just beginning to understand that there are some implications, some connections between the two of them, and that one flows into the other. There are very real consequences to what we do online for our jobs, for our finances, for our future, for health mental, physical, or otherwise.
So yeah, definitely understanding, I just wanted to emphasize this because I think that it’s a connection that we don’t often see, that’s not talked about enough, and that I hope people, you know, just stop and realize, think of what they’re doing and how it affects their loved ones. Because I think that is a powerful motivator basically.
James: Slightly different because their kind of love for you brings some gravity to what they’re saying. You can push past some of your collective experience to try and instill it, but it’s still… I think it’s something that everyone that works in infosec… will understand that the minute you’ve got to say someone should have a better password or that person you’re chatting to online is a scammer…
The minute you asked to justify that, that’s when, sure, having the 50-page PowerPoint that you’ve used at some seminar, once, you’re suddenly scrambling around for the right words to convey it, because it is really, really tricky. My girlfriend challenges somebody online dating and I could have a girlfriend so I can turn:
She’s like “Oh, you see, you’ve met somebody. And then I just heard a kind of say. They work on an oil rig off in Nigeria.” And my girlfriend kind of looked at me because she knew that’s the huge epicenter of the kind of BEC scams and I was almost bursting, I was lying down on the bed, watching TV. I was always bursting or ready to kind of rip apart with logic and reason why this guy was a scammer.
And it was really hard. It was ridiculously hard to come up with a succinct way of saying this person is a hundred percent a scammer, because if you go in and say “I am 99% sure”, that 1% can suddenly just explode and that’s everything the person clings onto, and the trust happens at such an early stage.
The thing with the emails and the scams it’s that the very first email where they kind of get that right and the ones after it can be almost insane and the content that they have because the trust is already done at that point. And it’s very hard once somebody is kind of committed to trusting things and some sort of go “Whoa”, you know? Shake themselves clear and then go just in a minute: “Am I being scammed or pranked or whatever, because everyone’s image of what a scam is, this is not looking like it. This is either too personal, this detail, this is fast irrelevant.” You know, it’s not asking for money yet and all this other stuff. So yeah, I think it’s really hard. This explaining why without knowing more of the story, why it’s important…
So, I think it’s making that story digestible. I think the first bits that you get somebody to kind of take them have to be things that they can see almost instantly or see the obvious benefits of, and then once you’ve got that trust in what you’re saying, I think we can build from that.
But yeah, human behavior is really strange like when you try and kind of change, you see.
Andra: It is, it is so, and I, over doing this podcast over the last few years, I’ve seen this over and over again. And even in my own behavior through therapy and coaching and, you know, understanding biases and that just… those moments when your rational brain looks at your kind of monkey lizard brain (how kind of neuroscientists like to call it) and it looks at it and it just wonders “What are you doing? We know better than this,” but you can’t keep it from happening, even if you realize it sometimes and I think that’s okay because it is definitely a process.
It is a process of improving our critical thinking, our decisions, the way that we act online, offline, and integrating all of these elements that make us better, but they’re still difficult to integrate that doesn’t make it any easier. We know that eating healthy is good for us, but it doesn’t make it any easier to try to adjust your diet for a healthier lifestyle.
It’s not easy to pick up running or any kind of fitness activity. So, I think that there are so many parallels with just our resistance to change in general, but in stories like yours and the examples that you provided that perspective that goes beyond the technical aspects that ties into the reality of these things, the emotional reality, which is something that we as humans relate to the most.
I think that that’s very valuable and your entire body of work is super valuable! And I cannot wait to see what you do next and how you teach and help people and support people on their path to actually become a bit safer generally in life, not just online. Cause you kind of carry those lessons with you, hopefully.
So, I wanted, because I’ve already, you know, we’ve hopefully I haven’t interfered too much with your schedule today. Just to wrap up, I would love to continue this conversation for many, many hours.
James: I’ve still got some type of questions I’ve got. Well, no, it had to be, the cats can wait. They’re all asleep.
Andra: Yes. I fed my cat before we talked as well, so I made sure that he doesn’t walk all over my desk because he usually does that. I kind of wanted to ask, I just wanted to connect, kind of come back to the beginning of our conversation, and ask, you know.
What kind of path or what was the process to finding that sense of purpose that is associated with what you’re doing now? Because just to give a quick personal story here, when I started working in cybersecurity, I finally felt like the things that I learned about communication and marketing in general, just helping people, you know, understand concepts, I finally felt like that.
This particular area is where I can finally put these skills and knowledge to good use to actually making a difference in people’s lives and helping them in a very authentic way. So that to me gave me a lot of meaning, and this is why I love this industry. I love trying to explain these concepts.
I was wondering what the process looks like for you, what it looked like, what maybe it still looks like, and trying to find that source of meaning because I feel there’s an increasing crisis around finding meaning in our work and finding joy in it, so we can do it in the long run when it gets hard and complex.
James: No, it’s definitely something that I have reflected on and kind of tried to reverse engineer. That’s just the way it is for me. I think it’s because I was only diagnosed with autism about 18 months ago and in a way that freed me from trying to make certain traits of mine better than they would probably ever go into being.
I always saw them as I think spectrum thing. Can you kind of, you decide on the shape is something that you want to be or want to achieve and you just say it, you look at it. So logically it’s like I am skin and bone, a brain, I have eyes. I have, you know, all these things. Somebody else has done this apparently with barely in trouble.
I just have to steer myself and I can reach that cookie-cutter thing that I see as being the shape of me, that’ll make me happy. And then kind of found out about autism. And it didn’t really affect much per se. Obviously when I’m a little bit easier on myself in some aspects and tried to manage it fast, became clear why after a busy day socializing with people at Atlantic, which I really enjoy…
You know what it would absolutely drain me for the next two days, I would be like a collapsed Taito bag. So I just got forgiving about that. My girlfriend actually has physical troubles over the back of the spine and she has the same thing with her physical ability. She can push herself and achieve a lot physically for a whole day, but then, you kind of have to, you have to go back and then you have to replenish.
And if you’re not carefully getting to a stage where the second year, almost at 95% and you go out and you use that up again, you kind of need to be even a little bit easier on yourself. Then you plan on, otherwise you never kind of get back to the self that can achieve and do those things, I guess.
So there’s that kind of exploration, right? What are my limits? How in the working world somebody is going to give me money? Why am I looking at limitations? How far can I take this? And I’ve never, I don’t think I’ve ever really had careers as such a bad thing that I couldn’t do.
I just felt I would have done regardless of the money. They were kind of, they were a bigger thing for me. That was something that I could attach my thinking to. They would keep me occupied and outweigh during business hours because it needs to be churning something over. So, I was kind of trying to establish that I don’t feel or never feel the need or want to manage people. You know, it’s arguably part of a lot of managing myself.
Andra: I know what you mean. I empathize with all of the above, especially the managing people. That experience was very, it was exhausting for me. It was a source of depletion.
James: I’m sure it’s the same as you, whereas collaborating and kind of teamwork, you know, I really enjoy, I get a lot from that, but you know, I don’t want to waste.
I just want to be doing the thing that I want to be doing. It’s kind of selfish in a way. I will not encroach into that time to have to tell you or to kind of check up on you because it would feel hypocritical and I want to do this thing. So, it’s like, in the world of work, as it stands, how much can you just do this thing?
And what limitations does that come with? And you know, if that is the case and this was all about trying to find where I slotted back into infosec. Well, then it became a bigger picture of why do I slot in at all? Because I was having a real battle with my attention. At the time it was reaching the point where it was stressing me out, the fact that I was trying to do all these things or trying to get organized and it just wasn’t happening.
And you know, what point? So, it was anybody admits defeat and goes “No, too much information is going into my head. I know it’s not good for me, even though I keep doing it. When do I actually go right? This isn’t actually for you, you need to stay at the shop somewhere, selling paintings or sort of thing.
You know, there’s nothing wrong with doing that. Why you always kind of having this wall up and shit to keep climbing this ladder that you’re not even sure why you’re kind of climbing it.” I think a lot of it came on seeing my dad and he’s kind of traditional progression through promotions and more responsibility and stuff like that.
That became an obvious thing to me too. And I was just the person to go right. That’s how it’s done. Is it okay? Yeah. We got a slightly bigger house out a lot of time and things like this. So that seemed to be what everyone was trying to achieve. And it came selfish almost to have a life that was outside that more traditional model.
And you know, if you’re hard on yourself, you have to see what way you sit back in. And I don’t know, I guess in the end by being easier on myself and deciding that, you know, no one’s going to die if I try and pursue my own ideas myself, rather than try and find somewhere to fix them because I felt the next stage would have involved really defining why a social engineer is important in an infosec company.
You know, it’s the most used tactic, but it tends to be, I don’t know, it’s not that it’s sidelined, it’s just not seen as an important part of the mix and I’m still trying to decide where it would fit in an ideal world. I think it’s a good viewpoint to have.
Andra: It definitely is. Yes!
James: From a technical logical point of view now with the advancement of ML and machine learning and stuff like this, it’s getting less and less important about the messaging, I guess, to a certain extent, a huge amount of just garbage as well, which just seems to…
I guess that frustrated me as well. That’s the problem, it was hard to get an idea of how big the problem was out there. So, I’m looping around in circles here, but yeah, I was trying to do an assessment on myself, figuring out “What are your limitations now? What can you do on an average day? How much time can you spend at your computer?
How many different tasks can you complete?” and things like these. And then the most obvious thing after all that kind of assessment was you have to work for yourself cause easily fit in anywhere else. And then started a new journey for me, a journey of wanting an idea to expand and how do I get that to happen?
And, you know, I’ve worked with some really clever inspiring people and that makes me respect other people and their kind of skills and knowledge bases outside of that. I started connecting and it wasn’t such a big head anymore. I didn’t think I knew everything. I was more than happy to take my viewpoint on something and switch it out for something from someone else.
And I’m constantly dropping into people’s DMs, asking them stuff. Because you know, I just don’t care. I’ll just go, right. What do you think of this? If they don’t reply? I forget I’ve sent it the next day anyway. So, it’s kind of… I’m like a very overexcited Labrador bounding about the internet and DMs on various different platforms and “What do you think of this?”
What you know and one little word was suddenly flip and I they’re buying round and I’ll go off on another tangent. I am kind of collaborating and working as a team. I don’t think they realized they’d been taken off economics.
Andra: That’s an excellent perspective.
James: It was valuing other people’s opinions, I guess. And then thinking even more so that the human is that we aren’t designing tech so that tech has an amazing life. We want humans to have an amazing life. If tech obviously goes too far, then humans are reduced to the point where they lose jobs and all this other stuff.
There’s a balance point. What we’re trying to achieve here? We’re trying to achieve a company that makes the most profit in the world and uses the least amount of human intervention. I guess only to fight back a bit for the chaos and the unknown. The thing that isn’t stored in a spreadsheet somewhere, you kind of theory from surreal to start and try to apply it to somebody as a human being. We’re really used to in medicine, just all of a sudden we get “Whoa, this is actually…
It’s a weird drug that was invented for that, is actually, you increasing their serotonin levels. And we don’t really know what’s going on, but we don’t know. We don’t question. Is it working? Whereas in infosec any kind of change has to be ripped apart to the main UTA recreated have 38 different languages applied to it and then rolled out two things are massive.
It’s kind of the pinnacle that seems to be this huge. Biggest of a technical machine and it’s like “No, we’ve somebody has to decide at which point that’s kind of enough.” We need to keep the human element in that.
Andra: I love that. And I think that you rounded up our conversation and captured so much insight into this, you know, in this connecting your story to the bigger picture. This is going to be so helpful to those who want to understand kind of a little bit about these connections that happen behind the scenes and that are not accessible to everyone.
They’re actually not accessible to most people, you know, except like a group of, you know, tech-oriented and security-focused people who understand what’s going on. But it takes a few years to get to that level of understanding, to understand how we can actually play a part in this, and then to help others.
So, I just wanted to say a big thank you for sharing so much of your story and for sharing things in so much detail. I know there are a few technical terms that we mentioned that we didn’t necessarily define, but I promise to everyone who’s listening to this, that they will find definitions and links to resources in the podcast description.
So they can dig into that. And if they’re interested, really be able to wrap their minds around what it means and how it looks and how they might come across these things. And they realize I cannot wait to… I honestly cannot wait to see what you do next, James. And I’m really looking forward to learning more from you.
I think that you bring such a valuable perspective, not just to the information security industry, but to, you know, our society in general, because we need people like you who do this difficult, emotional, and technical work, who manage to bridge these worlds and make them come together in a way that makes an impact for a whole lot of people. So, thank you for that!
James: Yeah. Even I like the sounds of that person. I’d love to – congrats! It’s been a real pleasure to talk to you today!
Andra: Thank you so, so much!