Spotting A Virtual Fake

"Social engineering is using manipulation, influence and deception..."

-Kevin Mitnick

Fake videos and stories are crawling the web like an out of control spider infestation. AI is transforming the internet into an illusory hall of mirrors, and no one is sure what's real and what isn't. Sadly, big tech's response to this is predictable: lots and lots of dollar signs.

I know how the game works, because the truth is, I do it myself. I impersonate people for a living. Over the years, I’ve been known by many faces and names. I'm the CEO asking you to complete a mandatory company survey by 5PM. Once you click, I'm inside your network. I pose as your most profitable client, frustrated that I can’t login, before helpfully providing a screenshot of the error message with a virus inside (this one gets IT employees every time). I'm Jen from Human Resources because you put a typo in your benefits package (hint: it's another virus).

And believe it or not, I’m actually the good guy. Companies pay me to deceive their employees because when the real thing comes, they want them better prepared on how to spot a fake. Most assume what attacks look like, and this is actually why they fall for my tricks. They’re looking for poor grammar, a stranger asking for social security numbers, or an IT employee with a foreign accent.

But it's not 1995 anymore.

Times have changed, and so have hackers. Because they know how to blend in, I figure I should too. I research the company’s people, client processes, upcoming events, and the nuances of how their business works. I look, sound, and even feel like one of their colleagues. I mention the projects they’re already working on and who they're working with to build rapport. After I get access, I often hear comments like, “It seemed so real!” Or, “I honestly thought you were Jay from finance.”

The most common reaction, however, is the one I hate: shame.

People feel stupid. When I tell them how I did it, they're self-worth shrinks like Super Mario when he loses a mushroom.

But I don’t say, “Game Over!” and move on. I remind them that social engineering has nothing, absolutely nothing to do with intelligence. This seems counterintuitive, but I've got data to prove it. I’ve fooled thousands of people, and guess what? In every data set, it’s clear that education level never, ever plays a factor. I’ve tricked lawyers, doctors, and the smartest engineers in the industry. 

How do I do this?

Because social engineering has everything to do with emotions, and nothing to do with how smart you are. 

Your "boss" sends you a disciplinary action document: fear.

You've been asked to speak at a seminar regarding your recent peer-reviewed paper: curiosity.

This psychological distinction is more important in the age of AI than ever before, because every single one of us experiences emotions like urgency, trust, and fear. Those right-brained instincts are what social engineers target. Our emotions drive more of our decisions than we often realize. For instance, an employee that recently wired 25 million dollars to a cyber-criminal wasn’t stupid, he trusted the deep-fake video feeds his eyes said were his co-workers. After all, they looked just like them.

When I teach people how to gauge their emotions when processing new information, their demeanor shifts from ashamed to excited. They didn't have a weapon in the fight before and now they do. So, whether it’s someone like me, AI, or big tech, your emotions don’t have to work against you. In fact, in a world of fake news, deep fakes, and misinformation, you can leverage emotions to your advantage.

Here are a few ways to do just that:

Always practice suspicion.

When something feels off, it probably is. Healthy distrust is not the same thing as paranoia, and it should become one of our closest companions in a virtualized landscape. A friend of mine mentioned researching and verifying with two or three credible sources before believing what you see or hear. I think he's right. Also, make a habit of reading independent journalists and writers who disagree with you. You don't have to align with what you read, but the added level detail may paint a different picture in the end, or at least offer one seen from different light. Read current events from right and left wing outlets and look for nuance in between. Jesus spent time and listened to people who were his enemies, what keeps us from doing the same?

Take a deep breath and walk away. This prevents what social engineers refer to as amygdala hijacking, what happens when emotions like fear flood the mind and diminish rational centers of the brain. Only a few breaths can restore logic and reasoning back to working order, and walking away stops emotional decision-making or hasty conclusions. If you’re pressured by someone over the phone to make a decision, just reply “I’ll need to think about it for a few minutes, thank you” and hang up. If your anxiety spikes while doom scrolling a newsfeed, this practice can calm your nerves while simultaneously increasing critical-thinking.

Decrease social media exposure. You might not be targeted by social engineers like an employee at Microsoft or IBM, but you are targeted by tech giants who objectify you as their product through continuous engagement. Remind yourself that memes and tweets, while certainly amusing, diminish your mental acuity overtime by distilling complex realities into caricatures and jokes.

Train your brain. AI is only as good the training data (what LLMs and neural networks use) you feed into it, meaning that a model trained on the dark streets of reddit and facebook won't exactly light up your path. But can you guess what can? While you can't choose the training data for Meta or OpenAI, you can choose the training data for your own brain. So, what are you training your mind on each day? Compare the volume of your news feeds with the volume of God's word to get an indication.

Guard your desires: We can't will ourselves to better habits with information alone. If the information age has taught us anything, more information doesn't equal wisdom.

"Above all else, guard your heart, for everything you do flows from it." -Prov 4:23

Try this: Ask God to give you a love for His news feed and His information. Don't better yourself, transform yourself, because it's only faith that yields freedom. There's a world of difference between someone who downloads the world's information each day, and someone who downloads the very words of God. That difference changes how you perceive reality, which is all the more important as we walk a virtual one.

Bonus: Here's a cyber security training short I created for corporate teams targeted by threat actors. You can use the same techniques yourself. Feel free to download or distribute.

How to Spot a Fake

Jonathan Runyan is a senior cyber security engineer and former pastor writing on the intersection of spiritual and virtual reality. You can read more about him here.