Wolfmasking
1:03:30

Simply Cyber - Gerald Auger, PhD · 22.05.2026 · 244 views · 23 likes

Video description
Most cybersecurity awareness training is passive, forgettable, and ineffective. People click through slides, pass a quiz, and move on without changing behavior. What if awareness training felt more like a game than a compliance exercise? In this episode of Simply Cyber Firesides, host Gerald Auger, Ph.D. is joined by Brian Brushwood to discuss Wolfmasking, an interactive approach to cybersecurity awareness that turns employees into active participants instead of passive viewers. Brian is widely known for blending entertainment, psychology, and social engineering through projects like Scam Nation, where he explores persuasion, deception, and human behavior in engaging and memorable ways. His work has helped audiences better understand how manipulation works in the real world and how awareness can be built through participation and experience.

🎯 In this SC Firesides, you will learn:
• Why traditional awareness training often fails
• How competition and participation improve learning retention
• What Wolfmasking is and how it works in practice
• How organizations can build stronger security culture through engagement
• Why human behavior remains one of the biggest factors in cybersecurity risk

This chat is great for GRC professionals, security awareness teams, and anyone interested in improving organizational security posture through human-centered security practices.

Connect with Brian on LinkedIn: https://www.linkedin.com/in/brian-brushwood
ScamStuff: https://www.scamstuff.com
Modern Rogue: https://www.youtube.com/modernrogue

👍 Subscribe to Simply Cyber and hit the bell so you don't miss future SC Firesides episodes! All the things Simply Cyber: https://simplycyber.io/socials

Table of contents (13 segments)

Segment 1 (00:00 - 05:00)

All right. What's up, everybody? Welcome to Simply Cyber Firesides. It's that time of the week. Think about the last security awareness training your organization ran. Just give it a second, right? Maybe you're the one who ran it. Someone clicked through some slides. Maybe they passed a quiz at 70%, got a green check mark on the LMS, and three weeks later that same person fell for a phish, and then you had to go talk to them at their desk. We have been telling ourselves this lie in our industry for years that behavior change can come from this type of compliance, and it just simply doesn't. The arrival of AI-generated scams, deepfake voice calls, and hyper-personalized social engineering means the stakes just got existentially higher, while most orgs are still running the same forgettable slideshow they used in 2014. And if you've ever taken the Department of Defense's awareness training, or that stupid video where they're like the blocky, Dire Straits "Money for Nothing"-looking people, you know exactly what I'm talking about, how ridiculous they are. What if the reason people keep clicking is not a knowledge problem? What if it's an experience problem? The answer's been sitting inside the entertainment and magic industries this whole time. Well, that is exactly what we're going to unpack today on Simply Cyber Firesides. I want to say welcome to everybody. What's up, Zach Hill? IT Career Questions. TJ, Chris Khal here coming in. Try can, love it, guys. What's up, Robert Rogers? We got a great show for you today with Modern Rogue. He is in the chat as well as in the studio. And we're gonna get cooking. And I'm super pumped. Guys, remember, we're gonna be going deep on a term, a new term, okay, that Brian is pushing and bringing to market: wolfmasking. All right, we're going to go deep on wolfmasking today: social engineering psychology, and why your awareness training might be giving people false confidence instead of real skill.
And if you have a question, remember, guys, if you're new here, this show is all about engagement. It's all about delivering value to you. I do this show as a service, as an opportunity to serve you as a community member and as a cybersecurity practitioner. So by virtue of that, if you have questions, put them in the chat as soon as you have them. It's not so much for me to just talk up here. It's to make sure that you get something that you can walk away with and utilize at work or in your career going forward. And honestly, the community questions are the best ones. I come up with some myself, but, you know, I think the community, you guys, straight crush it. Now, let's talk about our guest for a second. I have been genuinely looking forward to this one, because today's guest approaches the human side of cybersecurity from a completely different angle than anyone we've had on Firesides before. He is a TEDx presenter, author of five books, host of YouTube channels with a combined 4 million subscribers. That is not a typo, 4 million subs. Creator of the Billboard number one comedy podcast, Great Night, and the person who convinced NASA to run mind control experiments aboard the International Space Station. If we get time, we'll talk about that with Brian. As founder and CEO of Scam Stuff and host of Modern Rogue, he has spent nearly 20 years teaching millions of people exactly how con artists and scammers operate, because he believes the best defense against manipulation is understanding the playbook firsthand. Ladies and gentlemen, can you please, if you're a squad member, grab your Oprah emotes and make it rain in chat? Otherwise, just put your hands together and help me welcome our guest today to Simply Cyber Firesides, Brian Brushwood. Let's go get him. It's going to be a banger. — What's up, Brian? There we go. — We move a little faster than Reream does there, buddy. How are you, dude? — I am so intimidated.
I think when we first met last year, I was just starting to go live every morning on Modern Rogue. And Modern Rogue has traditionally been a highly polished, trying-to-be-TV kind of show. So rebooting all those old skills that had gone long dormant for live streaming, I was like, "Yeah, maybe I still got it in me." I tuned in, and all out on my run every single morning I would listen to you, and I just remember thinking, "This is what excellence sounds like, Brian. Lock it in. Be this good." I am still working on it. — Brian, you are too kind. Listen, I just give this amazing, true, accurate

Segment 2 (05:00 - 10:00)

introduction of all your amazing accomplishments, and you come on stage and talk about my live stream delivery. You are — That's right. That's called a deflection, and it comes from a place of believing I'm inadequate. — You are a gentleman. But you have been a magician, a TV host, a bar trick evangelist, a podcaster, and now you describe yourself as keeping companies safe in the face of the AI scam apocalypse, a term that I love. Walk me through the journey, man. What was the moment where security culture became the thing that you wanted to work on? — Yeah, so first of all, it is worth noting that before I became a magician, I was part of an elite group of inside sales support at Dell. This is at the height of the .com bubble, '98, '99, and they had just started to take on third-party sales support. And so whenever a sales rep would get in over their head, like somebody was building an ISP or designing a workstation, they needed an OpenGL card or whatever, they would escalate to our group, and we were a bunch of hot rodders building our own PCs. But one month I had a really good month as a magician at the same time that I got a raise. And for the first time I realized, oh, this is how you end up doing something and wondering what might have been. So I just wanted to get this magic thing out of my system. I grew up watching Penn & Teller and was such a fan of this kind of punk rock, counterculture, magician, scam artist kind of archetype. And so I just wanted to get it out of my system. But two years later, I was on the Tonight Show. Then I found the college market, where using, you know, punk rock, blood and guts, magic, eating fire, all that stuff, was a hit. And then around, oh, I want to say 2007, was when a bunch of folks... there used to be a channel on cable television called TechTV, and I loved it. I followed it every single day. And then they got bought by Comcast and collapsed into G4. And so all the people who got fired said, "Well, screw it.
The internet has changed all the rules. What if we did media online, a new generation of it, call it Revision3." And so as somebody with a tech background, and having followed all these tech folks, I suggested, what if we did a whole show about social engineering at the bar and on the street? Now, I of course knew that what the show would really be is teaching magic tricks, but of course nobody would want to tune in for a magic show. So instead, we kept it to social engineering, and we taught everyone, look, you have a terrible problem. You don't know how to drink for free at the bar. But if you know how to be the most interesting person in the room, it turns out that there's a set of rules that work again and again. And without intending to, I kind of fell backwards into 600-plus episodes of the internet's longest running show dedicated to social engineering. So that brings us all the way up to three or four years ago. The first time, this is before ChatGPT, I saw a demo of GPT-3 at the time. And the moment I saw pretty good word salad come out of this machine, it hit me that you already have scammers who can barely speak English. And all of a sudden, all the ways that we were teaching to protect against scams and cons and phishing, all of that overnight was about to be irrelevant. Logos weren't going to be shabby knockoffs. They were going to look as good as the original. Websites that were highly customized were going to be possible. And so around 2023, I started really paying attention, kind of planting my flag, betting that there would be what I later started calling the scam apocalypse,
the idea that there would be a robot-powered tidal wave of scams and cons, because there's nothing new in the world of the structure of all these scams except for the fact that the bad guys can do it at scale. And then around, I guess it was around one year ago, is when FBI data started coming out and Deloitte released a projection that showed it doubling. It was like a hockey stick. I thought to myself, holy cow, am I Al Gore? Is this my Inconvenient Truth? Is this where I need to get on stage and point to this graph? But by the time I got to DEF CON last year, it was really clear that everybody knew that it was bad and it was incoming. And so the question that everyone had was, well, what are you going to do that isn't already being done? And the solution that I am coming up with and piloting now is called wolfmasking. — Yeah, 100%. And I want to say shout out Marcus Kyler in chat, saying specifically security culture is what he wants to spend the rest of his career doing if he can get into it. And Marcus, I've talked to Brian about this technique of wolfmasking. It's great. So this one's going to definitely dial in for you. So Brian, just to take a step back, you know, you did this show

Segment 3 (10:00 - 15:00)

for 600 episodes, a very long time, talking to people at bars. Love the fact that you were the Dos Equis guy before the Dos Equis guy, the most interesting man in the world. What did you learn over the run of that show about how knowing a trick changes whether people fall for it or not? Because it seems like that's kind of the seat of everything that you're doing now. — Yeah, there was one moment. We didn't intend for anything this interesting to come out of a show about bar tricks. But if there's one lasting contribution that Scam School made to the art of magic, it's that, in general, if you looked up how every magic trick book had step one, here's the trick. I guess I should draw a T for trick. Here's the trick, and then step two, here's the method, the end. And at first, that's what we did on Scam School. We would do here's the trick, and then here's an ad, and then here's the method, the end. But then they handed me a second ad. And in those early episodes, you could see me trying to figure out, okay, what's a third block of a thing we could do? Maybe it's questions from the audience. Maybe it's showcasing other people. None of that really stuck. But around the episode 70 or 80 mark, I just did it. It was the dumbest, most obvious thing. After I taught the trick, I handed them the cards and I said, "Now you do it." And of course, at that moment, everybody was convinced that they definitely had it. Oh, they saw the trick. They understood it. They knew how it was done. But the moment — Move. They got it from here. Yeah. — Yep. And then the moment you hand them the cards, it's suddenly very clear. They're like, "Oh, sweetie, you don't even know how to spread the cards." Okay, hold them in. This is called mechanic's grip. We're going to move over on the side, and you're going to see how we're showing the indexes of each of these cards, etc., etc. And it occurred to me that what we came to call the C block was actually the most important part of the show.
Not only because it moved people from hypothetical knowledge into practiced knowledge, but along the way they would make all of the exact same mistakes that the people at home might make. Or they would run into a problem, and the people at home, their mirror neurons would be firing, and they're like, "No, no, no. If you do that, your left hand won't be free to grab the whatever. No, no. You're supposed to stick your pinky in there." And there was something that was when I began to become very attuned to the difference between the hypothetical knowledge in the future versus the practical knowledge of having done it in the past. — That's wild. So, okay. So, before we get into wolfmasking, right? Because you spent years as a magician, you know, tricking people and having them kind of see the change and understand, because with cybersecurity awareness training, I feel like when you explain it to them, it almost feels like an external experience, and it doesn't really resonate with the individual. So, you know, from all your experience, what do cyber professionals fundamentally misunderstand about how people actually learn and how they change behavior for the better, in our case? — Well, one thing I don't want to be on the record as doing is saying that anybody's doing anything wrong. But I will suggest... — Okay, how about areas of opportunities for improvement? — There we go. I would say that what we have right now is an incredibly robust system for educating, book learning, right? What we have is we've got so many competitors with so many increasingly excellent series of videos with interactive quizzes and demonstrations, but at the end of that lesson, kind of like, imagine when you go to get your driver's license. Yeah, you need to watch the videos. You need to do the book learning, but you also need to put in the reps driving the car.
You need to encounter a reason to have that deeply instinctual reaction on there. And so after the book learning, you get tested. And then usually when you fail the test, and by and large everyone does fine, but for those that do fail the test, then their remediation is usually just to go do another video and another quiz, which maybe helps a bit, but there are some people that desperately need an intervention. The way I think of it is, if you've got your normal distribution of humans, what we're doing right now certainly works for 80% of everyone, but every company has their bottom 20%, your at-risk, always-clickers. And so at some point when I talk to people, they're upset. CEOs, to be frank, they're like, "Well, I've got these people, maybe they call them boomers, I don't know, who won't stop clicking the thing," and they're about to have to replace them, which all of a sudden gets really expensive, to replace an employee. That's $15 to

Segment 4 (15:00 - 20:00)

$85,000, depending on your industry. And at that point, it becomes worth it to try literally anything, anything crazy out there, just to see if you can get them to instinctively stop or recognize the trappings of a scam. If there's one origin story that I could share: when I was 18 years old, I was only two months into doing magic, and I was working at a movie theater. I was working a cash register, and it was the first time I ever caught a scam in the wild. It was a two-person team, a guy and a girl. They split up me and my coworker. She went down to ask about the candies or whatever. He started asking for change for a 20, and then 50, and then two 20s that needed to add up, and then, oh, that's my 10, and we agree that's your five. And even though I had never heard of a change-raising scam or a short change, even though I was only a month and a half into knowing magic, at a core level, I remember thinking, this is a magic trick somehow. Now, years later, I would learn that what I was experiencing was what in security, in physical security, they call a system one defense. That's your deeply instinctual recognition of the patterns of somebody about to spring a trap on you. Gavin de Becker, in his book The Gift of Fear, says that the system one defenses, that intuition, is the number one reason that humans conquered the planet. We don't have fangs or claws or scales. We have one thing: the world's most finely honed sense of intuition for when something isn't right. And yet, we don't buoy that. We don't craft it. We don't hone it as much as we should, for very good reasons in the cybersecurity world, because we don't want people spending a lot of time acting as predators and stuff. But if what is currently out there isn't working, then all of a sudden, doing some rough-and-tumble play, just like a couple of tiger cubs that make an adorable animated GIF, rough-and-tumble playing.
They're modeling the skills that'll make them deadly predators and excellent defenders later in life. And that seems to be what I'm not seeing in the cybersecurity landscape, which is part of the reason I'm trying to do these pilot programs. — I love it. So, just a couple quick questions, and then I'm going to follow up on the wolfmasking thing. Dan Rearen, longtime super dude, Simply Cyber community member, he wants to know, at the movie theater, did you have the spiky hair? — No, I had equally ridiculous foot-and-a-half-long hair. There's never been a time that Brian's had a civilized haircut, probably up to and including right now. — So, if you Google Brian Brushwood or you Google Scam School, you will see his spiky hair and what he's got going on. Also, TJ wants to know if you'll give him two 10s for five real quick. — You better believe it. I'll tell you what, I just need to cover my administrative expenses. Just Venmo $3 to me and then I'll get that to you. — Yep. Exactly. So, you use this term wolfmasking. The title of this episode is wolfmasking. Do us a favor, Brian. Just explicitly define what wolfmasking is, because, you know, obviously in the lead-up to the show, people have seen it, heard it, but what is it, and, you know, where does the word come from? — Yeah, sure. So when we talk about our beloved employees, some people think of them as precious eggs in a basket or sheep in a pen. And we've done pretty good at keeping pathogens, viruses, deceptive vectors out, but now we've got this tidal wave of AI. And so we're continuing to build up big fences around our pen. But the problem, of course, is when something gets through, when a system gets compromised, then these sheep, they do the inevitable. They touch the thing they're not supposed to touch, and then we have real big, bad trouble. So my theory is we're going to do a play day. It's going to be a little bit of time.
We're going to open up the pen, and we're going to say, for one day, for one season, we're going to not be sheep. We're going to wear this wolf mask, and we're going to take turns being the predator. Now, of course, you want to have it sandboxed, in a safe, controlled way. You want to have limits to the rules. You want to defang all your pathogens. And mostly, what you really want is to create some kind of data set so that they can go from hypothesizing in the future to remembering what they did in the past. So, in other words, think of it this way. Imagine right now, let's say I was in the business of protecting houses, and the traditional way to do it is, there's you inside of your house, and you pay a lot of money

Segment 5 (20:00 - 25:00)

for somebody to come up and describe, a bad guy could come in this way. Make sure to lock the door, and describe all the ways they could get you. In this scenario, your job, your role, is to be a hypothetical victim with a kill count of zero. And then after the training, you're good and scared, and you're thinking of all the ways they can get you, all the wolves out there can get you. And so you end the training still a hypothetical victim with a kill count of zero. When, in wolfmasking, and I don't care whether it's phishing or deepfake voices or deepfake video or even physical penetration testing, you cannot graduate as a hypothetical victim. You can only finish the program as an experienced predator or a former deceiver, somebody who has fooled somebody. And this is obviously what I'm doing: I'm remapping what I experienced when I ran a magic camp. A bunch of students came in having performed zero magic, fooled zero people, and by the end of graduation, they had fooled many people. So then down the road, when they encounter these deceptive vectors, they have a mental map. They have a memory of how they did it. It's the same thing that we get in martial arts. Imagine a whole town where there's, I don't know, 50 karate dojos, but none of them are hosting karate tournaments. All of them instead just watch kung fu movies and label all the kicks and the punches and stuff. That's all important to know, and of course drilling against a training dummy is good to know as well. But until you've thrown a punch and dodged one coming at you, you haven't gotten the instinctive training that you need. — Yeah, that's a really great point. The applied skills. And I know, like I said in the intro, many organizations... I mean, it's actually kind of bickered about within the industry, and let me know in chat what you guys do at your organization, or more importantly, how do you feel about this.
So, Brian, in the cyber industry, right, people are like, "We don't want to phish our end users, right? Like, it's tricky, and, you know, it feels like we're bullying them." And then some people say, "We do want to phish our users, because we want to see who falls for it so we can, you know, take action." I did see some pretty gnarly phishes during COVID, like, you know, phishing emails that were about the surplus checks or whatever, the stimulus checks, or, you know, vaccine information. I was like, oh my god, we're not running that at our organization. But in this instance, right, you're enabling the people to actually pretend to be the victim. See it from the other side, right? See the entire process. So, I love the idea of it, but what is it? I know you've run these, right? So, chat, he's run these at organizations. So, put us on the ground, and what does it actually look like when you go through it? Walk us through a session, if you will. — Sure. Well, so the key is to do what I call the READ method. R-E-A-D. R is for render, zero to one. Go from nothing to something. And I don't care how good or not good your attempt is. And by the way, shout out to Clemson University CISO John Hoy. I went on his program... — Of the community, by the way. — Oh, that's right. And so at the time, it was all just a vague feeling that we needed to do boots-on-the-ground deception. And to his credit, when we finished up, he said, "When do we begin?" I was like, "Are you serious?" He goes, "Yeah." So we went and we talked to the dean of the College of Nursing at Clemson, and she said, "What a wonderful pedagogy. Let's give it a try." So I got 80 freshmen, and my job was to take them over just four sessions, and I think I only had 20 minutes of each of the sessions to do it. But my goal was to go from zero to one.
So the very first thing I did was I said, "Okay, guys, how many know what a phishing email is?" Great. I want you to... here's my actual email address, brianwood.com. There is no C in Schw. I want you to type the following subject line: "My first phishing email." And now I just want you to type, "This is a serious document. Serious document.pdf." Now, how many of you guys know what a hyperlink is? Some hands. Great. Here's how we're going to highlight it. Now, we've got to pick a silly image, because a phishing email is something that pretends to be a serious thing, but in fact is something else. So, I want all of you guys to go find crazy, funny dog images. The funnier the better. Everybody ran out and found an image, and he's like, "Great. Now we're going to do a hyperlink. You're going to make it look like a PDF, but instead it'll go to a gotcha image." And just like that. So it said, "Here's a serious document.pdf," and then it led to a gotcha image. So really all I'm doing is a version of Rickrolling,

Segment 6 (25:00 - 30:00)

basically, right? I'm just like Gary Gygax when he invented Dungeons & Dragons. Page one, he says, "Guys, Dungeons & Dragons is just let's pretend with rules and dice." All wolfmasking is, is Rickrolling with rules and dice. Basically, once we get zero to one, here's an important part. A lot of training programs, everybody thinks of the first part. They want to get the white-hot flash of shame. They want people to understand they could be got. Spoiler alert: I think everybody knows they can get got, because when we hear the stories of people who get fooled, everybody agrees that if they had 100% of their brain rocking, it wouldn't have been a problem. But when somebody falls for it, they always say the same three words: "I knew it." Then they go on to explain that they understood all of the training, but because of very good reasons, 90% of their brain was tied up, whether it was deadlines, stress, travel, some kind of emotional leverage. In the case of the pandemic, that was a prime environment. In the case of bitter, polarized times, for example right now, there was one phishing email that went out from what appeared to be HR that made a highly politically charged identity thing. So if you're on one team, imagine it was all MAGA. If you're on another team, imagine it was mandatory gay pride something. But it said, "We're going to add this identifier to your name and all the company stuff unless you click 'manage my preferences.'" And so of course people are not using 100% of their brain in that emotionally charged moment. And of course, with only 10%, that's when instinct kicks in. That's when, in combat, when the grenade goes off, soldiers say the training kicked in. Or likewise, if you're a firefighter on the third floor and you feel the floor go spongy, you're not thinking of charts and tables about wood integrity under pressure. You're immediately just shouting, "Get out," because you know the next thing that happens is that the building collapses.
And so with that in mind, we don't want to shame anyone. So instead, with these 80 emails, fully half of them got the assignment wrong. They linked to a page, not the image, or they didn't even get the link on there. But the corrections all came in private, and they came from a person, not from a system. Because you can't swell with pride when a system compliments you, but you can feel that from a person. Likewise, you can't put in the extra effort to impress a system, but you can do that for a person. And so, one week later, we come back for the second step, E, enhance. So, we begin our hour-long lesson. We spent the first 15 minutes only complimenting the creativity and showing off all the best, most interesting, funny, surprising images. And of course, everybody who made one of these, they're getting the spotlight shone upon them. That feels great. And everybody who's not having the spotlight on them, they're thinking, "Well, that sure would be nice." Psychologists call this the Nurtured Heart Approach. And the goal of that is to alter the monetary supply of praise. By giving lots and lots of praise for fairly neutral things, the new punishment becomes a lack of praise. And you're like, well, I liked it when I was getting a lot of praise. So, you invest. All of this is in the spirit of trying to coax that most intimate part of people's minds, their core identity, into wanting to own the task. So, at this point, we show a whole bunch of the emails that we got, and we compliment the folks who did well. And I say, "Now, this time, you're not doing anything new. You already did it. You already wrote your first phishing email. Now, I want you to try to really fool me. Think about what Brian would be interested in. Think about, we talked about the trappings of authority, of urgency, of opportunity, speaking to the other party's greed, their ego." And then the students very quickly got good. For example, they immediately... here we go.
So we have some of the examples here, where they got corrected privately, but as we get into... there we go. So in this case, they started doing incredible stuff like mentioning, "Oh, my uncle runs a cybersecurity convention. Would you be interested in being the keynote speaker? Just click here and apply for this opportunity." Another one said, "Oh, Mr. Brushwood, I don't know if you noticed, but the entire time, over your shoulder, there was this running," and then you click on the image and it was a gotcha image. All of these were them owning the task. And I personally, I don't really care how good or not good they were. What I care... in YouTube, we think of

Segment 7 (30:00 - 35:00)

viewer minutes. What I care about is problem-solving minutes, because the longer they're spending time trying to solve and think like a predator, the more their identity is pivoting farther and farther over. That training is moving from system two, hypothetical, to system one, instinctual, because system one only runs on history. So at this point, of course, then we get into the third one. A is attack. That's player versus player. And at this point, with the same game, we talk about how clever and deceptive everyone was, what a good job they did. And then I point out, now, in this case, you guys don't know much about me, but you guys know a lot about each other. You know each other's identities, anxieties. You know where people came from. You know what campus looks like. You know what deadlines are coming up. Now, I want you to write to try to fool each other. Just, line one, write who you want to pretend to be. Line two, write the subject that you'd like to use, and then write the text, and then we'll take it from there. This is when the real stuff happened, because all of a sudden they're writing about FAFSA requirements. They're writing about academic fraud accusations, use of AI. They're pointing out all of these anxieties. And the best part is that if you are an enterprise company, think about this. If you have a thousand employees all trying to model deceptive behaviors and fool each other, the only way to do that is to create a model of what your own anxieties are. And you're actually trying to fool yourself. So in trying to write their emails, you get a real-time strategic heat map of all your company's weaknesses. If 30% of all the scam emails that people are writing all reference the same deadlines, the quarterly reports, the shareholder meeting, whatever it is, then that is a giant red flag to you at the top that lets you know we've over-indexed on the need for this. We've created a weakness in this one part.
If somebody, let's say there was a PR disaster, somebody got fired about a thing, and then all of a sudden that shows up in people's attempts to scam each other, that's another signal. These are the kind of things that if you just asked a survey or brought in an outside auditor, you could never access. But by getting people to take on the role of hypothetical predator, even just for fun, then they're revealing all this. Economists call this revealed preferences, that we're able to take advantage of. And then finally, the D is for defense and awards. Defense is we come back and we say, "Great, you guys did great." Here's the thing. All of your emails are going to randomly be assigned to other targets in your same cohort. You will get one point for each person you fool, but you will also be a target. And you'll get two points for each one you catch attacking you. So at this point, even if you were not very good at the attack email, you at least spent enough time to know what you did and you instantly recognize it effortlessly. If you know Aikido and you see somebody adopt the body posture that you could tell they're getting ready to strike, it's effortless for you to instantly and instinctively knock it away. And the best part is at the end of that next week when the attacks come in and people report them, in the case of whatever your security suite is. Maybe it's just right-click, report as phishing. In our case, we had people forward it to phishing@clemson.edu. Uh, but the biggest thing that we had was everybody was so excited to win the game that they were reporting non-game emails. They caught real pathogens in the wild as the collateral damage in the middle of the season of this game. And then by the end of it, as silly as it sounds, I can't overstate this enough, the importance of certificates of award, of recognition. Their new identity needs to be cemented in.
Robert Cialdini in his book Influence talks about how he A/B tested two different neighborhoods. One neighborhood was the control. He didn't do anything. The other one, they went door to door and they had people make a presentation of a certificate of good environmental stewardship. Then people hung it up on the wall and they took pride in it. End of experiment. Except he quietly tracked participation in recycling rates afterwards. And once people hung that award on the wall, it was too incongruent for them to not sort their recycling. They couldn't take pride in the award and not have consistent actions that were pro-social. So likewise, when we look at phishing emails, for example, and it

Segment 8 (35:00 - 40:00)

could be any of the deceptive vectors, you got open rates, you got click rates, you got phished rates, and on and on. And then you've got report rates all the way down here. All cyber security training is going to reduce. You can't do much about the opens, but you can reduce the click rates, phishing rates and so on. But we don't see a lot of motion on the report rate. But once you've taken third company-wide in a competitive wolf masking event, once you have that trophy on there, just like the recycling, it's going to be too incongruent for you to not report these attempts. The goal is not only for you to recognize a deception coming, but to have notes. You should be ahead of them in the game. You ever have that experience? You go to a Super Bowl party and there's somebody sitting in a La-Z-Boy recliner who played all of one semester of college ball and he's holding court on what they ought to be doing and he knows all the rules inside and out. Even though he ain't never played, and he never played seriously, he does know those rules, but he's holding court and sharing his institutional knowledge. That's exactly what we want to manufacture, which is part of the reason why I think it matters a lot that we're only dealing with, let's say, 10 to 20% of a company at a time. Because while they are going through a brief season of wolf masking, the other 80 to 90% know that it's happening, which changes the rules. So right now if we get on a Zoom call and let's say you're a mid-tier executive, you notice that one of the videos is kind of weird and you think to yourself, man, I wonder if this is a deep fake. There's only two scenarios. It could be a synthetic test or it could be North Korea. That's a big gap. And the social cost to interrupt your CEO or your CFO to ask if he's a North Korean operative or whatever, that's too high of a social cost for anybody to do. So, as a result, we can't get out of that shame risk threshold.
But if you know that 10% of the company is in the middle of a season about deep fake videos, well then now we have a middle tier where there are real stakes. Yes, it's not totally stakeless like a synthetic test and it's not a real pathogen like North Korea, but you are pretty certain this might be Gary from finance. So you're able to say, "Excuse me, are you doing that game?" And then they laugh it off. Feel like, ah, no, no, but seriously, show me your sink. Come on, yeah. And now because the social cost is lowered, it makes it much easier to go forward. Uh, the first place I saw this phenomenon was last year. The number one magic convention in America is called Magic Live. And here's the secret about magicians. We are all junkies for getting fooled. The highest compliment a magician can give to another magician is "you fooled me." We give it freely and we give it without shame. And the moment somebody says it and somebody overhears it, the whole bar erupts. Everyone's like, "Oh, have you tried it with a blue deck? Upside down? You know, you could do it behind your back. Hey, Gary, get over here." And so this is what, uh, Nassim Nicholas Taleb calls antifragile behavior. Every time a new deception is introduced, it stresses the system in a healthy way to where, as everything updates, the system emerges stronger. Antifragile systems are like your muscles or your bones. The more stress you put on it, the stronger it gets. And so to my eyes, as a group, magicians all hungry to fool each other, to play both predator and prey, offense and defense, that is the gold standard. What we would give for all of our security apparatus to be that interested in keeping up with the latest. In the world of magic, it's actually a problem because very talented magicians invent new types of deceptions. They release them to market and two weeks later the whole network is updated. Every member of the wetware stack now is immune to that defense.
Not because they hypothetically understand how it's done, but because they've already done it for five of their friends. If I showed you a trick and then told you how it's done for about a half hour, you would be immune. But in a couple of weeks, I could probably fool you with it again. But if I hand you that trick and I point to this restaurant and I say, "I want you to perform at every table here," by the end of that one night, you are functionally immune from ever being fooled by that trick again. That's what we're trying to get to.

Segment 9 (40:00 - 45:00)

— Wow. So I mean that was quite thorough in an explanation, and you know we saw some people in chat, love and peace for one, uh, TJ Chris Khal, like pointing out that, you know, it's quite effective, and your logic and reasoning underpinning why it is effective, uh, is completely sound. So you know, for the people in chat right now, GRC pros, they're the ones who are typically responsible for implementing this type of stuff. Oh, hold on one second. Of course, my guy. Um, like obviously you've sold it, right, Brian? As far as I'm concerned, like it's fun, it's clever, it's catchy. Like, how do they even start implementing some of these ideas? Cuz, you know, first of all, you have to sell it because you're basically trying to play a game at work, right? Which some organizations may or may not. I feel like 1950s IBM doesn't want to sign up to play games at work, right? Uh, so how do they go ahead and implement some of these ideas? Where does one even begin? — Uh, step one is, uh, try to make it frictionless, because remember that part in the Scam School experience after the trick, after the method, when you ask, uh, "Do you got it?" They're all going to say yes. Nobody wants to take that third step because there's so much they're putting themselves out there. They might get it wrong. They might look foolish. And of course, nobody at the top wants to sign off on, what, you want my staff going around playing games? Wait, you want, whoa, you want more scamming and stuff? All of that feels like a distraction. And for some people, for that 80% where the standard model totally works, then it probably is a distraction. Now, uh, remember that there are two tiers. There's the bottom 20% at risk who need an intervention. There's also the top 10% who are handling assets with too many zeros. So many zeros that they need a belt and suspenders approach. One way I like to think of this is what we have right now is seat belts.
We have perfectly effective ways to protect our people if people remember to buckle up. When there's a problem, it's not that the seat belts rip apart. It's that to a person they forget. They don't have the habit of buckling up. Now, meanwhile, airbags are much more expensive than seat belts, but they're always on, and at your most valuable, you want airbags and seat belts. So, first of all, be selective about who you put into this high-calorie, high-touch program. Eventually, eventually I'll have training modules on all of this. For right now, we're at the part where what I have is an extremely compelling, uh, theory that desperately wants the data to back it all up. So, for now, I want to book as many pilots as I can from here to the end of the year. And if I wake up every day, do a class, and then spend the rest of the day grading papers essentially, by the end of this year, I'm going to have 10,000 points of data that'll be used to train an LLM module. And just like Gary Gygax when he invented Dungeons and Dragons, phase one was he had to be the dungeon master for everything. And then once he was able to get his systems down, all of it kind of emerges. Somebody brings in a little bit of J.R.R. Tolkien to the system, somebody else brings a little bit of this mythology. Eventually, best practices become revealed and they get systematized. And then he's selling Monster Manuals. And then it's phase three, you're able to scale. One of my, this is my galaxy-brained endgame. When we hear about AI, we see the jobs that are being lost to the robots. We hear in the hypothetical about, uh, jobs that will be invented, jobs that we can't even conceive of. Like 30 years ago, you wouldn't know what a social media influencer was. The job of it didn't even exist 30 years ago. This is all new territory.
What I strongly suspect is every organization of a certain size and up is going to need kind of a hybrid role for a company-wide deception resilience officer, a hybrid dungeon master, game show host, somebody who's able to keep their eye on the prize, because out there in the headlines are all of the deceptive vectors that are being created by bad guys. If we're keeping this antigen-pathogen model in mind, all you have to do is take smallpox out there in the wild, whatever the deceptive vector is, defang it, make a version of it that fits within your culture at your business, create a limited trial that only does the wolf masking R-E-A-D, zero to one. Like for example, let's take, uh, let's say you got a lot of customer service reps who deal with voices. Great.

Segment 10 (45:00 - 50:00)

— In very little time, in about 30 minutes, everyone can go from zero to one building a deep fake voice. We're all going to be goblins or elves or smurfs or whatever it is. We're going to make a fake voice. Then we're going to enhance. Now, I want you to make it sound like a CEO. And people will have to solve for it. They'll ask, "Well, how do I do that?" And then you just ask back, "I don't know. How are you going to do that?" And then you'll watch the lights come on as they say, "Well, we do have the Christmas presentation audio. What if I take a sample from that and put it in?" Great. You got it. And soon they've crafted a deep fake of the boss. And then we get to A, attack, PvP. You're like, "Great. Order a pizza with it." Yeah. Nobody's looking. Just call, pretend to be him, and order a pizza. So you call a random pizza joint. You needed a pizza anyway for this meeting. They got through it. There is no substitute for the heart racing, the excitement, the full kinesthetic body posture, your eyes dilate. All of this is how we anchor experiences into, uh, into a way to recognize them from a mile away. If you're the one making that trap close, you will never forget what that feels like. And then finally, defense. You're working your call center. Uh, you get a cookie. You get something special if you're able to spot the strange deep fake or the person who's pretending to be one thing but is actually something else. — I love it. Brian, so you actually just mentioned something that's kind of unique to the Simply Cyber Firesides. Normally I ask, uh, you know, where can people find more Brian and all this, but you just mentioned, uh, a desire to run these kind of, um, pilot programs and experiments with organizations to demonstrate the value and, for your own benefit, to get data points so then you can, you know, really refine this and then, you know, kind of introduce it to industry.
So if someone's listening to Jen and they're loving this and they want to connect with you to, you know, explore doing this at their organization or just better understand how they can do it at their organization, like how do you want people to follow up with you, I guess, for lack of a better word? — Yeah. Well, the, uh, this is, it's kind of funny, uh, and forgive me, I guess I did some good marketing because I call the rise of bad guys using robots to deceive everyone the scam apocalypse. So, I got scamocalypse.com, and then the solution that I came up with I like to call wolf masking. So, if you just go to wolfmasking.com, you'll see that there's a, I'm not hard to find. Just look up Brian Brushwood email, and most of what I'm saying is there in pieces, but again, uh, yeah, just reach out to me and I'll be happy to help you guys. If there's one thing that I had to learn to do when I was doing Scam School, it's everybody at the bar was not there to learn magic tricks. So, I had to court them and make it frictionless and easy and fun each step of the way. Now, little did I know that there would ever be some kind of pro-social benefit to any of this, but if I have a skill, it is at coaxing people into stepping just a little bit outside of their comfort zone, a salami slice at a time, so that finally they end up doing something that they never thought that they would have done. Uh, speaking of which, uh, the end of the wolf masking story actually ends up, uh, at Clemson, where the last one was the attack, uh, student-on-student attacks. By the end, they were full-on stealing all of the trappings of the president of the university, writing implied narratives about hacks happening with student verification portals. All of that ending up with gotcha images at the end.
Once people grasp the task, even though it's just the tiniest wading into the shallow end of the pool of deception, you don't have to be terribly good to go from no experience as the deceiver to some experience as the deceiver. And chat's popping off on this one. We've got, I think he's new to the, uh, to the community here, maybe just stumbled on, but, uh, love and peace, uh, says you're the god of whatever it is you're doing, whatever this thing is. — Yeah. He needs you in his business. He mentioned earlier about giving you 50 grand, or somebody give this guy 50 grand. I don't think he was volunteering up his own 50ps on that one. So, uh, wolfmasking.com. Is that right? Yeah. Okay. So, I'm going to drop the link in chat. So, if you want to follow up with, uh, Brian, he said connect with me. I guess if they go to wolfmasking.com, they will be able to get up with you, right? Like — Yeah. And or just brianbrushwood.com. S H W O D. Uh, again, I'm not hard to find, and to be honest, the

Segment 11 (50:00 - 55:00)

smarter part of me would be protective and I'd be doing all kinds of proprietary blah blah and investors. Uh, I am too scared of just how unprepared we are for this robot-fueled scam apocalypse. We, uh, I guess basically, look, if you had $10 million in the bank, you knew for a long time to be, uh, on guard against scams and cons. If you had a million, you could be pretty good about it. But at $10,000, you were pretty much scam-proof. There was no reason for you to be on guard because that's couch cushion money. But now here in the western world, in western society, in America, we are two orders of magnitude over the dollar amounts that are life-changing in other parts of the world. If you're a bad guy, a bad actor somewhere out in the world, the shortest path to money used to be to run giant slave-run scam organizations in abandoned tenement buildings in Thailand or what have you. But now you don't even need to do that. The shortest one is to start running LLMs to befriend and deceive wealthy, or not even wealthy, westerners. If I was a bad guy, I would be right now, any male aged 60 to 65, I would have robots befriending them, showing up saying, "How's the birthday? How's the wife?" All that stuff. And I would just let it cook by the tens and hundreds of thousands. So that five years from now when they're 70 years old, maybe retired, maybe a little bit lonelier, maybe looking for a sense of purpose, that's when I would start setting those robots to start cashing in, to start setting up with investment opportunities. And by that time, you'll have spent five years with this robot, having no idea. It'll be inconceivable that it was a robot the entire time. And along the way, five years from now, we're going to have perfect audio fakes. Zoom fakes. You'll even be able to hire somebody that looks enough like it to say howdy and shake a hand at a family gathering. It'll be just a TaskRabbit event to someone.
All of these things become horrifically profitable down the road. And the shortest path to getting us healthy is again to get all of us thinking like that group of magicians, that group of junkies who loves jockeying for position, fooling and being fooled. That's what I want to build the culture of. — All right. And just to be clear, not a tutorial information session on how to become a cyber criminal here at Simply Cyber Firesides. Just highlighting it to indicate how to avoid it. Now, um, Brian, one of the things we do on the show here is a lightning round, and it's an opportunity to get to know you a bit more. Uh, in addition, now normally we run it at the mid-roll of the show, but you were cooking, man. You were in the lab putting stuff together, and, uh, we only have six minutes left in the hour. If you can imagine how quickly we went, dude. Like, — wow. — We've been going, yeah, we've been going 54 minutes. So, uh, let's do the lightning round really quick. I do want people to get to know you as well as I do. Dude, you have performed on stages in front of hundreds, maybe thousands of people. You hosted TV shows, very successful YouTube channels, top 10 podcasts. Which format gives you the most adrenaline? — Oh man, to be honest, uh, really doing the live stuff like this. Like my brain can't handle knowing the difference between 10 people watching and 10,000. All I know is that whatever's happening is completely on the record, so I better be really good and off the cuff. It's very intimidating. — I love it. Now, just as a bonus question, because I do love TJ, uh, like you know, and like I love TJ. He knows. Um, least favorite chore, coming from the audience. Least favorite home chore. Go. — Oh, man. Anything tedious. Uh, bills. Bills. — Oh, yeah. Bills suck for multiple reasons. Uh, you live in Austin, Texas. Not to dox you, but it's out there. — Oh, yeah. — What's something, uh, about Austin that you would never give up? — Uh, Rudy's Barbecue.
It's in a gas station, and I hold it up against any of the best. Everybody loves your Franklin's, all your famous Austin barbecue. The truth is, it's all pretty good. So, go to the gas station barbecues. — All right. You get a fill-up and a sandwich while you wait, right? Kind of thing. What's something that you're genuinely embarrassingly bad at that would surprise people that watch you on stage? — Taking compliments. — Ah, okay. As we saw at the intro of this episode where he, you know, greased himself up and slid right past what I was saying. Scam School has been running for nearly 20 years. Brian, what's one bar trick or scam from the entire catalog that you still find satisfying to pull off? — Okay. So, if I had a time machine, I would go back and set up exactly what I set up in 2008. I had the

Segment 12 (55:00 - 60:00)

idea for, uh, this is when YouTube was young. I did, well, here we can actually do this trick. Uh, so, uh, let's do this. We had this crazy hypnosis, NLP, uh, neural linguistic programming life coach guy, and he claimed, uh, that out of all the cards in a deck of playing cards, you could recite some lines of poetry and it would cause somebody to think of just one. And not an obvious one like a queen of hearts or an ace of spades. Do me a favor. Empty your mind and I'm going to say the lines of poetry. — Okay. Okay. — Okay. You ready? Okay. The lines of poetry are, "The woods are lovely, dark, and deep, but I have promises to keep, and miles to go before I sleep." Out of all the cards in a deck of playing cards, what card pops into your mind? — A three of spades. — Three. You've done this? — No. I mean, — are you serious? — Yeah, I've never done it, but I mean, I am hosting, watching chat, and running a stream. So, I mean, I can't fully, I'm listening to you, but maybe it's because — No, no, no. In fact, if you search right now, and if anybody's listening, if you search Scam School, uh, Professor, uh, Charles Singleton, Professor Charles, — did I get it right? — Look at this. So, I mean, you tell me. — Show us, show us, Brian. — Uh, here. Professor Charles Singleton interview. There we go. We'll see if this interview, bro, — here we go. Yeah. Here we go. Whoa. — You gonna put it on? — Welcome back to Scam School. We are here at the Nomad Bar in Austin, Texas. And today we are talking to Professor Charles Singleton. Now, before we went to break, you said something that kind of blew my mind. It sounded like you were describing, like, I mean it sounded like mind control. — Well, actually it is. Our studies of neural linguistic programming have discovered deep structures in the human brain that can be accessed with linguistic triggers. We can actually put a thought into someone's mind — like against their will. — Yeah. — Do you have any examples?
— We would read a poem by Robert Frost, "The woods are lovely, dark and deep, and I have promises to keep, and miles to go before I sleep." Then we would have them think of a card, and 100% of the time, every time, they would think of the three of spades. — Oh my gosh. — Isn't that crazy? That's amazing, right? — I want to take a shower right now and put on a new body. Like, what are we doing here? No. — So, here's the best part. Uh, I'm going to tip you guys the method so that you can do this. I created back in 2008 52 different accounts under 52 different names with 52 different versions of that interview, each one corresponding the name to a different card. Because you'll notice I didn't give the name of the guy until after I heard the card. And so basically look up "scam school mind control experiment" and that'll reveal how to translate the name of the card into the name of the, uh, expert. — Okay. So you have 52 videos. So that was a magic trick. — Oh yeah. Pretty good though, right? — It was great. I wanted to, uh, I, yeah, I was probably gonna tell everybody, go in and tell my wife I was gonna take like a Crying Game type shower. Like I was, I like, this was, Brian, you just did it. You pulled one off on me. What an absolute delight, man. You know, you're a guest on my show. I didn't expect like a free magic show. Um, and dude, you did it. Like, can you just, let me ask you this, dude. You're like a, um, like compulsive magician. You've kind of mentioned it in different ways over time. Like you love it. You love the adrenaline. You love the surprise, all the things associated with it. Like do you just find yourself injecting a magic trick wherever, like when it becomes organic? Like I don't even know, like right now, if you planned on doing that, but like you saw the opportunity. Is that something you do all the time? Like not awkwardly where you just like walk up to someone in an elevator and turn around and be like, pick a card, you know?
— Well, when a magician first starts doing magic, they kind of, they find their favorite three to five tricks. And then oftentimes you need to have a gizmo on you or some kind of gimmick. Uh, and so every time you go out in public, you make sure that you have those things on you. But it wasn't until, like, once I got past a hundred episodes of Scam School, I began to dare myself, like, let's see if you can live off the land. Well, not carry a deck of cards with you and just see what's around. And I'm telling you, it's like Terminator vision. I walk in, and then the moment somebody says magic, like out of the corner of my eye, my mental map is, I'm like, "Okay, I got a bunch of coins in a bag over here. I got that deck of cards over here. We could do blank, blank." And then, because I realized, "Oh, wait, no. I'm at the computer. We could do the mind control scam." By the way, that was the one that they did on the International Space Station. By the way, that was done by Richard Garriott,

Segment 13 (60:00 - 63:00)

America's first second-generation astronaut. — Oh, I love it. That was so good, dude. Like, so do you, um, like do you pay for drinks at bars or do you just, like, do this? — Uh, nowadays, I'm always the one paying for drinks because when you make a game of seeing how many free drinks, uh, you can score, the answer is always too many. — Yes, of course. I see. So, we've been talking to Brian Brushwood today, getting to know him a bit personally, uh, here at the end, but we've been talking about wolf masking and this technique of flipping information security awareness training on its head by enabling our user population to be the attackers and to be the wolves, if you will, and having them kind of attack each other, but in the most, you know, uh, kids' ball pit, foam baton kind of way. Brian, take us out on, you know, final thoughts around wolf masking, the value, and how people can connect with you. — Uh, I'll tell you, if I'm stepping on anyone's toes, there's part of me that thinks I can't be the first one to have this idea. Uh, if anyone else is already doing something like this, I'd love to hear about it. brianbrushwood.com. But when I ask myself, why hasn't anybody been doing this already? It occurs to me that in magic, we've had 400 years of training up and best practices and constantly getting each other. Uh, cyber security as a crime is only 30 years old. Wrap your mind around that. So it makes sense that we would first have the top-down book learning solutions, and only now that essentially scams are democratized thanks to the robots. We have foreign interests, we have, you know, cyber criminal gangs or whatever. And only now are we at the place where what economists would call enough market pressure means that we have to rethink kind of our culture when it comes to being protected against deceptions. — I love it. How can people get with you again, Brian? — Oh, just brianbrushwood.com, or you can find me at wolfmasking.com. — wolfmasking.
com is definitely going to be the easiest way. Uh, obviously Brushwood sounds, uh, difficult phonetically. — There is no C in Brushwood. — Yeah. So, uh, go to wolfmasking.com. Guys, this was, uh, like literally an incredibly fast hour of content. I want to thank Brian Brushwood for coming on and just delighting us with, uh, you know, Brian, like I'm a big GRC person. So awareness training, uh, behavior modification, which is ultimately what awareness training is designed to do, is very near and dear to my heart, and doing it well has long been a challenge in the cyber security industry. I feel like I've got a pretty, uh, effective technique for doing it. But what you've given us today with wolf masking takes that to a whole other level. I want to thank you on behalf of myself and the entire Simply Cyber community for spending time with us today and sharing this knowledge. Chat, I want to thank all you guys. Your questions were amazing. Your engagement was awesome. And I think, well, excuse me, I hope that you can take this information and go to your organization, go to your business and try to implement it and ultimately try to level up. Again, wolfmasking.com to connect with Brian so you can get more insights. Like he said, he might be developing, uh, modules or templates or, you know, tools that can help you with this type of stuff. Don't sleep on it. It's absolutely great. Brian, thank you so very much, y'all. Until next time, stay secure.