Now That's IT: Stories of MSP Success

Deepfakes, Disguises, and Deliveries: How Rob Shapland Hacks Human Weakness to Build Stronger Security

N-able Season 3 Episode 9

Modern cyberattacks aren’t just technical—they’re personal. And Rob Shapland knows how to exploit the human element better than anyone.

In this episode, Chris Massey sits down with Rob to unpack the wild world of social engineering—from sneaking into corporate offices disguised as a delivery driver to using AI voice clones to bypass MFA. With over 200 successful break-ins (all authorized, of course), Rob shares what IT leaders and MSPs are still getting wrong—and how to fix it.

They cover:

  • Why the human layer is still the biggest vulnerability in security
  • How attackers are already using AI for voice and video deepfakes
  • What companies can do today to strengthen their weakest links

If your clients think MFA alone is enough, this episode proves otherwise.

Let us help you unlock your business's full potential.

N-able Business Transformation is expert-led and peer-informed. These valuable executive programs are tailored to provide effective guidance and a faster path to a scalable and successful business.

Book a Call with Chris Massey now to learn what Business Transformation can do for you! 

'Now that's it: Stories of MSP Success,' dives into the journeys of some of the trailblazers in our industry to find out how they used their passion for technology to help turn Managed Services into the thriving sector it is today.

Every episode is packed with the valuable insights, practical strategies, and inspiring anecdotes that led our guests to the transformative moment when they knew... Now, that's it.

This podcast provides educational information about issues that may be relevant to information technology service providers.

Nothing in the podcast should be construed as any recommendation or endorsement by N-able, or as legal or any other advice.

The views expressed by guests are their own and their appearance on the podcast does not imply an endorsement of them or any entity they represent.

Views and opinions expressed by N-able employees are those of the employees and do not necessarily reflect the view of N-able or its officers and directors.

The podcast may also contain forward-looking statements regarding future product plans, functionality, or development efforts that should not be interpreted as a commitment from N-able related to any deliverables or timeframe.

All content is based on information available at the time of recording, and N-able has no obligation to update any forward-looking statements.

Speaker 1:

One, two, three, four. I delivered these flowers to this rather bemused woman. Then I went into a meeting room and plugged a remote access device into the network and then used that to hack in afterwards. I got a massive buzz afterwards when I finished and left the building. Massive adrenaline highs, like, okay, this is fun, this is really fun. You've got these horrible nerves beforehand and this massive elated feeling afterwards, so it's a real experience.

Speaker 2:

But yeah, then it's like, okay, well, I've got a taste for this now. Welcome to Now That's IT: Stories of MSP Success, where we dive into the journeys of some of the trailblazers in our industry to find out how they used their passion for technology to help turn managed services into the thriving sector it is today. Disguises, deepfakes, long-lens cameras.

Speaker 3:

It's not the next FX series with Rami Malek. It's the true life of Rob Shapland. After years inside one of the UK's earliest pen testing firms, disguised as a cleaner, a delivery driver, even a fake employee, Rob has gained unauthorized access to more than 200 companies, military bases and government facilities. Today, Rob runs his own cybersecurity firm focused on social engineering and awareness training. I'm so excited to get into these stories and more. Welcome to the Now That's IT podcast, Rob.

Speaker 1:

Nice, Chris, it's great to be on.

Speaker 3:

And I really appreciate you being here. A little extra special, it's the end of the event. We're at an amazing event this week, N-able Empower. It might start to get a little loud in the background because it's going to be social hour in a few minutes, and so thanks for taking a few minutes away from networking with all the amazing MSPs in the UK and Europe.

Speaker 1:

Yeah, it's been a great event so far, so it's nice to have a little bit of quiet before the evening.

Speaker 3:

It's the calm before the storm. That's right, all right. So let's rewind a little bit. Rob, you're in school, you make yourself an admin on the school's IT system, and what happened? What did that experience unlock in you?

Speaker 1:

Yeah, I think that was my first exposure to hacking as a thing. It was quite early days and I was just messing around. I didn't really know you could do hacking. Yeah, hacked into school systems, left it all on, like, the admin screen of every single computer, and then kind of forgot about it, to be honest, because back then, I mean, it's already quite a niche career, but then it was even more niche. There was hardly anyone doing it. I didn't know it existed as a career. So it took me a few years before I found out you can actually do this as a job, and when I did find that, that was quite exciting.

Speaker 3:

So at the moment, your teachers, your parents, your friends, they're probably not looking at this as a talent that you have?

Speaker 1:

Probably not.

Speaker 1:

It's probably more of a negative thing. At that point there's always a negative connotation or association with hacking isn't there? You're going to be a black hat, You're going to be going to prison, all that sort of stuff. But the fact that you can do it now as a job and help people, it's really cool.

Speaker 3:

It's awesome, but at the time it's Rob's in trouble again.

Speaker 1:

Yeah, that's it, yeah, yeah.

Speaker 3:

It's how Rob goes to school and gets told off by the teacher again for hacking and messing around. I've gotten to know you pretty well in the last couple of days and I just don't see that characteristic in you. But if that was your past, that was your past.

Speaker 1:

Indeed, I mean, I never got in proper trouble. I never went to jail or got the authorities banging on the door or anything like that.

Speaker 3:

So at university you chose software testing right, a fairly safe tech career. What drew you to that path?

Speaker 1:

To be honest, so I was always good with computers, right, and I was looking for a career that used that. And my dad was very much like, you are not going to finish university and do nothing for a few months. He's circling jobs in a newspaper for me immediately. You know, this is early days, before we had all the online stuff. So he threw a newspaper at me, went, what about that one about software testing? I had no idea what that was. I had a look at it. It sounded boring and it turned out to be just as boring as I thought it was going to be. Not to offend any software testers out there, but it wasn't for me. And I did that for three, four years.

Speaker 1:

In the end, different companies, and found, you know, when you're searching for a new job, I just typed in testing online and it came up with penetration testing, which is the sort of alter ego of ethical hacking. And, as you do at that age, I had a good laugh at the job title and looked into it and I'm like, hang on, that's hacking. You can do that as a job. That's amazing. So I applied for it and they came back to me and said, right, okay, you've not got any experience. Write me 500 words on SQL injection. I had to Google SQL injection to start with and find out what that is. Wrote an article about it, used that to get the interview, did the interview and then got the job, and that was my first kind of exposure to properly doing hacking.

Speaker 3:

That's great. Why do you think that first job, the software testing, was painfully dull?

Speaker 1:

Because it uses your brain a bit, but not as much as hacking does. You're just checking stuff works, so there's not a lot of lateral thinking to it, whereas hacking is very much thinking outside the box, especially when you throw in the social engineering elements.

Speaker 3:

So you get the job at, in the UK, sort of one of the first pen testing firms there, right? What did training look like, I mean?

Speaker 1:

Training to start with was literally, you're going to make tea and watch us do stuff. So the company was really small, like three or four people, and I was just learning, just shadowing, like old school, none of the nowadays where everyone expects to be thrown in and doing all the really exciting stuff. Right at the start it was very much, okay, read this 400-page book on TCP/IP and then watch us do an infrastructure test, and then do that for six months, and then start getting involved in the testing, and then from there move into application testing, web apps, and then from there, there's more and more stuff. There's internal testing, there's mobile apps, all sorts of stuff.

Speaker 1:

So there's lots on the technical side that you can do, and I was doing at that stage.

Speaker 3:

Do you remember any of those, like, early assignments? Just what it was like, what was going through your mind? Like, when did it sort of click that this might be a career for me?

Speaker 1:

Yeah, I think it's when you start to do fun stuff, like when we got a TV shipped to us for minus one pence, so basically they paid us to send the TV because we just manipulated the price. This was a major website as well, and you could just change the pricing on there. I did that a few times. Different companies got money paid to me and items sent, which was really fun. And then it was when I started going on site. I would go to clients' offices and test their internal networks, and you know, when you could take control of the TVs in the atrium of this huge company and just say, like, Hacked by Rob or whatever, in the middle of that, in front of hundreds of people. It's like, this is fun. Like, that felt like being in a movie, taking control of things in a building.

Speaker 3:

It's right, and like, I think most of the MSP industry and the IT industry, they understand the idea of vulnerability, pen testing, right? But this was a different level. Like, this was you were breaking in.

Speaker 2:

Yeah, yeah.

Speaker 1:

And there's a big disconnect between seeing a vulnerability on a screen, whether it's Qualys or Nessus, whatever is reporting, and relating that to, actually, that can be used to do this. I think you can just see it as, oh, it's a red, I've got 500 reds or 10,000 reds or whatever, but actually some of those can just be exploited in one click and away you go. So being able to go into a network, find a vulnerability, then exploit it, then use that to access other areas of the network, move around laterally and then download actual important information. It's fun to take it all the way like that. That's cool.

Speaker 3:

All right, we're going to dig more into that here in a minute, but there's probably listeners saying this is kind of some crazy stuff here, and I heard a rumor that you're a bit of an extreme sport guy, right, sort of an ultra race guy. Tell us more about what Spartan races are all about.

Speaker 1:

Yeah, yeah. So outside of my hacking life, my other life is obstacle racing, so Tough Mudder, Spartan Race. But there's also some more specific, very technical races that take place in Spain and all over Europe, and I got involved in that seven or eight years ago. I just went on a fun run like Tough Mudder, like a lot of people do, and then I realized there's a bit of a competitive scene to it, and I can't help myself getting involved in the competitive scene of pretty much everything that I've ever done. So when I realized I could do that, I started training a bit more, running a bit more, and eventually qualified for the UK national team. So doing that in June for the first time, so that's going to be really fun. I'll be out in Portugal and then the World Championships in Sweden in October. Yeah, it's just fun swinging around from monkey bars, jumping over things, picking things up and running with them. It was just, yeah.

Speaker 3:

And you were not, not ex-military, no. So this is what's fascinating about this. You've got this interesting brain. Obviously there's a physical side of it. You're in great shape. You're looking at this for energy, exercise and competitiveness, but the obstacles that you're going through, they're pretty extreme, right? And so you've got to have a... It's a mind game as much as it is a physical game.

Speaker 1:

Oh yeah, it is. When you're running between the obstacles you're running as fast as you can. Like, imagine you're doing a 10k race or whatever and you're going flat out, and then you get to something and now you've got to pick up a 50 kilogram ball and go with that, and you've got to put that down, and then you've got to swing from these little attachments and nunchucks and things that are hanging from monkey bars, and then drop off that and then get going again. It is hard, it's punishing, and you get into that mental place where it gets a bit dark for a while and then you come out the other side, and actually I enjoyed that.

Speaker 3:

That was good. There's something about you, you know that. I've listened, as I listen to you tell stories. You've not come out and said this, but you have this personality where, I can prove you wrong, like I can do this, I can get in there. Do you agree with that? Do you have that sort of...

Speaker 1:

Yeah, yeah. I would much rather someone said to me, like, if I'm breaking into a building, don't think you can get in there. Yeah, try your best. What I hate is when people say, oh, that'll be easy. Because then it's like, oh, there's the expectation that you're going to get in, so, on the off chance that you failed, it would feel really awful. But I much prefer the challenge of, you know, you'll never get in here. Okay, give me enough time, give me enough budget to do it properly. I mean, yeah, if you give me two hours to do it, that's probably not going to work, but if you tell me I can have a few weeks, then yeah, let's see what we can do.

Speaker 3:

That's great, Rob. All right, let's talk about... So you started to develop this niche. You call it social engineering, right? So what does that mean? How does that resonate with you? Where did it come from? What happened?

Speaker 1:

Yeah, so to me, social engineering was always associated with physically breaking into a company's offices. As a term, it encompasses more than that. It's really anything where you're influencing or manipulating people in some form, whether it be phishing or phone calls or whatever. But to me it was always the physical side and that's how I started, and my boss at the first company was the one that did it there, and he decided he'd had enough of it. He wanted to hand it over to someone. He said to me, all right, why don't you have a go? And he set me a target of a client in London, and the task was to get in and get hold of the Wi-Fi password they used, and that was used amongst all their different offices. First one, so nervous, absolutely bricking it, to be honest. It was so scary.

Speaker 1:

I must have walked past that office 10 times before I went in, and I had a fake badge that I'd taken from a social media post that the company had done. They'd put up someone with their badge and I was like, okay, make a copy of that. And then I had an iPad with some Wi-Fi signal strength apps on it, and I thought, okay, I'll go in, pretend to be an IT employee, ask them if they've got any problems with their Wi-Fi, because everyone always has problems with Wi-Fi, and then maybe that can get me the password. So I finally plucked up the courage to walk into this building, said I was there from IT. They said, okay, you need to sign in downstairs. So I went down there and said, have you got any problems with Wi-Fi? And they said, oh yeah, it's terrible. Especially down here, it doesn't work at all. I was like, okay, I'm going to need to log on if you've got the password.

Speaker 2:

He said oh, yeah, here you go.

Speaker 1:

Just gave me a little paper with this 30-character password on it. I was like, well, that's really secure, unless you give me that thing on a piece of paper. So I typed it all in, same shared Wi-Fi network, and take anything I want, because now I'm authenticated to corporate resources and things as well. So I got a massive buzz afterwards when I finished and left the building. Massive adrenaline highs. Okay, this is fun, this is really fun. You've got these horrible nerves beforehand and this massive elated feeling afterwards. So it's a real experience. But yeah, then it's like, okay, well, I've got a taste for this now, I'll take it over.

Speaker 3:

So cool. So obviously attacks have become more sophisticated. Essentially, users have, right? MFA has become a thing that people are saying you've got to have, you've got to have, and AI has become this exciting new thing that companies are using to become more efficient. I heard you tell a story about AI and MFA. Do you mind sharing? Obviously leave names out to protect the innocent.

Speaker 1:

Yeah, absolutely, yeah. So to give an example, let's say I wanted to hack into an email account. So to get into someone's email you need their email address, their password, and then probably to get past their multi-factor authentication. So the company that I was targeting for this example, they wanted me to get into one of their senior leaders' email accounts. I didn't mind which one, just get into some senior person's email account and see what you can see inside there, and so I thought, okay, email address.

Speaker 1:

Often for senior people you can find that online fairly easily. A bit of Googling, maybe on the website, if not. Pretty much everyone's email address is available through LinkedIn. Although LinkedIn doesn't show me directly what your email address is. If I've got the name of the person that's working there and the company they work for, it's not going to take a genius to work out what their work email address is, right. So that's the first part, but that's obviously the easiest bit.

Speaker 1:

Second part is the password. Now for this company, how I got that was through a data breach. So there's, I'm sure most people are aware, there's massive databases full of breached credentials out there that have already been stolen from other websites, and one of their senior leaders was in this breach database. He'd had his email address and password stolen eight separate times from eight completely unrelated websites, and he'd been using his work email address to register for everything, including all his personal websites. Now, in each of those eight different examples his password was the same. So I kind of figured, well, if he's using it for eight completely unrelated websites, it's probably fair to surmise that password is one he uses absolutely everywhere. A lot of people do that, reuse passwords in places. Not a lot of people reuse the same one absolutely everywhere, as this person seemed to be doing. But I thought, okay, I can probably guess that that's going to be the password he's going to be using for his email account as well. Now there are other ways to get a password. One of the other ways I've used is simply to sit next to someone on a train and watch them type the password into their laptop, which is very simple. Maybe you can't follow it in real time, but I've got a pair of glasses I use to record stuff when I'm doing social engineering. You can look at the keyboard and then reverse the footage, slow it down and work out what they've typed. So there's lots of different ways of getting a password. It doesn't necessarily involve brute forcing or guessing or different combinations. So, anyway, I thought that was probably the password he was using.

Speaker 1:

But then I thought, okay, this is quite a well-defended company. They're almost certain to have MFA. But before I log in as this person and trigger any alerts on his phone, can I confirm, yes or no, whether they've got MFA in some way? So I went on to LinkedIn, searched for the company and started looking at their IT employees. They had 10 or 20 IT employees in the company. Clicked on their profiles, and some people on LinkedIn will just list all the places they've worked. You know, I was here five years, here three years, here two years, but some will break down within those job roles what they did. And one of their IT employees had listed every project he'd worked on since he started at the company, and one of those was implemented Microsoft Authenticator MFA. I was like, okay, great. So now I know the company's using Microsoft MFA, so I can probably guess it's going to be the system where a number comes up on the screen and then that prompts a thing on their phone and they have to type in that number and match it.

Speaker 1:

Now how do you get around that MFA, because that's the bit that's supposed to protect you, right? Okay, password is as well, but if you can get hold of someone's password, great, but you can't log in because of the MFA. It's the whole point of having MFA. So the best way to get around it is social engineering, normally through a phone call. So perhaps I phone you up and I pretend to be from IT. I'm doing some maintenance on your account. I've logged in as you, I've got your password, so it must be IT, and I just need you to authenticate me through the MFA. So that's the rough idea of how I was going to do it.

Speaker 1:

But I always get a bit carried away and I want to go to the next level and see how far I can take it. So what I decided to do was, can I clone the voice of one of their IT employees? It was probably far more than I needed, to be honest, because the chances of them actually recognizing the IT person's voice are fairly slim. But I thought, okay, it'd be fun to try, and maybe it's the thing that is the convincer. So the best way to find a voice is YouTube, normally. I mean, you could clone my voice easily. There's enough YouTube videos and stuff out there of me.

Speaker 1:

So I started looking for all the different IT employees on YouTube to see if they were on there, and one of them had done a conference bit, like we're at now, and he did an hour talk and it was all recorded on YouTube and it was really high quality. I was like, okay, that's perfect, because that's an hour recording. Now for voice cloning through the AI systems, you don't need an hour. Two minutes, roughly speaking, is enough to create a passable copy. It's not going to be perfect, but it's enough on a phone call that it will probably work.

Speaker 1:

So I cloned his voice, and then with the software you can do a couple of things. So you can either do what's called text to speech, where I type in exactly what I want to say and it will read it out, which is great if you've only got one thing, because if they respond with something different, you're suddenly typing. There's going to be a really awkward pause. The other thing you can do is you can hook it up to ChatGPT or Gemini or whatever AI system you want. Give it a prompt, just like you would in ChatGPT. You are an IT employee, you are trying to get this person to give you an MFA code or type in a number on the screen, and it will do that. You have to engineer the prompt in a certain way. It doesn't like you trying to get passwords and things from it, but it will work.

Speaker 1:

So I thought, okay, so I'll clone his voice and then I'll get it to say something, and then, if it goes off-piste, I'll let the ChatGPT kind of try and get the password for me effectively, sorry, the MFA code for me. So all the parts are in place, I think, anyway. So I logged in as this person. The password worked exactly. It was the one from the data breach, exactly how I hoped. So now it prompts on his phone, an MFA prompt from Microsoft Authenticator. So now I phone him. Now his phone number's on the website, so it made it very easy to do that. Phoned him up and then essentially played the voice recording saying, hi, it's Steve here from IT. We're just doing some maintenance on your account at the moment. You might have seen a Microsoft Authenticator prompt pop up on your phone. Would you mind just entering the number 23 for me please? And he went, oh, hi, Steve. Yeah, no problem. Actually I've had a few problems with my laptop recently, so that's great, you're on the line. I'll do that for you now. So click pause, types in the number and I'm in, so straight into the email. We end the phone call and now I'm inside.

Speaker 1:

One of the most senior executives' email. Now, you imagine he'd been there for 15 years, never deleted an email in his life, so there's so much information within there. But also, one of the powerful things you could then do is send email as that person. So authorizing money transfers, for example, would be a great thing to do. So the simple bit of social engineering, voice cloning tool, it sounds, well, that's quite technical. It's not, honestly. It's about five dollars a month for the voice cloning tool. It's so easy to use as well, honestly. You just upload a voice recording, it creates the thing, you type out what you want to say, happy days, and it works. So I'm not saying it's incredibly difficult to do that, but that system works, and I've tried that against a few companies and it's very successful.

Speaker 3:

So for anybody that's listening, Rob is actually here, by the way.

Speaker 3:

I just want to validate that for everybody. This is not a clone, an AI clone of Rob. He's actually here. It sounds very sort of nefarious, very devious, what you're doing, but companies are hiring you to do this, right? Like, this is part of what you've been tasked with, and so just talk a little bit about how does an engagement like this start, right? Like, we just told the story of, this is what happened. But today, Rob, if you're doing this, if somebody is interested, what sort of size does a company typically get to, or what are the characteristics of why a company, a business, would hire you? And then, probably most importantly, what are the outcomes? What do you do with this exercise?

Speaker 1:

Yeah, okay, great question. So for me, I like to work with clients that really care about their security. So some firms, they just want to say security's a box I need to tick. Yes, I've done my training. Yes, I've done my pen testing. Yes, I've done my vulnerability scanning, and that's all they need to get their insurance or whatever. And that's the limit of what they want to do.

Speaker 1:

But other firms actually care about it. It's like, well, how good is the training I'm doing? Is doing just e-learning good enough, or could I do something better? And that's where I tend to step in, because I will do these engagements where I break into the email or break physically into the office, record it all and then show it in training for those clients, and then that's a really powerful message. So, rather than just doing a 10-minute video and doing a quiz or something like that, failing the quiz because they're doing something else at the same time, then doing it again and finally passing it, instead they're in a room with me, I'm scaring them, I'm showing them videos of me actually breaking into their office, of cloning their CFO's voice and asking for a money transfer and things.

Speaker 1:

So what I want to do with that is enhance the company's security properly, in a way that's memorable but also helps them at home as well. So a lot of what I do talk about in training is to do with their home life as much as their work life. So I really like to work with clients that don't have to be any particular size. Generally speaking, they tend to be medium-sized businesses, maybe a bit larger, just because otherwise they're so focused on the real basics of cybersecurity, not really thinking about employing someone to go and break into their building or other bits and pieces. But the interesting thing about that story I told you with the MFA bypass is that it didn't touch any security systems, if you think about it. So you could have your EDR in place, your MDR, your email quarantining, everything. All of it got bypassed by that. Never touched anything. The only thing it touched, the only layer it touched, is the human layer. It's the person at the end of that call who gave me the code or typed in the code for me.

Speaker 1:

Now if he'd been trained correctly and had been engaged in the training and listening, if it had gone well, there's no reason I ever should be typing in a number that I haven't logged in myself, or I didn't want to log in myself, and I didn't initiate that call. That came from someone else. I don't know who that person is, just because it's got a random mobile number. I don't know that's one of my IT people. It could be anyone. So by doing the training in such a way that it's engaging and interesting, you actually make that human layer really, really effective, and most hacks now come through that human layer. So why would you just have the easiest option with your training? Why would you not go to that next level?

Speaker 3:

Wow. It's very scary as a business owner, as a human, right? The fact that, you know, I have a podcast. I have hours and hours and hours of my voice out there. You just gave a couple of sort of pieces of advice there, but what's something that maybe businesses can just do better to protect themselves from some of these social engineering type attacks?

Speaker 1:

Yeah, I mean, so the voice cloning stuff is interesting, because once your voice is out there, it's available to be cloned. You're not going to strip yourself off the internet and all your podcasts, remove them all just on the off chance that you get cloned, right? So that's not going to happen. So you have to educate people on how to defend against it. And the main thing is, what are you being asked to do? So, if you've received a phone call from someone, what is that person asking you to do?

Speaker 1:

Now, you know the voice kind of technology is out there, and a lot of people don't know that. So, again, that's an education piece and a training piece. If they phone you, what are they asking you to do? So, are they asking you to do something a bit unusual: share a password, authenticate through MFA, do a money transfer, and they give you the bank account details on the call, that sort of stuff. And have you initiated any part of this yourself, or is it all inbound to you? Is it all calls, emails, messages, whatever, that have come to you? And that's the point where you're being asked to do something weird.

Speaker 1:

The way that you can defend against it is to stop the call, the video, whatever it is, because it could be a deepfake video as well, and initiate back on a number or an address or whatever that you know is definitely that person, because that kills the attack dead, because now you know you're speaking to the right person, you can check. Well, did you just phone me and ask me for my password? And they'll go, well, no, because we shouldn't ever do that. And then you've stopped it. So it's little bits like that. It's thinking about the underlying reason and being the one in charge of the situation. That tends to be the thing that defends companies.

Speaker 3:

That's great, great advice, Rob. I appreciate you sharing that with the listeners. You spent over a decade at a company that felt like home, and now you're starting your own thing. What changed?

Speaker 1:

Yeah, I mean, we just, so, when I started we were four people. It was a proper, proper family-run business, and I know that sounds, oh yeah, it's not really a family, is it? It's just work. But it genuinely was, because we got on so well; we're all still friends now. And we built that up to, you know, not big, 20, 25 people, and then the owner sold the business to a slightly larger business, and that was okay, it was good. And then it got bought by an even larger business and, you know, things change, right? There's nothing wrong with that larger business, it's just it wasn't really a fit between the two of us.

Speaker 1:

So I'd been thinking in the back of my mind for ages, like, I should set up on my own, and people had always been telling me that: we don't understand why you work for someone else. Like, you come in and do the training, you do the social engineering, it's all you there. We don't care who you work for. So, you know, let us know if you ever set up on your own. So I thought, well, I've got some friendly clients waiting in the wings, potentially, and, you know, that's what you want when you start a business. I couldn't be doing cold calls and LinkedIn messages and all that sort of stuff.

Speaker 1:

Um, so, when the kind of time was right, I thought, okay, let's do it, let's set up and let's go for it and let's see how it goes. And it's been hard work. Anyone that's listening to this that's owned a business at any point or owns one now knows what it's like, and it's very personal. You take everything personally, whether it's a job well done or a job rejected or whatever. But yeah, I'm really enjoying it so far. It's nice to be in control and do everything the way that I think it should be done.

Speaker 3:

That's great. Talk a little bit about how you anticipate the future of sort of social engineering attacks. And, I mean, how quickly do you think things are going to evolve? What do you think, what do you expect?

Speaker 1:

I think the voice clone and the deepfake video is going to be the big thing. I mean, it already is big, but it's going to be huge over the next couple of years. It's going to be to the point where anything inbound to you, you're basically not going to be able to trust, because you just don't know who you're talking to anymore. Yeah, it's already a case of that at a basic level. Phone numbers can be spoofed, right? So your bank phones you, you don't know it's your bank, but the vast majority of the public don't know that. They trust the fact that it says their bank's name on the screen. They answer the phone expecting it to be the bank, and now someone defrauds them of money.

Speaker 1:

Um, combine that with a clone of a voice and a video of someone, it becomes incredibly difficult, and the technology is advancing so fast. You know, now you can create a deepfake video in real time over Microsoft Teams using a single image of someone's face, and it's pretty good, to be honest. It's not those days of needing thousands of images and stills from videos and all sorts of stuff. You now can do it with a single image, so, you know, if your image is out there, which almost everyone's is, from social media or on the company website, I can now create a clone of that.

Speaker 1:

Call you, video call you, whatever I'm going to do, and potentially trick you into doing something. And the rate that technology is advancing is going to mean that in a couple of years it's going to be so hard to spot. So that's what I foresee being the big problem, and again that is going to come down to training on little techniques of how you defend against that. Little silly things like, if you're on a video call with somebody and you're not quite sure if it's them, ask them to pass their hand in front of their face, because it breaks the mask that the deepfake video uses. Stuff like that you would never know unless you played around with it yourself. It's going to take that sort of level of training to help people protect against it. Scary.

Speaker 3:

Can you imagine pairing that with, we're in an age where, you know, our devices know, like, they see what we're searching for, they see what we're looking for out on Amazon or whatever. And then someone calls you and says, hey, I got a deal on this. And you're like, oh, I was just looking at that. I mean, it's that knowledge that the hackers, the bad guys, have about you. You've built that trust, you know, and what's going on?

Speaker 1:

Scary, scary stuff, yeah. And kind of related to that, we're going to move more into biometrics, right, as a system to authenticate us, because passwords are a bit out of date now.

Speaker 2:

I'm just waiting for the, sorry.

Speaker 1:

I'm just waiting for the big first biometric hack, where someone steals all the fingerprints or iris scans, and I'm so worried about that because you can't change that stuff. At least with a password you can change it, right? If you take one of my iris scans, that's it. You can authenticate to everything and I can't change my eyes. So yeah, I think that's another future thing to worry about.

Speaker 3:

Very good. So you've spoken to hundreds of companies, educated them on risk. You've spoken at tons of conferences. What's something that still surprises you today that you hear from companies?

Speaker 1:

To be honest, it's that they still get the very basics wrong. You know, you still get companies that don't have MFA everywhere. You still get people clicking on stuff, and you look at it and you go, how? Like, I know to most people IT isn't their thing, right? When you work in security or IT in general, you can look at things and go, you know, how does anyone ever fall for that? But, you know, for most people it's not their job. They don't know the difference between a dash and a dot in an email address, and why would they? But some of them are really obvious and you think, oh god, that whole company was hacked because someone got an email from the CEO from just some random Gmail address that had nothing to do with the company.

Speaker 1:

So I think it's that that still surprises me. That, as a criminal, you know, I talk about sophisticated methods, voice cloning, all that sort of stuff. Honestly, most of the time you don't need any of that stuff. I probably could have just phoned up and said, hi, it's Bob from IT, can I have your password? And you might have got it. Um, so it's that, it's simple. That's the thing. I think it's the simple techniques that normally work, and for most companies that are hacked, it is those simple things: a patch that they didn't bother to apply because they're on a four-week patching cycle for some unknown reason, or they just don't want to patch that system that's 10 years out of date, or they can't patch it. And it's just simple things, and that always surprises me.

Speaker 3:

So my last question, I like to ask this to every one of my guests. We call this the Now That's It podcast. Rob, when did you know, now that's it?

Speaker 1:

I think it was one of the first building intrusions I did, when I got in. I got in dressed as a flower delivery man, so I came in with a bunch of flowers, and I picked someone to give them to, just randomly off of LinkedIn. I picked this woman to give them to, and I went into the building and said, I want to deliver these by hand, is that okay? And I delivered these flowers to this rather bemused woman who took them, and then I went off to use the toilet. I say that in inverted commas, because then I went into a meeting room and plugged the remote access device into the network and then used that to hack in afterwards, and I thought, this is cool, this is really exciting.

Speaker 1:

I left the building, and I was actually coming back the next day to do an internal pen test, so I'm allowed in the building. They know I'm there now, the social engineering part's done, and I came in and she was, I thought she was happy to start with about the flowers. Turns out she wasn't. Um, she'd actually broken up with someone not very long ago. I thought the flowers were like a reconciliation thing. So I felt quite awful after that. But, but I mean, that sounds awful, now I'm saying that's when I, like, when I upset someone. That's not really it, but it's the thrill of the different things that you can try and that you can make work. You know, you can get delivered inside a very large Amazon parcel, which I've done. It's just really fun stuff. And each time you get in it's more and more fun. And from there it just snowballed, and I thought, yeah, this is what I want to do. This is fun. I'm not waking up on a Monday morning going, oh, I've got a week of work.

Speaker 2:

I'm waking up on a Monday morning going,

Speaker 1:

What fun am I having this week? Which is so different

Speaker 3:

to the first couple of jobs I had. So cool, Rob. Every one of our guests on Now That's It, our amazing guests, have interesting lives, but you have one of the most unique ones and most fun. Scary but fun. I really appreciate you being part of this. For those listening that want to get a hold of you, what's the easiest way?

Speaker 1:

It's probably find me on LinkedIn. So, Rob Shapland on LinkedIn. My company is called Psionic, so you can drop me an email, but it's quite a long email address, so probably easiest just to find me on LinkedIn and then we can hook up from there.

Speaker 3:

That's great, and now we'll make sure we get your URL and LinkedIn details in the pod as well. Thank you so much, Rob. It's really been a pleasure to get to know you, hear you tell your stories. You're a great storyteller, and I think you do something really great for companies: help them figure out what's broken and how to prepare for risk. So thank you so much. Thanks for having me on.