It was another uneventful afternoon in the office, and I had to compile a long list of numbers into an easy-to-read invoice for the latest conference at the hotel. As a hotel account exec, my job felt repetitive and numbing. I punched in numbers in a zombie-like state, but then I was reminded that there was a new SE (Social-Engineer, LLC) podcast I could listen to. As I heard the stories of break-ins and psychological aspects of social engineering, I couldn’t help but pause and think “what an awesome job that would be”. Little did I know that in a few short months I would start my career as a social engineer.

Reframing

As an entry-level social engineer, the greater part of my job consisted of vishing calls. During these vishing calls I had to get into the role of my alias and deliver a realistic pretext using influence techniques such as authority, urgency, and sympathy (to name a few).

There were times when the targets were very friendly and would share personal details about their lives, such as how they just came back from maternity leave and miss their baby or having to go on bereavement leave because they just lost a family member. I would genuinely feel happy or sad for the individuals that I spoke to; at times I felt terrible that they were giving me not only the flags (the information requested) but sharing intimate details of their life with me. The experience often left me feeling as though I was betraying their trust. To manage those feelings of guilt, I had to find a way to cope.

A conversation with one of my colleagues helped me to understand two things: 1) We’re actors not liars and 2) we’re helping them to be more secure, not only at work but also in their personal lives. And 3) at SECOM, we work with companies that do not want punitive results for failing tests. Reframing, or adjusting, my thinking about the vishing exercises we perform helped me to feel good about the work that I do, knowing that at the end of the day I’m helping people, not harming them.

Empathy

Some may wonder “how can you have empathy and execute realistic simulations for your clients?” As ethical social engineers we study the methods and behaviors of malicious attackers and use the same tactics to influence people. However, there is something that sets us apart, and that is empathy. Empathy allows us to test people for vulnerability while leaving them feeling better after our interaction with them. This is applied in our pretexts; we never use fear, threats, guilt, shame, or flirtation, and we always ensure the target has an ‘out’ to stop us.

As exhilarating as it may be to have the ability to influence and/or manipulate others, our goal is to train and educate our clients so that they can be safer in their workplace, as well as in their personal lives. A valuable lesson I’ve learned is that an ethical social engineer would never show off their skills at the expense of someone else’s dignity. Empathy is what enables us to act like the bad guys but never become them.

Embrace Being Uncomfortable

As an ethical social engineer, I often step into unfamiliar or emotionally challenging situations such as confronting or leaning into biases, questioning norms, or simulating deception for training purposes. Rather than avoiding these moments, I’ve learned to lean into discomfort. At times, incorporating the feeling of being uncomfortable or nervous into the pretext can make it even more effective.

For example, there’s always some hesitation when starting a new vishing campaign for a new client; I will add something like “sorry I’m new here and I’m not really sure how things work”. Doing this allows me to be ok, and feeling and displaying nervousness adds credibility to the pretext.

Also, adopting new roles in my career, such as helping as an instructor or public speaking, can seem very daunting; however, I’m learning that embracing discomfort is a catalyst for both professional and personal growth. Pushing beyond our limits creates new opportunities for learning and transformation. (Spoiler alert: I am giving my first infosec speech September 27, 2025, at BSides Orlando.)

It’s Not About Us

It’s not about us, it’s about them. Undeniably, this type of work is exhilarating; however, it’s not about how good we may be at our job or our skills as social engineers. It’s about people. It’s about helping people and companies be more secure by providing realistic learning experiences while being ethical and treating others with dignity.

Some say that malicious attackers are not ethical, so to keep it realistic we should employ the same extreme fear tactics that they use. While we use many of the same influence techniques that bad actors use, we are not them; thus, we refrain from using pretexts that use extreme fear or that may be demeaning. You don’t need to burn down the building for a fire drill to be effective.

Never Stop Learning

It’s really hard to believe that it’s been 5 years since I started my career as a social engineer. Time really does fly when you’re having fun! One of the most important things that I have learned (and why I love this job) is that I never stop learning. I continue to learn from my colleagues every day. I love to see how we can all take the same pretext and deliver it in five different ways. There are still so many things for me to learn in this industry…whether it’s new OSINT techniques, body language, psychological aspects, or even lock-picking. I can’t wait to see what new opportunities come my way as I continue to learn as well as help others along the way.

Written by
Rosa Rowles
Human Risk Analyst, Social-Engineer, LLC
