The secret lives of cyber hackers
AI has added a new dimension to the threat of attacks - speed

This is Rob. He once climbed inside a large cardboard box and got delivered to an office.
No, this is not a line from Would I Lie to You?
Rob Shapland is an ethical hacker, and last week at our Cyber Unpacked event, he regaled the audience with tales of his derring-do. His speciality is social engineering, whereby he targets the people who work for a company, either through phishing attacks, phone calls in which he clones an exec’s voice or ‘physical intrusion’, as he quaintly puts it.
In other words, Shapland will impersonate an employee, a cleaner, a delivery man and, occasionally, climb into a box to demonstrate how easy it is to ‘break into’ a building – where he will then proceed to ‘steal something’ or ‘take videos or photos’.
None of these acts are criminal. He is commissioned by the company – usually only one or two people are in the know – to test their security. Shapland starts, in the same way as cyber criminals, with OSINT: Open Source Intelligence Gathering.
He will do research on the internet, but his biggest source of ‘intelligence’ is through social media. Shapland will trawl the social media profiles of his target companies for any piece of information that might prove useful, for example, which cleaning service they use or photographs of a building’s layout so that he can plan his route.
His most valuable source: LinkedIn. ‘I go for the corporate social media. I will scrape every single photograph. Almost everything gives me information,’ he explains. ‘For most companies, I can find ID badge designs through LinkedIn, through conferences people have attended.’
Shapland will also check for a colleague to whom he bears a resemblance and ‘borrow’ their details for the badge he prints at home. ‘It will pass muster if they have a system which means they look up photos when I’m at the reception desk.’
‘Depending on how long I have available, I will take names from LinkedIn and search through their Instagram or Facebook profiles, say, because sometimes they will post corporate-related things on their personal accounts,’ he added.
Photographs inside a company’s offices are particularly useful. ‘Firstly, you can quite often see on people’s screens software versions and things they might be using. I tell all the IT teams to remove their qualifications from LinkedIn, so that you don’t know which software they’ve been installing or what programmes they are proficient in, because that is basically signposting to hackers a beautiful open back door.’
The larger the company, as he puts it, the more sources of information there are.
The second phase is reconnaissance. ‘I will sit outside a company from first thing in the morning until the end of the day, observing the security arrangements of the building: where are the security guards positioned? Do they change at certain times? Is there a back entrance to avoid security? How long do the doors stay open for?’
It was during reconnaissance for one job that he realised the target company had a different procedure for couriers arriving with small boxes and those arriving with big ones; the latter were simply wheeled in through another entrance without any checks.
The final phase is planning: how will he break in? ‘For most offices, you could probably follow somebody into the building. But I like to come up with slightly more sophisticated ways in case I get caught, and then I’ll have a back story.’
More recently, tasked to ‘break into’ the server room, to which access was restricted, and take selfies, he became an ‘energy auditor’. ‘Server rooms generate lots of heat. I needed a pretext to be there. I decided to dress up as an environmental engineer on behalf of the council to measure temperature leakage from windows, doors…’
Researching the local council, he identified somebody who worked in that area. Using their identity, Shapland phoned the company, booked an appointment to conduct an audit and created an outfit: a green polo shirt with a tree icon, a lanyard badge, a clipboard, an iPad running an app he had built himself to store his readings, and a laser thermometer to take them.
Suffice to say: his mission was accomplished. (I’d tell you how, but then I’d have to kill you!)
Speed is now a weapon
Criminals don’t have red tape. That was a key message from Shapland, in conversation with Kerry Parkin, founder of The Remarkables.
While the majority of cyber attacks still begin with phishing, a second route is growing fast: exploiting technical vulnerabilities in internet-facing systems before they are patched. ‘AI tools now can find those vulnerabilities faster than companies can patch them,’ he explained.
‘A criminal will scan the entire internet for the signature of a single vulnerability. They will target every company that matches that signature, and hit them within hours of the vulnerability being discovered. It used to be weeks. Now it is hours.
‘Once they are inside the system, they might stay there for weeks or months. But they have the tools to actually hack the company and remove information within a few hours.’
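The defensive counterpart to ‘scan the entire internet for the signature of a single vulnerability’ is to run the same match against your own asset inventory within the same hours. The script below is an added example written for this write-up, not code from the event or from Rob Shapland: it parses product/version tokens out of service banners and lists the hosts whose version falls inside an affected range. The inventory, the product name ExampleHTTP and the version boundaries are constructed placeholders; no real product or vulnerability is implied.

```python
"""Triage an asset inventory against one vulnerable version range.

Added example, not the speaker's or the event's code. The inventory, the
product name 'ExampleHTTP' and the version boundaries are constructed
placeholders; no real product or vulnerability is implied.
"""
import re

# Matches the leading "Product/1.2.3" token of a typical service banner.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner: str):
    """Return (product, version) from a banner, or None if it carries no such token."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return m.group("product"), m.group("version")


def version_key(version: str, width: int = 4) -> tuple:
    """Numeric tuple padded to a fixed width so '2.4' and '2.4.0' compare equal.

    Components beyond `width` are ignored; widen it for products with longer schemes.
    """
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def is_affected(banner: str, product: str, first_affected: str, fixed_in: str) -> bool:
    """True when the banner advertises `product` at a version in [first_affected, fixed_in)."""
    parsed = parse_banner(banner)
    if parsed is None:
        return False
    prod, ver = parsed
    if prod.lower() != product.lower():
        return False
    return version_key(first_affected) <= version_key(ver) < version_key(fixed_in)


def triage(inventory, product, first_affected, fixed_in):
    """Return the hosts whose banner falls inside the affected range, in inventory order."""
    return [host for host, banner in inventory
            if is_affected(banner, product, first_affected, fixed_in)]


# Constructed inventory, in the shape of an internal port-scan export (hypothetical hosts).
INVENTORY = [
    ("web-01.internal", "ExampleHTTP/2.4.49 (Unix)"),
    ("web-02.internal", "ExampleHTTP/2.4.51"),
    ("web-03.internal", "examplehttp/2.4.50"),
    ("mail-01.internal", "OtherMTA/1.9.3"),
    ("web-04.internal", "ExampleHTTP/2.4"),
    ("api-01.internal", "nginx"),
]

if __name__ == "__main__":
    # Hypothetical advisory: ExampleHTTP 2.4.49 and 2.4.50 affected, fixed in 2.4.51.
    print("patch first:", triage(INVENTORY, "ExampleHTTP", "2.4.49", "2.4.51"))
```

Hosts that hide their version (api-01 above) are not cleared by this check, only unclassified; treat them as unknown and confirm by other means rather than assuming they are safe.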
AI tools are also helping with phishing attacks. ‘I did a phishing attack and used ChatGPT and other tools to help me design it,’ Shapland explained. ‘If I say I worked for X company for the last three months and they haven’t paid my invoice, can you help me come up with a convincing email to get them to open this PDF attachment? ChatGPT will work nicely.
‘I can also use it to create an email address to send it from. I can’t say I’m going to do a phishing attack, but [I can say I] can’t buy BritishAirways.com, for example, and ask for equivalents that are close to that address which I can then use. And there are tools which will design the malware, embedding a virus into a PDF attachment that is supposedly an invoice.
‘Most cyber-attacks emanate from Russia, China and North Korea, and obviously that creates a language barrier. But not if you’re using AI. There are fewer spelling mistakes and grammatical errors because they haven’t written it themselves. Hackers are inherently lazy, and now they have all the tools they need. It makes it much faster.
‘It is almost impossible to keep pace with how quickly the tools are evolving and how they work, and how quickly you can now hack a company using them. But most companies are not very good at adapting quickly because of the amount of red tape.’
The business side of things
Scattered Spider were the group behind Marks & Spencer’s well-publicised cyber attack last year. Shapland describes them as ‘aged around 18, 19, 20, teenagers who have grown up with technology. They often come from the gaming world, and maybe tried to hack a game so they didn’t have to pay for it, and that naturally seems to progress into the hacking world.’
He adds: ‘They’re incredibly skilled. They collect together on platforms like Discord and Telegram and share information. They show off to their friends. They use some of the latest hacking techniques to break into organisations just to show off.’
But then the penny dropped that, if they added ransomware to the attack, which is built to slip past anti-virus software and encrypt all the data on a network, they could actually make millions of pounds. The only problem is that Scattered Spider does not have any ransomware of its own.
Step forward Dragonforce. (And not the one Wikipedia describes as a British power metal band.)
This Dragonforce is like a support service for cyber-criminals. It develops ransomware to lease to cyber-hackers through an affiliate model, whereby Dragonforce receives 20 per cent of any ransom paid.
But not only do the hackers get ransomware for their fee, they also get 24/7 customer support. Not just for them, but also for their victims. The company being hacked gets access to a call centre where, rather ironically, they deal with real people not bots.
Dragonforce will talk a company through the process of how to unlock its systems, offering a ‘proof of concept’ with a test decryption code to unlock a handful of files. Once the ransom is paid, via Bitcoin or another cryptocurrency, Dragonforce will provide a full decryption key which unlocks everything.
‘Sometimes, they will offer security advice to prevent a company getting hit again,’ adds Shapland. ‘They even send customer satisfaction surveys to check you were happy with the call centre’s service. [Cyber-hacking] is one of the most profitable industries you can be in – so it is run like a business with a lot of associated professionalism.’
What can comms do?
‘Do not keep your cyber insurance policy on the server. Make sure it is not discoverable, because that’s one of the first things they will look for to see how much you’ll get paid because they are there, and then they will add a little sugar on top,’ advised Parkin, adding: ‘Don’t keep your crisis plan on the server because they will then know how you are going to respond and react. Where you can go offline, do so as quickly as possible.’
Shapland estimates that just under half of all ransom demands are paid. But, as Parkin argues, the question of payment should now be a C-suite conversation in peacetime.
‘What is our policy if we do get hacked? Are we the kind of organisation that pays or not?’ she posits. ‘We deal in a world where we get asked about everything from what’s our position on Palestine right through to who do we think will win the World Cup. And so for us to have an opinion or at least give guidance and counsel on these matters is really important.’
Throughout the day – and I will return to other sessions in the future – one message kept coming through. A company’s biggest weakness when it comes to cyber is its people. And training should not be a box-ticking exercise.
‘How you train your staff is paramount,’ added Shapland. ‘I think companies have fallen into the trap of going for the cheapest option, which is to buy e-learning software and tick the box for cyber training. But I know what I’m like with health and safety training, for example, and we’re all the same. Every year I watch some videos of how to pick up a box, for example.
‘People get their cyber training through and think I haven’t the time to do this, and end up with half an eye on it, and then get to the quiz. Most of it is common sense. For the rest, you flip back through slides and find the answer they want. Complete the training and completely forget about it.’
In the event of a cyber attack, the savings made by using an e-learning platform may turn out to be a false economy.
There’s still time to enter the CorpComms Awards before the early bird discount expires at midnight on 12 June, saving £100 per entry. But if you miss that, don’t worry. The ultimate closing date is still some time away.
Last year Virgin Media O2 swept the board with its campaigning work, as well as picking up the trophy for best in-house team: corporate communications, while Evri was awarded best in-house team for media relations and Rio Tinto emerged triumphant as best in-house team for internal communications.
Who will win the accolades this year? It could be you - but you have to enter first!
What is GEO?
Work in-house and confused about GEO? Well, fret no more. I am moderating a discussion between the aforementioned Kerry Parkin, founder of The Remarkables, and her GEO associate Celia Harding, founder of LEOPRD, to answer the thorny question of what AI is saying about your company.
Our chat will cover issues such as the role of earned media, authority signals and third-party validation in shaping AI content, as well as how to prepare for ‘always on’ reputation exposure.
It’s a free-to-attend breakfast discussion, taking place at the Covent Garden Hotel, on 30 June. Full deets are below. It is only open to in-house comms professionals, so if you’re an agency and try to sign up, don’t be surprised by the rejection.
