From Web Developer to Professional Scammer

Kirstan Norman Blog

When considering a career change, it’s always good to stick to an element of what you know and ensure that some of your skills are transferable. When ex-web developer, Chris, made the decision to leave the industry, he never thought he would end up working as a professional scammer.

What do you do at The Antisocial Engineer?

A lot of my time is spent working on our phishing simulations, which is one of the most popular services we offer. Organisations commission The AntiSocial Engineer Limited to test the security awareness of their staff, which includes sending tailored phishing simulations to form educational campaigns. My responsibilities involve creating emails which are designed to test an employee’s aptitude for spotting a phishing attempt. Clicks from these emails either take the user directly to educational landing pages, or login pages designed to imitate genuine portals that gather usernames and passwords. Reporting on any social engineering assessment is just as important as conducting the campaign itself. It’s where the assessment can be broken down and detailed thoroughly, making the client aware of potential vulnerabilities and how susceptible they are to real-world attacks. These are always written manually to ensure every campaign has consultant eyes assessing it.

Why did you decide to change careers?

When I knew I was ready to move on from my previous job, I had no idea what I wanted to do. I hadn’t made a conscious decision to leave web development, but I was definitely open to exploring other avenues as long as I had the right skills. The job posting that I saw for The Antisocial Engineer Limited didn’t give much away, but it was enough to pique my interest. I was confident enough that I had the skills they were looking for, so I decided to send in an application – and almost 18 months later, I’m so glad that I did.

What transferable skills did you have?

I studied multimedia computing and forensic computing at university, with the plan of going into web development. Forensic computing involved a lot of blueteaming, which meant analysing networks and checking for security flaws, and then implementing solutions against simulated attacks – basically the opposite of what I do now!

I’ve been everything from part of large teams that took doodles on a piece of paper to software solutions being shipped out nationwide, to the sole developer working for several clothing and beverage businesses. I worked in a variety of different sectors within the web development industry, including freelance work for hobbyists, building sites for a few dog walkers, first aid trainers, small online retailers and even an angling club up in Scotland.

I have gone from building websites and marketing emails with the goal of generating sales, to using the same methods to create microsites and phishing simulations that aim to capture the recipient’s login credentials or provide education on the dangers of phishing. It’s the same basic principle, but a completely different target.

In this job I get a lot of creative freedom. I generally start by doing research into the target company and finding out what sort of software and digital environment they use, so that I can construct and craft an effective phishing campaign to find potential weaknesses. I create the emails from scratch and often make them look as realistic as possible; however, I often add the odd typo to give the recipient a sneaky clue that it might not be genuine. Previous experience putting together marketing emails definitely helped with this. Analysing and understanding open rates, click stats, user interactions etc. is also something that transferred over to this new role easily.

To fully benefit from our AntiPhish service, recipients who click links in our assessments are informed that they clicked on an authorised phishing simulation. So to accompany our simulations, we provide post-click education straight off the bat with a single landing page. We also provide credential harvest simulations designed to steal login credentials. Having built a bunch of login portals in my time as a web dev, I find this process relatively easy.

What new skills have you learnt?

A big part of my job includes research on topics that I was already pretty familiar with, but I now have the chance to take my understanding to a whole new level. I need to stay up to date with the latest security threats, and a lot of this involves following the media. I am always on the lookout for information that criminals could use to their advantage – for example a bank merger, big news in the cryptocurrency industry – even COVID. I have to keep a keen eye out for anything that could make a believable scam. We can then produce material to make the public aware of it, along with tips and tricks of how to spot this kind of scam. We could then even use it as part of our phishing simulations.

A good resource I often use is the National Cyber Security Centre. It provides a platform for organisations to work together to raise awareness of current security threats.

I’ve also had the chance to do a lot of work on my people skills. I will never be the sort of person who would strike up a conversation with the guy behind me in the checkout queue, but I would say my confidence has definitely improved since I joined TAE.

Taking part in penetration testing encouraged me to interact with strangers in a variety of situations, so I’ve gone from seeing myself as quite socially awkward to realising that I’m capable of leading conversations and steering people towards an objective. When you’re dressed as an inspector and trying to convince a receptionist to grant you access to their office complex, you have no choice but to step into character and call on every ounce of confidence in order to get the job done.

Prior to this I was a typical web developer – I had little social interaction and spent most of my days sitting behind a screen. Working in the security industry has allowed me to work a lot more closely with others and step out of my comfort zone. This is now arguably one of my favourite aspects of my job.

Another skill that I have definitely built upon is image manipulation. I’ve had basic Photoshop knowledge for a few years now; however, recently I got to expand upon it in some pretty interesting situations. I’ve gone from using basic techniques to remove backgrounds and neaten up images (honestly, mainly just the Clone Stamp tool), to creating realistic copies of ID cards which can then be printed and used to try and gain access to confidential information and areas.

What do you like most about your job?

I am one of those annoying people that can honestly say they love their job. When you do something you genuinely enjoy, it doesn’t feel like work – and that’s exactly how working here has always felt for me. My favourite aspect has to be the amount of freedom. I used to spend so much time staring at Gantt charts and being dragged into hour-long meetings about the different shades of blue we should use in our logo. Now I have more fluidity to be able to deviate from the plan and ‘wing it’. As a web dev I used to have to follow a very strict and straight path; if there were any issues, it was a requirement to get back on that path. What I do now, though, allows me to improvise and deviate to find solutions.

Image of Bear Grylls with caption 'Improvise, adapt, overcome'
I also love the design aspect. Creating web pages for our phishing simulation without convoluted specs to follow is an absolute dream. I am always looking for new tricks to make each campaign better than the last and learning new techniques.

For the first time ever in a work environment, I also really enjoy the reporting. I love tracking the statistics for each campaign we do and seeing how many people have clicked on the links and how many login credentials we have captured.

However, this part of the job is a double-edged sword. When users click our simulated phishing links or we manage to capture a lot of login credentials, it means that I did my job well – basically that the simulated phishing email and accompanying landing page were convincing enough to make people believe they were legitimate, and as a result, provide us with sensitive information. Unfortunately, it also means that there is still a lot of work to be done.

At The AntiSocial Engineer Limited, we would love to be put out of business. We would much prefer to live in a world where no one is ever scammed and therefore we don’t need people like us to educate the public on how to avoid falling victim. Until that day arrives, we will continue to do our utmost to assist businesses in training and testing their employees to make sure that their confidential data and finances continue to be protected as best they can.