Hacking Humans 3.18.21
Ep 139 | 3.18.21

Ideally, look for someone open to deception.

Transcript

Brandon Williams: One tip I have is if you can, put rubber bands around your wallet. It makes it harder to pull out of your pocket, and it keeps the wallet closed.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hello, Dave. 

Dave Bittner: We've got some good stories to share this week, and later in the show, Joe's conversation with professional magician Brandon Williams. Joe, why don't we kick things off with some follow-up this week? What do you have for us? 

Joe Carrigan: Dave, remember in our episode that came out on February 18, I talked about some hackers targeting security researchers? And we talked about how they were using a watering hole attack on the researchers. It was a blog that these attackers had put out there that had malicious code on it, but their systems were completely patched when they were getting exploited. Well, last week, Microsoft patched the vulnerability. It has a CVE number. That's CVE-2021-26411. And it was rated critical since it was relatively easy to exploit, and this was a vulnerability in both Explorer and Edge. TechRadar has a good story on it. So, yeah, these guys were exploiting a zero-day in the hopes of getting more zero-days.

Dave Bittner: (Laughter) Zero-days all the way down. 

Joe Carrigan: That's right. That's right. 

Dave Bittner: (Laughter) OK, well, that's good - I mean, good that the patches have occurred and... 

Joe Carrigan: Yep. The patches have occurred, and my computer's rebooted on Wednesday to apply the patches, so... 

Dave Bittner: Oh, really? Was that automatic? Was it something you triggered, or did it say, we will restart automatically if you do nothing? 

Joe Carrigan: I have automatic updates turned on, Dave, as everybody should. 

Dave Bittner: OK. 

Joe Carrigan: So that's what happened. It just went out and got it. I didn't even know this was happening until I saw my computer reboot. And I said, wait a minute. It's a little late in the month for Patch Tuesday, isn't it? It seemed a little bit out of cycle. But yeah, look. There's a critical vulnerability, and Microsoft pushed a patch, which is great. 

Dave Bittner: Right (laughter). 

Joe Carrigan: Good job. 

Dave Bittner: OK, good. Awesome. Well, all right. Let's move on to some stories here. Why don't you start things off for us? 

Joe Carrigan: Dave, I got a story from vermontbiz.com which is talking about the attorney general from Vermont, who has released their report on scams that they received in 2020 at that office. They have a top 10 list. Dave, do you want to do an homage to David Letterman? 

Dave Bittner: Sure. It's time to do our top 10 list, Paul. Here we go. 

Joe Carrigan: All right. No. 10 - bank and financial institution phishing. No. 9 - the grandchild impostor. No. 8 - extortion emails. No. 7 - online classified listings. No. 6 - debt collection. No. 5 - phony relationships, parenthetically not grandchild because that was already No. 9, right? No. 4 was computer tech support. No. 3 - Amazon and package delivery phishing. No. 2 - free money. And the No. 1 scam that the Vermont attorney general saw last year, with almost a third of the complaints, was Social Security number phishing. 

Joe Carrigan: So I wanted to talk about a couple of these. Actually, one of the ones that's interesting is the Amazon package delivery phishing. I was talking with Chris Venghaus, who's our systems engineer at the Information Security Institute, and he was very excited because somebody had sent him a text message or given him a call. I think it was a call. They said, hey; we're calling from Amazon to talk to you about the big purchase that you made in the amount of $800 for a phone. So press one to talk to a real person. And he presses one. He's like, oh, yes, this is going to be awesome. And... 

Dave Bittner: (Laughter). 

Joe Carrigan: The - they say, well, we'll have to call you back. But they never called him back. And he thinks that his mobile provider has screened the call for him or stopped it from happening. But I was really hoping to have a good story about that. But I've seen this happening to people I know now. These are phone calls that come in. It's an automated phone call claiming that you've - that your credit card has been charged by Amazon and they're going to talk to you about it. And really, what they're just trying to do is collect your credit card information because the first thing they're going to do is go, let me - well, let me have your credit card information to see... 

Dave Bittner: Yeah. 

Joe Carrigan: ...If it matches up. 

Dave Bittner: Let me just verify that real quick. 

Joe Carrigan: Yeah. Sometimes I'm amazed these scams work, but then I have to remind myself that these things are plausible, right? 

Dave Bittner: Yeah. Is there anything about the list that surprises you, either what's on it or what's not on it? 

Joe Carrigan: I'm surprised that the grandchild impostor scam is ranked so high. I mean, we hear about these from time to time, and maybe this is just complaints about it. But I know that all the parents that I have and my wife has know the voice of their grandchildren when they call; that if somebody called and said, I'm your grandchild, they'd be like, you don't sound like my grandchild. 

Dave Bittner: Yeah. You know, it's something I worry about as my folks continue to get up there in age and... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, even with just simple things like their hearing isn't as good as it used to be. So... 

Joe Carrigan: Right. 

Dave Bittner: I think just that physical - the natural things that happen as you age - some of those physical limitations could make you more susceptible to something like this. As they grow accustomed to just simply not being able to hear things as well, I could see them falling victim to something like this. 

Joe Carrigan: Yeah, that's a good point. 

Dave Bittner: And that concerns me. Yeah. 

Joe Carrigan: Absolutely. It concerns me as well. I'm surprised that a third of it - I guess I'm not really surprised, but a third of it is Social Security number scam where they're trying to - you receive a phone call - you know, the typical thing. Hey; we've suspended your Social Security number, right? 

Dave Bittner: Right. 

Joe Carrigan: That doesn't happen. It's... 

Dave Bittner: Right, right. 

Joe Carrigan: The Social Security Administration will never suspend a Social Security number. That's not how Social Security numbers work. They need... 

Dave Bittner: Right. 

Joe Carrigan: ...To keep those in effect. The one big one on here that's really not surprising is the free money scam. That's No. 2. This is the nature of every scam. We often say that these scammers are trying to appeal to one of your two base desires of either fear or greed, right? They're either trying to scare you into something or entice you with something. And there is no bigger lure than the lure of free money. So anytime someone calls you and says, hey, we got this money that we have to get to you, but you have to pay some fees or taxes up front, that's always a scam. That is always a scam. 

Dave Bittner: (Laughter) Right. If someone asks you for money in order to get a larger amount of money... 

Joe Carrigan: Right. 

Dave Bittner: ...That is 100% of the time a scam. 

Joe Carrigan: That's right. 

Dave Bittner: I can say with confidence. 

Joe Carrigan: There is absolutely no reason in the world that they can't just take that money out of the money they owe you and send you the balance. 

Dave Bittner: Right. You should never engage with these people. 

Joe Carrigan: Right. 

Dave Bittner: But just imagine what happens if you say - you know, they say, we have $10 million to send you. But first, you have to send me $100. Say, well, just deduct the hundred dollars (laughter). 

Joe Carrigan: Right. Just send me $9,999,900. 

(LAUGHTER) 

Dave Bittner: Right. And we'll call - I tell you what. Just keep an even grand. We'll call it even. Treat yourself. 

(LAUGHTER) 

Joe Carrigan: Take your family out to lunch... 

Dave Bittner: Yeah. 

Joe Carrigan: ...On me. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: Remember to raise a glass to me while you're at dinner or lunch. 

Dave Bittner: Exactly. I'm a generous guy. Yeah, yeah (laughter). All right. Well, it's a good list. Interesting stuff. And, of course, we'll have a link to that story in the show notes. 

Dave Bittner: My story this week - this comes from the website WeLiveSecurity. That's from the folks over at ESET, which is a well-known security organization written by Jake Moore. (Laughter) The title of the article is "Not All Cybercriminals Are Sophisticated." 

(LAUGHTER) 

Joe Carrigan: To say the least (laughter). 

Dave Bittner: This reminds me of - back when I was a teenager, there was a popular radio show on called the "Don and Mike Show." And I think you were a fan of that as well, Joe... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Back in the day. And they used to have a regular segment called Crooks Are Stupid. 

(LAUGHTER) 

Dave Bittner: And this reminds me of that. They would tell funny stories. Anyway, Jake writes, before I joined ESET, I spent 14 years working in the U.K. police force, working predominantly in the cybercrime unit and digital forensics unit. He says, back in 2011, I needed to buy a laptop but decided to purchase a secondhand one. Using eBay, as always, with any new purchase, I conducted a lot of research to know what I wanted beforehand. I found an HP laptop that I wanted being sold on the site by a seller who had a good seller rating and had sold similar laptops and gadgets in the recent past. I placed my bid and came out on top. I paid by PayPal. And for ease of use and added security, it entered my delivery address. Due to the fact that I was in the office between 0800 and 1700 during the week - that's military time, Joe. I don't know if you know that. It's military time. 

Joe Carrigan: I do. It's from 8 to 5. 

Dave Bittner: (Laughter). He says, I used the police station as my delivery address, so deliveries could be signed for easily at the front desk. Furthermore, I like using the police station as my corresponding address just in case I was ever dealing with a criminal. And therefore, I assumed this particular address of the law would somehow put anyone off sending out stolen goods, especially as my address looked like this, with the words high tech crime unit in there (laughter). 

Joe Carrigan: OK. He's working at this place. 

Dave Bittner: He is working at this place. He worked for the U.K. police... 

Joe Carrigan: OK. 

Dave Bittner: ...In the cybercrime unit (laughter). 

Dave Bittner: Right. So he's just having things delivered to his office, essentially. 

Joe Carrigan: Right. 

Dave Bittner: Which I have done, as well. 

Dave Bittner: In the title of his office, it says high tech crime unit, Ferndown Police Station (laughter). So he gets the computer. 

Joe Carrigan: Right. 

Dave Bittner: It's sort of a mess. It's not well-packed, but inside, there is an HP laptop, which he's happy for. 

Joe Carrigan: Right. 

Dave Bittner: He opens it up. He powers it up. And he's met with a login screen for someone named Sarah (ph). 

Joe Carrigan: (Laughter). I smell a stolen laptop. 

Dave Bittner: (Laughter) Well, let's not get ahead of ourselves here, Joe. 

Joe Carrigan: OK. All right. 

Dave Bittner: (Laughter) So he checks the seller's name. And the seller was not named Sarah, but maybe he was just selling it on behalf of Sarah. So he contacts the seller on eBay to see if they'd sent him the right item. No response. So he thinks, all right, well, maybe this laptop was stolen. But surely, no one would send a stolen laptop to the high-tech crime unit at a police station (laughter). So since he's working with the forensic team, they have tools available to them, Joe (laughter). 

Joe Carrigan: Right, right. 

Dave Bittner: So he's able to bypass the Windows 7 passwords by imaging the drive. He goes in the Documents folder, and he finds some Word documents relating to whoever this Sarah is. 

Joe Carrigan: Right. 

Dave Bittner: And he finds her CV, her resume. 

Joe Carrigan: Yes. 

Dave Bittner: In her resume is her address and phone number, which was not that far away from the seller's address. So he called her up. (Laughter) He said, Sarah, I have a computer here. And it turns out that Sarah's laptop had been stolen. Her apartment had been broken into about a month prior. Her laptop and her digital camera and all of her jewelry were stolen. So Jake forwarded all this information to the local police. This was about a hundred miles away from where he was...

Joe Carrigan: Right. 

Dave Bittner: ...So it wasn't something that he would handle himself. He contacted his counterparts, told them all the events. They were excited. (Laughter) They went to the address of the seller, and they found not only Sarah's camera and jewelry, but they say one of Wiltshire's most prolific handlers of stolen goods, surrounded by what was described as a treasure trove of the country's stolen goods from months of burglaries. 

Joe Carrigan: (Laughter). They caught him red-handed, Dave. 

Dave Bittner: I'm just imagining this guy - I'm imagining this guy sitting on a big pile of gold, like at the end of the "Pirates of the Caribbean" ride at Disney World. 

(LAUGHTER) 

Dave Bittner: You know, like, he's just got this room full of - (laughter) He's just sitting on top of it, you know? 

Joe Carrigan: He's got a crown on his head that's kind of slanted (laughter). 

Dave Bittner: Right. Yeah. Just - so he's got pearls around his neck and, you know... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Yeah, and all sorts of jewels and things and I guess a mountain of laptops. 

Joe Carrigan: And the cops come, and he's like, hey, what's up (laughter)? 

Dave Bittner: Hey. Hi. No, no, this is - I'm just - I'm holding these for a friend. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: So Jake contacted eBay, and he got reimbursed by PayPal. And Sarah got her computer back and a lot of her other stuff, too. So happy ending, but Jake kind of caps this off. He says, every time I hear of sophisticated cybercriminals, I now also think of this story (laughter). 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: So (laughter). 

Joe Carrigan: You know, I don't know. Imagine you're this bad guy, right? You've got this good business fencing stolen goods, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And you're doing great. You got eBay helping you out. And then all of a sudden, you sell a computer, and the address is the High-Tech Crimes (ph) Unit. You're like, oh, what do I do here? What do I do? What do I do? Do I not send them the computer? Do I make up some story about - does he then ruin my eBay rating? Because I have a really good rating because I keep sending people things. 

Dave Bittner: Yeah. 

Joe Carrigan: They're not mine, but, like, I'm sending them them. Ugh, I guess I better just go ahead and send it and make sure he... 

Dave Bittner: Right. 

Joe Carrigan: ...Doesn't give me a bad rating and hope it's just a clerk (laughter). 

Dave Bittner: Well, or do I - yeah, exactly. Do I draw undue attention to myself if I make this transaction more complicated than it needs to be? 

Joe Carrigan: Right. Or do I say... 

Dave Bittner: Right? 

Joe Carrigan: Oh, you know what? I'm sorry. Like, I dropped that computer, and it fell apart. I'm very sorry. 

Dave Bittner: Right, right. Yes. Mistake on my end. 

Joe Carrigan: Yup. 

Dave Bittner: Here, I will gladly refund your money. 

Joe Carrigan: Exactly. 

Dave Bittner: Good day, sir (laughter). 

Joe Carrigan: Yes. That's what he should have done, but he didn't do that. 

Dave Bittner: Right. Nope, nope, nope. So good story there. Again, it's from the folks at welivesecurity.com, written by Jake Moore. We'll have a link to that in the show notes. It's a fun read. It's a quick read. It would - definitely an amusing one worth your time to check out. 

Joe Carrigan: Yes. 

Dave Bittner: All right, Joe. Those are our stories. It is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE)  

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Joe (ph). And Joe writes, hi. Thank you very much for your informative show. It helps both at work and in my family life. Here's an email I recently received. It's not a scam I'd heard of before, and the message was fairly well-written to start with. And they had me reading until it got to the part about IDs, SSNs and Bitcoin. So I went back to the beginning of the email, realized how generically worded it really is - very sneaky. So Dave, you want to read this? It starts off with request for donation. 

Dave Bittner: Sure. It goes like this. (In gravelly voice) Dear Joe, we are a charity organization and are currently collecting money to help people that struggle with the consequences of the COVID-19 pandemic. A friend of yours gave us your email and said that you are a charitable person and maybe want to help us out with a donation for people who need it the most. If you decide to do so, it's really easy and quick. We (ph) currently accepting bitcoins as for (ph) of donations, and this address would be the closest for you to donate. (In normal voice) And then it has an address presumably close to them. 

Joe Carrigan: Right. 

Dave Bittner: It says, (in gravelly voice) link to the ATM for further details and directions. (In normal voice) Now, I assume that this is a - one of these newfangled ATMs that lets you transact with Bitcoin, Joe, right (laughter)? 

Joe Carrigan: Yes. In fact, I actually did a little bit of research on this one, Dave. 

Dave Bittner: OK. 

Joe Carrigan: And the link that Joe provides is to coinatmradar.com, which provides locations of Bitcoin ATMs. And I actually looked up, how do you use a Bitcoin ATM? I mean, you're not going to actually get bitcoins out. This kind of sounds like a scam itself. But actually, what it does is it prints out the private keys for a wallet that are generated on the fly, and then you can transfer control of that wallet and the coins, any coins you buy, to your own wallet. 

Dave Bittner: Huh. And I guess there's a transaction fee from the ATM owner? 

Joe Carrigan: Yes, I'm sure there is. 

Dave Bittner: Yeah. 

Joe Carrigan: I would imagine that's how this works. At the address provided, there is one of these Bitcoin ATMs. 

Dave Bittner: Huh. And then it says (in gravelly voice) what you need to bring with you - the money in form of cash you want to donate, your cell phone for phone verification, your ID, Social Security number for very large donations as a form of identification. What you need to do at the ATM step-by-step - one, select buy bitcoin; two, enter your phone number; three, enter the verification code into the ATM; four, scan the QR code we gave you in the attachments of this email. (In normal voice) What's that, Joe? So that's their Bitcoin account, right (laughter)? 

Joe Carrigan: That's their Bitcoin wallet. Right, that's their Bitcoin address. 

Dave Bittner: Mmm hmm. (In gravelly voice) Five, insert the cash into the ATM and confirm it. Note the process may vary a bit depending on the provider. Here is also a video to see how it's done (laughter). (In normal voice) What customer service here, Joe. 

Joe Carrigan: That's right. So what these guys are doing is they're just sending out - they're spamming people with tons of messages. And what's interesting is they have Joe's last name here, so they've got the data set. Not only that, but they may very well have Joe's location because I don't know if this address they provided is close to where Joe lives, but it is definitely an address that contains one of these Bitcoin ATMs. And they're just trying to get people to go buy bitcoin and put it in their wallet. 

Dave Bittner: Wow. Wow. Playing off of their generosity and also COVID, which we've seen so many times. 

Joe Carrigan: Yup, it's a COVID charity scam. Yup. 

Dave Bittner: Hmm. Wow. (Laughter) All right. Oh, boy. It's an interesting one. Well, our thanks to our listener, Joe, for sending that in. We do appreciate it. We would love to hear from you. If you have a Catch of the Day, you can send it to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. You recently had the pleasure of speaking with professional magician Brandon Williams. 

Joe Carrigan: Yes. Brandon Williams is not just a magician. He's a pickpocket and a mentalist as well. 

Dave Bittner: All right. Well, let's have a listen. Here's Joe's conversation with Brandon Williams. 

Joe Carrigan: My guest today is Brandon Williams from Suit and Tie Magic. He is a magician, mentalist, pickpocket and a consultant on TV shows such as "The Blacklist" and "Sneaky Pete." Brandon, thank you for joining us today.

Brandon Williams: Thanks for having me. 

Joe Carrigan: Tell us how you got started being a mentalist and pickpocket. 

Brandon Williams: I guess in short, I started with magic. And then mentalism and pickpocket kind of seemed to be the more real magic, the simpler kind of magic. So, you know, everybody - with actual magic, they believe there's a trick behind it. They think you're hiding something. It's all about misdirection. Meanwhile, mentalism, let's say, seems very straightforward. I read your mind, and that's it. Pickpocket - same thing. It's just more of a kind of visual reveal with not so much secrecy behind it. 

Joe Carrigan: All right. So you moved from sleight of hand kind of tricks into these mentalism tricks and pickpocketing. Was there a time where you had some kind of crossover where you were doing, like, some kind of combination of the two tricks, like maybe mixing card tricks with mentalism? 

Brandon Williams: Honestly, it's a bit of both. It really depends on the situation. Let's say I'm doing a walk-around gig. I'll kind of just do magic and mentalism. If it's a stage show or someone's hiring me for one specific thing, I'll try to keep them separated because if I did a magic trick and a mind-reading trick, people would think I somehow used sleight of hand to look at the cards that you chose or the thing you wrote down. 

Brandon Williams: So sometimes I'll keep it separate. Sometimes I'll put it together. You know, if I am putting it together, let's say - let's just say I'm doing a card trick, you know, not under the guise of mentalism. I'll use techniques to figure out what card you chose. Let's say you're a heckler. That way, if you shuffle the deck or you hide the thing in your pocket, the selected card, I'll know these things. So they do kind of mesh, but sometimes I won't do both at the same time openly. 

Joe Carrigan: So when you're walking around the room and working the room, are you gauging people and doing, like, cold reading on them and then trying to build a persona for them in your head? 

Brandon Williams: Oh, all the time. Just approaching a group, I check to see who's most interested in being performed for, who would give the best reactions, who would be open to, let's say, getting their mind read, their pockets picked or who's a heckler. And honestly, I like hecklers, too. You know, I'll save that heckler for a different trick or try to just plan ahead. So yeah. So the moment I approach a group, I've already kind of scanned that specific group, each person in it. I try to just make certain conclusions about each person so that I can do the right trick for them. 

Joe Carrigan: And how do you pick that right trick? What do you look for in a person? What kind of stands out? What features do they exhibit that you latch onto? 

Brandon Williams: So each person is different. Let's say I'm approaching a group, and someone's laughing a lot. You know, they're probably good at reacting. If someone is standing with their arms crossed or looks very serious or seems to be the alpha male of the group, I more often than not would have a harder time with them. If it's in terms of, let's say, pickpocketing, what kind of pockets do they have? Can I see what's in their pockets? If it's mind-reading, do they look interesting? What I reveal - would it be more interesting than someone who looks very, I guess, bland, someone who would always pick the most common number, someone who would always pick the most common color? You know, I want to go with someone who is more interesting and more open to interact with me. 

Joe Carrigan: So when you're onstage, how do you pick your volunteers? If you're asking an audience for volunteers, what do you look for in the people that are raising their hands? 

Brandon Williams: First off, if I'm ever able to do a stage show where I can perform close up beforehand, that's my ideal way of doing it because then I get to interact with a bunch of these people up close first. If I don't have the opportunity, you know, I look at whoever is clapping hard or whoever is not really turning to their friend and whispering stuff, you know, anybody who looks like they're interested, anybody who looks like they want to engage more. I also look at the speed in which people, the volunteers, raise their hands. If it goes up way too fast, I'm kind of - you know, it can either be they are super-excited to join me or they're super-excited to join me to mess me up, you know? 

Joe Carrigan: Right. 

Brandon Williams: There's just a lot that I need to pick up on. And then sometimes I just say, let's just go with whatever happens. So sometimes I'll throw, like, a light Frisbee into the audience. Whoever catches it, come onstage. I'll just work with that, you know, whether you're a heckler. Sometimes I like a challenge on stage. You know, it gives me an opportunity to use my improv skills. And we just see what happens. 

Brandon Williams: If, let's just say, it's a mind-reading trick or hypnosis stuff, I will do some suggestion kind of tests. Everybody close their eyes. Put their hands forward. Just imagine one hand has balloons tied to your wrist and the other one is holding a bucket of water. They close their eyes. And then if their two hands kind of separate - one hand goes higher; one hand goes lower - they're suggestible. So sometimes I'll do tests like that for the whole audience and see who certain things would work better with. So that's another way I can pick certain audiences. 

Joe Carrigan: Let's say you have an audience of a hundred people. You're looking for suggestible people among those hundred people. What percentage do you find on average of those hundred people - what - how many of those hundred people are what you would consider suggestible? 

Brandon Williams: Honestly, I would say basically 50-50. Sometimes it kind of sways a bit towards one side. But when I go onstage, my first assumption is this is going to work with everybody. If one person sees me doing something for someone - let's just say I hypnotized them or, you know, I do a bit of mentalism and they say it works. Then they believe this works. Sometimes it doesn't stick to that person. 

Brandon Williams: In my mind, it's 100%. Sometimes it whittles down to 50%, you know, if they just have doubts. But I assume it's 100%. I pretend it's 50%, and then it kind of just sways either direction. At that point, it's just a matter of gauging my audience, the volunteers that come up. As I said earlier, I just find which ones still work best for. But I think if you ask another performer, someone who's not comfortable with working with hecklers, then they'll probably say their number is smaller. I like performing for anybody and everybody, and I like the challenge. So in my mind, it's between 50% and 100%. 

Joe Carrigan: All right, so once you've selected the person you're going to use as your volunteer, you have to condition them, right? 

Brandon Williams: Yes. 

Joe Carrigan: How long does it take for you to get them into the condition where the suggestibility works on them? 

Brandon Williams: If I am able to see them beforehand - let's say in close-up performances - I'm conditioning them the whole time. I'm reading them the whole time. If they're new on stage and I just met them, you know, I don't have too long to condition them. It depends on - have I met them prior? How deep do I want them to be conditioned? What do I want to do with that conditioning? And have they seen me or another performer do their thing? Because if they have, then they are open to the idea that this thing's going to work, you know, whatever it is. If I don't know these things and I met you for the first time, I will try to condition the person within three minutes. You know, I'll have a mini conversation with them. 

Brandon Williams: Let's just say for pickpocketing, you know, because I have to touch you to get to your pockets, I will make sure I'm a little more, I guess, physical when I talk - you know, if I tap their shoulder, put my hand on their back, that type of stuff. And I'll try to condition them as quickly as possible, again, depending on what I need to do with them and how deeply conditioned they need to be. But roughly, someone who I've just met for the first time, three minutes is an OK bet. If I've met them before or I'm able to do other things, I'm conditioning them the whole time. So sometimes that'll take 10 minutes or more just to get deeper into it. 

Joe Carrigan: Let me delve into the darker side of things. With scams, the - like con men, they're constantly working the person they're in the process of scamming. 

Brandon Williams: Yeah. I mean, if you take a look at people who do three-card monte on the street all the way to, you know, just someone picking your pocket on the train, there's a whole conditioning bit that's going on before you even get face-to-face with them. Between getting a big crowd and piquing your interest or going on to a train where they're looking for people who are distracted or, you know, with newspaper or music, you're preconditioning yourself for them, and then they can do other things to help condition you more. Again, it's two different kind of styles of the scam. In the case of, let's say, three-card monte on the street, when you walk up to them, they know that you're a potential victim. They draw you in with a smile. They draw you in with - take a look, this is very easy, you have a chance of winning. You know, they're kind of pulling on your financial heartstrings. 

Joe Carrigan: Right. 

Brandon Williams: You know? And you're interested in games. That's that form of conditioning, I guess, as a showmanship scam. If it's them picking your pockets without you knowing, they will look at you from across the room. They will look to see where your attention tends to be. And if you're the right person, they'll walk up to you. They won't pick your pocket right off the bat. They'll kind of bump into you. They will bump into someone else and see if you notice they're bumping into someone else. And if you're still a good candidate for them, they will kind of, like, tap your pocket. They will poke and prod where they can. If you haven't paid attention yet, that's it. You're kind of their go-to. So each situation has its own way of peeking into which person is the best victim. Each situation has its own thing. And they are conditioning people, and they are reading people all the time. 

Joe Carrigan: So I wanted to talk a little bit more about picking pockets. How did you get into picking pockets? You mentioned earlier in the interview that it was part of your performance. But what got you into it specifically? What was the impetus of it? 

Brandon Williams: When I was younger, I mean, I was always a prankster. So between me doing pranks, taking someone's water bottle and putting it in my locker - or one time someone drew a nice picture, and I traced it and pretended to rip it in front of them - you know, anything that I could do to get a laugh after the fact was always good. So once I realized that pickpocketing was a thing, I would start involving that. I would put a piece of shrimp in someone's pocket, take out their wallet, swap out the ID cards. And how I got into actually pickpocketing was - I didn't realize that pickpocketing was, I guess, a showpiece. 

Brandon Williams: Originally, one of the first jobs I worked was in the magic section of the Toys "R" Us in Times Square. And there was this one trick that we always used, where the whole deck would eventually change into the same card, and it would always be the same card. You know, whatever card you picked, it would be that card. So at the time, we were having multiple magicians work a single shift. It could be two magicians, but when one of them was on a sell, the other one would take a break, walk around, do whatever. When I was on my break, I would kind of stick that card that people would choose on the ceiling, on the glass, and then eventually I would stick it in someone's pocket. So I would signal to my co-worker who would have that card in their pocket. Then he would make that card disappear and then point across the room - sir, check your pocket. 

Brandon Williams: Eventually, I kept challenging myself to see how many of those cards I could put in people's pockets in one go, to the point where the guy was able to say, everybody check your pockets. So I got good at that. You know, it was partly a selling point when I was working at the store that you could do crazy stuff with this deck. 

Brandon Williams: They do teach you different ways of putting cards in people's pockets, but this was me trying to do it in real time. So I got really good at putting stuff in people's pockets. You mix that with me doing pranks for my friends and family, and you put those two together. Now, I got really good at putting things in people's pockets, taking things out of people's pockets. And eventually, when I learned that pickpocketing was also an art form and a performance piece, I started to kind of just hone in on that. 

Joe Carrigan: You live in New York City. 

Brandon Williams: Yes. 

Joe Carrigan: When you go out to a busy place, how do you make sure that you don't get your pockets picked by somebody who's looking to steal your wallet? 

Brandon Williams: Before I answer that, let me tell you what certain things pickpockets are looking for. Sometimes, when there are signs that say, beware of pickpockets, you know, people would see them, they would pat their pockets. And that's openly. 

Joe Carrigan: Yeah, telling everybody exactly where their wallet is. 

Brandon Williams: Yes. Basically, between scanning and mentally tapping my own pockets, I make sure that nobody knows where my valuables are. I also switch it up. Sometimes I'll put - I'll get a smaller wallet, maybe, like, a little card sleeve, put that in my sock so I won't have a wallet in my pocket, or I'll use my inner chest pocket of, let's say, a blazer or a coat. Different techniques to avoid getting my own pockets picked. But definitely one of my favorites and the ones that I do all the time is mentally tap your pockets, don't physically do it. 

Joe Carrigan: So stay alert and maybe keep some money in your sock (laughter). 

Brandon Williams: Yeah. One tip I have is if you can, put rubber bands around your wallet. It makes it harder to pull out of your pocket, and it keeps the wallet closed. 

Joe Carrigan: Brandon, thank you so much for joining us. 

Brandon Williams: Thanks for having me. This was a lot of fun. 

Dave Bittner: Oh, interesting interview, Joe. Nice work there. What's your takeaways here? 

Joe Carrigan: Number one, Brandon Williams is a very talented magician. I did a pre-interview with him, and he showed me this awesome trick that he had. I have no idea how it's done. Absolutely none. He's phenomenal. I love it when we get to interview these magicians because I become, like, this kid again. Like, show me the trick, show me the tricks. 

Dave Bittner: (Laughter). 

Joe Carrigan: But what I was really more interested in talking with him about was how he uses his mentalism and pickpocketing skills and how he interacts with the people, you know, the software inside the people. It's interesting that when he approaches a group of people, he's reading them before he goes in. And he is doing this very quickly, and he uses a lot of body language, which is something I'm terrible at, which is - I'm not really good at reading body language. So I wonder how people do that, and it's kind of a mystery to me, I think. 

Dave Bittner: I think it's a combination where some people are just naturally good at it, but I think also you can be taught certain clues, you know? 

Joe Carrigan: Right. 

Dave Bittner: So it's - I think it's both a combination of natural ability, but then in addition to that, having skills that you acquire. 

Joe Carrigan: I would agree. And Brandon is a very skilled professional because he does this for a living. It's interesting what he does to test suggestibility, right? Like, he says, put your hands out and imagine one has a balloon and one has a sack of bricks in it. And if you are able to observe a physiological response from something you implant in someone's mind very obviously, then you know you have someone who's suggestible on your hands. 

Joe Carrigan: And scammers do this, too. In fact, the Nigerian prince scam works entirely on the premise of people being suggestible by believing that this ridiculous tale that I'm telling you is true. It's kind of like a filtering process. We've talked about that as well before. 

Joe Carrigan: I liked it when he says when he's interacting with somebody, he is constantly reading them and conditioning them. And he can condition someone in about three minutes. 

Dave Bittner: Wow. 

Joe Carrigan: In about three minutes, he's got people doing what they - what he wants them to do. I imagine that scammers are very good at that. And depending on the level of the scam, if they're trying to get you to do something that's mildly against your own interest, they can probably get you to do that in three minutes, too. Something much more devastating to you may take more time, but it can be done. One of my favorite things from this is that pickpockets love signs that read beware of pickpockets (laughter). 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? And I think of myself whenever I stand up to go outside and how I - you know, slapping my pockets to make sure I've got my keys, my wallet, my cell phone. I look like I'm a third base coach telling someone to steal second. 

Dave Bittner: (Laughter) Right, taking inventory. 

Joe Carrigan: Right. So Brandon's recommendation here to just mentally feel your stuff in your pockets, don't actually reach for it physically, I think that's a good suggestion. That's a behavior I'm going to try. You know, and it just comes from just being aware of what's touching your skin. 

Dave Bittner: Yeah, that's interesting. You know, this reminded me of how much people want to believe. When we go to a magic show... 

Joe Carrigan: Right. 

Dave Bittner: ...We know we're going to be shown magic. And there's a willing suspension of disbelief that goes with going to see a magic show. I think sometimes, you and I are probably alike that part of the fun for us is trying to figure out how they do things. 

Joe Carrigan: Absolutely. 

Dave Bittner: And it's even more fun when you can't figure out (laughter) how they do things... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Because then it's really amazing. We really want to believe. We want - there's a certain pleasure in the type - in watching the work that magicians do. And there's so much subtlety going on behind the scenes. It's really interesting to watch the - that craft. I always think there's a pleasure in watching someone do their work, someone who is very skilled at the work they do, no matter what it is. 

Joe Carrigan: Right. 

Dave Bittner: There's a certain pleasure in watching someone do that. And I think magicians certainly fall into that category. 

Joe Carrigan: I agree. 

Dave Bittner: All right. Well, our thanks to Brandon Williams for joining us. We do appreciate him taking the time. 

Dave Bittner: We want to thank all of you for listening. That is our show. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.