The People Factor Podcast | Episode #61

How social engineering is shaping talent acquisition

Contributors
Thomas Kohler

Founder & CEO

Leslie Kivit

Founder & Chief People Officer

Leslie is the founder of ThePeopleLab, where he helps start-ups in emerging tech such as AI, Blockchain and SaaS build out their People & Culture teams from scratch or improve what they already have. Over the past 15 years, he held HR leadership roles with Xapo Bank, sennder, Meta, Booking.com and Rocket Internet.
We talked about:
  • Fraudulent social engineering in recruiting
  • Social engineering for recruiting, sourcing and evaluating

Thomas Kohler:
Today’s guest, Leslie Kivit. Again, episode two, we talked about social engineering.

Leslie Kivit:
Look, right. I, you know, after this experience, I also dove in a couple of numbers which are maybe interesting also to mention. So basically, according to Forbes, so in the first quarter of 2022, more than 40 million people were actually exposed to scams, and the Federal Trade Commission, so the FTC in the United States, basically said that job seekers lost around $68 million, basically due to fake business and also job opportunity. So it’s a huge number. Obviously, this is data from 2022. But knowing, I think that with the rise of OpenAI and other AI tooling, that makes it easier, I think, to produce text or produce videos. I can only imagine, right, that this amount has probably increased.

Thomas Kohler:
We talked about social engineering, the negative side on how he got defrauded through job interviews and job interviewing as an advisory board member. And then also we talked about the positive things of social engineering, where you can create value in sourcing, scoping a role, evaluation, closing candidates, and just gathering relevant information. Where it’s maybe hard when you do not use social engineering tactics, then you can.

On the people’s side. Good morning, Leslie. Again, we already did an episode on freelancing tips and so on. And there is also introduction about yourself, so we don’t need to do that again. So people who are just listening to this episode and want to know, Leslie, please listen to the previous episode with him. Today we are talking about social engineering and talent acquisition. And Leslie, you told me that you had also some stories from both sides, right? Where it was positive and negative. Yeah, a bit of story time.

Leslie Kivit:
So I think this is actually a pretty cool topic. And I think it’s also a topic that is more increasing. Also today, or I guess also yesterday, right. Was the launch of Sora, right. The new OpenAI tool which allows you to create actually video from text within 1 minute. And if you see all these videos actually have coming out now, it’s truly amazing. So I think it has a lot of positives, I think. But we also need to consider what other side effects could actually be. So, yeah, I have a pretty also personal story actually around the topic of social engineering. So every now and then I also help projects basically with building up the company.

And I remember that at one point I got an outreach via Twitter which basically said like, hey, look, we’re a gaming company and yeah, we looked at your profile and we would actually like to invite you for an advisory role. I’ve worked in Web3 and crypto for some time. I’m pretty careful usually with sharing my information, but doesn’t look legit. So I would do what anyone would do. I tried to discover a little bit more about the company. There’s like a very nice website. There was a team basically presented. Their roles were basically presented.

And I thought, okay, let’s just jump on the interview. So I actually did the interview and, well, the person liked basically what they said. And he said, look, the next step for you would be to meet the team. But, yeah, obviously it’s also important that you understand the game, right. That we actually are building and you can probably already feel what happened next. So I went to the website, basically to download the game. And, yeah, within probably four days, the crypto that I held actually, personally was gone, actually on my wallet, on my PC. And I had to wipe my PC. And look, it sounds so stupid. It sounds so silly. There are a lot of red flags, I think, sort of along the way that I spotted.

But there’s like optimism, right, that you have. There’s excitement also, that you have, right, when somebody reaches out to you. And despite all the. All the commercials or all the warnings, maybe that even getting internally, it’s still pretty exciting to also click these links. And especially if you spoke to several members of a team, this is usually how you slim down the chances of potential scam.

Thomas Kohler:
This happened that you got a reach out message through LinkedIn and then it was more like, was it a chat conversation or was it also video calls or.

Leslie Kivit:
Yeah, no. So it was actually a conversation that started over Twitter and, yeah, indeed, this person also referred, as referred and had a LinkedIn profile and, yeah, no, we had a video call. I literally saw the person and then I also met a second person and, yeah, it made total sense to me. Right. If you’re going to work for a gaming company or you’re going to do advisory for a gaming company, I think it’s only logical, right, if you understand what the product is and basically what they do and if you have to install, like, a launcher. That felt normal to me. But yeah, the moment when I basically launched also the game, there was like this error message.

Which didn’t allow me to play the game. And that was the moment when I thought, like, maybe there’s something fishy going on, right. And that’s probably the moment where I should have maybe reformatted my entire computer, but my virus scan didn’t notice anything, so I was absolutely caught off guard. And I was also telling before we moved into this conversation that every time that my laptop is taking a little bit longer than it used to be, I automatically get nervous.

Thomas Kohler:
I think I just, in parallel, want to read out something from Google. There is also a definition for social engineering in terms of security context. Right. And I think this is actually what happened to you. So in the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

So that’s, I think, the form where we should be careful and where it should not be used. But I think in a more positive way. There are so many use cases of just a type of social engineering where it can add value to anyone. Right. So we can call it maybe relevant social engineering or value creating.

Leslie Kivit:
But look, right after this experience, I also dove in a couple of numbers, which are maybe interesting also to mention. So basically, according to Forbes, so in the first quarter of 2022, more than 40 million people were actually exposed to scams, and the Federal Trade Commission, so the FTC in the United States, basically said that job seekers lost around $68 million, basically due to fake business and also job opportunity. So it’s a huge number. Obviously, this is data from 2022. But knowing, I think that with the rise of OpenAI and other AI tooling, that makes it easier, I think, to produce text or produce videos. I can only imagine that this amount has probably increased. So, yeah, I think, like my tip, right.

I think to anyone, at least from a sort of applying perspective, right. You know, uphold your standards, right. If salaries are too high, it’s often too good to be true and you need to do your due diligence. And I think we are very good, or I think we’re better as companies equipped, right, to filter out candidates that have also malintent. I’ve also seen those while I was hiring for the companies that I worked for. But I think when you are applying for roles or when you see opportunities, there is this optimism, right, of you hoping to find that next exciting career challenge. And sometimes you get a bit blinded, perhaps, by the things that are going on. Definitely.

Thomas Kohler:
And I think there is also some checklist which everybody can ask as a job seeker, that also just researching the company, maybe on LinkedIn, because I think any company kind of has something on LinkedIn or on social media or somewhere where you can research. And if that doesn’t make any sense, then be very skeptical and really ask a lot of questions. And I think by asking a lot of questions and not getting solid answers, then you should later see, okay, either it’s not a company where I then feel confident working for, or maybe it’s even some kind of scam.

Leslie Kivit:
Yeah, absolutely. But let’s move through the positive side. What did you find? Like, what did you figure out?

Thomas Kohler:
So I think there are several positive examples. For instance, I would say A/B testing job ads could also be a sort of social engineering, right? Where I see a lot of companies, they don’t know what the next level of leadership hire could look like. And then instead of just posting one job ad or describing one job, you go out with three, you say, okay, you have three different variations of one job and maybe two different seniority levels.

So you have six job ads live, but actually just one job to hire. I don’t think that this is a bad thing to do. I think it’s A/B testing and I think it should be done and it gives you way more flexibility in the calibration. I think it’s just important that you are very transparent that you’re doing that and how you’re doing it right. And then I think it’s not a problem at all. And the second piece is also for sourcing sometimes in very niche roles. For instance, let’s take software engineering. If you want to source on GitHub and as a recruiter, you don’t have really high chances to get maybe responses through committing to another repository of an engineer where you know, okay, we want to hire for a very niche skill.

And on GitHub you find certain repositories of this very niche skill. You might not send out a LinkedIn message or scrape the email and then send out a cold email, which is also then a question. In some countries it’s not even allowed, right? If you should do that, if it’s well received. But what if you can go to your engineering manager or to one of the top engineers in your company and say, can you just start committing to the repository of this engineer and then start a conversation with him? Of course with the mindset that at some point we want to hire him. But first, building a relationship on purpose in the environment, they feel comfortable. I don’t think that this is a bad thing, to be honest, but it’s also a sort of no.

Leslie Kivit:
Yeah, no, I agree. I think social engineering, at least for me personally, I think what it also means is that if we talk about the positive side of the topic, I think it’s a way of creating channels that would basically allow you to communicate with the audience that you would like to interact with. And because you don’t always know your audience, I think from the get go, right. You need to basically, like you said, you need to A/B test, I think, to sort of try to figure out what actually works. And that, I think, accounts for the candidates that you are trying to hire and that you try to trigger.

And at the same time, it could also count for your employees, because not everybody receives information in the same way. You have folks that would like to read it. You have folks that like to see a video. You have folks, indeed, that would like to see, for example, work actually being contributed to their own work. Right. So I think there are different pieces of the puzzle. I think that’s a really interesting, actually approach to convincing also your candidate that you are the right employer. Because you speak the same language as they do, or maybe you even speak a better language than they actually realize. So I think that’s a really good take, actually.

Thomas Kohler:
And do you also have some use cases where you saw this in a positive way, social engineering being used in a positive way for value creation?

Leslie Kivit:
Yeah, I think the most recent example is that at the previous company that I worked for, it’s basically a Bitcoin bank. It’s a crypto bank. It means that the audience that’s usually working for companies, for example, and specifically engineers, is not known to be on LinkedIn, but they’re more likely on, for example, Twitter, or they are more likely to be on Telegram, which basically meant for us that we needed to, sort of, you know, adapt the language that, you know, would speak also with those folks and to find them also on sources where they would usually not be beyond. And it’s not only to find them on those sources, but how to communicate them or how to communicate with them on those sources, because most of them are not doxed, which basically means that their identity is not known. And sometimes they also don’t want to talk about it. And if they don’t want to talk about it, then in the end, it wouldn’t be the right fit for us because we are like a regulated bank. You need to understand what face is basically behind the computer. But for that specific industry, what usually doesn’t matter is impact, is output, and not sincerely the person who is actually doing it. That led us in really understanding, for example, on what language we would need to speak on a Discord.

So we started to create actually our own community on Discord, so we could actually speak the language of that particular audience because they would be on Discord, chatting about some project or contributing to some project, rather than being actually on LinkedIn. So I think that’s one example where we started to change our approach, our outreach approach and our language.

So suddenly, within the recruiting team, you have a community manager. So somebody that tried to keep the conversation going, try to put in also topics that we find relevant as a company at that point for specific roles that we will be recruiting for. Another thing is that it was a much stronger focus on creating a newsletter, for example, that would speak the language of that specific audience with upcoming roles or with other developments that we deem to be important. And continuously being in a conversation with your audience of what you’re sharing is actually something that they like. Yeah. So I think these are two recent examples.

Thomas Kohler:
I also think there is another example in terms of executive hiring, what I saw from an evaluation piece. So you can also use that in the evaluation component. It was an example where a German Mittelstand company was hiring one of their executive team members externally. So not from the family. So then it is always even, I think, more critical in terms of how people behave. And they always wanted to invite candidates in final stages to a certain site of the company, but it was not really about a certain site of the company where then they do a workshop or so on. They just made it up because they wanted. They also co-owned the hotel and they wanted to ask the staff, the cleaning staff, the reception staff, the restaurant staff, on how this person was dealing with them and if they could imagine working for them. And of course, also they then invited the whole family that they really have the real life experience, and that’s also a way of making use of social engineering principles. And I also don’t think that this is something really bad. Yeah. The question is also, is it doing the job, what you want to get out of it?

So I think you need to be very careful in also touching and not going, and not going too far in terms of personal boundaries as well. I think that’s really important. But there are so many use cases for many different examples.

Leslie Kivit:
I think that’s very cool.

Thomas Kohler:
Another one that I also saw is, for instance, back then there was a tool called Followerwonk. Do you know that tool?

Leslie Kivit:
Nope.

Thomas Kohler:
It was a Twitter tool. I don’t know if it is still existing for X now, but you could just use, for instance, I also use it for software engineering. We wanted to hire the people that were not available on LinkedIn, right? And then we were looking on Twitter, and we were looking on the top three connected engineers in an exclusive engineering community and put them into Followerwonk. And then you got a Venn diagram with three circles and you saw the proportion of Twitter users who are all following the same person and who they are following as well. And then you know, okay, these are the top seven people that are all connected to each other. So we need to reach out to them. How do we do it? We just get one to lunch, not even reaching out, saying, hey, I will have a job for you. Do you want to work with us? It doesn’t work.

It’s like you need to go at a different stage to maybe find something exciting to say, let’s make a community event or a hackathon or something. And can we just meet up front on how we could do that? Right. And then you have a bigger story, but the overall purpose is just, you want access to these people, but there you go a very different route to get there. That they talk to you. Right. And that you gather information and that you then ask, okay, who would be the top three people that come to your mind who should also do live coding or should run a team in the hackathon, for instance. Okay, that name was dropped and suddenly two out of the people they dropped were two out of the seven we were put to target.

Leslie Kivit:
Yeah, that’s awesome.

Thomas Kohler:
But it’s, of course, very high maintenance and very high effort. But I think if something is super critical, for instance, very specific niche roles, but also executives, why not doing something like this, right?

Leslie Kivit:
Because the cost, for example, executive search is already pretty high. So having, like, a system, for example, on board. Yeah, I think that makes a lot of sense. It actually also got me to think, right. I think there are probably already a lot of practices in social engineering or that you already apply, I think, specifically if you work in an in office environment. I remember when I worked at Facebook, I mean, here in Switzerland, so they have this thing here where you got apéro at the end of the day. But we would use to do this with our candidates as well.

Leslie Kivit:
So instead of showing them to the cleaner or showing them, for example, to the maid, it’s the team. So we often had our recruiting coordinator that created the most awesome cakes or whatever, and then this person would just have a break right between the three interview rounds, and then this person would eat a bit of cake, whatnot. And often there were deliberately, obviously there were team members then also sent to the Facebook kitchen to basically ask this person what this person is working on. And I think by doing this, you leave these little sort of nudges that should create this authentic sort of interest. And I think another way a lot of people already use is around event recruiting.

I think event recruiting is another really good way, I think, of social engineering, where you are basically hiring by not saying that you’re hiring. So you talk about a very cool sort of project, what excites people. You create side events that sort of double down on those developments or the topic that you’re known for, and then before you know it, there’s an opportunity to interview. So I think that’s another way of how you’ve seen.

Thomas Kohler:
Yeah. And I think also what I also saw, but I think companies need to be very careful, and I think it’s even not allowed in some countries, that people just call other people they know on other people’s opinions for references without consent. I don’t think that this is something a best practice, what I would recommend, but I saw it happening, and I also saw the value for the person calling. Because you get a very, I would say not maybe unbiased, but unsold view of a candidate. Because, of course, if a candidate is giving you a name of six references, the level where this happened was like, salary is €300,000 and plus, right. So they understood of the founders that they wanted to really make sure that if they invest that, not just in terms of salary, but also scope and budget behind that, and decisions that were made that they really want to make sure. And I think it’s also a bit of question about, okay, I just really want to make the right decision. And therefore, I really invest a lot of time in just figuring out what information could I get out there that I maybe don’t get from a regular interview process that helped me decide for a very critical decision.

Leslie Kivit:
Social proof is important, right. But I think there’s, like you said, I think there’s an order also to things. And I do think, indeed, that CEOs sometimes have the tendency to ask for these referrals a little bit sort of too fast because there’s also context often also to those referrals. So, yeah, no, I 100% agree. I think these referrals specific for those roles are really important because social proof matters. But I think it makes more sense, right. If you’ve also interviewed and have consent, obviously, of candidate itself, because there might always be reasons why certain adventure didn’t end the way it ended or was supposed to end. So, yeah, absolutely agree.

Thomas Kohler:
When we’re talking about people, who is a person that, you know, I don’t know who I should interview as well?

Leslie Kivit:
That’s a good question. Look, I’ve been thinking a lot about AI lately. Everybody has, I think, and I’ve always been excited to learn more about what AI could actually do to make our lives more easier so that we can actually focus on things that really matter. So someone that I would probably recommend you to interview would probably be Paul Carman. He’s making a huge bet, I think, on AI creation in HR, and I don’t think there are a lot of people that have been actually doing that. And so, no, I think he’s a great person to talk to and it could get pretty technical as well, but within the HR side.

Thomas Kohler:
What’s the name again? Paul…

Leslie Kivit:
Yeah, Paul and Paul Carman.

Thomas Kohler:
Do you know him?

Leslie Kivit:
Yeah, I do.

Thomas Kohler:
Can you also ask him or make an intro or should I? Absolutely, yeah. I think that always works well. And if he’s up for it, I definitely want to have you on the show.

Leslie Kivit:
Yeah, I think he’s 100% up to it. I think he’s also building his social presence a bit, so it will be good for him to put his nose out. He won’t like it, but he needs to do it.

Thomas Kohler:
Yeah, sure. So it should be a benefit for anyone, right? For the listener, for him.

Leslie Kivit:
Absolutely.

Thomas Kohler:
Cool. Leslie, I think that was enough content for social engineering. Thank you so much.

Leslie Kivit:
I agree. Thank you so much, so much for everything.
