Hacking Humans – "Defending against unlimited penalty shots" (Live from Zero Trust World)
Podcast: Hacking Humans
Host: N2K Networks
Date: March 12, 2026
Guests: Rob (Bowtie Security Guy After Dark podcast)
Theme: Deception, influence, and social engineering in cybercrime
Episode Overview
This special live edition, recorded at Zero Trust World in Orlando, Florida, brings together cybersecurity pros to discuss real-world social engineering, phishing, and the ever-faster evolution of digital fraud. Guest speaker Rob (Bowtie Security Guy) shares war stories, pragmatic advice, and candid insights into the challenges of defending human vulnerabilities in organizations. The hosts dig deep into effective training, the failure of "click rates," malvertising, scams, and a fascinating legal case blending human error and cybercrime.
Meet the Guest: Rob (Bowtie Security Guy)
[01:35-02:28]
- Grew up tinkering with discarded computers, early hacking roots before legal frameworks.
- Twenty years at Disney, building out their social engineering and security awareness programs—helped launch and secure MagicBand.
- Now a Fortune 500 security executive and mentor; hosts "After Dark" podcast to help newcomers understand the real cyber landscape.
- "People think it's going to be constant fun. It's very monotonous, boring work a lot of times." [03:14]
The Realities of Cybersecurity Careers
- The journey into cyber is never linear.
- Mentoring is key to retaining passion and breaking social anxiety barriers.
- Success often means managing tedium punctuated by bursts of adrenaline.
"I build replica movie props in my free time. I worked for Disney for 20 years... now I'm just a boring executive at a Fortune 500."
— Rob [01:35]
Flaws in Traditional Phishing Awareness
The Click-Through Rate Fallacy
[04:59-06:56]
- Companies over-rely on simulated phishing click rates (e.g., the "1.5%" from Verizon's DBIR), which are contextually skewed and ignore simulation variables.
- Real attack scenarios are diverse: email language, origin, and content often differ from tests.
- Instead of sim-only metrics, organizations should "bucket" people by behavioral risk and train targeted skills.
"Focusing on that number [click rate] as opposed to focusing on risky human behavior and training behaviors is much more important."
— Rob [05:53]
"When you send a simulation out, you're bypassing all your own security... Many people who are getting the email would never receive an email from an attacker."
— Rob [05:16]
Microlearning for Maximum Retention
[06:44-07:15]
- People only retain knowledge in short bursts.
- Shift training to "microlearning": 2-5 minute focused segments.
"If you're giving somebody more information than that, they are not retaining any of it."
— Rob [06:59]
Gamification & Positive Reinforcement in Training
[07:31-09:35]
- Traditional punitive approaches create resentment; positive reinforcement ("gamification") is vastly more effective.
- Use pop culture references or Easter eggs in phishing simulations; reward employees for spotting them.
"It trained a behavior of analyzing an email before clicking or doing anything. And you reinforce that behavior... with good things."
— Rob [08:13]
- Focus on the user: illustrate how a breach can damage their personal brand and relationships, not just the company.
"No one cares about your company. You do, because you may be the boss, but your employee doesn't care. They just don't want it to hurt them."
— Rob [08:45]
- Red teaming: use real-world phishing found "in the wild," because "hackers are lazy for the most part" and use easy, optimized paths.
Ethical Debate: Deception in Simulations
[10:57-13:11]
- Simulations can create mistrust if not transparent.
- Intentionally "tricky" emails (e.g., promising a bonus) can backfire or create perverse incentives.
"Why are you running a simulation? ...I'm not trying to trick you. I'm trying to be there so if you do fall, I can pick you up easily."
— Rob [12:21]
- Key: walk employees through the why; avoid adversarial relations. Some units still resist all forms of deception.
- Most real phishing gets stopped by technical controls (SPF, DMARC, etc.), so simulate wisely and focus on behavior change.
C-Suite Conversations & Data Skepticism
[13:34-15:43]
- Push back on industry click-rate benchmarks; most cannot justify sample quality or simulation context.
- Instead, treat click-throughs as indicators for upping difficulty, not signs of failure.
"It's not a matter of if you can be phished. It's just a matter of are they going to catch you at the right moment."
— Rob [15:46]
- Even experts click: Rob recounts his own embarrassing but instructive moment falling for a simulation during a stressful time.
Phishing is Like Defending Unlimited Penalty Shots
[16:32-17:13]
- Attackers only need to get lucky once; defenders must be vigilant always.
- Rushed users are most susceptible ("every single one [of thousands investigated] that clicked was just in a rush." [17:13])
Roleplay Segment: Financial Advisory Scam & Legal Case
[19:03-28:14]
- Scenario: a long-term client requests their entire life savings withdrawn for a "real estate" investment (actually a scam).
- Real case in the Maine Supreme Court: victims lied to their advisors under scammer coaching, then, after losing the money, sued the advisor for not seeing "red flags" (despite having deceived the advisor themselves).
"The courts question whether investors have the right to spend their money as they wish 'even if it's stupid.'"
— Maria [25:12]
- Dilemma: advisors can't protect clients who purposely deceive them; red-flag laws are unclear and only sometimes mandatory.
- Scams are made worse by AI-driven evidence falsification and public records abuse (e.g., open DMV information used for intimidation [29:21]).
Malvertising: The Modern Scourge
[34:09-39:37]
- "Malvertising" (malicious online ads) is widespread and lucrative. Attackers place fake giveaways, redirect users, and steal card info.
- Confiant Security research found exposed attacker infrastructure; researchers could block domains in advance.
"The page was publicly accessible...updated with the new domains the attackers plan to use next."
— Dave [36:08]
- Attackers often use weak passwords on their own infrastructure, which works in defenders' favor.
- Attackers profit, and so do the ad networks (up to billions in fake ad revenue).
"I had built a bot that would go and validate every URL...and they permanently banned me and then IP banned me."
— Rob [38:06]
- Many scammers are forced labor, particularly in "pig butchering" and "lonely heart" scams; some are victims themselves [40:22].
Behind the Scenes: Scam Ecosystems & Social Engineering
[46:51-56:36]
- Small scams (e.g., $50 gift cards for "free money") mark you for resale on scammer lists.
- Scammers network and share targets; hacked info is easily bought and sold.
- Job scams are rampant: fake recruiter accounts, deepfake interviews, referral fraud, and predatory contracts.
"All of the job networks...are just flooded with fake jobs because there's a lot of value to it."
— Rob [53:59]
- Rule of thumb: if you get a cold job offer, "it's a scam unless you actively know the person."
- Best way in: network at conferences, volunteer, make yourself known.
- Persistence and willingness to "dig deep" and tinker are vital.
Notable Quotes & Moments
- "Security is like being a goalie and they have unlimited penalty shots. They can just keep shooting at you nonstop and you have no choice but to continue defending."
— Rob [16:38]
- "Focus on brand damage and personal brand damage… I deputize everyone I would do a class with. I'm like, you are the frontline defense."
— Rob [09:08]
- "If you're a new person in cyber and you're listening to this and you get a job offer, it's a scam. Unless you actively know the person, it's a scam."
— Rob [54:36]
- "If you are employed and you are not actively helping at least one person a week, you are doing a disservice to our community."
— Rob [59:56]
Timestamps for Key Topics
- 01:35 – Rob’s background and Disney days
- 04:52 – Preview: Phishing program talk
- 06:44 – Microlearning, breaking "long training" norms
- 07:31 – Behavioral (not punitive) phish training
- 10:57 – Ethical lines: deceiving employees in simulations
- 13:34 – Convincing execs: trashing data myths, real risk
- 15:46 – Everyone gets phished, even the experts
- 16:38 – Unlimited penalty shots analogy
- 19:03–28:14 – Roleplay: scam case study and legal wrangle
- 34:09 – Malvertising: how threat researchers beat criminals at their own game
- 38:06 – Fighting back against fake ads and banned by big platforms
- 46:51 – Gift card scam dissection; scammer ecosystems
- 54:23 – Job scams, deepfake interviews, how to break in authentically
- 59:56 – Community call-to-action: mentor, support, give back
Final Advice from Rob ("Bowtie Security Guy")
- Find community: In-person events, cons, and volunteering trump online applications.
- Help others: Mentorship is a duty for those already in; he offers resume, LinkedIn, and interview tips for free.
- Stay skeptical: Assume unprompted recruiting—and most "too good to be true" offers—are scams.
- Be aware: Technical controls, behavioral training, and a supportive, open culture are the best defense against sophisticated and omnipresent social engineering.
Resources
- Bowtie Security Guy After Dark podcast (search Bowtie Security Guy on any platform)
- Hacking Humans podcast archives
- Zero Trust World info
- Scambait subreddit for real scam-baiting stories
Outro
"In this market we need people who are willing to give time and help people. And it's hard."
— Rob [59:57]
This episode is rich with frontline stories, pragmatic advice, and candid, sometimes laugh-out-loud takes on the realities of cyber defense and the human element. It’s essential listening for anyone fighting on the front lines of cybersecurity—or trying to join.