SourceCon 2018 got straight to the central theme of social engineering in a style fitting the host city of Las Vegas, Nevada. With Elvis Presley’s Suspicious Minds playing, Jim Schnyder and Brian Mork kicked off the keynote sessions.
Or was it Brian Mork….?
In a move pulled out of the Danny Ocean or James Bond playbook, both presenters showed the audience how easy it is to socially engineer a room of 800 sourcers and recruiters. Jim Schnyder was on stage, but Mork was not who we thought he was. We were “SourceConned” by a similar-looking Bryan M. At the beginning of their presentation, Schnyder and Mork enlisted their friend to come up on stage and act like himself for a short period to illustrate one of the principles of social engineering: people trust people. Even though the “real” Bryan’s picture was displayed as the pair were introduced, most of the audience missed it because they were engaged with the two presenters. As Schnyder and Mork continued, they would come back to this theme, and it was also apparent throughout other speakers’ presentations.
Social Engineering | White Hat V Black Hat
What is social engineering? Many define and describe it as merely manipulating another person to get something from them, but this is far too simple and unfair to those who use it for ethical reasons. Schnyder and Mork acknowledged the illegal, aka Black Hat, uses of social engineering like phishing or spamming, but also laid out the positive, aka White Hat, ways we use it in our jobs and in the many interactions we have with people daily. How many of you have ever tried to engage a candidate through a common shared interest? That is social engineering, and it is referred to as social anchoring. We’ve all experienced the joy of talking to another individual about a personal passion and the bond it creates. Mork does this in a unique way, adding a quote from a person’s favorite movie to his email signature to get a response. Social engineering is having the emotional intelligence to understand another individual and to adjust your behavior to build a relationship or, in our case, help them find the next great opportunity.
Using their many years of experience, Schnyder and Mork took the audience through four everyday scenarios that a recruiter would likely run into and how each would approach them within the context of their professions.
The first and fourth missions involved gathering and verifying personal intelligence on a candidate knowing only their name and the city they live in. Schnyder used the paid database site publicdata.com to identify the candidate and then verified this information using Facebook and several familiar recruiting tools, like HireTual, Seekout, Prophet, etc.
Mork based most of his search on information available to anyone in the world right now. He researched city, state, and country public records and queried data breaches to identify their email. Like Schnyder, he then scanned social media to build out their profile. When it came to identifying email addresses in the fourth mission, Schnyder and Mork tackled the problem similarly. Both utilized keyword and Boolean searches, but Schnyder used recruiting-specific databases, while Mork looked through public records. For sourcers and recruiters, the key takeaway should be to discover other sources outside of normal channels to start your research. Researching a candidate will require you to scan social media, but there are many other strong data sources, like public records, that can lead you to new information that social media might not.
Social engineering came into play again in the second and third missions. Schnyder and Mork needed to get a highly sought-after candidate, who didn’t typically respond to messages, to respond to one of theirs within 90 days. In a somewhat “old-school” approach, Schnyder advocated finding their number and calling them. Other solutions he suggested were to identify their online hangouts and engage in that context, or to run a highly personalized email drip campaign.
Mork didn’t engage right away. His first step was to learn as many non-work-related topics about the candidate as possible through online social media. He would then start to build a relationship with the candidate or, at the very least, with those in their surrounding network. In Mork’s words, if you can’t win the candidate, then “win their references.” As recruiters and sourcers, we can’t approach candidates only with job offers all the time. Like any relationship, there must be give and take from both sides. Mork and Schnyder showed that giving a candidate your interest in their non-work lives can lead to higher levels of engagement.
While the second mission focused on engaging a candidate, the third mission was to see if an engaged candidate was too good to be true. Both recruiters and hackers come across those who do not genuinely represent themselves. How does each discover the truth? Interestingly, the recruiter spoke more of the data, and the hacker stressed the importance of the interviewer. Schnyder talked about using archival tools like the Wayback Machine and internal systems like an ATS or CRM. Armed with these facts, Schnyder would probe a candidate on any inconsistencies to get their response. One easy technique would be to state, “Our company conducts background checks. Is there anything we should look out for?” Mork gave a social engineering technique to use to verify a candidate’s history. He gives false summaries after a candidate gives a summary, or purposely misstates a resume fact, to see if the person corrects him. The point of this exercise is to test a candidate’s knowledge of their own history to ensure they aren’t making up facts. Here we find the white hats out-engineering the black hats.
What to Keep in Mind If You Want to Be a Social Engineer
Taken at face value, many of the different techniques and tools used by Schnyder and Mork might be viewed by some as black hat, that is, until you ask what the intentions are of the sourcer or recruiter conducting these searches. Used in the right way and for the right purpose, candidates will be thankful that we went to such efforts to get them that next opportunity or dream job. If, on the other hand, we use these techniques to pry, spam, or manipulate candidates, we will quickly lose credibility and any possibility of building long-term relationships with them.