Fraudology

Corporate social engineering: A former spy explains the art of the ruse

Guest: Robert Kerbeck

Today I’m talking about corporate social engineering with someone who knows this world from the inside in a way very few people do. I sat down with Robert Kerbeck, author of Ruse, to talk about how easily a well-trained employee can still be manipulated, how much damage can come from one convincing phone call, and why so many companies still underestimate just how effective these attacks can be.

At first glance, this can sound like a story about one unusually colorful career. And yes, Robert’s background is wild in a way that almost does not sound real. But when you look closer, this conversation is not really about spectacle. It is about method. It is about how trust gets manufactured, how people get read in real time, and how company secrets theft often starts with something that feels ordinary enough to ignore.

That is the part I wanted Fraudology listeners to hear.

Because corporate social engineering is not just a security awareness topic. It is a fraud topic, a customer service topic, a company risk topic, and honestly, a human behavior topic. If someone knows how to sound credible, how to create urgency, and how to get a target talking, it does not take some dramatic Hollywood hack to get real access or real information. Sometimes it just takes the right voice and the right story.

And that matters.

Because the same social engineering techniques Robert used in corporate espionage are not gone. They have just been repurposed, scaled, and adapted for modern fraud, account access, and internal compromise.

Here is what that means in practice:

  • Corporate social engineering often works because it exploits trust, not technical weakness
  • Phone-based social engineering can bypass strong systems when employees are not trained to slow down and verify
  • Customer service fraud prevention matters because support teams are often the easiest path to access, overrides, or information
  • Employee verification procedures are one of the few things that consistently interrupt a good ruse before it becomes a bigger loss

What you’ll hear in this episode:

  • How Robert Kerbeck became a former corporate spy and what that taught him about manipulation, trust, and human behavior
  • Why phone-based social engineering and employee manipulation scams still work so well on smart people
  • What ruse tactics look like in practice when the goal is company secrets theft or internal access
  • Why executive impersonation risk and customer service fraud prevention deserve much more attention
  • How social engineering training and fraud prevention education can help companies strengthen corporate account security

You should listen to this episode if you:

  • Work in fraud, security, support, trust and safety, or operations and need a better understanding of corporate social engineering
  • Want stronger social engineering training that reflects how manipulation actually works in real conversations
  • Care about customer service fraud prevention, executive impersonation risk, and employee verification procedures
  • Need better information security awareness for teams that may be targeted by phone or internal-style scams
  • Want practical insight into social engineering techniques from someone who used to use them professionally

If you liked this episode, be sure to subscribe and review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts. It really helps with getting the word out.

Episode notes & key takeaways

This episode is one of those conversations that sticks with you because it makes the mechanics of manipulation feel very real. I’m talking with Robert from the perspective of what fraud teams, customer service teams, and business leaders can actually learn from someone who used to make a living getting people to say yes when they absolutely should not have. The stories are fascinating, but the bigger value is in the pattern recognition.

Why corporate social engineering works on smart people

Let’s break this down.

One of the biggest misconceptions about corporate social engineering is that it only works on careless employees. That is usually not true. It works on smart people all the time. It works on experienced people. It works on well-meaning people. And it works because the attacker is not trying to overpower the target. They are trying to guide them.

That is a very different thing.

Robert explains this really well because he understands the human side of the scam better than most people ever will. He knew how to build rapport quickly. He knew how to sound familiar. He knew how to keep someone talking just long enough to get them comfortable. And once that happens, people often start filling in the gaps themselves.

That is the part fraud teams should care about.

Because employee manipulation scams do not usually begin with something obviously absurd. They begin with something plausible. A question. A callback. A little urgency. A little confidence. Maybe a detail that sounds like it should be known already. And if the target is moving quickly or trying to be helpful, the whole interaction can start feeling normal before they have really stopped to think.

  • Corporate social engineering often succeeds because it feels routine in the moment
  • Phone-based social engineering works by lowering resistance through familiarity and pace
  • Social engineering techniques rely on human psychology much more than technical sophistication
  • Fraud prevention education should teach employees how manipulation sounds, not just how scams look

How ruse tactics turn conversation into access

Here’s what’s actually happening.

A good ruse is rarely just one lie. It is a sequence. A setup. A way of controlling the rhythm of the conversation so the other person feels like they are moving naturally through it. That is why ruse tactics can be so effective. The target does not feel like they are being tricked in real time. They feel like they are helping.

And that matters.

Because once someone is in that frame of mind, the social engineer can start turning small disclosures into larger ones. A little confirmation becomes a useful internal detail. A transfer becomes access to someone else. A casual answer becomes proof that the story is working. And suddenly the attack has momentum.

We have seen this playbook before.

Maybe not always with the same polish Robert describes, but absolutely with the same structure. The criminal is not asking for everything all at once. They are building a path. That is why company secrets theft and internal exposure often happen step by step, not in one giant, obvious move.

  • Ruse tactics work by building trust gradually instead of demanding too much too fast
  • Company secrets theft often begins with information that seems harmless in isolation
  • Phone-based social engineering turns normal conversation into a collection tool for later access
  • Social engineering training should show teams how small disclosures create bigger exposure

Why customer service and support teams are prime targets

This is where things get especially practical.

A lot of companies focus their social engineering concern on executives or security teams. Those groups matter, obviously. But customer service and support teams are often just as exposed, sometimes more. Because they are trained to help. They are measured on resolution. They are often expected to move quickly. And they sit close to account changes, exceptions, and sensitive information.

That usually does not end well without strong process.

This is exactly why customer service fraud prevention matters so much. A social engineer does not always need direct access to the most senior person in the company. They may just need the right support rep at the right moment. Someone who can confirm an account detail. Someone who can transfer a call. Someone who can override a step. Someone who wants to solve the problem instead of delay it.

Right.

That is what makes these attacks so uncomfortable. They exploit the exact instincts companies usually want in strong service teams. Helpfulness. Empathy. Speed. Confidence. Which means the fix cannot just be “be less helpful.” It has to be better structure.

  • Customer service fraud prevention is critical because support teams often sit close to access and sensitive workflows
  • Employee manipulation scams frequently target the people most likely to want to help
  • Corporate account security depends on support processes that do not rely on instinct alone
  • Social engineering training should be tailored for frontline teams, not just executives and security staff

Why employee verification procedures matter more than instincts

This is one of the clearest lessons in the whole episode.

You cannot build a reliable defense around hoping every employee will read every situation perfectly. That is not realistic. Especially not under pressure. Especially not when the person on the other end sounds calm, informed, and credible. That is why employee verification procedures matter so much. They create something stronger than instinct.

They create interruption.

And interruption is exactly what a social engineer hates.

Because once the target has to pause, verify, escalate, or move the request into a controlled process, the momentum of the ruse starts to break. The fraudster loses the conversational advantage. The target gets time to think. The request has to stand up to structure instead of personality.

That is a huge difference.

A few things worth tightening:

  • Employee verification procedures should be consistent enough that a good story cannot override them
  • Executive impersonation risk goes down when people verify requests outside the original conversation
  • Information security awareness improves when employees know exactly how to slow a suspicious interaction down
  • Corporate social engineering gets much harder when the process is stronger than the caller’s confidence

Why this conversation matters beyond one incredible story

Honestly, the biggest takeaway from this episode is pretty straightforward. Robert’s story is unusual, but the weaknesses he exposes are not. That is why this conversation is so useful for fraud teams and companies now.

The methods still work.

Maybe the names change. Maybe the target changes. Maybe the criminal is after account access instead of competitive intelligence. But the underlying structure is still familiar. A believable person. A plausible story. A well-timed request. A process that can be bent if the right employee feels just enough pressure to let it happen.

That is the part that holds up.

Corporate social engineering is still one of the most effective ways to get around smart people and expensive systems by going straight through human behavior. If companies want stronger corporate account security, they need better social engineering training, better customer service fraud prevention, stronger employee verification procedures, and a much more realistic understanding of how these conversations actually unfold.

Host
Karisse Hendrick
Ecommerce Fraud Prevention Consultant