Fraudology

Social engineering tricks: A former corporate spy explains the art of the ruse

Guest: Robert Kerbeck

Today I’m revisiting one of the most memorable conversations I’ve had on Fraudology, and honestly, it still holds up. In this episode, I talk with Robert Kerbeck, author of Ruse, about social engineering tricks, corporate espionage, and how surprisingly easy it can be to get people to hand over sensitive information when the approach feels familiar, friendly, or urgent.

This episode was originally released earlier in the year, and it ended up being one of the most requested picks for this best-of replay. That makes sense. Even if you do not work in fraud every day, this conversation is fascinating. But if you do work in fraud, risk, trust and safety, customer experience, or security, there is a lot here that matters. Because at first glance, social engineering can sound like a people problem. But when you look closer, it is really a systems problem too. It exposes weak processes, inconsistent verification, and all the places where trust gets assumed instead of confirmed.

Robert’s background is unusual, to put it mildly. He started as an actor, then became deeply involved in corporate espionage, using social engineering phone calls and carefully built personas to get employees and executives to reveal information they absolutely should not have shared. And that is exactly why this conversation is so useful. He understands how these ruses worked from the inside.

What I appreciate most about this discussion is that it is not just storytelling. Yes, Robert has incredible stories. But he also explains the mechanics behind them. How he built trust. How he read people. How he got past hesitation. And why smart, well-intentioned employees were still vulnerable. That is the part fraud teams should care about.

Here is what that means in practice:

  • Social engineering tricks often work because they feel ordinary, not obviously malicious
  • Employee security training needs to go beyond awareness and include realistic process controls
  • Customer service fraud prevention is critical because support teams are often targeted for access and overrides
  • Fraud and social engineering overlap more than many companies realize, especially when account access or internal information is the goal

What you’ll hear in this episode:

  • How Robert Kerbeck used social engineering tactics to pull sensitive company information out of employees over the phone
  • Why corporate espionage often succeeds by exploiting trust, routine, and human connection instead of technical vulnerabilities
  • What social engineering phone calls sound like in practice and why they can be so effective
  • How companies can improve social engineering training without making it boring or forgettable
  • Why customer service fraud prevention and internal verification procedures matter so much in stopping these attacks

You should listen to this episode if you:

  • Work in fraud prevention, trust and safety, support, security, or operations and want a better understanding of social engineering attacks
  • Are responsible for employee security training or information security training and need examples that actually stick with teams
  • Want to improve corporate security awareness without relying only on generic annual training
  • Need to think more clearly about account takeover prevention and internal access risk
  • Care about how fraud teams can reduce the success rate of social engineering tricks before they become bigger losses

If you liked this episode, be sure to subscribe and review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts. It really helps with getting the word out.

Episode notes & key takeaways

Why social engineering tricks work so well on smart people

Let’s break this down.

One of the most important points in this episode is that social engineering tricks do not work because employees are careless or unintelligent. They work because people are busy, they want to be helpful, and they are used to making quick judgment calls based on tone, familiarity, and context. That is exactly the kind of vulnerability criminals look for.

Robert explains this from a perspective most of us do not get to hear very often, because he used to be the person making those calls. He understood how to sound credible. He understood how to mirror a person’s energy. And he understood how to guide a conversation just enough to get someone to fill in the gaps for him.

That matters.

Because when companies think social engineering awareness starts and ends with “do not click suspicious links,” they miss a huge part of the problem. A lot of social engineering attacks happen through conversation. Through pressure. Through rapport. Through what feels like a normal request from the right person at the right time.

Here is what stands out:

  • Social engineering tactics often rely on trust signals, not technical sophistication
  • Social engineering phone calls can feel routine, which lowers people’s guard
  • Social engineering attempts aimed at company secrets often begin with small asks that build toward bigger disclosures
  • Fraud prevention training needs to address manipulation, not just suspicious emails and links

What a corporate spy can teach fraud teams about process weakness

This is where things get interesting.

Robert’s story is remarkable on its own, but the deeper lesson is about process failure. A corporate spy does not succeed just because they can act well. They succeed because organizations leave too much room for verbal overrides, informal exceptions, and unverified trust.

I have seen versions of this playbook before.

Whether the target is an ecommerce support team, a payments operation, a bank contact center, or a back-office employee, the pattern is familiar. Someone sounds informed. They sound legitimate. They create urgency or connection. Then they ask for just enough information, access, or help to move one step closer to what they really want.

And this is why fraud teams should care. Because social engineering attacks are not separate from fraud operations. They often sit upstream of account takeover, internal compromise, refund abuse, payment fraud, and customer harm.

A few practical takeaways:

  • Corporate espionage often exposes weak internal verification controls more than weak people
  • Employee security training should include scenarios involving phone calls, internal requests, and executive impersonation
  • Account takeover prevention gets harder when attackers can socially engineer support teams into bypassing controls
  • Customer service fraud prevention should include strict authentication rules and escalation requirements

Why training has to be memorable to change behavior

Honestly, this is one of the most useful parts of the conversation.

A lot of companies do social engineering training because they know they are supposed to. But the training is generic, forgettable, and disconnected from the situations employees actually face. That usually does not end well.

Robert shares examples that are compelling because they are real. You can see how the ruse develops. You can hear how the trust gets built. And you can understand why someone might go along with it even when they know, in theory, that they should be cautious.

That is the part effective social engineering training should focus on.

Not fear. Not lectures. Not checkbox compliance. Real examples. Real friction points. Real procedures. And enough repetition that employees know what to do when a request feels just plausible enough to slip through.

What strong training should reinforce:

  • Social engineering awareness works better when employees understand the manipulation pattern, not just the rule
  • Information security training should show how attackers build credibility step by step
  • Fraud prevention training needs to be relevant to each team’s actual workflow
  • Corporate security awareness improves when companies make reporting and escalation easy and expected

Why customer-facing teams are often the soft spot

If you work in fraud, this probably sounds familiar.

Customer service and support teams are often trained to solve problems quickly, reduce friction, and help good customers. That is important. But it also creates openings. Because an attacker only needs one representative to bend a rule, skip a step, or trust the wrong story.

Not exactly subtle.

And yet it works all the time.

That is why customer service fraud prevention deserves more attention in conversations about fraud and social engineering. These teams are often the bridge between identity, access, and money movement. They reset passwords. They change account details. They unlock accounts. They override normal friction. So when they are targeted with a convincing ruse, the consequences can spread fast.

This is where companies need stronger coordination between fraud, security, and support leadership.

A few things worth tightening:

  • Social engineering attacks frequently target support workflows because they offer fast paths to access
  • Customer service fraud prevention should include callback procedures, layered verification, and restricted override authority
  • Fraud and social engineering intersect when service teams are used to enable downstream abuse
  • Social engineering training should be tailored for frontline teams, not copied from general security materials

Why this conversation still matters

The big takeaway from this episode is pretty straightforward. Social engineering tricks are not new, but they are still one of the most reliable ways to get around smart people and expensive systems. That is why this replay still matters.

Robert’s story is unusual. But the weaknesses it reveals are not. Companies still struggle with trust-based requests, inconsistent verification, and training that does not match real-world pressure. And until that changes, social engineering attacks will keep working.

For fraud teams, the lesson is not just “be careful.” It is to build processes that do not depend on perfect human judgment every time. Train people well. Make verification non-negotiable. Support your frontline teams. And do not assume a friendly voice on the phone means the request is safe.

That is the part that holds up.

Host
Karisse Hendrick
Ecommerce Fraud Prevention Consultant