
SOCIAL ENGINEERING DOES NOT NEED TO BE SOPHISTICATED. IT NEEDS TO BE INTERESTING.

2026-07-01 · Brian Deitch

With all the noise around Mythos, the feds supposedly shutting down Fable 5, and everyone arguing about what really happened, I saw an opportunity.

Not to hack anyone. Not to steal anything. Not to harvest credentials like some Temu APT group with a Canva subscription. I wanted to run a simple security awareness experiment and see if I could ethically lure people into doing the thing we all swear we would never do.

Click the dumb link.

Spoiler: they clicked the dumb link.

A lot.

The Setup

I posted a story on LinkedIn claiming that the real reason Fable 5 had been taken offline was not an NSA breach. No, no. It was much worse.

Hackers had allegedly used Claude Mythos to crack the most protected secret in American fast food history:

The KFC recipe. All 11 herbs and spices. Gone.

It was ridiculous. It was stupid. It was wrapped in just enough fake authority, AI hype, government panic, and breaking-news energy to make people pause for half a second and think:

"Wait. Is this real?" That half second is where phishing lives.

LinkedIn Took the Bait

I ran the post for 12 hours. In that window, the post generated:

44,000 impressions
302 likes
43 comments
15 reshares

The place where people put "AI Thought Leader" in their headline because they used ChatGPT to write a resignation letter.

The place where every third post is either a fake humility story, a startup founder crying near a whiteboard, or someone announcing they are "humbled" to be promoted to Vice President of Calendar Invites.

And still, this fake KFC breach story moved. That was the first lesson. People do not need to believe something fully to click it. They only need to be curious enough.

The Landing Page

The LinkedIn post sent people to a page on my website:

briandeitch.com/kfc

The page looked like an exclusive investigation. Dark theme. Big headline. Fake article. Fake urgency. Fake breadcrumbs. All the right security-theater cologne sprayed on top.

The headline:

Hackers Used Claude Mythos to Crack the KFC Recipe

The copy leaned into the joke. Supposed sources. Fake breach timeline. Colonel's ghost. Louisville kitchen systems. The whole thing was absurd. But absurdity does not kill social engineering. Sometimes absurdity helps it. Because people drop their guard when something feels like a joke. They stop evaluating the mechanics of the attack and start evaluating the entertainment value.

That is how attackers win. They do not always need fear. Sometimes they just need curiosity.

The Real Test Was Not the First Click

Getting people to leave LinkedIn was easy. That was not the real experiment. The real experiment was what happened next.

Once people landed on the fake article, I put a fake paywall in front of the rest of the "investigation." The page offered login options like you see everywhere now:

Continue with Phone Number. Continue with Google. Continue with Apple. Email me a one-time link.

The point was simple: Would people try to authenticate to read more? Would curiosity turn into action? Would a fake story about KFC, Mythos, the NSA, and fried chicken push people into a login flow? Yes. Yes it would. Because apparently the Colonel still has pull.

The Ethical Line

Here is where I had to stop myself. I really, really wanted to ask for first name, last name, and email. From a research perspective, that would have been fascinating. From a security awareness perspective, it would have been powerful. From a "let's ruin everyone's Thursday" perspective, it would have been electric. Can you imagine if I knew exactly who fell for the trick?

But I could not do it. There is a line between proving a point and becoming the villain in your own PowerPoint. So I did not collect credentials. I did not collect emails. I did not collect names. I did not capture anything sensitive. When users attempted to continue through the fake login flow, I hit them with the security awareness equivalent of a rolled-up newspaper or grandma hitting you with a flip flop:

Then it reminded them that stolen credentials are still one of the most common ways breaches begin. Again, no credentials were collected. No personal data was harvested. Nobody's work email got tossed into a spreadsheet called victims_final_final_REAL.xlsx.

This was an awareness demo. A spicy one, but still a demo.

The Numbers

Across roughly 12 hours, the KFC page received approximately:

2,200 visits

That alone is wild. But the fake login page is where it got interesting. You already know I'm about my father's business and I used Claude Code to gather as much information about how many times it was clicked. With that said, the next day I did get a nasty gram from Anthropic that I broke the rules, lol.

Out of those visits:

239 total clicks
115 unique IPs

That means more than 200 times, someone clicked toward the fake login experience to keep reading a fake article about AI cracking the KFC recipe.

Do not skip over that. This was not a malware attachment named invoice.pdf.exe. This was not a sketchy text message from "USPS Parcel Department Final Warning Unit." This was a LinkedIn post. On a professional network. Pointing to a personal website. With a fake article about chicken. And people still clicked the login path.
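What the fake paywall did server-side, and how the click numbers above were arrived at, can be shown together in one small handler. This is an added example, not code from briandeitch.com/kfc: it simulates a "Continue with X" button that discards whatever the visitor typed, keeps only the provider name and a salted hash of the client address for counting, returns the awareness message, and then summarizes total clicks and unique addresses the way the numbers section reports them. The provider names, the salt, the message text and the sample traffic are all constructed for the demo.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field

# Constructed salt for this demo only. A real deployment would generate it
# per run and never persist it, so the hashes cannot be joined to anything later.
SALT = b"constructed-demo-salt"

# Hypothetical message shown instead of a login form (not the page's exact wording).
AWARENESS_MESSAGE = (
    "This was a security awareness demo. No credentials were collected. "
    "Stolen credentials are still one of the most common ways breaches begin. "
    "Read the URL before you log in."
)

# The four options the fake paywall offered, as assumed provider identifiers.
PROVIDERS = {"phone", "google", "apple", "magic-link"}


@dataclass
class ClickLedger:
    """Everything the demo keeps: counts per provider and hashed addresses. No PII."""
    by_provider: Counter = field(default_factory=Counter)
    hashed_ips: set = field(default_factory=set)
    total: int = 0


def anonymize(client_ip: str) -> str:
    """Salted, truncated hash of the client address: good enough to count uniques,
    useless for identifying who clicked."""
    return hashlib.sha256(SALT + client_ip.encode()).hexdigest()[:16]


def handle_login_click(ledger: ClickLedger, provider: str, client_ip: str, form=None):
    """Simulated handler for a 'Continue with ...' click on the fake paywall.

    `form` is whatever the browser posted (an email, a phone number). It is
    deliberately never read: the ethical line in the post is that curiosity is
    measured, not harvested. Returns an (HTTP status, body) pair.
    """
    if provider not in PROVIDERS:
        return 400, "unknown provider"
    del form  # discarded unread on purpose
    ledger.total += 1
    ledger.by_provider[provider] += 1
    ledger.hashed_ips.add(anonymize(client_ip))
    return 200, AWARENESS_MESSAGE


def summarize(ledger: ClickLedger) -> dict:
    """The two numbers the post reports for the login path, plus a per-provider split."""
    return {
        "total_clicks": ledger.total,
        "unique_ips": len(ledger.hashed_ips),
        "by_provider": dict(ledger.by_provider),
    }


# Constructed sample traffic: (provider, client address, posted form body).
# Addresses are from documentation ranges; the form bodies exist only to show
# that the handler throws them away.
SAMPLE_CLICKS = [
    ("google", "203.0.113.5", None),
    ("google", "203.0.113.5", None),          # same visitor, second try
    ("apple", "198.51.100.7", None),
    ("magic-link", "192.0.2.44", {"email": "someone@example.com"}),
    ("phone", "192.0.2.45", {"phone": "+1-555-0100"}),
    ("magic-link", "198.51.100.7", {"email": "again@example.com"}),
]


def run_demo() -> dict:
    ledger = ClickLedger()
    for provider, ip, form in SAMPLE_CLICKS:
        handle_login_click(ledger, provider, ip, form)
    return summarize(ledger)


if __name__ == "__main__":
    print(run_demo())  # 6 clicks from 4 distinct addresses
```

The point of keeping only a salted hash is that "unique IPs" can still be counted honestly while the ledger itself would be worthless to anyone who got hold of it; that is the difference between an awareness demo and a credential-harvesting kit that happens to have a disclaimer.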

What Emails Would They Have Used?

Here is the part that should make every security team's eye twitch. Had I collected emails, what type of email do you think most people would have used?

Personal? Maybe. But my money is on work emails.

Because this happened on LinkedIn. People were already in professional mode. They were reading something framed as AI, security, government, and breach-related. That context matters.

A consumer scam hits different when it shows up in your personal inbox. But a professional-looking security story on LinkedIn? That feels adjacent to work. That feels researchy. That feels like something you can justify clicking between pipeline reviews and pretending to listen on a Zoom call. And that is exactly why attackers love professional platforms. You are not just attacking a person. You are attacking their context.

The Lesson

Users are still one of the weakest links. Not because they are stupid. Well, not always. Hey hey, calm down, I can say that, I do stupid things all the time. For instance, I microwave food at least three times a week, pick it up with my hand, think to myself "shoot this is burning your fingers... well then quick put it in your mouth." Not a recipe for success. They are humans. Humans are curious. Humans are busy. Humans skim. Humans trust familiar layouts. Humans trust professional platforms. Humans are bad at reading URLs when the headline gives them a little dopamine slap.

Security people love to pretend we are above this. We are not. Give the right person the right headline at the right moment and suddenly Doctor Zero Trust is clicking "Continue with Google" to find out whether the Colonel had a classified spice vault.

That is the point. Awareness training matters, but awareness training alone is not a strategy. Because someone will always click. Maybe not today. Maybe not this campaign. Maybe not this user. But eventually, someone clicks the shiny thing.

This Is Bigger Than Phishing

This brings us full circle. It does not matter whether the initial lure comes from:

A sanctioned SaaS app. An unsanctioned AI tool. A fake article. A browser plugin. Endpoint malware. A chatbot. An MCP server. A supply chain compromise.

Or some bald dude using Claude Code to turn his personal website into a fried chicken honeypot. The problem starts when identity gets popped like a due date.

Once that happens, the real question is not "How did they get in?"

The real question is:

How far can they go?

That is where most organizations still get cooked. Flat networks. Overprivileged users. Legacy VPNs. Implicit trust. Standing access. Internal apps exposed like they are begging to be on a breach report. That is how one bad click turns into a bad quarter. Or worse, a very exciting all-hands meeting where Legal suddenly has speaking time.

Why Zero Trust Still Matters

This is why proper Zero Trust controls matter. Not as a slogan. Not as a sticker on a booth wall. Not as a Gartner drinking game. Real Zero Trust. Reduce the attack surface. Minimize the blast radius. Verify continuously. Use least privilege. Secure entity A to entity B based on identity, context, intent, policy, and data. Stop assuming that because someone authenticated once, they should get the keys to the internal kingdom like they found the golden ticket in a Wonka bar.

And then make life miserable for attackers. Use decoys. Internal decoys. External decoys. Breadcrumbs in Active Directory. Fake admin portals. Fake API keys. AI-based decoys that look like chatbots. Fake MCP resources. Fake internal tools. Fake data trails.

Give attackers something to touch that lights them up like a raccoon in a motion-sensor floodlight. Because if you cannot stop every click, you better be damn good at containing what happens after the click.
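The decoy idea in the two paragraphs above is only useful if touching a decoy actually raises an alarm. The following is an added example, not anything from the post or from a particular product: a small inspector that checks each incoming request against an inventory of planted fakes (a decoy API key, a fake admin portal path, a fake internal MCP hostname) and emits an alert naming where the decoy was planted, which is what tells the responder what the intruder has already read. Every decoy value, hostname and sample request here is constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory. Each value was planted on purpose and never issued
# to a real user or service, so any use of it is an alert by definition.
# The "planted_at" text records where the bait lives, which is the forensic value.
DECOYS = {
    "api_key": {
        "DECOY-KEY-PLACEHOLDER-0001": "wiki page 'Billing API integration notes'",
    },
    "path": {
        "/admin-legacy/": "fake admin portal linked from an internal README",
    },
    "hostname": {
        "mcp-payroll-int.example.internal": "fake MCP resource in the tool registry",
    },
}


@dataclass(frozen=True)
class Alert:
    kind: str        # api_key | path | hostname
    value: str       # the decoy that was touched
    planted_at: str  # where the decoy was placed, so you know what was read
    source_ip: str
    user: str


def inspect_request(req: dict) -> list:
    """Return a list of Alerts for every decoy this one request touches.

    `req` is a constructed dict: {"src", "user", "host", "path", "headers"}.
    Legitimate traffic never matches because the decoy values exist nowhere else.
    """
    alerts = []
    src, user = req.get("src", "-"), req.get("user", "-")

    # Decoy API key presented as a bearer token.
    auth = req.get("headers", {}).get("Authorization", "")
    m = re.match(r"Bearer\s+(\S+)$", auth)
    if m and m.group(1) in DECOYS["api_key"]:
        key = m.group(1)
        alerts.append(Alert("api_key", key, DECOYS["api_key"][key], src, user))

    # Fake admin portal: any request under the decoy prefix counts.
    path = req.get("path", "")
    for prefix, planted_at in DECOYS["path"].items():
        if path.startswith(prefix):
            alerts.append(Alert("path", prefix, planted_at, src, user))

    # Fake internal hostname that only appears in a planted config entry.
    host = req.get("host", "")
    if host in DECOYS["hostname"]:
        alerts.append(Alert("hostname", host, DECOYS["hostname"][host], src, user))

    return alerts


def scan(requests: list) -> list:
    """Run the inspector over a batch of requests and flatten the alerts."""
    return [alert for req in requests for alert in inspect_request(req)]


# Constructed sample traffic: three ordinary requests and two that touch decoys.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.12", "user": "jsmith", "host": "billing.example.internal",
     "path": "/api/v1/invoices", "headers": {"Authorization": "Bearer REAL-KEY-PLACEHOLDER"}},
    {"src": "10.0.0.12", "user": "jsmith", "host": "billing.example.internal",
     "path": "/api/v1/invoices/42", "headers": {}},
    {"src": "10.0.0.77", "user": "svc-build", "host": "ci.example.internal",
     "path": "/status", "headers": {}},
    # Someone read the wiki page and tried the planted key.
    {"src": "10.0.0.201", "user": "jsmith", "host": "billing.example.internal",
     "path": "/api/v1/invoices", "headers": {"Authorization": "Bearer DECOY-KEY-PLACEHOLDER-0001"}},
    # Someone followed the README link to the fake admin portal on the fake MCP host.
    {"src": "10.0.0.201", "user": "-", "host": "mcp-payroll-int.example.internal",
     "path": "/admin-legacy/login", "headers": {}},
]


if __name__ == "__main__":
    for a in scan(SAMPLE_REQUESTS):
        print(f"ALERT {a.kind}: {a.value} from {a.source_ip} ({a.user}); planted at {a.planted_at}")
```

Two design choices matter here. First, decoy values are matched exactly and exist nowhere legitimate, so the detector has essentially no false positives and a single hit justifies a response. Second, the alert carries the planting location, not just the value: the same source touching the wiki key and then the README portal tells you which internal documents have been read, which is the "how far can they go" question the post says most organizations cannot answer.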

Final Thought

A fake KFC breach story should not work. A fake Mythos article should not drive thousands of visits. A fake paywall should not get hundreds of login clicks. And yet, here we are. That is the lesson. Social engineering does not need to be perfect. It does not need to be sophisticated. It does not need to be written by a nation-state genius in a hoodie surrounded by green monitors. Sometimes it just needs to be funny, timely, professional-looking, and one click away. The attacker does not need everyone. They need someone.

For 12 hours, I dangled a bucket of fake fried chicken in front of LinkedIn and watched professionals walk straight into the awareness trap. No credentials were collected. No personal data was captured. No users were harmed in the making of this nonsense. But the point was made.

If people will click through a fake login flow to read about the KFC recipe getting hacked, they will absolutely click through something that looks like payroll, DocuSign, Salesforce, Okta, Workday, Microsoft, Google, or an AI tool their boss mentioned once on a forecast call.

Train your users. Protect your identities. Shrink your blast radius. And for the love of all 11 herbs and spices, stop pretending a bad click is a user problem only. It is an architecture problem. And attackers know it.

Tags: phishing, social-engineering, linkedin, zero-trust, security-awareness, kfc