
Why Robbing Banks Is Easy (And Why That Should Terrify You)

A globally recognised ethical hacker shares real social engineering stories from legally robbing banks across five continents. The tools change. The human vulnerabilities don't.


Fifteen years ago, I walked into DEF CON 19 and showed a room full of hackers how absurdly easy it was to rob a bank. Not with zero-days or sophisticated malware. With a suit, a rubber ducky USB, and the confidence to walk through the front door like I owned the place.

The crowd loved it. We laughed. We shared the footage of me casually plugging devices into terminals, chatting with tellers, and walking out with access to systems that held millions of dollars.

Here’s the part that’s not funny: I just did the same thing recently. Different bank, different continent, same result. Social engineering. Still undefeated.

The more things change…

You’d think that after billions spent on cybersecurity, threat intelligence platforms, AI-powered defenses, and an entire industry built around protecting financial institutions, things would be different by now.

You’d be wrong.

Sure, the tech has evolved. The phishing emails are more convincing (thanks, ChatGPT). Voice cloning makes vishing scary good. And yes, your EDR solution can probably detect malware better than it could in 2011.

But here’s the uncomfortable truth: the fundamentals haven’t changed at all.

When I walked into that bank in 2011, I didn’t need advanced persistent threats or nation-state tools. I needed:

    • A decent suit
    • A plausible story
    • The confidence to look like I belonged there
    • An understanding of human psychology

Fifteen years later? Same playbook. Same results.


What’s actually different (spoiler: not much)

The bait has changed, but the fish are still biting.

Back in the day, phishing was like shooting fish in a barrel. “Click here to verify your account!” worked on pretty much everyone. Now? We’ve gotten more creative. We’re using solar eclipse campaigns, fake vendor emails, and AI-generated content that passes the sniff test.

But it still works. People still click. Why? Because we’re testing human nature, not just technical controls.

Voice cloning? Yeah, that’s new and genuinely scary. I can clone your CEO’s voice with about three seconds of audio pulled from a YouTube video. But you know what’s even more effective? Just calling someone and sounding confident. No AI needed.

Those born in the 1900s weren’t ready for vishing in 2009. Gen Z isn’t magically immune to social engineering in 2026. The attack vector changes; the vulnerability doesn’t.

The real problem: we’re testing for audits, not attackers

Here’s where I’m going to make some pentesters mad (sorry, not sorry).

Most security testing is compliance theater. It’s designed to check boxes, satisfy auditors, and make board members feel warm and fuzzy. It’s not designed to show you how you’ll actually get breached.

When’s the last time a real attacker:

    • Scheduled their attack during business hours only?
    • Gave you a detailed scope document beforehand?
    • Avoided certain targets because they were “out of scope”?
    • Stopped testing because they hit a dead end?

Never. That’s when.

Cybercriminals don’t care about your pentest schedule. They don’t avoid the legacy system that “isn’t ready for testing yet.” They don’t politely exclude executives from social engineering campaigns because HR said so.

They attack 24/7/365. They go after your weakest link, whether that’s in scope or not. And when they hit a dead end? They find another way in. Because unlike your annual pentest, they’re not working against a clock.

A dead end is not failure. It’s proof.

One of my favorite moments from any engagement is when we hit what looks like a wall. The client’s defenses work. The alert fires. The SOC team catches us.

That’s not failure. That’s exactly what we’re looking for.

Because now we know what’s working. We can show you where your detection is solid, where your team responds well, and crucially where the gaps still exist.

But here’s the thing: we don’t stop there. Real attackers don’t shrug and go home when they hit EDR. They pivot. They try the physical approach. They go after the supply chain. They wait.

If your security testing stops at the first successful defense, you’re not learning what you need to learn.

What actually works (hint: it’s not more blinky boxes)

I’ve robbed banks (legally, with permission – please don’t arrest me) on five continents. I’ve walked into hospitals, cryptocurrency exchanges, SaaS companies, and government facilities. I’ve seen security programs that work and plenty that don’t.

The security programs that actually work share one thing: they think like attackers, not auditors.

They understand security isn’t about preventing every attack. It’s about knowing where you’re vulnerable, detecting threats when they happen, responding fast enough to limit damage, and learning from each attempt. I’ve always said it: prevention is the aim, but it’s your detection speed and response that decide whether your company survives.

This isn’t revolutionary. It’s just… rare.

The uncomfortable questions you should be asking

If you’re responsible for security at a bank, a healthcare provider, a crypto exchange, or any organization that handles valuable data (so, basically everyone), here are some questions to lose sleep over:

Could someone walk into your building and plug a device into your network? Be honest. Not “do we have badge readers?” but “could a confident person in business casual talk their way past reception?”

When was the last time your security testing happened outside business hours? Attackers don’t work 9-5. Why does your red team?

Does your scope reflect how real attackers think? Or does it reflect what’s politically safe to test?

If your phishing training works so well, why does the latest campaign still get a 15% click rate? (And that’s probably under-reported because people are embarrassed to admit they clicked.)

What happens after your annual pentest ends? Does someone fix the findings? Or do they sit in a report that gets filed away until next year’s test finds the same issues?

Stop preparing for audits. Start preparing for adversaries.

The reason robbing banks is still easy has nothing to do with technology. It has everything to do with how we approach security.

We’ve built massive security programs designed to pass audits, satisfy compliance frameworks, and look impressive in board presentations. But we haven’t built programs designed to stop determined attackers who don’t care about scope, schedules, or playing nice.

The fix isn’t more tools. It’s not another acronym-based framework. It’s not even better training (though that helps).

It’s changing how we think about security testing.

Test like your attackers attack: continuously, creatively, and without artificial limitations. Give your defenders the chance to practice against realistic scenarios, not sanitized simulations. Accept that finding vulnerabilities is the goal, not an embarrassment to hide.

And maybe the next time someone like me tries to walk into your bank, but now with a BashBunny 2 or O.MG Cable and a smile, your team will catch me before I get to the teller line.

Though honestly? After 15 years of this, I’m not holding my breath.

Want to see what your defenses actually look like against real-world attacks?

Get in touch.


Jayson E. Street is a Swarm Fellow at CovertSwarm and has legally “robbed” targets across five continents to help organizations understand their real security posture. He’s been asking uncomfortable questions about security for over 15 years and has no plans to stop.