Speaker: Andrew Nicholson, Film Scout & Location Manager
Background: 6+ years in Hollywood film and television production, credits include Black Lightning pilot and 2018 Dynasty reboot
Key Focus: Social engineering techniques used in film scouting and set security vulnerabilities in Hollywood productions
Introduction: The Film Scout's Social Engineering Playbook
Andrew Nicholson shares his experiences as a film scout, where his job involved convincing homeowners and businesses to allow film crews of 100+ people access to their properties using sophisticated social engineering techniques.
Core Challenge: "I've got maybe 30 seconds, maybe a minute at most through the door to get you disarmed and to let me inside and take some pictures. The first thing I'm gonna tell you is that I'm not here to sell you anything."
Film Scout Responsibilities:
- Receive scripts from producers/directors
- Find suitable houses, businesses, and locations
- Convince property owners to allow film crews
- Manage 100+ person crews and complex logistics
- Build support networks with neighbors and local officials
- Secure permits and handle legal requirements
"For six years, my job basically consisted of getting a script from a producer or director and then going out and finding a house, business, whatever, and then convincing them to let me bring a crew of about a hundred people in there to make a TV show."
Doorstep Social Engineering Techniques
Initial Approach Strategy
"I'm not here to sell you anything" - immediate disarming statement that breaks the expected salesperson script and creates curiosity.
Information Control
Based on homeowner response, control what information is shared. If they've never been approached before, share only positive aspects initially.
Objection Handling
If they've been approached before and said no, ask why and address specific concerns (horror films, inappropriate content, etc.).
Response-Based Strategy Matrix:
Never Been Approached
Control information flow, emphasize benefits, delay discussing negatives. "I get to control the information that I give them and I'm going to give them information that's going to get me a yes."
Previously Said Yes
Leverage positive past experience. "Not a problem, we're usually good to go." Build on established trust.
Previously Said No
Identify and address specific objections. "I'm going to ask why. I'm going to address their apprehensions and alleviate their concerns."
Performance Metrics: "The original team had about three months - they only found 20 houses that would agree to a film crew. My team had a month and we found 35 houses. That's how effective these techniques are."
Advanced Property Access Strategies
When Homeowners Aren't Present:
Leave Professional Letters
Create official-looking letters with property details. "I'm taking a picture of their house and writing down the address so when they call me back I can be like 'Well which house was it?'"
Act Like You're Being Watched
Maintain professional demeanor at all times. "You will not believe the amount of times I've left one of these letters and I'm five minutes down the road I get a phone call: 'We were watching you, you seem like a pretty honest guy.'"
Leverage Law Enforcement
Use police as unwitting allies. "If I'm at someone's fence and I'm peering through and the cops pull up... I am so-and-so, I'm trying to do this, do you know how to get in touch with this person?"
The Honesty Strategy:
"I'm going to be a hundred percent upfront with someone. I'm going to be super candid... I'm going to tell the truth so much, I'm gonna be so candid with you that when I lie you will have no reason to trust me or not to trust me... and you're also not going to have any way to verify that I'm lying."
Strategic Truth-Telling: "I could get in a lot of trouble for telling you this, but the producers really like your house." - Using apparent confidentiality to build trust while maintaining complete control of the narrative.
Institutional Access & Bureaucratic Exploitation
Accessing Different Types of Properties:
Government Buildings
Small towns often have minimal bureaucracy. "One town... 'you should talk to the mayor about that.' The mayor: 'Oh yeah, you guys want to come up here and film? Go for it. Do we need a permit? No, no, just come up here.'"
Universities & Institutions
Identify specific gatekeepers - campus relations managers, facility coordinators. Understand institutional hierarchies and approval processes.
Restricted Facilities
Former military bases and secure facilities. Guardian Center example: a former secret military base with nuclear weapons, now a disaster training center accessible through proper channels.
Regulatory Loopholes & Creative Solutions:
- Asbestos Buildings: Use OSHA 10-14 day work permits for filming in otherwise unusable buildings (Stranger Things lab example)
- Churches & Religious Institutions: Find alignment with values (LGBTQ-friendly church for gay sex scene in Dynasty)
- Property Managers: Leverage financial incentives - "They can make in a matter of days what might take a month normally"
- Common Security Failures: Addresses used as gate codes, birthdays used as combinations
Guardian Center Access: "This used to be a secret military base installed around the height of the Cuban Missile Crisis with nukes on grounds... The radiation level in one bunker is still too high to let me go in, but we filmed The 5th Wave there."
Film Set Security Vulnerabilities
Industry-Wide Security Problems:
Call Sheet Distribution
"Call sheets are given out like candy by PAs... I'd like to see them signed out and signed back in." Contains all information needed for pretexting.
Personal Email Usage
"People are used to working a job 2-3 months then moving on... using personal email for work including scripts, dailies, confidential information."
Lack of Security Training
"They're not getting security training, they're not getting any type of multi-factor authentication on their emails. Trust me, I've tried to talk my co-workers into this - it doesn't work."
Common Intruder Types on Film Sets:
Unintentional Bogeys
People who accidentally get trapped on set and are too scared to leave. "Someone standing on the street watching something, next thing he knows there's a film crew around him."
Intentional Bogeys
People who deliberately enter sets to see how long they can stay. "They're gonna walk right onto the film set and see how long they can stay until someone takes them off."
Malicious Extras
Legitimate extras who steal from other crew members. "Take someone that makes eight-nine dollars an hour and put them in a room with 200 purses - yeah, things are gonna go bad."
Universal Uniform Vulnerability: "A radio, a headset, and usually a fluorescent traffic vest. Unless you have specific gear that tells me if you're a grip or electrician, I'm just gonna think you're a PA or one of my people."
Social Engineering Detection & Prevention
Identifying Suspicious Behavior:
Behavioral Inconsistencies
"Extras aren't allowed to drink coffee. If I see someone who looks like a normal person drinking coffee, it's gonna give them away." Understand role-specific privileges and restrictions.
Wardrobe Mismatches
"I had someone try to sneak onto my film set wearing a bright pink shirt. The DP would never sign off on that - it throws off color temperature and camera settings."
Procedural Knowledge Gaps
"Extras aren't allowed to take bathroom breaks except at certain times, they have to be supervised. That's gonna give you away."
Verification Techniques:
- Wardrobe Verification: "Every piece of wardrobe has to be approved by a department head. Wardrobe assistants spend 3-4 hours on garments and can instantly identify fakes."
- Department Cross-Checking: "I'm going to go to a wardrobe assistant instead of a PA because they know every approved costume."
- Role-Specific Knowledge: Understand departmental hierarchies and communication patterns to identify inconsistencies.
"The people you see on the film set, they're not talking to each other. They all assume that if you get onto that film set that you're supposed to be there. That's the biggest security vulnerability."
Security Improvements & Best Practices
Implemented Security Measures:
Doubled Night Security
"We started doubling our security because we were finding our security guards were falling asleep. Instead, we double up now with an accountability system."
Integrated Security Positioning
"Put a security guard right in the middle of the set. When security works alongside crew members, they're more likely to identify and report intruders."
Dedicated Asset Protection
"Hire security guards purely to watch extras' equipment, purses, and bags. People want to work with us more because we have security watching out for their property."
Industry-Wide Security Recommendations:
- Call Sheet Management: Implement sign-out/sign-in procedures for sensitive documents
- Email Security: Provide security training and enforce company email usage
- Professional Security Staff: "Don't hire PAs as security guards for $9/hour. That's how people get robbed and shot."
- Crew Verification: Implement dual-check systems at parking and set entry points
- Information Sharing: Establish industry-wide security breach reporting
- Custom Bracelets: Use role-specific identifiers that are harder to fake than badges
- Social Media Enforcement: Strictly enforce no-photo policies and location sharing restrictions
Social Media Intelligence Example: "This took me about ten minutes on Instagram using common hashtags like #filmmaking, #firstdayshooting. Now I know some people that aren't going to be home for 12 hours today. Studios should really enforce their social media policies - this protects their employees who are getting robbed while working."
Key Takeaways for Security Professionals
Essential Security Principles:
- Assume trust is the default - Most people assume anyone on premises belongs there
- Understand industry-specific vulnerabilities - Each sector has unique security blind spots
- Leverage bureaucratic inefficiencies - Small towns and understaffed institutions often have minimal security
- Use strategic honesty - Being mostly truthful makes occasional lies undetectable
- Exploit procedural knowledge gaps - Understand role-specific behaviors and privileges
- Monitor social media intelligence - Public posts reveal security vulnerabilities and patterns
- Implement integrated security - Security personnel working alongside staff detect anomalies better
- Enforce consistent policies - From call sheet management to social media usage
- Train for behavioral detection - Teach staff to recognize procedural and behavioral inconsistencies
- Share security intelligence - Industry-wide information sharing prevents repeat incidents
Core Insight: "As a film scout, you can get into places that most people can't. That's what really attracted me to the job - it's like a dream come true for someone interested in access and social engineering. But this same access creates massive security vulnerabilities that malicious actors can exploit."
Red Team Applications:
- Use industry-specific pretexts and uniforms for physical penetration testing
- Leverage bureaucratic inefficiencies in government and institutional access
- Exploit the "assumption of belonging" that occurs in large, temporary organizations
- Monitor social media for operational security intelligence
- Test security through role-specific behavioral inconsistencies
- Identify and exploit procedural knowledge gaps in organizational security
"If I was still working in the industry, I would not be allowed to be up here talking about this right now. The film industry doesn't want to share information about their security faults and hazards because that's the last thing they want to do. But this information sharing is exactly what's needed to improve security across the industry."