Can you provide an overview of your background? How did you become known as “The People Hacker”?
I had always done Social Engineering in terms of using the human element of organizations and cracking security systems using psychology, body language and other “soft skills.” I was also a consultant and trainer and spent a lot of time speaking at conferences and traveling. I only started promoting the Social Engineering side of things a few years ago, as I had mostly worked alone and hadn’t thought it was something that was widely recognized. After I did some work in the private security industry, I got asked to do some conference talks on the subject and was interviewed by a “journalist” who dubbed me “The People Hacker.” It fitted what I did and the name stuck.
Can you help us trace the evolution of social engineering attacks? When did “human hacking” become common? Why?
Social Engineering is really just the latest term for cons, scams and hustles, so it’s been around as long as humans have lied to each other to gain advantage! The term has become more widely recognized in the security industry as organizations have begun to recognize that there is a “human element” involved in many attacks and breaches. Fortunately, awareness is growing and people are becoming more aware of the contribution “human hacking” plays alongside more technical hacks and scams.
What are some of the new, emerging ways cybercriminals are using social engineering techniques to attack corporations? Which industries are at the most risk? Which lines of business are at the greatest risk?
Social Engineering plays a large part in many cyber-attacks because, as technology becomes more sophisticated on the defense side, people can be much easier to fool than the technology. Additionally, malicious social engineers are always looking to “turn employees” into insider threats, whether intentionally or knowingly or not. The evolution comes in more targeted spear-phishing attacks that are specifically aimed at individuals or firms, rather than more broad-brush techniques such as standard phishing emails that rely on a percentage of people who are always going to click on malicious links, etc.
In terms of which industries are at risk, unfortunately most companies are worth attacking, as any and all information can be useful or valuable, even if just as a link in a chain to customers, clients and suppliers. What puts a business at risk isn’t what it does but rather how it behaves, and a lack of awareness, and therefore of protection, is very key as to who is hacked and how.
Can you provide two or three real-world examples of social engineering being used to access corporate data?
Most “hacks” that make the news involve some form of social engineering. From Edward Snowden to Ashley Madison, a “human factor” formed part of the attack, even if it was after the event or as part of a more technical attack. I have seen many examples of information being harvested from social media and used to profile individuals as a way of getting into the companies they work for. The target is profiled and then spear-phished as a conduit to the organizations they work for and the access they have within them. I recently worked with an organization that lost a seven-figure sum of money through one of their accounts staff being socially engineered via telephone and email conversations over several months. By the time the attacker asked the staff member to change address details on an invoice, they felt familiar enough with the individual to trust them and didn’t question what they were being asked to do. The Social Engineer had spent months chatting and exchanging (false) details with the accounts staff member but had never raised suspicion because it was done so patiently and in a low-key way. Suspicion was not aroused, and it wasn’t until the financial audit was done weeks later that the fraud came to light.
Another example involved an attacker posing as a journalist looking to interview the CEO and meeting him in his office. Again, by the time they were chatting and sitting at his desk, the target trusted them and left them alone for long enough for his phone and computer to be compromised. These may not sound like sophisticated technical hacks, but they are equally damaging and efficient in their execution.
What can security professionals do to protect their organization from these types of attacks?
The key to protection starts with staff awareness of what suspicious behavior looks like and giving staff clear instructions on what to do if their suspicion is aroused. There need to be clear and easy procedures for staff to report any behavior that they find suspicious and, crucially, a commitment to supporting people when they fall victim to these scams or flag a genuine customer or client by mistake. If staff feel they will be blamed or punished either for becoming a victim or for reporting a false flag, then the company is working with the social engineer and not with its own people.
People should also be made aware of the dangers of “oversharing” on social media and need to understand how they provide links in the chain used to attack an organization. Once they understand how their own personal details and information can be used to contribute to an attack, it becomes personal, and that is a good way to get engagement and further commitment from staff. The problem isn’t cured by throwing money at the situation or by ticking boxes, but rather by all companies knowing their employees well and supporting them over time to increase overall security awareness.
What’s the future of social engineering? How do you see these techniques evolving in the next 5-10 years?
Social Engineering will adapt with the technology. Years ago, if a social engineer was looking to attack a target, there was a lot of surveillance and person-to-person work involved. Social media has made the job easier and faster, and people are much more exposed as a result. However, the attack methods and payloads haven’t really changed, so the future of social engineering is that it will keep up with, and use, the tech to continue to manipulate people into courses of action that are not in their interests. Wherever technology exists, people look to get around it, and that will continue to be the case with social engineering.
Is there anything we didn’t discuss that you would like to share? Anything else you find interesting about this topic that you haven’t addressed in the questions above?
I would just reiterate that whilst social engineering, or “people hacking,” is now, and has always been, a threat to both individuals and organizations, the answer has always been the same, and it also lies with people. Attacks that focus on people can be foiled by people, and in that there is hope for us all.
Find out more at jennyradcliffe.com