6 lessons from a social engineer

What is social engineering? Sophie Jellema works as an ethical social engineer and answers 6 of the most frequently asked questions about social engineering and phishing.


People often ask us: what exactly is social engineering and what can I do against it? A hacker needs information to access a network or system. Passwords, for example. To obtain them, criminals use social engineering. But how does that work? Psychologist Sophie Jellema answers 6 questions about social engineering.

1. What is social engineering?

Social engineering is hacking people, says Sophie Jellema. She is a psychologist at Bureau Veritas Cybersecurity and helps companies as an ethical social engineer. "A social engineer understands how people work and how to get information out of a person. When we think of hacking, we think of cracking codes. But you can also hack people. We see this happening more and more, as companies get better and better at technically securing their information. Criminals are choosing the easiest way in, and that is: people."

Using a workaround

You don't have to be a psychologist to get information out of people, Jellema says. "It's about understanding how people work. Suppose I want to find out your password. I could ask directly, but you'd probably say no. So I use a workaround. I say, 'Isn't it annoying to type 14 characters every time?' You might say, 'No, there are only 8.' Now I know something about your company's password requirements. Because people like to tell their stories, you can find out a lot of information." Criminal social engineers often sell such seemingly harmless details on through their networks, where they are combined into a complete attack.


2. How does a social engineer work?

"I usually use the phone when I hunt for passwords," says Jellema. "I only do this with a company's permission. When I call an employee, I usually pretend I'm someone from IT. I say, 'We see some strange activity on your account, can you help me check it?' I act as if I can see their account. I might ask, 'Is your computer slow?' Computers are always slow, so that's where I get my first 'yes.' I reassure them, we talk."

Within 2 minutes

"Then I say, 'Everything looks good here. You logged on at 8:30, is that right?' Most people log on around 9:00, so that's usually correct. Then I say, 'I also see a password reset here. Was that you? Hm, your password is now 'welcome01'. That can't be right, can it? I'm afraid I do need the right password, can you spell that out for me?' On average, 60% of the people I talk to on the phone give me their password. Within about two minutes."

3. What psychology does a social engineer use?

On the phone, Jellema uses the principles of persuasion described by American psychologist Robert Cialdini: six in his 1984 book Influence (reciprocity, commitment and consistency, social proof, authority, liking and scarcity), with a seventh, unity, added in later work. For example reciprocity and liking, which Jellema calls sympathy. These principles come from marketing, and they work very well to get information out of people. "I might say, 'It looks like something is being diverted from your account right now. I want to solve this for you, but I need your help.' The rules of sympathy and reciprocity apply here. I create a little panic with some time pressure and at the same time I am very sympathetic and understanding; if I help you, you help me."

Guilt

Jellema uses the same tricks as real scammers. "If this were not my job, I would feel incredibly guilty. That's why I always have a follow-up conversation with people I've 'scammed' right away. I tell them what I did, why they might have fallen for it. They may be shocked, so I reassure them. I also always give them my real name afterwards, and I make it very clear that I did this on behalf of their employer."


4. Is phishing social engineering?

There are many forms of social engineering. The best known is phishing. You can fish for information in many ways, Jellema explains: "What I do on the phone is called voice phishing, or vishing. And of course everyone knows e-mail phishing. We also see smishing: phishing via SMS. In the Netherlands, for example, fake text messages from the tax authorities are going around: Please pay us 17.95 euros."

Customized phishing

Lately, Jellema and her colleagues have been seeing more "customized phishing": large-scale, automated campaigns in which each e-mail or text message is personalized to its recipient. "Criminals scrape information from social media for this purpose. The message seems completely meant for you. It's not just, 'Hey, first name, last name,' but also, 'You've been working for this company for four years.'"

Bait

Whichever form of social engineering is involved, according to Jellema, it is always about gaining your trust or piquing your interest. In baiting, the social engineer uses "bait," as the name suggests: "For example, I can attach an interesting attachment to an e-mail and 'accidentally' send it to the whole company. Maybe the file name is 'Bonuses management next year.' My malware is hidden in that file."

Pretexting

Pretexting means pretending to be someone else to gain trust. This often involves several steps. A social engineer may pretend to be someone's daughter, texting from an unknown number because her phone was supposedly stolen. Once the recipient believes that excuse, the social engineer asks for money to be transferred to "a friend's account", because not only the phone but also the wallet has been stolen. Each step builds on the trust established by the previous one, which is why the request for money only comes after the story has been accepted.

5. Are there any other examples of social engineering?

A social engineer often uses technology to hack people. But you can also get the job done without using a computer or phone, says Jellema: "I sometimes do physical pentests. I literally get paid to break in. Recently, for example, I did a job in a museum. The assignment was: how far can you penetrate the building? When someone opened a door with their access pass, I put my foot in the door. That's how I got into the corridor that led to the restoration studio."

Toilet stall

An assignment like this can be quite nerve-wracking, Jellema says: "This corridor was hermetically sealed. I saw a camera. A little further on was the guard's shack. Nowhere to hide, except in a restroom. So: I hid in a toilet cubicle for 10 minutes. Finally, the head guards intercepted me and didn't let me go. That's what happens ideally: don't lose sight of me. A guard can drop me off at the front desk, but if they leave me alone, I won't stay put, just like a real social engineer."

6. What can you do against social engineering?

Suppose you're in the office and you see someone who doesn't belong there. What should you do? Jellema advises, "Don't let people without a pass enter the building after you. That may feel a little rude, but I always say to strangers who try to follow me inside, 'I'm sorry, but we agreed to keep this building safe together. So I can't let you in if I don't know what you're doing here.'"

To the front desk

If an unauthorized person is already in the building and the situation feels safe: address the person. "Say, 'Excuse me, I don't know you. What are you doing here?' If someone appears unauthorized, escort them to the front desk or to a contact person, if one has been named. There is no need to handcuff someone. Keep it friendly."

Report

Maybe you're on the phone with someone and you don't trust them. In that case, Jellema advises, "Don't share information. If you already have: end the conversation and report it as soon as possible to someone who can investigate."

"In the Netherlands we have the slogan: 'Stop, hang up, call your bank.' Really do that! Clicked on a strange link on your laptop at work? Call IT. Anyone can be distracted on a Friday afternoon. It happens to me, too: I fall for phishing emails. But report it."

Why choose Bureau Veritas Cybersecurity

Bureau Veritas Cybersecurity is your expert partner in cybersecurity. We help organizations identify risks, strengthen defenses and comply with cybersecurity standards and regulations. Our services cover people, processes and technology, ranging from awareness training and social engineering to security advice, compliance and penetration testing.

We operate across IT, OT and IoT environments, supporting both digital systems and connected products. With over 300 cybersecurity professionals worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a global leader in testing, inspection and certification.