What is social engineering and what can you do about it?

Psychologist Sophie Jellema

People often ask us: what exactly is social engineering, and is there anything I can do about it? A hacker needs information to penetrate a network or system. Passwords, for example.

To obtain these, criminals use social engineering. But how does it work? Psychologist Sophie Jellema answers 6 questions about social engineering.

1. What is Social Engineering?

Social engineering is hacking people, says Sophie Jellema. She is a psychologist at Secura and helps companies as an ethical social engineer. ‘A social engineer understands how people work and how you can retrieve information from a person. When we think of hacking, we think of cracking code. But you can also hack people. We see this happening more often, because companies are getting better at securing their information technically. Criminals choose the easiest way in, and that is: humans.’

Using a detour

You don’t have to be a psychologist to extract information from people, says Jellema. ‘It’s about understanding how people tick. Say I want to figure out your password. I could ask you directly, but you would probably say no. So I use a detour. I say: ‘Isn’t it annoying to type 14 characters every time?’ You might say: ‘No, it’s only 8.’ Now I know something about your company’s password requirements. Because people like to tell their story, you can retrieve a lot of information.’ Social engineers often sell this information through criminal networks.

Sophie Jellema doing a vishing call

2. How does a social engineer work?

‘I mostly use the phone when I go hunting for passwords,’ says Jellema. ‘I only ever do this with a company’s permission. When I phone an employee of the company, I usually pretend to be someone from IT. I say: ‘We’re seeing some strange activity on your account, will you help me check this?’ I pretend I can see their account. I might ask: ‘Is your computer slow?’ Computers are always slow, so that’s where I get my first ‘yes.’ I reassure them, we talk.’

Within 2 minutes

‘Then I say: ‘Everything looks fine here. You logged in at 8:30 am, is that correct?’ Most people log in around 9:00 am, so that’s usually right. Then I say: ‘I’m also seeing a password reset here. Was that you? Hm, your password is now ‘welcome01’. That can’t be right, surely? I’m afraid I do need the correct password, could you spell it for me?’ On average, 60% of the people I speak to on the phone give me their password. Within about two minutes.’

3. What psychology does a social engineer use?

On the phone, Jellema uses the 7 principles of persuasion drawn up by the American psychologist Robert Cialdini in 1984. For example: reciprocity and sympathy. ‘These principles come from marketing, and they work very well to get information out of people. I might say: ‘It looks like something is being channeled off your account right now. I want to fix this for you, but I need your help.’ The rules of sympathy and reciprocity apply here. I create a bit of a panic with some time pressure and at the same time I'm really sympathetic and understanding; if I help you, you will also help me.’

Feeling guilty

Jellema uses the same tricks as real scammers. ‘If this weren’t my job, I would feel incredibly guilty. That is why I always have a follow-up interview straight away with people I’ve ‘swindled’. I tell them what I did, why they might have fallen for it. Maybe they are shaken, so I reassure them. I also always give them my real name afterwards, and I make it really clear that I did this on behalf of their employer.’

Social engineering has many forms

4. Is phishing social engineering?

There are many forms of social engineering. The best-known is phishing. You can fish for information in all kinds of ways, Jellema explains: ‘What I do on the phone is called voice phishing, or vishing. And of course everybody knows email phishing. We also see smishing: phishing via SMS. For example, in the Netherlands there are fake text messages from the tax authorities going around: ‘Please pay us 17.95 euros.’’

Tailored phishing

Recently, Jellema and her colleagues have been seeing more ‘tailored phishing’: large-scale, automated phishing, using tailor-made emails or text messages. ‘Criminals scrape information from social media for this purpose. The message seems totally meant for you. It’s not just: ‘Hey, first name, last name,’ but also: ‘You’ve been working for this company for 4 years now.’ Romy Schellekens, a member of our team, is currently doing research on tailored phishing - together with the faculty of Mathematics and Computer Science of the TU Eindhoven. Our hypothesis is that a lot more people click on links in these types of e-mails.’

Baiting

Whatever form of social engineering is involved, according to Jellema it’s always about gaining trust or piquing your interest. With baiting, the social engineer uses ‘bait’, as the name suggests: ‘For example, I might attach an interesting attachment to an email and ‘accidentally’ send it to the entire company. Perhaps the file name is ‘Bonuses management next year’. My malware is hidden in that file.’

Pretexting

Pretexting means pretending to be someone else to gain trust. This often involves several steps. A social engineer might pose as your daughter. She is texting from a different number because her phone has been stolen. Once you believe that pretext, the social engineer will ask if you could transfer money to ‘a friend’s account’, because not only the phone was stolen, but also the wallet.

5. Are there other examples of social engineering?

A social engineer often uses technology to hack people. But you can also get the job done without using a computer or telephone, says Jellema: ‘I sometimes work as a mystery guest. I literally get paid to break in. For instance, I did a job at a museum recently. The assignment was: how far can you penetrate the building? When someone opened a door with their access pass, I put my foot in the door. That’s how I got into the corridor that led to the restoration studio.’

Bathroom stall

An assignment like this can be quite nerve-racking, says Jellema: ‘This corridor was hermetically sealed. I saw a camera. A bit further along was the guard booth. Nowhere to hide except a bathroom. So: I hid in a bathroom stall for 10 minutes. In the end, the chief guards intercepted me and didn’t let go of me. That’s what you want: don’t let me out of your sight. You can drop me off at reception, but if you leave me alone, I won’t stay put – just like an actual social engineer.’

6. What can you do against social engineering?

You’re at the office and you see someone who doesn’t belong there. What should you do? Jellema advises: ‘Don’t let people without a pass enter the building with you. That might feel a bit rude, but I always tell strangers who try to follow me in: ‘I’m sorry, but we agreed to keep this building safe together. So I can’t let you in if I don’t know what you’re doing here.’

To reception

If a stranger is already inside the building, and the situation feels safe: speak to them. Say, ‘Excuse me, I don’t know you. What are you doing here?’ If someone seems to be unauthorized, escort them to the reception or to a contact person, if they mention one. There’s no need to handcuff someone. Keep it friendly.’

Report it

You might be on the phone with someone, and you don’t trust them. In that case Jellema advises: ‘Don’t share information. If you already have: end the conversation and report it as soon as possible to someone who can investigate.

In The Netherlands we have the catchphrase, ‘Stop, hang up, call your bank.’ Please do! Did you click on a weird link on your work laptop? Call IT. Anyone can be distracted on a Friday afternoon. It happens to me as well: I fall for phishing emails. But report it.’

Train your employees against Social Engineering

Do you want to train your company's employees against social engineering? Then Secura's Security Awareness & Behavior Programma [SAFE] is for you. Please feel free to contact us for more information.

Contact

Email or call us for a no-obligation advisory conversation about training your company's employees against social engineering. We respond within one business day.