Editor's note: A shorter version of this Q&A appears in the December/January issue of Inc.
Chris Hadnagy breaks into businesses for a living. But not to worry--he’s on your side. Companies hire his firm, Social-Engineer, to test the strength of their security both online and offline so they can identify where they’re weak. Hadnagy and his colleagues specialize in clever social engineering hacks. Social engineering isn’t all that different from the ways con artists have always tried to persuade victims to divulge sensitive information (eg. impersonation scams). But technology has helped fuel ever-more sophisticated cyber security attacks.
I talked to Hadnagy recently about how these hackers operate and what business owners need to know to protect themselves.
Explain the psychology of social engineering.
Here’s the way a con man works: it’s not that he makes you trust him, it's that he makes you believe that he trusts you. When you feel someone else trusts you, your body releases oxytocin, those good chemicals (also called moral molecules), and it builds feelings of rapport. Think of when someone wants to tell you a secret--it automatically endears you to that person. That’s a powerful lesson. Psychologically the goal of a social engineer is to get someone to take an action that may or may not be in their best interest. If they really want you to comply they’ll do it through influence--they use psychological principles to comply with your wishes.
Why are social engineering attacks on business on the rise?
Of the last 20 major attacks on corporations, 12 involved social engineering--that’s over 70 percent. When an ex-Anonymous hacker sparky blaze was interviewed a year and a half ago, she said every attack launched involved social engineering. We see it on the rise because it’s the easiest way into companies. It’s easy to spoof any email address: you can go online and create 500 email addresses in an afternoon. You can get a Skype account and spoof a phone number. You can be anyone on the internet--a 16-year-old woman, a 50-year-old man. Why spend days trying to hack software when I can pick up the phone or look at your social network profile and learn everything about you? It’s very simple and it merits a lot of profit.
Walk me through a particularly pernicious social engineering scam.
WHMCS is a firm that makes online billing and invoicing software that ties into your company’s client data and your financial backend. One of their database administrators loved social media. Now, he wasn’t putting passwords out there or detailed data about company. But the hacking group UG Nazi used his social media profiles to create a document on him that included everything from his kids’ names and his anniversary to his hobbies and interests outside of work. They called WHMCS, impersonating this guy, to supposedly reset a forgotten password. When the rep asked the standard security questions, they knew so much about this guy that they knew all the answers. So the company reset the password, UG Nazi was in, and they proceeded to download 1.1 gigabytes of credit card numbers and erased all of their databases.
Knowing what you know about social engineering what won’t you do online?
I was against Twitter and Facebook for years, but you can’t exit the Internet entirely and run a business successfully. It’s how companies market and how people buy stuff. So here’s what I won’t do: I’m on Facebook, Twitter, and LinkedIn, but you won’t find information about my family, hobbies, likes, dislikes. You won’t see pictures of me and my kids on vacation or check-ins from where I buy coffee. Also, I follow a meticulous process when I receive emails from companies like Amazon. I hover over links to make sure it’s coming from Amazon but I don’t click links from my email. I open a browser, type in the url, and then log into my account. It only adds a couple of seconds.
I do online banking but again, follow procedures. Never log in from a hotel or from a computer that’s not yours. And don’t ever use the same password you use anywhere else. This isn’t about your bank getting hacked, it’s about someone hacking your Facebook account and then trying the same password on your bank account. The chances of running into a scam like that are very high.
One issue, I think, for small businesses in particular is how to train your customer service team to be wary of people who are trying to scam them, but at the same time be helpful to legitimate customers.
It’s about critical thinking--we don't teach that enough. Think of customer support people. Often they’re constrained by unreasonable rules: If you’re on the phone longer than two minutes your pay starts to go down. A malicious social engineer can find that out and then use a delay tactic. Critical thinking goes out the window because now this rep is thinking of his pay grade, so he starts answering questions he shouldn't answer. If you just want people to follow the rules--don't think, just do--you create an easy environment for a social engineer.
Involve people in critical thinking skills: help them think through what do I do if… and tell them where to go to report incidents.
Anything else companies should do today to be more secure?
It doesn’t matter whether you’re a three-person company or a 3,000-person company, review your information release and social media policies. You can't just not release info online--but you can't let employees do whatever they want. What can and can't an employee do on corporate email? Should they be allowed to attach social media pages to corporate accounts?
Second, get security audits or pen tests. It's like going to a doctor and getting a check-up. You need to know your vulnerabilities. Go with a company who can help you fix them.
Third, and most important, do security awareness education. And make sure it’s based on real life examples.