Social Engineering: How Hackers Trick People Into Giving Up Secure Data

Social engineering is the act of manipulating someone into giving up secure data. Unlike more technical types of cyber attacks, which target the zeroes and ones, social engineering’s methods can appear almost charmingly analog, but that makes them no less dangerous. Hackers using social engineering know that the most vulnerable element in any network is often the human being using it.

The late Kevin Mitnick, once known as the world’s most famous hacker, wrote about some of the more cinematic applications of social engineering in his 2002 book The Art of Deception. What many of his methods had in common was the clever use of publicly available information to subvert assumptions.

Over the last 20 years, social engineering has changed significantly—today it more closely resembles what’s known as spear-phishing—but still retains many of its core elements. And, despite enormous technological advances, the human aspect of cybersecurity remains of crucial importance.

Read on to learn more about social engineering: how hackers weaponize it, and how cybersecurity professionals protect against it.

Meet the Expert: Joseph Carrigan

Joseph Carrigan is the senior security engineer and outreach coordinator with Johns Hopkins University Information Security Institute. He is also the co-host of the Hacking Humans podcast and an expert commentator for The CyberWire. He earned his BS in computer and information science from The University of Maryland, University College and his MS in computer science from Capitol College.

Carrigan has been a software engineer for over 20 years and has worked in the security field for more than ten years focusing on usable security and security awareness. He has experience in various fields, including authentication systems, embedded systems, data migration, and network communication.

The Evolution of Social Engineering

“Generally, when we talk about endpoints in cybersecurity, we refer to the endpoint of a computer or a network,” Carrigan says. “But you have to consider that beyond every computer or network, there is a human, and that’s where a lot of the vulnerabilities lie.”

Carrigan relates a story about an organization hiring white hat hackers to do penetration testing on some sensitive backups stored within their facility. The hackers simply showed up at the organization’s front desk. They said they were from IT and needed to scan people’s access cards to ensure they were working. The employees believed them and complied with their requests. The hackers scanned the access cards and cloned them onto new cards, and, now with access to the entire facility, could easily lay hands on the sensitive backups. The total cost to perpetrate this pseudo-attack was little more than pocket change; the loss from it being successful would’ve been catastrophic.

“Social engineering is the biggest blindspot in the cybersecurity industry,” Carrigan says. “You can have the world’s best security posture from a hardware and software standpoint, and it won’t matter if a malicious actor can convince an employee on the inside to install malware.”

In the 90s, a startling percentage of employees would readily give up their usernames and passwords if asked over the phone by someone purporting to be from IT. Fortunately, the average awareness level has improved since then. Contemporary social engineering most often takes the form of spear-phishing: a targeted and personalized form of more generic phishing attempts. But the technologies and delivery methods are also much more sophisticated than they used to be.

“The biggest change most recently is the emergence of large language models (LLMs) that have made social engineering attacks much more effective,” Carrigan says.

LLMs like Chat GPT and its jailbroken counterparts have lowered the barrier of entry for many would-be cyberattackers. Social engineering attempts made via text now have the benefit of perfect grammar and persuasive style all at the click of a button, and they can be manufactured and delivered at scale. LLMs can even analyze a particular individual’s written style and mimic it with a high degree of accuracy.

“Before, you’d have all these red flags around grammar, punctuation, and syntax,” Carrigan says. “But LLMs really increase the effectiveness of the average spear-phishing email.”

How Cybersecurity Professionals Fight Social Engineering

Social engineering circumvents much of the high-tech defense modern cybersecurity professionals provide. Organizations facing modern cyber threats, including social engineering, need to adopt ground-level precautionary measures. Carrigan particularly points to sensitive areas like financial services or secure data, where specific policies and processes can be implemented to act as fences against social engineering.

“Particularly with organizations, the best form of protection is policy,” Carrigan says. “A policy says when someone transfers money, this is what needs to happen. It says when we change our banking details, this is what needs to happen. So there’s a process. It’s not just an email. Someone has to pick up a phone and make a call.”

Another major defense against social engineering is multi-factor authentication. Having it is always better than not having it, but some forms of multi-factor authentication are stronger than others. Carrigan prefers hardware keys that implement FIDO2 specifications, compared to time-based codes like Google Authenticator or Authy. Notably, Google employees must use a FIDO2-compliant token key called the Titan to access their Google Suite accounts. This multi-factor authentication method is as close as one can get to putting a physical lock on a digital asset.

“The FIDO2 hardware keys implement a challenge-response system that can’t really be intercepted, and can’t be man-in-the-middle’d,” Carrigan says.

Multi-factor authentication, combined with clear policies and processes around the movement of funds and secure information, can remove an organization from the most vulnerable list of targets for would-be social engineers. But no organization is infallible, and no network is perfectly secure.

Each form of protection also provides a possible entry point: social engineers could persuade someone to physically give up their FIDO2 key, for example. Furthermore, hackers can be complex and innovative in their forms of attack, especially as new technology unlocks new methods.

“It’s an arms race,” Carrigan says. “The bad guys are financially motivated, and they’re always going to be very creative.”

The Future of Social Engineering

Social engineering is here to stay. The good news is that the good guys’ defense is getting better. Spam email, once the scourge of internet users everywhere, is now close to solved. Best practices around multi-factor authentication are improving, and general awareness around phishing and spear-phishing is improving, too. Carrigan compares today’s moment to the advent of handwashing and disinfectant: small changes could have huge and lasting effects.

There’s still a long way to go. Cybersecurity professionals need to stay abreast of the latest attack vectors and best practices for defense. Organizations need strong and clearly defined cultures of security—not punitive ones, but open ones, where there’s a shared sense of ownership over the organization’s data, finances, and cybersecurity practices. Ultimately, social engineering is a human problem, and the solutions are also human.

“When you have a large organization full of tons of fallible people, mistakes are going to happen,” Carrigan says. “But you safeguard against that by having good policy, having good training, having good hardware, and having a good security culture in place.”