Fear, flattery, greed and timing.
Jenny Radcliffe: [00:00:01] The psychological tools that enable social engineering just don't change. I mean, they're the same con tricks as has always been out there.
Dave Bittner: [00:00:10] Hello everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hi, Joe.
Joe Carrigan: [00:00:29] Hi, Dave.
Dave Bittner: [00:00:30] Later in the show, we're going to be joined by Jenny Radcliffe. She's from Human Factor security. She's an expert when it comes to social engineering and training.
Dave Bittner: [00:00:38] But before we get to all of that, we've got a quick word from our sponsors at KnowBe4. So how do you train people to recognize and resist social engineering? Here are some things people think. Test them. And if they fall for a test scam, fire them. Or other people say, if someone flunks the test, shame them. Instead of Employee of the Month, it's Doofus of the Day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. How about it? What do you think - carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.
Dave Bittner: [00:01:20] And we are back. Joe, before we get to this week's stories, we got some feedback from a listener.
Joe Carrigan: [00:01:25] All right.
Dave Bittner: [00:01:25] There's a gentleman named Eric (ph), and he was following up on some of the stories that we've had about gift cards. You know, this is a common scam.
Joe Carrigan: [00:01:33] Right.
Dave Bittner: [00:01:33] People are asked to go buy gift cards at the drugstore - Apple gift cards, Google gift cards. And Eric wrote us in. He said he enjoys the show. And he said, yesterday, I had to go to CVS pharmacy to pick up a few things. One was a Google Play gift card for a birthday gift. When I went to check out, the cashier got prompted on her computer to ask me if I was buying the gift card for myself or for someone that I knew personally. He says, I was blown away by this. I don't think it will end the current plague of scams, but anything little like this that help raises awareness is a step in the right direction.
Dave Bittner: [00:02:07] I agree.
Joe Carrigan: [00:02:08] I agree. Actually, I've heard of this before. One of our listeners, Super Listener Chad (ph), has worked at CVS and had said this on Twitter, I believe...
Dave Bittner: [00:02:15] Oh.
Joe Carrigan: [00:02:15] ...That this is something that CVS has done. And I hope that I'm getting this right because I'm doing this from memory.
Dave Bittner: [00:02:21] (Laughter) OK.
Joe Carrigan: [00:02:21] But, yeah. That's great. Kudos, CVS.
Dave Bittner: [00:02:23] Yeah, this is great, recognizing that there's a problem here. You know, it's not unlike if you go and buy cough medicine at the grocery store...
Joe Carrigan: [00:02:31] Right.
Dave Bittner: [00:02:31] ...And you try to go through the checkout lane, it'll flag someone to come check and make sure you're old enough to buy that.
Joe Carrigan: [00:02:37] Yes.
Dave Bittner: [00:02:38] Yeah. So this is great. So again, thanks, Eric, for sending this in. It's good to see that the retailers are responding to this sort of thing. That's good news. All right, Joe. Well, what do you have for us this week?
Joe Carrigan: [00:02:49] All right. My story comes from the Toronto Star. And the reporter is Claire Theobald. And this is a very long story...
Dave Bittner: [00:02:56] OK.
Joe Carrigan: [00:02:56] ...So we're going to put a link in the show notes because it talks a lot about money laundering, which we're not really going to touch on here.
Joe Carrigan: [00:03:01] There's a University in Canada, in Alberta, called MacEwan University. It's an actually pretty big university. They have a lot of students. And they're working on Allard Hall, which is a new building that they're putting up. It's a performing arts building, and it's going to cost about $180 million when it's all said and done.
Joe Carrigan: [00:03:18] Naturally, when you're building a new building, there is tons of email communication about process, logistics, finances and things of that nature.
Dave Bittner: [00:03:27] Right.
Joe Carrigan: [00:03:27] And on June 27, an email came in to MacEwan from James Ellis of Clark Builders.
Dave Bittner: [00:03:33] OK.
Joe Carrigan: [00:03:34] The letter starts with a very casual, hiya...
Dave Bittner: [00:03:38] (Laughter) OK.
Joe Carrigan: [00:03:38] ...And then asks the school's accounting department to reroute payments to a new National Bank of Canada account, right? The email has an attachment that looks to be signed by Marc Timberman, who is Clark Buildings' (ph) CFO.
Dave Bittner: [00:03:51] Yeah.
Joe Carrigan: [00:03:51] I think that's a great name for a building executive - Timberman.
Dave Bittner: [00:03:53] Yes, it is. Yeah, that's great.
Joe Carrigan: [00:03:55] Right? It's great.
Dave Bittner: [00:03:56] Very Canadian name, I'd say.
Joe Carrigan: [00:03:57] Yeah. So an accounting technician changed the routing information in their accounting system. And one month later, MacEwan makes a $1.9 million payment to the new account. It bounces back, though. So they wonder what's going on.
Dave Bittner: [00:04:12] Right.
Joe Carrigan: [00:04:12] They contact the National Bank of Canada, and the bank says, that account doesn't exist. Right?
Dave Bittner: [00:04:17] Wow.
Joe Carrigan: [00:04:17] So the accounting tech responds to the original fraudulent email, asking for corrected banking information.
Dave Bittner: [00:04:23] Oh, no.
Joe Carrigan: [00:04:24] Right?
Dave Bittner: [00:04:24] Oh, no.
Joe Carrigan: [00:04:24] So if you're the scammer, you've got to be like, you've got to be kidding me, this actually worked? Right?
Dave Bittner: [00:04:30] (Laughter) Yeah.
Joe Carrigan: [00:04:31] So four days later, he gets an email back, and it's got corrected information to an account at TD Bank and another letter from Marc Timberman.
Dave Bittner: [00:04:40] And this is from the folks who had asked for the initial change in the account information?
Joe Carrigan: [00:04:44] Correct. Correct.
Dave Bittner: [00:04:44] All right.
Joe Carrigan: [00:04:45] This time, it worked. And over the course of one week, the university transferred $11.8 million to that account at TD Bank.
Dave Bittner: [00:04:53] Wow.
Joe Carrigan: [00:04:53] And it took them almost two months before they learned that Clark Builders hadn't received the money.
Dave Bittner: [00:04:57] The real Clark Builders.
Joe Carrigan: [00:04:58] The real Clark Builders were like, hey, where's our money? Prime example of a spear-phishing attack.
Dave Bittner: [00:05:02] Right.
Joe Carrigan: [00:05:02] Right. The person that sent this email - James Ellis - they have no record of anybody named James Ellis ever working at Clark. And the CEO, or CFO, rather, had no recollection, or no - he had never signed this letter. This was completely fraudulent.
Dave Bittner: [00:05:14] Right.
Joe Carrigan: [00:05:15] The story is very in-depth and talks about the laundering process of the money, which we're not going to go into here. It's just way too convoluted to try to talk about on a podcast. But the money, essentially, goes around the world and winds up - there's a number of other parties that they talk to, but it eventually winds up in a legitimate real estate deal in British Columbia. Amazing. All this money goes around the world and comes back very close to home to be used to purchase some real estate.
Dave Bittner: [00:05:44] And is traceable.
Joe Carrigan: [00:05:45] And, yeah, it's traceable. And they've actually recovered about $10.9 million of the $11.8 million.
Dave Bittner: [00:05:52] Still, that's nearly a million dollars (laughter).
Joe Carrigan: [00:05:54] Yeah - $906,000 (ph) that...
Dave Bittner: [00:05:56] Wow.
Joe Carrigan: [00:05:56] ...They've lost in this deal. Definitely not as bad as it could have been, but it's still pretty bad. It's almost a million dollars that they've lost. I've got so many questions about this story. First off, I don't think the laundering was done very well. Right? Because if it's - obviously because they got back more than 90 percent of it. The people who are participating in this real estate deal probably have some inclination that the money they're receiving, they're going to use for it, is not legitimate. Why would you - I don't know.
Dave Bittner: [00:06:23] Who knows? By the time it's made its way around the world...
Joe Carrigan: [00:06:25] Right.
Dave Bittner: [00:06:26] It's hard to...
Joe Carrigan: [00:06:26] They thought they had it done. But there you go. The email address on the email that came in looked like a legitimate email account. It was displayed it as a legitimate email account for Clark Builders. But behind the markup, they had spoofed the email address.
Dave Bittner: [00:06:37] Right. Interesting, too, that at the point where they tried to pay almost $2 million and it bounced back...
Joe Carrigan: [00:06:42] Right.
Dave Bittner: [00:06:43] ...That nobody got on the phone.
Joe Carrigan: [00:06:45] Right.
Dave Bittner: [00:06:45] (Laughter).
Joe Carrigan: [00:06:46] That would have been my first thing, is I would've gotten on the phone. Actually, when I received the - here's how you handle this. When you receive the information that you need to change account routing information for any of your customers or any of your business partners or people that you buy services from, I think that merits a phone call and maybe a policy that says anytime we're going to have these kind of changes during a contract then we're actually going to write you a check and mail you a check. Maybe that's a good way to get around it, as well.
Dave Bittner: [00:07:16] Just some extra steps.
Joe Carrigan: [00:07:17] Yeah.
Dave Bittner: [00:07:18] Yeah. That's interesting - putting that as part of the deal, that as an expectation for everyone's protection.
Joe Carrigan: [00:07:23] Yeah. Accounting numbers will not change.
Dave Bittner: [00:07:25] All right. Well, it's a good one, and we'll have a link to the story in the show notes. If you want to dig into all the money laundering details, that'll be there for you.
Dave Bittner: [00:07:33] My story this week, this comes from Forbes. It's from John Koetsier. He's their consumer tech reporter. And this is about app scams. These are sneaky apps that make their way into the app stores. They purport to be utility apps, but they trick you into paying ongoing money in perpetuity. So this particular story digs into an app called QR Code Reader. Now, this is on the Apple App Store. Now, what's interesting is if you have an iPhone, it reads QR codes right from the camera app.
Joe Carrigan: [00:08:08] Yeah. Just because.
Dave Bittner: [00:08:08] Right. (Laughter). You don't need a QR code reader to do that. But this is one of the most popular apps on the App Store, one of the most profitable apps on the App Store because it tricks users into paying $156 a year as a subscription...
Joe Carrigan: [00:08:24] Wow.
Dave Bittner: [00:08:25] ...When they download this. And here's the really tricky part. Here's why it caught my attention. So the workflow is you download the app...
Joe Carrigan: [00:08:34] Right.
Dave Bittner: [00:08:34] ...And you open it. And when you open it, there's a big start button that says, time to go. Here we go. Time to use your reader. And there is some hard-to-read pricing information. You know, the fine print that most people will skip by.
Joe Carrigan: [00:08:48] The big print giveth, the fine print taketh away.
Dave Bittner: [00:08:51] There you go. And it turns out, this fine print is basically - the big start button that you're clicking on is you agreeing to this ongoing payment.
Joe Carrigan: [00:08:59] Right.
Dave Bittner: [00:08:59] So what it does is then takes you to the Apple payments confirmation screen. So Apple, to their credit, before you can pay for something, they take you to a screen that says, hey, do you want to pay for this? And the app is set up so that it'll be free for three days and then $3.99 a week forever.
Dave Bittner: [00:09:19] So you're at this screen, and you want to get out of this screen. Well, so what's your inclination, once you're in this screen? You're going to want to dump out of this. Right?
Joe Carrigan: [00:09:28] Right.
Dave Bittner: [00:09:28] You're going to want to hit the button on your iPhone to take you back to the main menu.
Joe Carrigan: [00:09:33] Right.
Dave Bittner: [00:09:34] Well, on an iPhone - on many iPhone's that don't have Face ID, they have Touch ID. So what happens when you go to press the button to dump out of the app?
Joe Carrigan: [00:09:44] It reads your fingerprint and authorizes the payment.
Dave Bittner: [00:09:47] Bingo.
Joe Carrigan: [00:09:47] (Laughter).
Dave Bittner: [00:09:49] Bingo (laughter).
Joe Carrigan: [00:09:50] Genius.
Dave Bittner: [00:09:50] Yup. So that's the trick. And so now you're signed up for $4 a week, $156 a year, for an app that does nothing that your phone doesn't do on its own.
Joe Carrigan: [00:10:02] Right.
Dave Bittner: [00:10:03] And this story lists a bunch of other apps that are up to similar tomfoolery and no good. There's a weather app that charges $260 a year. There's a VPN that's $520 a year. There's a web translator for Safari that's $4,680 a year.
Joe Carrigan: [00:10:23] My God.
Dave Bittner: [00:10:23] Yeah.
Joe Carrigan: [00:10:24] Is Apple doing anything about these apps?
Dave Bittner: [00:10:26] Well, Apple takes them down when they get alerted to them. But I think it's a game of whack-a-mole.
Joe Carrigan: [00:10:31] And do they stop the payments, the recurring payments?
Dave Bittner: [00:10:34] Apple - in my experience, Apple is very, very good about refunding your money and cutting off subscriptions and things like that.
Joe Carrigan: [00:10:42] OK.
Dave Bittner: [00:10:43] You know, I think this is a volume game, as well.
Joe Carrigan: [00:10:45] Right. Right.
Dave Bittner: [00:10:46] Now, one of the other things that this article points out is that this scam app has a 4.6 out of five rating.
Joe Carrigan: [00:10:51] So they're buying reviews.
Dave Bittner: [00:10:53] They are absolutely buying reviews. They have a five-star review for this QR reader app, and the review reads, staff is fun and friendly. Sports on the beach volleyball, and tug-of-war Captain Dave is a good guy.
Joe Carrigan: [00:11:06] What?
Dave Bittner: [00:11:06] So it's word salad. (Laughter).
Joe Carrigan: [00:11:08] Right.
Dave Bittner: [00:11:08] Just randomly generated.
Joe Carrigan: [00:11:10] Ugh.
Dave Bittner: [00:11:10] So they purchased a bunch of good ratings, and people fall for it. So buyer beware. These things are out there. There's many of them. This is one of those whack-a-mole things. Before you download an app, check to make sure that it's something that actually isn't already included in your phone.
Joe Carrigan: [00:11:26] Yeah. You know what I do when I'm looking at things like this is, I go to the one-star reviews and I read them. And this applies to anything I buy on Amazon or any apps I read. And I see what they're complaining about. Newegg is a prime example. When I see that all the one-star reviews are about, you know, like, hardware failures or something like that, or something that is kind of benign, I would think...
Dave Bittner: [00:11:46] Yeah.
Joe Carrigan: [00:11:46] ...I don't drop my consideration of the app. You know, I got it. It arrived, and it was broken.
Dave Bittner: [00:11:51] Right.
Joe Carrigan: [00:11:52] Or this app doesn't work on my phone.
Dave Bittner: [00:11:53] Sure.
Joe Carrigan: [00:11:54] Right? But if somebody starts saying, this is a scam in the one-star reviews, that's when they get my attention.
Dave Bittner: [00:11:59] Yeah.
Joe Carrigan: [00:12:00] So I check the one-stars.
Dave Bittner: [00:12:01] Yep. Yep. Worth it to take the extra time.
Joe Carrigan: [00:12:03] Yep.
Dave Bittner: [00:12:04] All right. Well, Joe, it's time for our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:12:10] This is another one that was sent in from one of our listeners. This was a listener named Kevin. And he said, the following arrived in my inbox recently, and I thought it might be of interest. So here is the note that Kevin received.
Dave Bittner: [00:12:23] It says, (reading) greetings to you. I'm Miss Zara Diane (ph). I'm contacting because I want to be your friend and confide in you because I have in my possession now 92 kilograms of gold bars. Quality, 23 karat, purity, 96 percent, that I inherited from my late mother, which I want to ship to your country and sell for investment in your country because I want to leave Cote d'Ivoire - I can't - I'm not French so - and relocate to your country and continue my education in your country. I want you to stand by me as my tutor and ship this gold bars to your country and sell for investment in your country. Note that I am writing you this email purely on the ground of trust because I don't know you, and we have not met before. I found you here, and my mind convinced me that I can trust you. Waiting to hear from you. From, Zara Diane.
Dave Bittner: [00:13:16] So the gold bars is - that's a twist.
Joe Carrigan: [00:13:19] Right. That is a twist. Gold bars. How are you going to get 93 kilograms of gold bars to me?
Dave Bittner: [00:13:24] Yeah. What's 92 kilograms in real weight? That's - (laughter).
Joe Carrigan: [00:13:30] It is different 'cause this is actually mass. Ninety-three kilograms is a - 92 kilograms is a large mass of gold.
Dave Bittner: [00:13:35] Right. (Laughter).
Joe Carrigan: [00:13:37] Why are you buying gold bars that are only 96 percent pure? Generally, these gold bars are a lot more purer than that, I think.
Dave Bittner: [00:13:43] Well, all right. But they got them from their late mother so they inherited them.
Joe Carrigan: [00:13:47] OK. Maybe they're old gold bars.
Dave Bittner: [00:13:49] Yes. The lore is they - at any rate, gold bars are valuable. They're also heavy.
Joe Carrigan: [00:13:53] Yes. Very much so.
Dave Bittner: [00:13:55] So it would be expensive to ship. So I'm guessing probably if you followed up on this that you're probably going to be on the hook for some shipping fees.
Joe Carrigan: [00:14:00] So you think it's a kind of a small scam?
Dave Bittner: [00:14:02] I don't know. I don't know. I mean, a few-hundred dollars to ship a few-hundred pounds of gold? That makes sense to me.
Joe Carrigan: [00:14:10] Right.
Dave Bittner: [00:14:11] Yeah. I don't know. It's also funny, that, my mind convinced me that I can trust you.
Joe Carrigan: [00:14:17] Right. (Laughter). Your mind.
Dave Bittner: [00:14:18] Well...
Joe Carrigan: [00:14:19] And then I'm supposed to tutor you in something when you get here. Right?
Dave Bittner: [00:14:22] Right. So the intentions are pure. They just want to get out of their country, they want to be educated, and they want your help. They want to be your friend...
Joe Carrigan: [00:14:29] Right.
Dave Bittner: [00:14:29] ...Confide in you.
Joe Carrigan: [00:14:30] Can you help me?
Dave Bittner: [00:14:31] So playing off of that trust.
Joe Carrigan: [00:14:33] The four most powerful words in social engineering.
Dave Bittner: [00:14:35] There you go. Well, Kevin, thanks for sending that in to us. That is our Catch of the Day for this week. Coming up next, we've got my interview with Jenny Radcliffe from Human Factor Security. But first a quick message from our sponsors at KnowBe4.
Dave Bittner: [00:14:50] Let's return to our sponsor, KnowBe4's, question, carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture, and sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:15:37] Joe, I recently had the pleasure of speaking with Jenny Radcliffe. She is the proprietor, owner, CEO at Human Factor Security. She specializes in social engineering and training to protect people against it. Really interesting conversation. So here's my talk with Jenny Radcliffe.
Dave Bittner: [00:15:55] What was your pathway to get into this particular line of work?
Jenny Radcliffe: [00:15:58] I'm asked this a lot. And really, I'm not that old, but I've been doing this for over 35 years because I started when I was really little. I was just a kid. So I grew up in Liverpool in the northwest of England, and I used to be babysat or looked after by my cousins. And half of my family are very senior police officers and military, and the other half were not so much. And it was the other half that I used to hang out with. Whilst my parents thought I was tucked up in bed reading, you know, books, we actually - we were out exploring empty buildings and sites in Liverpool. And I'm learning how to get into places, how to run away very quickly. And then as I sort of grew up and sort of got an education, I still did it.
Jenny Radcliffe: [00:16:49] So I still was interested in locked doors and the things that people didn't want us to see, things that happened after hours or behind the scenes. So I was always just really interested in that. Never to steal anything, never to break anything. Just curiosity. By the time I was asked to do this for money, I'd already been kind of doing it anyway for a long time, and it was about 10 years ago that I first heard the term social engineering.
Jenny Radcliffe: [00:17:19] Someone said, you know, the job that you do, you know, talking your way past security guards, talking your way past receptionists, sort of getting into buildings to see how it was done and then reporting back to the firm that asked you to do it, that's called social engineering. And in the U.K. at the time, it just wasn't that well-known. I mean, I kind of knew it was. You know, I guess the answer to the question is, I kind of always did it. I always had a disposition for this type of work. And fortunately for me, the industry legitimized it, and it became a job. (Laughter).
Dave Bittner: [00:17:49] (Laughter).
Jenny Radcliffe: [00:17:50] But it could have been so different. (Laughter).
Dave Bittner: [00:17:54] Do you have any particular interesting stories to share about some of your professional exploits?
Jenny Radcliffe: [00:18:00] I mean, I talk about this a lot when I do conferences and things. But I mean, I can tell you the first time, when I was really little, I was about 8 years old. And we got into a zoo that was near where I lived, a - one of these awful zoos that's been closed down because of animal rights. But I was really interested in going there. And this particular night, we were looking for somewhere to explore. And I asked if we could get into the zoo. And, you know, back then, there was no CCTV. There were no real alarms or even a security guard on the site. So at night, they just locked the gate and left it.
Dave Bittner: [00:18:34] (Laughter).
Jenny Radcliffe: [00:18:35] So we climbed over the fence. And the reason I was really interested was I was interested in seeing the lion that was in the zoo because I'd sort of seen it during the daytime when I'd gone with the school and with my parents. And I wondered if it slept at night (laughter).
Dave Bittner: [00:18:51] (Laughter).
Jenny Radcliffe: [00:18:51] And it was pitch black and deadly quiet, which should have been, you know, a warning, really, because I now know, professionally, that places are not quiet at night. But this was silent. And we sort of wandered through the zoo. And I had a little Sesame Street torch. And I shined it to where I thought this lion's cage was. And it was, like, literally about a foot in front of me. It was right up against the fence. And it went crazy and growled and flung itself against the fence. And we all ran out...
Dave Bittner: [00:19:18] (Laughter).
Jenny Radcliffe: [00:19:18] ...And climbed back over the fence to run away. And I guess that should have put me off, but it didn't. And so after that, we broke into funeral parlors and offices and museums and fairgrounds. And, you know, right up until sort of the present day, where I've found myself, you know, in infrastructure buildings, you know, very secure sites, some of the best known buildings in the U.K., and, you know, falling off roofs and things, you know, for like I say, about 30 years.
Jenny Radcliffe: [00:19:51] What I feel is doing all of those things is at least protecting people. And if I can do it and tell the firm how I did it, then they can protect themselves from the bad guys doing it. So that's the line that I put out when people ask me about it in case they think, you know, I'm actually a criminal, which I'm not (laughter).
Dave Bittner: [00:20:07] Now, when you were a kid and doing this, it was driven by curiosity. You weren't out there, you know, stealing things from these places you broke into.
Jenny Radcliffe: [00:20:15] Oh, God, no. You see, I'm a good girl.
Dave Bittner: [00:20:17] (Laughter).
Jenny Radcliffe: [00:20:17] I always was. I wouldn't dream of doing anything naughty. But yes, we were just curious. I mean, there was a big museum in the town. And I mean, it's still there. And it was just curiosity. It was one of those things where when I talk about this at conferences and things, people come up to me afterwards. And they say, you know, we did that as well. You know, there was a haunted house in your neighborhood. And, you know, we think it's haunted. Should we go in at night? You know, it's daft things that kids do. And so no, we - it really was just purely out of curiosity.
Jenny Radcliffe: [00:20:47] And I say now on the job, if you're social engineer, if you're a pen tester, you have to be the most ethical person in the building. You have to be beyond reproach because obviously, you know, the job is full of temptations and everything else. There has to be very clear line between what we're doing and, you know, any kind of criminal activity. And I just never felt that way inclined. Even though I suppose technically, we weren't supposed to be there (laughter). We never did any harm.
Dave Bittner: [00:21:15] Right. Trespassing is trespassing, right? (Laughter).
Jenny Radcliffe: [00:21:17] Trespassing is trespassing, absolutely (laughter).
Dave Bittner: [00:21:20] Now, one of the things that you do, you do a lot of training with people, with organizations on social engineering. And so what are some of the insights you've gained from that? Are there things that surprise you - sort of, you know, universal things that you'd think people would be better equipped to handle than they are?
Jenny Radcliffe: [00:21:37] It's so funny because the psychological tools that enable social engineering just don't change. I mean, they're the same con tricks as has always being out there. So I always talk to people about, you know, fear or anxiety is something that people still respond to. It sort of - when the brain gets frightened, it knocks out its decision-making capacity a little bit. And, you know, it's how phishing emails work, or ransomware. You know, I'm going to frighten you a little bit. I'm going to make you feel a little bit anxious. And in that moment, if a social engineer can lead the person down an easy route out of that situation, people will always follow it. And, you know, it's just the right combination of psychology for everyone. All of us are susceptible to it.
Jenny Radcliffe: [00:22:21] And I think what surprises me is just how efficiently that psychology can work. You know, you've got that fear. You've got sort of greed or sort of the promise of something coming to you - or then there's flattery as well. And, you know, so I sort of say, fear, flattery, greed and the right timing in whatever combination of those things works for the person, that script will work on nearly everyone. And really, that's - it surprises me just how true that remains, really.
Dave Bittner: [00:22:50] I often think about, you know, how many times in all of our lives have we looked back on how we had responded to something earlier in our lives and thought to ourselves, goodness, what was I thinking?
Jenny Radcliffe: [00:23:00] Yeah. And - you know, and the thing is a social engineer's job, certainly from the malicious side - and actually, anyone hacking an organization through any means, really, is to make that thinking fuzzy, you know? So they - so you're not really thinking straight. Your decisions aren't the best decisions. And as I say, you know, hindsight's a wonderful thing, but we're all susceptible to it. And that's why these attacks can be so successful.
Dave Bittner: [00:23:27] Now, in your own life, how do you combat social engineering? Do you find yourself having a constant level of vigilance? Or are you - how does that affect you personally?
Jenny Radcliffe: [00:23:38] Well, yeah. I mean, I think, you know, we have to practice what we preach to a certain extent. And I'd like to think I'd spot, you know, most attacks that came my way. But we're - none of us are immune. And I think what happens is, in common with many security professionals, there's massively increased paranoia that you have in your lives. You know, so if the pizza guy rings and asks for my address, I kind of say, well, why do you need it, you know?
Dave Bittner: [00:24:00] (Laughter) Do you or do you not want this pizza? (Laughter).
Jenny Radcliffe: [00:24:04] Yeah. You know, prove to me that you're delivering a pizza. And they're like, well, you rung us.
Dave Bittner: [00:24:09] Right. So what is your advice to people, to organizations? What is the best way to protect yourself against this in a realistic, practical way?
Jenny Radcliffe: [00:24:18] Well, what I say to people is, you know, unfortunately, we don't live in the world we used to live in. And we do have to be more vigilant towards attacks on ourselves than before. And I think the advice is when anyone's trying to educate people about social engineering, it's to make it personal.
Jenny Radcliffe: [00:24:37] So when I educate organizations and staff, what I say is, protect yourself and your information because by default, that protects the company. And that's why, you know, companies pay me to do it because they know that we make that personal connection. And then people say, oh, well, you know, I didn't realize that sharing all this stuff on social media or re-using a password - you know, all those things, they sort of don't really make that connection.
Jenny Radcliffe: [00:25:01] So the advice I give to people is basic things that we'd all understand in the industry - you know, like, be careful what you share on social media. Don't have open profiles. Use strong passwords, and don't reuse them. But I also say to people, from the human side, if somebody contacts you - whether that's in-person, over the phone or via email - and actually, increasingly, snail mail as well. You know, that's a big attack vector in the U.K. right now for seniors particularly. But if - you know, if someone contacts you and you feel any heightened emotion - so if you're really happy because there's the promise of something coming your way or if you feel slightly anxious, if they ask about money or personal information, you know, those are red flags.
Jenny Radcliffe: [00:25:44] And what you need to do is take a step back, verify them independently, and, you know, just really let that kind of emotion subside a little bit before you take action or make a decision because nearly all approaches rely on, you know, a quick decision made in haste, made in the heat of emotion. And sometimes when we take a step back from that and just give ourselves a little bit of time, then, you know, it becomes clear that perhaps that's not the best course of action.
Jenny Radcliffe: [00:26:10] And there's actually a couple of really good campaigns in the U.K. right now. One of them is called Take Five. So you take five minutes and in a very Brit-friendly way, they say, someone asks you to do something. You get an email asking you to do something. Go and make a cup of tea. Drink the tea. And after that, make the decision, you know? And, of course, by the time you've done those things, you've got a little bit more rationale coming back to sort of your mental space. And we make better decisions.
Jenny Radcliffe: [00:26:37] But the best advice is if someone asks you personal information, if someone makes you emotional or if someone asks you to do something, especially in haste, you know, don't do it straight away. Take time to think about it. And you might see, you know, that it's not the best course of action. And I think it's really that simple. It's simple advice but difficult to execute when you're at the end of a, you know, professional con artist.
Dave Bittner: [00:27:00] Joe, what'd you think?
Joe Carrigan: [00:27:01] This makes me want to go out and break into things, Dave.
Joe Carrigan: [00:27:05] I won't, but it makes me want to (laughter).
Dave Bittner: [00:27:06] Yeah. Yeah. I think we all had those little times when we were kids when we went exploring, I guess (laughter).
Joe Carrigan: [00:27:14] Yeah, or places we shouldn't have been.
Dave Bittner: [00:27:15] That's right. That's right.
Joe Carrigan: [00:27:16] Yes.
Dave Bittner: [00:27:16] That's right.
Joe Carrigan: [00:27:17] I like one of the things she points out. Curiosity is probably the fundamental personality trait of a hacker, and she is no exception. It's great. She touches on ethics. Ethics are very important. A couple of weeks ago, we talked to Christopher Hadnagy, who's building a code of ethics or has built a code of ethics...
Dave Bittner: [00:27:33] Right.
Joe Carrigan: [00:27:33] ...For social engineers. I think that's great as well.
Dave Bittner: [00:27:35] Yeah.
Joe Carrigan: [00:27:36] From a standpoint of how to defend yourself, I like that she talks about fear disabling your critical thinking process.
Dave Bittner: [00:27:44] Right.
Joe Carrigan: [00:27:44] The social engineer will scare you and then say, let me show you an easy way out of this...
Dave Bittner: [00:27:48] Right.
Joe Carrigan: [00:27:49] ...Which is not something in your best interest.
Dave Bittner: [00:27:50] So they short-circuit that rational part of your brain, and...
Joe Carrigan: [00:27:53] Exactly.
Dave Bittner: [00:27:53] Yeah.
Joe Carrigan: [00:27:54] She says that they have a campaign in England now called the Take Five, which I think is great.
Dave Bittner: [00:28:00] Yeah.
Joe Carrigan: [00:28:00] You know, that's a great suggestion. Something comes up to you - these social engineers are going to try to always create a sense of urgency. It's an artificial sense of urgency, artificial time constraints. And you're also going to feel these heightened emotions. And she says let that be a red flag.
Dave Bittner: [00:28:14] Right.
Joe Carrigan: [00:28:15] So if you're getting any kind of heightened emotion, whether it's, hey, I'm going to be rich, you know, like...
Dave Bittner: [00:28:18] Right, even if you get excited.
Joe Carrigan: [00:28:20] Right, like you and I get every time we read one - our Catch of the Day.
Dave Bittner: [00:28:23] That's right (laughter). That's right. That's true.
Joe Carrigan: [00:28:23] We know that we're going to make millions...
Dave Bittner: [00:28:25] Yeah.
Joe Carrigan: [00:28:25] ...With gold bars coming in.
Dave Bittner: [00:28:26] That's true.
Joe Carrigan: [00:28:27] Be aware. Be cognizant of that. Oh, hey, I'm emotional. Maybe I should just think about this or go get that cup of tea, she says - or in my case, maybe coffee, although I can't have too much of it.
Dave Bittner: [00:28:37] (Laughter) Well, and run it by a friend.
Joe Carrigan: [00:28:38] Run it by a friend.
Dave Bittner: [00:28:39] Yeah.
Joe Carrigan: [00:28:39] That is a great suggestion. Any time you have something like this, even just saying it out loud to somebody else, you'll be like, hey, this person says I should change the bank account information - oh, this is a scam. I got it.
Dave Bittner: [00:28:50] That's right.
Joe Carrigan: [00:28:50] Never mind, sorry to bother you.
Dave Bittner: [00:28:51] Yeah. That's true.
Joe Carrigan: [00:28:52] Right.
Dave Bittner: [00:28:52] That's true.
Joe Carrigan: [00:28:53] Just saying it out loud might even help. But no, say it to somebody else, and see what they say.
Dave Bittner: [00:28:57] Yeah.
Joe Carrigan: [00:28:57] That's a great suggestion as well.
Dave Bittner: [00:28:58] Yeah. Well, I really enjoyed the conversation with Jenny. And again, the name of her company is Human Factor Security. Our thanks to Jenny Radcliffe for taking the time for us. And thanks to you for listening.
Dave Bittner: [00:29:09] And, of course, thanks to our sponsors at KnowBe4. They're the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can get at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:29:32] The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:48] And I'm Joe Carrigan.
Dave Bittner: [00:29:49] Thanks for listening.