Jenny Radcliffe is a UK-based “People Hacker”. An expert in social engineering, she has helped hundreds of clients protect themselves from malicious social engineering attacks by using human psychology to obtain access to buildings, offices and systems or solicit data through fake calls. “I didn’t even call myself a social engineer for a long time as it wasn’t a widely used term. People do understand though, that it’s the oldest trick in the book to lie your way somewhere and try to take something that they have”, says Jenny.
In this interview, Jenny shares her insights on what it’s like to be a social engineer, skills needed and common challenges. Find out how to protect yourself from scams and delve into the future of social engineering.
Skills you need
Jenny’s passion for reading led her to study English and literature. After her Master’s degree in strategy she went to work in supply chain procurement. “During that experience I dealt with a lot of different people from suppliers to maintenance. You need to get a good sense of an organization in this way, which helps if you want to crack their security,” she says.
Jenny also took a bunch of acting classes as you have to be able to act. “To do the job well you need to think on your feet and improvise. You have to inhabit a role and believe that you are that person. There is a lot of person-to-person interaction which is not genuine – it’s improvised. You must be comfortable talking to people,” says Jenny.
If the acting classes were not enough, Jenny did training in influence, persuasion, negotiation, lie detection, body language and many courses on profiling people. She adds: “When you go in, you need a reason to be there. You must have a story and the best social engineers have 2-3 stories that they work with. You need to keep your story simple as you can. The more complicated your story is the more difficult it is to maintain.”
As being authentic matters a lot in being a social engineer, sometimes being the way you are might not work in your favor. Jenny mentioned that as a social engineer it can be helpful not to stand out too much so you are not so easily noticed. There are occasions when, having big muscles and a shaved head might draw people’s attention and security may notice you walking into a building, whereas someone who just looks like a normal staff member is less obvious and could slip through.
What social engineering looks like from inside
One of the social engineering examples Jenny gave us was about a bank in Germany. “The bank had a good enough security but they wanted to see if someone could talk their way into the office and other secure areas. I was really worried about it because I didn’t speak German. But what helped was that I didn’t look dangerous. I looked like a regular businesswoman who was there for a reason. And I made my way into the secure areas, obtained access to computers, documents, secure items which would have completely compromised bank’s security if we would have been the bad guys. To prove I had gained access, I had to plug in things, take photographs and leave cameras. Ultimately, the bank was pleased because we showed them their vulnerabilities. I do around 10-20 of similar jobs a year,” she says. To add some mystery Jenny mentioned that when she gets into a CEO’s office – she leaves a little silver octopus on their keyboard.
What is challenging
“I’ve done over 600 jobs and if someone says they’re not nervous doing it – it probably means they’re missing something. You should not want to get caught, either by security people or sometimes even dogs, so it is an emotionally charged assignment. Leaving the building is often more difficult than getting in. Sometimes you need to wait on rooftops or inside cupboards to get out. You cannot always just walk out, so a degree of nerves goes with the job,” says Jenny.
How to protect yourself from social engineering
One of the biggest things people can do to protect themselves and their companies against social engineering is to be more private on social media. Jenny explained that before social media was such a widespread tool, a social engineer often had to sit and wait outside the buildings to figure out who is who and then physically follow people, and perform surveillance. These days much of the research happens using Facebook, Instagram, LinkedIn or Twitter.
“Within an hour or two you can construct a big map of key people, with their likes, interests, dislikes and patterns of behavior. That is often enough to formulate a believable attack on people, by sending a personalized email, for example. If someone is a big fitness fan, we can send an email that relates to that hobby. If every Thursday you check in on Facebook for a 7pm Zumba class, then on Twitter you say that your train was cancelled, it doesn’t take a lot time to build a whole pattern of your life. So if I want to engineer a meeting or send someone an email with a malicious link, I have all the information I need before I even speak to you. Think twice before posting things online: who needs to know this, who can see this and what would a malicious person do with this information. Once people start to get into that mindset, they pull back a little bit on what they share and start to think more carefully about their privacy,” Jenny explains.
A scam formula you should be aware of
When you get a fraudulent call, hackers try to heighten your emotions and then force you to take action. Jenny says: “To frighten people, a hacker might say that they’re calling from this company and you’ve done something wrong, or your computer has got a virus, or you won a prize or a compensation. It is often something that makes you a little bit worried or scared to easier manipulate your emotions. Because when your emotions are heightened your decision-making capacity goes down. The second thing is a call-to-action so the email might ask you to click on a link, or login to an account. The third thing is that if the communication is about money or revealing personal information, it should be a “red-flag” and be seen as potentially suspicious, you should hang up and independently verify that call. If someone calls you and says they’re from the bank, mentions your address and says that you spent money at Starbucks yesterday, ask them for a reference number for this case. Then find the number independently on the legitimate website or the one provided on your bank statements, but not the one they give you. Then you can independently verify if the call is real.”
“My typical day is never typical! One day I could be doing a talk at an event or a private company awareness training, the other – interviews and press. My job involves a lot of online work as well as sitting in cars for long periods of time observing people and organizational life. The downside is that drinking too much coffee isn’t good because you don’t want to be going to the bathroom often! When I’m on a job, it takes a lot of people-watching and general observation in order to accurately get the mood of the site you’re about to get into. Sometimes it takes months of preparation, but once you have managed to get in and infiltrate a site, ideally you would be looking to get out in 90 minutes because if you stay longer, people start to notice,” says Jenny.
The future of social engineering
When talking about the future of social engineering Jenny thinks it’s the same as its past. She says: “I often say I’m a “retro-hacker” who works largely without too much technology. Social Engineering is a relatively new term for an old career, basically trying to trick people into giving money or giving you access to places. Talking to someone to see if they fall for a scam will always be part of security. What has changed is that technology has enabled me to do my job quicker and better, but it has also enabled criminals to do things quicker and better. To defend themselves from social engineering attacks people should be more suspicious, guard their privacy well and question people’s identity.”
Jenny’s top 3 reading tips
Familiarize yourself with scams and cons that appear in the news, or online, try and understand how the techniques used could be applied to your own life or firm.
Follow anti-fraud or security blogs and accounts online such as @antisocial_eng or @gcluley on Twitter.
Look for government information sites like Action Fraud or Cyber Law Enforcement initiatives to stay up to speed on the latest advice and help.
You can reach out to Jenny and see what she’s up to at jennyradcliffe.com