Let’s talk about digital identity with Jenny Radcliffe, The People Hacker.

In episode 84, ethical burglar for hire, Jenny Radcliffe, joins Oscar to discuss the importance of educating your staff to help protect your company against social engineering attacks – including the main vulnerabilities that social engineers exploit, how individuals and businesses can protect themselves online and how user authentication technologies can help, as well as how ransomware links to social engineering.

[Transcript below]

“Two factor or multi-factor, in any form, is always going to be a good thing. It’s better than, like you say, one thing, which can be found out or hacked like a password.”

Jenny RadcliffeJenny Radcliffe is a world-renowned Social Engineer, hired to bypass security systems through a mixture of psychology, con-artistry, cunning and guile.  A “burglar” for hire and entertaining educator, she has spent a lifetime talking her way into secure locations, protecting clients from scammers, and leading simulated criminal attacks on organisations of all sizes in order to help secure money, data and information from malicious attacks.

Jenny has received many industry awards and was most recently inducted into the prestigious InfoSec Hall of Fame in 2022.  She has also been named as one of the top 30 female cyber security leaders in 2022 by SC Magazine, one of the top 25 Women in Cyber by IT Security Guru, and as a Top 50 Women of Influence in Cyber in 2019.  She was nominated in seven categories for the 2021 Security Serious Awards in 2021 including the prestigious “Godmother of Security” award in 2020 winning the “Most Educational Security Blog” for her show The Human Factor podcast interviewing industry leaders, bloggers, experts, fellow social engineers and con artists about all elements of security and preventing people from becoming victims of malicious social engineering.

Jenny is a sought-after global keynote speaker at major conferences and corporate events and is a multiple TEDx contributor. A go-to guest expert on the human element of security, scams, cons and hacks, she has appeared on numerous television and radio shows, as well as online media and traditional press outlets, and helps create unique content for international brands and organisations. An experienced podcast host, panel chair and interviewer she hosted the live weekly cyber talkshow “Teiss Talk” for two years and is frequently asked to chair live events for clients both virtually and in-person.

Jenny’s upcoming book People Hacker – Confessions of a Burglar for Hire will be released in February 2023, published by Simon and Schuster.

Connect with Jenny on LinkedIn or Twitter.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Come and meet the Ubisecure team at the Gartner Identity and Access Management Summit, in London, on the 6th and 7th of March. To find out more, take a look at the Ubisecure events page – https://www.ubisecure.com/events/.

Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk about digital identity, particularly for us, myself, working on companies that are building technology products to protect, secure people on Internet. It’s always surprising when we hear stories, when there are people, they just get tricked by other humans and voila, the result is – the company is hacked.

Today we’ll hear fascinating stories about social engineering, and for that we have, special guest Jenny Radcliffe. She’s a world-renowned social engineer who is hired to bypass security systems through a mixture of psychology, con artistry, cunning and guile. Jenny has received many industry awards and was most recently inducted into the prestigious InfoSec Hall of Fame 2022. She has also been named as one of the top 30 female cybersecurity leaders in 2022 by SC magazine, one of the top 25 women in cyber by I.T. security guru and in the top 50 women of influence in cyber in 2019.

Jenny is a sought-after global keynote speaker at major conferences and corporate events and is a multiple TEDx contributor. Jenny’s upcoming book People Hacker Confessions of a Burglar for Hire will be released in February, this month, published by Simon and Schuster.

Hello, Jenny.

Jenny Radcliffe: Hi, Oscar. How are you?

Oscar: Very good. Happy to talk with you. This going to be super, super interesting.

Jenny: It’s great to be here.

Oscar: Fantastic. So, we would like to start hearing more about yourself and your journey to what you do today.

Jenny: Certainly. So, I’m a social engineer and I specialise in the human side of security, and that means non-technical hacking. So, my two specialisms are psychology of scams and cons and fraud. But also, physical infiltration, so that’s the kind of red team tests that help us to infiltrate buildings and client sites for educational purposes. So, I’m an ethical burglar for hire as opposed to just a burglar for hire. And then we educate for awareness exercises and to harden the security for our clients.

Oscar: Fantastic and I understand that you started very early in your career, correct?

Jenny: Yes, it was something that – we didn’t used to call social engineering, social engineering. You know that term is relatively new and I’m older. But yes, when I was little, I had a group of cousins and family around me who looked after me, but they also enjoyed urban exploration. You know, and that means getting into empty, derelict buildings, looking around, not to take anything or break anything, but just to look around. And you learn very quickly when you do that kind of job to – a little bit about alarm systems and locks and things. But also, how people work, so that we have to talk way in or, you know, instead of breaking something to get in, a lock or whatever, it is easier to talk your way in.

So that’s where I started and pretty quickly it led to some paid work. And then with the dawn of cyber and cyber security, it was actually the cyber community that sort of told me that there was another name for it and that there were more people than me that did it. So, I’m always grateful to the cyber community for doing that because it gave the jobs. Made it legitimate, and it made me realise that there could be a business in that and a career. But I’d done it since I was really small.

Oscar: Yeah, fantastic. Super interesting and yes, you said, I don’t know how – you have said that the social engineering term is relatively new. Yeah, I hear it for the first time around 2005, I believe. So, I don’t know how long it has been for that –

Jenny: It’s nearly 20 years, Oscar. That’s the thing, time flies, but it’s still quite new, you’re right.

Oscar: Yes, yes, yes. So since then, to now, has it changed? What you would say is, what would define social engineering today?

Jenny: I think today, firstly, in the industry, in the security industry, it’s a really well-known term now because we’ve realised that a lot of the security problems that companies face and that we face as individuals come from our own human characteristics and ways of thinking. And so now it’s incorporated into lots of pen tests, but also a security awareness training for teams of for staff is so big.

And because social engineering is at the heart of almost everything, you know, so all the cyber – the breaches, the phishing, the phone, scams. A huge proportion of those are down to people being manipulated or making mistakes. So, I think what’s changed in social engineering now, is that it’s a widely known term and that it has shifted the emphasis towards humans.

But of course, humans can only do so much. And so, we need tech as well to do kind of the heavy lifting, to block as much as we can and to stop people being in a position where they have to make a decision as to whether to trust someone or click on a link or open an attachment. So, it’s changed that it’s more widespread but also, it’s now in a nice marriage with technology, which is, which is a good thing.

Oscar: And as you say, your story – you started the with like a playing with entering into houses, abandoned housing, some property. Then it became like a real job entering into properties. Now you have moved to, from physical, good doing these physical attacks, intrusions. To online attacks, you are now online hacker, as that’s my understanding. So, how enjoyable has it been for you, this switch?

Jenny: I mean we still do have to do some physical security. I do less of it now because I’m older and I have a team that, that would do that instead, that I put together a lot of the time. But I still do a few of them because there’s nothing so, so good at proving to a client that there are some issues, than showing them how something was done, you know. So, we do what the bad guys would do, up to the point of harm. So, we still do some of it.

But you’re right, a lot of the job now, did move online because so much of what we all do is remote. And so, the persuasion techniques, the influence techniques, the look – you know, the understanding of human psychology, is very important in terms of what happens with phishing emails or with business email compromise, scams, and breaches. So, we do a lot of those kind of, crafting those messages to show how criminals might do that. And then it’s part of education and awareness to say, well, this is how you might be caught, and this is why it works. So that if people understand how it works, they might be able to protect themselves against it. But you’re right, so much more of it now is online than it used to be. But I don’t think the physical side will ever go away completely.

Oscar: And is it still fun doing that?

Jenny: It is fun. You see, that’s the other thing Oscar, I’m always going to tell you I still do it because it’s still fun. It’s more fun than sitting at a computer but it’s scary as well. Whenever I do a talk or an interview like this, you know, I get lots of DMs from people, lots of emails saying I want to do that job. Can you train me? Can I work with you? Because it does sound like fun and a lot of the time it is quite fun. But it is also dangerous and it’s very hard work. So, to do it properly and professionally requires a lot of research online, and a lot of planning. But I think, people sometimes think, you know, we just tailgate and walk in. And we do that sometimes, but mostly it’s a lot of planning.

Oscar: Yeah, a lot of planning, that might not be the funnest part.

Jenny: No, it really isn’t the fun part, but it’s necessary to do the job properly. I think that’s the thing that, I just need to emphasise in the interviews I do, is that it is a professional part of security. It’s just that it sounds and is more fun than the hours we all spend looking at logs and, you know, sitting at the keyboard. But yeah, it’s still a professional part of the business.

Oscar: Yeah, absolutely. You already mention email, which seems to be – that’s my impression from hearing so much – that it might be the top way of getting hacked today and you know better that. So, why email is still one of the ways to get hacked? Even though there are so many advanced email protections, so I hear for instance, there is nowadays advanced filter, an artificial intelligence protection. A lot of these things that are being added to the mail systems, email system. Yeah, but besides that, there’s so much being hacked.

Jenny: First of all, we all receive so many emails every day. So, email is a huge part of our professional and personal lives and that means that we are – it is necessary for all of us to click on links and open attachments and join conversations with people that we’ve never met before, legitimately, as part of business. The technical tools that help with blocking malware and, you know, emails that carry payloads or that will take us to sites that carry payloads, that’s great and it does block a lot of things. But a technical solution has to be looking for something technical to block, the reason emails still get through and are so effective in social engineering attacks, is because that email may not necessarily contain a malicious file, but it might be the opening of a conversation and that’s difficult to detect with technology.

So, if you look at something like business email compromise, which is when, you know, a criminal will infiltrate someone’s email, pretend to be the boss or the finance director or someone we know and ask them usually to transfer money. That will not necessarily have any viruses or malware in that email. But it’s still an attack because they’re asking that person to do something criminal. The problem is, is it’s difficult to detect because it’s words, it’s language, its persuasion, it’s influence. And, you know, the criminals know that, and they know if they get the tone right, if someone has not been trained properly or if what they say is something that resonates with the target, that there’s a chance of that getting through.

So, I think the technology is, you know, amazing these days to help us with emails and to block some of this malicious files and malicious emails and we need it. We need that tech to do it, so that when we see an email that does get through. We’ve not got 15, or 50, or 500 emails to make decisions on whether or not to follow them up and to engage with the with the person. We’ve only got a few and it’s only on a small amount of emails that we really need to worry about people making their mind up about.

So, the tech is brilliant because it’s preventing so many things from getting past. But we still need humans to understand what a malicious approach looks like. And that’s where the awareness and everything still comes into it because they still get through despite the technology.

Oscar: Yes indeed. As you said, if they, if that first email just passes, doesn’t have anything of, anything malicious at all, it just passes that level of trust – that okay, I trust in this email I continue the conversation in.

Jenny: But you know, just to say is – so for example there are systems and there is technology in place that for example, will block key words as well. So, it might block invoice. And so, I had a colleague who hadn’t been paid by a client and when they followed that up, it was because his email with ‘invoice – to be paid’ as the title, their sort of filters caught that and stopped that getting through. But that was a legitimate email, and this is the problem, right?

The problem is, is that, of course, criminals are going to use language that we need to use to carry on with our business. And sometimes we have a sort of a false positive and a genuine email get stopped. But actually, it’s probably better that that’s the case, than have all the bad ones get through, you know.

Oscar: Yeah, certainly. That’s why, as you mentioned, education many times is focus key of this helping us. If you move to authentication – thinking of a password. A password can be stolen there, you know, there are many ways to steal a password, if the protection is only based on password. Okay, you steal a password, and you get in. So, it’s hacked.

But nowadays with more advanced technology standards, multi-factor authentication you have here, of course, WebAuthn, Fido. These more advanced authentication techniques. Are people less vulnerable, what would you say?

Jenny: Yes. I mean, I think technology helps massively, you know, and things like, let’s say like FIDO and WebAuthn. All of those things are an extra layer, and the more layers that a criminal has to get through, the harder their job is and that’s what we want. But I think for me, the sort of physical security keys that are in the marketplace, they have a sort of a another positive to them, which is – if you are using one of those things every time, you need to plug that into your machine, every time you touch that, it’s reminding you that security is something we need to be aware of.

So, I love the idea – I think anything is bypass-able, you know, because we can always get the person who’s holding the key or using the technology to go around it. They can be persuaded. But in and of themselves, it’s an extra different type of security that people are using and therefore I’m all for it. I think it’s a great, a great thing to do.

Nothing. Nothing is bullet-proof, but it’s a very good start. And two-factor or multi-factor authentication, is one of the things that I urge everyone to talk to teams about, to talk to their families and people outside of the business about. Because although it can be bypassed and got around, it would stop an awful lot of individual attacks and sort of misery. So, two factor or multi-factor, in any form, is always going to be a good thing. It’s better than like you say one thing, which can be found out or hacked – a password.

Oscar: Yeah, exactly. If you see from the perspective of companies like Ubisecure, and many other companies that are building technology products, security products, identity products. What is your best piece of advice for the ones who are building these, these tools, these cybersecurity tools?

Jenny: My advice would be, you have to make them easy to understand and use, right? It has to be easier for a person, a customer, to use your security product, whatever that is, than to get round it and forget about it. People, if something is difficult and it’s easy to do the wrong thing, they will always do the easy thing.

So, people need to understand how to use them. It needs to be as straightforward as possible. And then we need to tell them the why. You know what this prevents, why it matters and why it’s important. And then we need to trust that they will do it, you know, and check-up occasionally, of course. But that’s the key. The key is – make it easy for them to do the right thing and let them understand why it’s necessary.

Now, let me give you an example of something that’s not always good. If we look at one of the things, we tell people in security is to use VPNs, right? Because of course, we know in the business, in the industry that a VPN sort of protects your traffic to the Internet. So, people can’t do man in the middle attacks and things like that. And again, not completely impenetrable, but very good.

But if you ask people and I just mean normal people on teams, not normal people in the street, if you ask them about what a VPN is, it’s hard for them to explain what it does. But then also when you load those up onto your devices, onto your phone and your laptop, you know, this often problems, technical problems, VPN sometimes block websites people want to use. And I’ve had that myself, where I had a VPN on a phone I used, and I couldn’t use the phone because it was so secure that it was stopping me from doing normal things like internet shopping and banking. So, in the end you switch it off and this is the problem is unless people can use that easily, they will just eventually just ignore it.

So, my advice to anyone who makes this type of product and provides these services, is the most important thing is the UX, it’s the user experience every time. Because then they will adopt it and eventually hopefully become advocates for your product. But if you make it difficult, they will abandon it.

Oscar: Yeah, that’s the worst that can happen of course. That you have the best possible tool, but people abandon it because, as you said, it’s not simple enough.

Jenny: Right.

Oscar: Besides email, email phishing. I think, one word that comes up all the time, when we talk about, we hear about hacking breaches is, ransomware. So, what is the link between social engineering and ransomware?

Jenny: So, there are really two, I guess. Ransomware obviously is, gets onto someone’s system becomes a problem through the social engineering methods that we’ve already talked about. So often, these things start with an email, or they start with access escape because someone doesn’t update software. And then, you know, the attackers get onto the network and become, you know, and sort of sleep on the on the network for a while and spy on you and then a ransomware attack is then initiated.

But I think the real link to social engineering is, the key emotions that are used in ransomware, even if no conversation happens between the criminals and the target. Because what ransomware really depends on, are the things that malicious social engineers use all the time. You know, fear and shame are two of them.

So, you know, we’re on your network, we’ve got your files, we’re going to delete them or release the data. Well, people will – that’s a scary thing for a business. It makes your emotion high, your fear high and also, that fear that, you know, this will affect our brand, we’ve missed something on security, we’ve been sort of lax on security and, you know, that will be a problem. So, it relies on a very human emotion in order to make people want to comply with that.

And then there’s that very clear business decision of, you know, do we pay this, because it’s cheaper and easier to pay it than to go through all the problems that might cause if we don’t pay it. And in security, we always say, don’t pay, but it’s not always that simple. For a small company, they might be covered by insurance, pay the ransom and be able to get on with their business in a day’s time, which is a tempting thing. So even though we in security know you should never do that, it’s hard for people in reality to make that decision sometimes.

And it also relies on a big psychological tool, which is urgency. So, you know, typically ransomware, you have a time frame in which to pay the ransom. Usually, they add sort of psychological elements, like you will see counters and, you know, messages telling you the time is running out. And all of that kind of stops us making rational decisions because it’s hard to make good decisions when you’re worried and frightened and anxious about the business and, you know, the time is the factor.

So, it’s important for all those reasons, I always say that ransomware is a big part of social engineering – well, social engineering is a big part of ransomware. In as much as however distant and remote the attacker might be, even if there’s no conversation, the attack, by its nature, is a social engineering attack. It’s putting a human being or a group of human beings under pressure to do something that is not in their interest and that makes it pure social engineering.

Oscar: Yeah, very interesting that viewpoint, you talk about. The ransomware, it shows why many people are unfortunately paying and that this type of criminality continues. I’d like to hear how, I guess some time you have been – someone has tried to social engineer you, I guess. If you can tell us if that happens, if that you have ever felt that you were close to, to fall and how you protect yourself normally if someone wants to attack you this way.

Jenny: I get lots and lots of attempts at social engineering. Obviously, because it would be great to catch me out, as I’m the person that talks about it, probably, or one of the people that talks about it the most. It would be great. So, I get lots of attempts that are very obviously social engineering and particularly the ones that use all my advice or examples I give in keynotes. That’s actually quite strange.

I’ve been caught out a couple of times, one time was, I was at a conference and there was the guy at the conference who I knew, and his wife was pregnant, and she was heavily pregnant. So, she, you know, he was sort of on standby to go home in case anything happened. And he came to me, and he said, my phone’s died, I got a call from my wife, can I borrow your phone? I need to call straight back, because I knew both of them. And then he took my phone and took a picture saying I hacked Jenny’s phone, you know. But, you know, he’s dead now. No, I’m joking. So, there was that.

But no, I get quite funny attempts from kids. So, I think children sometimes see me on social media, maybe. I’ve done a few sorts of shows on social media that – I did an interview for LadBible, which is a quite a big platform. And someone had chopped up the interview and put it on TikTok and of course all the kids watch TikTok more, more I think than adults, right. And I started to get these emails that were, that were really quite funny. So, it was like – I got some that were just threatening, so it was, but really obviously a kid.

So, it was like, we’re going to get you through social engineering, click on this link and quite a lot with QR codes that led to the Rickroll, I got those. Which we open on our dirty machine in the office that we can open things on, and they were quite funny. And I knew they would be Rickroll’s before I did it, but still. I get things like that, and I also get things that try flattery, you know, so, we’re such big fans, and we took a photograph of you at an event, do you want to see and there’d be a little link, you know. And I kind of, when I know it’s just people sort of trying to catch me out and it’s not really malicious, it’s sort of a joke because it’s me, I don’t mind that.

And then I think the rest of the time when they are serious attempts by people who are criminals, I hope I catch most of them, but I would never say I caught all of them. None of us ever do. And that’s really the message is always – it doesn’t matter who you are, if it’s the right script at the right time, we will all fall for it. However alert you think you are, we’re all human and there are times when we just – our guard is down. So, people do try all time, in person I don’t think they try very much, I think probably I would know they were nervous, you know, I’m just thinking of a few times. And they probably know that. But you know, again, you can’t always say it.

Oscar: Yeah, super interesting. Yeah, of course, everybody has to be well protected and as you said, it’s a lot about getting educated, really understanding, how real hackers are acting.

Final question, for all business leaders that are listening to us now, what is the one actionable idea that they should write on their agenda today?

Jenny: So, I’m asked this a lot, you know, and there’s lots of advice that we give. We can talk about the red flags of social engineering. You know, I mentioned a couple of them, you know, getting your emotions high, urgency. We could talk about cyber hygiene, we’ve spoken about that, you know, have multi-factor in place, use good tech.

But the key really for me, the thing that I want businesses to do is – you’ve got to know your people better than the bad guys. And what that means is, a really serious attack on a business will look across all of your teams, all of your operations, your network, your architecture, and they will really dig into that to find the best way to get to you.

And if we understand that people are probably the easiest way in, a lot of the time, what we have to be able to recognise is when someone is behaving strangely or has done something wrong – and that means a culture of acceptance and of understanding and of education. So, we need to know those people, that work for all of us, have to feel confident that they can come to you and say, I think I clicked on a link that might be malicious. I think I forwarded money to someone that might not be the finance director or the CEO. I feel that – I’ve been talking to someone on social media and now I’m not sure whether they’re genuine. So, know your people well enough so that they feel they can come to you and not get into trouble for falling for a con by professional con artists.

And if you can put those things in place, we know when someone’s worried, we know when someone is scared or when someone has made a mistake, then we can help prevent it. Because what criminals are relying on, a lot of the time, is isolating their target within a business and making their target too scared to really ask for help and to tell people this might be an issue.

And that’s something that is not easy, because it requires – especially in a huge company, that means line manager level, you know, your level, knowing the people, knowing your team, looking if someone is stressed, helping someone if they’ve got issues outside the workplace, and also knowing if their behaviour is different online and in-person as well, you know, is there a break in the pattern? Are they downloading files, are they being blackmailed into helping someone from the outside?

And to do that’s not easy. It requires time and focus and a genuine interest in your people, but it doesn’t require necessarily lots of money. And I think that’s the thing. I would say, do not think you can throw money at the problem, and it be fixed. Get good technical products, good technical services. Make sure that you have the best technology that you can afford to protect your business, but at the same time, work in harmony with your people so that they are the eyes and ears for your organisation and for their security.

Oscar: Yes, I couldn’t agree more. It’s a really very good reflection and thanks a lot, Jenny, for telling us your stories. Educating us a lot about social engineering and getting protected. Please tell us, how people would like to know more about yourself on the net, how they can find you.

Jenny: It’s been such a pleasure chatting to you Oscar. If people want to find out more about me, I’m known as the People Hacker online and that’s Jenny Radcliffe. You can find me mostly on LinkedIn and Twitter and Instagram and my website’s humanfactorsecurity.co.uk and as you say the books out in February 2023, and it’s called People Hacker and you should be able to find it at most, at this point, in Europe. So, the EMEA countries; Europe, Middle East and Africa. The distribution’s a little bit weird, but you can definitely get it in the UK and then soon to be the US and further afield. So, if you keep an eye on my post, you’ll definitely see me shout about that.

Oscar: Excellent. Definitely will read your book. Fantastic.

Jenny: Thank you, Oscar.

Oscar: Again, Jenny. It was a pleasure talking with you and all the best.

Jenny: Thank you, Oscar. Goodbye.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.