It’s how Ferris Bueller took his famous day off.
It’s how Sherlock Holmes, Walter White, and even Hannibal Lecter got information they were looking for.
So what’s their secret? Social engineering.
Social Engineering: An attack vector that uses psychological manipulation and deception in human interactions to obtain sensitive or confidential data.
In the world of information security, these types of attacks are on the rise. In 2013, a Verizon study revealed that 29% of breaches were linked to social engineering tactics. And according to a survey of security professionals, 85% of respondents reported being the victim of a phishing attack in 2015, which is a 13% increase from 2014.
Social engineering is tremendously effective because it preys on weaknesses in human behavior. It uses confidence tricks to exploit people’s natural tendency to trust. You don’t need sophisticated software or technical expertise to pull it off, either.
Take a look at how easy it was for Jimmy Kimmel to trick people into giving out their passwords — just by asking them a few simple questions:
For decades, Hollywood has had a field day with social engineering in movies and television. Here are the most common social engineering tactics, how they’re used in movies, and why they’re so effective in real-life scams.
Pretexting
Pretexting is when attackers fabricate a believable scenario in order to access confidential information. Trust is a key element here, so social engineers will do some research, as well as strategic impersonations, in order to build a sense of trust and dupe the victim.
We see this technique used time and time again in popular movies and television shows. Not only is it entertaining to watch, but it also works like a charm.
In Breaking Bad, Walter White impersonates a New York Times reporter on the phone in order to track down his targets’ home address. In Sherlock, Sherlock Holmes shows up on a woman’s doorstep, bleeding and injured. Claiming he was just attacked, he successfully gains access to her house. In Ocean’s Eleven (2001), Matt Damon’s character impersonates a gaming commission agent in order to obtain the vault access codes.
In fact, some movies are based entirely on pretexting.
- Six Degrees of Separation (1993): Will Smith plays a con artist who shows up, bleeding from a stab wound, at a wealthy Manhattan couple’s apartment. He claims to be a college friend of their children, and the son of Sidney Poitier as well. The couple, impressed by him, lets him live in their home and even lends him money. This was based on a true story.
- Catch Me If You Can (2002): Also based on a true story, this film might be the granddaddy of all social engineering movies. Leonardo DiCaprio plays Frank Abagnale, a con artist who impersonated a PanAm pilot, a doctor, and a prosecutor, and stole millions of dollars too — all before he was 21 years old.
- Ferris Bueller’s Day Off (1986): Who can forget Matthew Broderick’s performance as breezy truant Ferris Bueller? Pulling off his day of playing hooky took a whole string of impersonations, both in person and on the phone.
Why is pretexting such an effective tactic? It’s because these made-up stories are engineered in such a way that they appeal to our inherent desire to help and trust others. They prey on innate human emotions like fear, sympathy, confusion, guilt, and flattery. Here are some examples:
- Hackers (1995): A hacker calls up the security desk, impersonating someone from the accounting department, and claims his file was just wiped out. All the classic emotional manipulations are there: Urgency (“I got this big project due tomorrow”); sympathy (“I’m in big trouble”); and fear and guilt (“If I don’t get it in, he’s going to ask me to commit hara-kiri. Can you read me the number on the modem?”)
- Red Dragon (2002): The infamous Hannibal Lecter impersonates a book publisher from a jail cell and wheedles the temp who answers the phone into giving him an address he’s looking for. Again, the emotional appeals are there: Urgency (“Gosh, I have to catch FedEx in about 5 minutes”); sympathy (“He told Linda to send it tonight and I don’t want to get her in trouble”); and flattery (“Be a darling”). He even jokingly employs another social engineering tactic called quid pro quo, which involves promising a benefit in exchange for information. He jokes, “I’ll dance at your wedding if you read it to me.”
Even though the movies are fictional, pretexting is very much a real social engineering technique, and it can pose a serious security threat. For instance, social engineer Jessica Clark recently demonstrated just how easy it was to hack a reporter’s cell phone account by pretending to be his wife. To do so, she spoofed his phone number and acted like a frazzled new mother (with the help of a YouTube video of a baby crying in the background).
Phishing
Phishing is when attackers send persuasive messages containing malicious links, files, or attachments, in order to acquire personal information.
In 2015’s Blackhat, hackers send a phishing email asking employees to change their password and download a password security PDF, which installs a keylogger in the process. While many viewers felt that the plot devices and hacking in Blackhat were unrealistic, security experts agreed that the phishing scam in it was downright plausible.
Phishing is a highly effective social engineering tactic because the messages usually sound urgent, prey on people’s fear, and look like they come from legitimate sources. It’s resulted in many high-profile breaches in the past few years. Most recently, Snapchat suffered a data breach when an attacker impersonated their CEO in an email and an employee divulged sensitive payroll information. In 2015, a London hedge fund lost $1.2 million when the CFO fell victim to a vishing scam and gave out confidential bank details.
Baiting
Baiting refers to dangling “bait” in front of victims and piquing their curiosity. This could be a file disguised as a free music or movie download, or a malware-infected USB flash drive with your company logo on it, left out in the open. Once the file is downloaded or the device is inserted, malicious software is installed, allowing attackers to access your system.
In Mr. Robot, a television show about a cybersecurity engineer and vigilante hacker named Elliot Alderson, we see an example of baiting. Elliot, who is trying to hack into a prison’s computer system, has his friend “accidentally” drop a handful of infected USB sticks all around the prison parking lot, in the hopes that an employee will plug one into a device and thereby grant Elliot system access.
While this might seem like an unrealistic plot device, it’s not that far-fetched. Back in 2008, a single infected USB stick set off the most significant cyber attack ever against the US military. And earlier this year, in a social experiment where 200 unbranded USB sticks were dropped in public spaces across Chicago, Cleveland, San Francisco, and Washington, DC, almost 20% of them were picked up and plugged into a device.
Tailgating
Tailgating is when an unauthorized person gains entry into a restricted area by following behind someone who is authorized. Another common scenario is when an unauthorized person claims he forgot his ID, or has his hands full and can’t swipe his ID, and asks to be let in. This is an effective tactic because it’s human nature to want to help, and people want to be polite.
We see this technique in the show White Collar. Neal Caffrey (played by Matt Bomer) is a criminal consultant for the FBI. In one episode, he manages to bypass security and sneak into a newsroom because his hands are full balancing two massive trays of coffees, and the security guard buzzes him in.
And here’s an oldie, but a goodie: 1992’s Sneakers. Robert Redford’s character, who has his hands full with a cake and colorful balloons, pretends to be heading to a birthday party upstairs. Standing at the turnstiles, he urgently barks at the security guard, “Buzz it, okay? We’re late for a party on the second floor.” Meanwhile, Redford’s partner creates a commotion at the security desk, distracting the guard and adding to the furor, until Redford finally shouts, “Push the damn buzzer, will you!” and walks through.
Cyber Risks: The Danger is Real
Most sexy Hollywood plots are fictional, but the dangers of social engineering are real, and they’re something that security teams need to pay close attention to. Despite technological advances in security measures, humans remain the weakest security link. The first step in protecting your organization is educating your employees on the dangers of social engineering — instill a culture of security and empower them to recognize possible threats. To identify weak areas, test your systems for vulnerabilities, and create an incident response plan. These steps are just a few of the ways you can mitigate information security threats.