Social engineering is effectively hacking human thought processes.
The usual interpretation of blackhat hacking is the manipulation and repurposing of electronic systems to perform unintended actions for personal or national gain. Social engineering is a major factor in the overall process but is not directly part of repurposing electronic systems.
Nevertheless, a social engineer is usually classified as a hacker, and is sometimes described as a people hacker. The social engineer specializes in manipulating the human subconscious into doing something unintended – or more specifically, doing something intended by the social engineer that will lead to immediate financial gain or subsequent future electronic system hacking.
Put simply, a social engineer manipulates human thought processes rather than electronic system processes and requires a different set of skills to the computer hacker. For a better understanding of the social engineer, SecurityWeek spoke to Stephanie ‘Snow’ Carruthers, whose official title is Chief People Hacker at X-Force Red, IBM Security.
The making of a social engineer
The desire to be a hacker is usually innate, and commonly emerges in early life: teens or even pre-teens. This did not happen with Snow: she was a married freelance special effects makeup artist when it all began.
Her partner planned to attend DEFCON. She went with him, more for Vegas than DEFCON. But after falling asleep in a reverse engineering malware presentation (“It went completely over my head,” she explained) she was encouraged to go and find something of more interest. She did, and found a lock-picking village. Within a couple of hours, she had picked her first lock.
“There’s something magical that happens when you pick a lock for the first time. It’s like this light bulb goes on: Oh, that was so cool, and that was so easy. And then you start thinking about everything in your life that you assume is safe and secure behind a lock, whether that’s your front door, or your safe. That’s when I first started to see the importance of security.”
She moved on, looking for ‘more trouble to get into’. She came across the social engineering village but didn’t – at first – understand what was going on. Then she realized that this person on the phone was trying to get information from that person at the other end of the phone. She thought, I could do this, I’m a friendly person, and this is really fascinating.
“I thought this is hacking too. Just because it’s not a computer doesn’t mean it’s not hacking. They’re trying to get information from someone over the phone. And so, I left DEFCON on fire and excited to learn everything I could about social engineering and physical security. I found every book I could. I started branching out and reading different types of influence techniques and psychology practices and cold calls and body language – just from a pile of books.”
She went back to DEFCON the next year and the next and competed in the Capture the Flag contest – not seeking to win but because it provided an environment to test her new learning. On the third attempt, she did win, and was awarded a DEFCON Black Badge. In little over three years, she had transformed from a special effects make-up artist into a social engineer. She was not a born hacker, as many computer hackers describe themselves, but had shown that with enough interest, intent, and dedication, you can teach yourself hacking.
A legitimate profession in social engineering
Snow got her first break into the world of white labeling (similar to a writer ghost writing content anonymously rather than a freelancer who contributes openly for different clients) almost immediately. A member of the audience asked her to test his employees to see how they stood up to social engineering.
A demand for ‘whitehat’ social engineering services was evident and growing, so she branched out into freelancing, including with cybersecurity consultancies. Many had their own pentester hackers. “They were very technical, and very good at their job. But they didn’t want to do social engineering, which is not surprising since it involves a completely different skillset,” she explained.
“I was able to work for a handful of different consultancies full time and, and finally landed at IBM. I’ve been here five years and I now lead a global team of social engineers. We provide social engineering awareness assessments for clients.”
She had started by falling asleep at a malware reverse engineering presentation, stumbled into lock-picking and social engineering villages, and progressed into a professional, and legitimate, chief people hacker with a major global company.
The people hacker
For the computer hacker, the basic motivation is almost curiosity to the point of compulsion. Some in this series have said that when they receive a new system, the very first thing they want is to take it apart and remake it to perform the unintended. It’s different for Snow – she doesn’t meet someone new and immediately wonder how she could manipulate that person. For her, the motivation is two-part.
The first part, she said, is, “I love a challenge. And I feel like this world of social engineering is constantly a challenge, and I’m constantly learning and understanding how people work. So that’s half of it.”
The second part is her love of helping people (which, ironically, is one of the key human attributes that makes people susceptible to being engineered). “At the end of the day. I want to be able to help clients be more secure and help them find their vulnerabilities so they can fix them before an attacker finds them.” It’s that combination of loving the intellectual challenge of manipulating people but at the same time as helping them, that makes Snow a whitehat people hacker.
That second part, probably an aspect of the elusive concept of ‘moral compass’, also explains why she has never used her skills maliciously as a blackhat people hacker. Many juvenile computer hackers start by hacking their friends’ computers just for fun and to be the cool kid on the block. But at some point, their built-in moral compass points them towards wearing a black or white hat. “The thought has never crossed my mind,” she explained. “When I started, I just wanted to learn how to do it. When I knew how to do it, my only thought was how I could use this knowledge to help people be more secure.”
Snow believes a social engineer must possess a solid understanding of psychology but doesn’t need to be a psychologist. The required information can come from watching people and reading books, and then applying what is learned. There are three elements to social engineering: people (that’s the psychology bit), technology (understanding how to deliver the social engineering without being discovered), and business risk (understanding who to target and for what purpose).
“There’s no training course that ties these three elements together. So, for me, it was just a lot of book reading, in situ practice with clients, and learning from doing.”
In the real world, there are two primary types of social engineering-powered phishing: the large scale mass spray and pray email campaign, where one template is used for all targets; and the more narrowly targeted spear-phishing aimed at a single person or small closely related group. The former is a numbers game where criminals are statistically guaranteed to catch a number of victims, but don’t know who they will be. The latter is used when the target is known and desired. That requires more time and skill: Snow can do both.
An interesting question today is whether the arrival of gen-AI will be able to combine targeted spear-phishing with mass email campaigns. AI will obviously boost the mass campaigns in speed, size, and content; but Snow is not sure it can replace the skilled spear-phisher. The problem is emotional intelligence: humans have it, but AI does not. LLMs are not good at recognizing nuances and translating them into emotionally persuasive arguments.
“Psychology remains the most important part of social engineering,” says Snow. “You can have AI improve the mechanics of construction and delivery, but it cannot yet improve the emotional persuasiveness of the skilled social engineer.”
An example came when we discussed the emotional triggers that the engineer might use in a phishing email. “Many people have an underlying desire to be helpful,” she said, “and appealing to that desire can be effective.” But other people can be selfish, and asking a selfish person to be helpful is less productive.
The skilled human social engineer with emotional awareness can determine such psychologic nuances from the target’s social media posts in a way that AI cannot – at least, not yet.
The criminal element of social engineering has a similar divide: successful engineers with an understanding of human psychology are likely to engage in spear-phishing – with a quality that most people cannot recognize as a phish and cannot be trained to do so. Less skillful engineers will simply use trial and error using text-book triggers (fear, greed, urgency, etcetera), and repeat whatever is successful. Social engineering awareness training is more successful in this area.
Social engineering versus computer hacking
Social engineering and computer hacking are often part and parcel of the same company compromise, with the former preceding the latter. There are sufficient similarities in intent to bracket them under the single term ‘hacking’. Both attempt to coax an unintended response from a system — a human nervous system for the social engineer, and an electronic man-made system for the computer hacker.
The difference is in complexity: a machine is its manufacture plus patches common to hundreds, thousands and possibly millions of instances; while a nervous system is the sum total of a lifetime’s experiences, unique to every individual (yet with enough commonalities to make email phishing campaigns statistically successful).
When any victim is the target, the spray and pray type of email phishing campaign is still effective. This will continue to be a major problem for all businesses and will likely increase over the next few years. Phishing-as-a-service organizations will multiply the number of criminals engaged in the activity, while gen-AI will automate its generation and distribution, and improve its appearance and grammar. But it will remain possible for awareness training to reduce its efficacy because of its lack of emotional intelligence.
Spear-phishing from an elite social engineer is different. The process cannot be successfully automated by current AI. Spear-phishing at the highest level chooses a specific high value target, studies the target’s personality and life preferences, and tailors an attack accordingly. Social engineering at the highest level is undetectable.
The difference between elite social engineering and computer hacking is the difference between an art and a science. The attack path for computer hacking is ultimately visible; the attack path for the social engineer is only discoverable by inference.
Related: Hacker Conversations: Chris Wysopal, AKA Weld Pond
Related: Hacker Conversations: Casey Ellis, Hacker and Ringmaster at Bugcrowd
Related: Hacker Conversations: Youssef Sammouda, Bug Bounty Hunter
Related: Hacker Conversations: Inside the Mind of Daniel Kelley, ex-Blackhat
