How I Used Social Engineering to Hack My Team

I have a confession to make. I… am a hacker. It’s not a full-time gig or anything. In fact, most of the time I’m a relatively mild-mannered IT professional. But every now and then, when the moon is full, the evil genius inside me (“Evil-Leslie”) will rise. I’m just kidding – it has nothing to do with the moon. And Evil-Leslie almost always has good intentions. Let me explain…

Background

I oversee the information technology (IT) at Milestone Health Care Quality Unit (HCQU) West. As part of my role, I occasionally provide cybersecurity training for the HCQU staff. We talk about all the ways cybercriminals use social engineering to take advantage of us. Social engineering is a way that attackers trick people into giving away personal information or access to systems. Instead of hacking computers directly, they use psychological manipulation to exploit human nature.

For example, an attacker might pretend to be someone you trust, like an IT support person, and ask for your password. Or they might send a fake email that looks like it’s from your bank, asking you to click a link and enter your account details. In short, social engineering is about tricking people rather than breaking into systems directly.  

Over the years, the HCQU staff have had multiple cybersecurity trainings so they’re pretty well-equipped to protect our agency’s network and our professional integrity.

How It Began

I work with some very special people. Each of them is amazing at what they do and their compassion for the people we support is immeasurable. Not one of them would ever hesitate to help someone in need, whatever the need, regardless of the personal cost. Unfortunately, these qualities also make someone a prime target for social engineers and cybercriminals.

While developing our annual cybersecurity training, I was trying to come up with an activity to help drive that point home. Then, when I reported at a staff meeting that we would have our annual cybersecurity training at our next meeting, it hit me.

I always try to include a fun quiz of some kind at the end to gauge what people learned, so a couple of people confidently joked, “Bring on your quiz!” I laughed along, but in my mind Evil-Leslie raised a perfectly sculpted eyebrow and whispered in her Cruella de Vil-like voice, “Look at them. So confident and sure of themselves. You know…. you could use social engineering on them…”

And an evil plan (with good intentions) was born.

The Hoax

Here is the story of how I socially engineered my team. A couple of weeks before I would give the cybersecurity training, I enlisted the help of a colleague in our main office, and I crafted an email for him to send to the HCQU West team. The intention of the email was to trick everyone into believing that I was going to get an award and then get them to divulge sensitive information about me. The email said:


Hello,

Your IT Administrator has been nominated for EMPLOYEE OF THE YEAR! For the ceremony, we’d like to gather a little information about your IT administrator. Please fill out the atached form. When you’re are done, reply to this email and attach your completed form. Please do as soon as possible. Your help is much appreciated.

Shhhhhh Don’t tell the employee. It’s a surprise!


Image of actual email. Notice the intentional spelling and grammar errors!

Attached to the email was a fillable Word form. It contained questions asking for information about the “EMPLOYEE”, such as:

  • Name
  • Job Title
  • Email address
  • Mobile number
  • Marital Status
  • Spouse’s Name
  • Number of children and their names
  • Number of pets and their names
  • Parents’ names and contact info
  • Siblings’ names and contact info

The Results

On the day of the training, I went through all the different ways that cybercriminals can trick us into giving up information we normally wouldn’t. I threw in a couple quiz questions, which they quickly answered correctly. I could tell they were feeling confident and pretty good about themselves.

Then, I revealed an image of the email they had all received. And I watched their faces as they realized they had been duped… and by me of all people!

It probably goes without saying, but my team failed… miserably! They ignored every single red flag and their better judgement. A whopping 70% responded to the email and sent the completed questionnaire back as instructed. One person even went so far as to reach out to my mom and my best friend on Facebook! Another offered to do some additional investigation to get more information about me. And the few who didn’t respond? Well, they freely admitted they would have if they had any additional information to share.

Hindsight: Always 20/20

After my scheme was revealed, everyone said there were a couple of things that seemed “off” (the misspellings, the urgency, the request to keep it secret), but they shrugged them off because they were so excited that I was getting an award! I felt loved and terribly guilty at the same time. But the takeaway is that they were led by their emotions to do exactly what I, the social engineer, wanted them to do.

So, what if this had been a real social engineering scheme? With the information they gave up, any competent attacker could have turned my life upside down. The names of a spouse, children, pets and parents are exactly the kind of answers that account-recovery “security questions” ask for, and contact details for family members are a ready-made list of people to impersonate, or to impersonate me to. The weight of that thought hung heavy in the room as we talked about how they were so excited for me – again, I do feel terrible about that! – and how that excitement led them to throw caution to the wind and give up everything they knew about me.

Conclusion

Many of us whose vocation is in social and human services are most vulnerable when we think we can help someone in some way. So, it is important to be self-aware and mindful of our own vulnerabilities. Most of us know when something doesn’t feel right, and I hope you will trust that instinct from now on.

Social engineers prey on the qualities that make us human – sympathy, empathy, curiosity, fear, common courtesy, etc. It’s very important to know what might make you click a link, open a document, download a file, or give out information. So, when you find yourself hovering over a button, link, or attachment, pay attention to the emotion that’s driving the temptation to click and learn from it.

To My Fellow IT Professionals

If you are able, I encourage you to try socially engineering your team. Standard phishing tests are great and do offer some insight into how well trained your workforce is, but at the end of the day, most cybersecurity training is just checking a compliance box. The team of people you support spend the majority of their time serving their fellow man. They may be sufficiently freaked out after cybersecurity training, but they’re not likely to retain much of the information because it doesn’t connect to their everyday experience. But if you help them connect to it on an emotional level, they will have a deeper understanding, making them better equipped to protect themselves – and your organization – from cybercrime. Two practical notes if you try this: clear the exercise with leadership beforehand so it is sanctioned, and make yourself the subject of the questionnaire, as I did, so the only personal information collected is your own.

The overall reaction to the experience was very positive. The team appreciated the lesson and understood the importance of being vigilant against social engineering attacks. Many of them mentioned that the experience made the training more memorable and impactful because it raised their self-awareness. Some even said they were more cautious and aware of potential threats in their daily work afterward.

It turned out to be a valuable learning experience for everyone involved, and it sparked ongoing conversations about cybersecurity within the team. How do you think your team would react to a similar exercise?

Need some other ideas on how to make cybersecurity training more fun and engaging? Check out the suggestions in this article on Companywide Cybersecurity Training: 20 Tips To Make It ‘Stick’!

Leslie Dollman

Leslie is the MIS Administrator at Milestone HCQU West.
