Meet the people hacker trying to improve cybersecurity

30 Sep 2024

Jenny Radcliffe. Image: Martin Hobby

Jenny Radcliffe went from getting into abandoned buildings just to see if she could, to becoming a ‘burglar for hire’ – but only to weed out the security weak spots.

Can you hack a person? With social engineering, you kind of can.

Social engineering is the psychological manipulation of people. In terms of cybersecurity, this is usually in order to get them to do things like clicking suspicious links or divulging confidential information.

Jenny Radcliffe, a self-professed people hacker, says social engineering is “every bit as lethal as a technical hack, but it doesn’t use technical means”. While some forms of social engineering can use technology as an aid, ie, through emails or with the help of some AI-generated deepfakes, it all comes back to human psychology.

Radcliffe will be the keynote speaker at an upcoming cybersecurity lunch and learn event, hosted by Viatel Technology Group, on 4 October 2024 in Dublin. Her LinkedIn profile says she’s a “burglar for hire” – but in conversation with me she hastens to add that, while it’s a flashy tagline and technically true, “I only rob you if you pay me and if you ask me to do so”.

Essentially, she uses her skills of ‘breaking in’ for good, looking for the weak links in a company’s security system to help them strengthen their fortress. Her own interest in this kind of work started all the way back when she was a kid trying to break into abandoned buildings just to see if she could.

Of course, at the time, this wasn’t the kind of work your career adviser told you about. However, as she grew up in Liverpool and got talking to people she discovered how it could be a job.

Chatting to soccer players who were having robbery issues, Radcliffe opted to figure out if they had a security problem by getting into the house and then telling them how she did it. Now, it has expanded to businesses.

“There’s two parts of the job, so there’s the physical infiltration, but often to get to do that, we have to create an approach and an online relationship of some kind, just to gain the information we need, but through that same psychology and understanding how human beings work and what makes us click on a link or open an attachment, we also construct scripts for ethical phishing and approaches by phone and all these different things,” she says.

“The same skills we use the persuade our way into a building, you can also use to persuade someone to click on a bad link or to give information over.”

She stressed that all of this is intended to educate a company or a person so that they know and understand why they fell into the trap that was set ethically so that they won’t do it when it happens for real.

Stop telling humans they’re weak

Humans are often deemed the ‘weakest link’ in the security chain and in some respects it can be true. Based on Radcliffe’s whole job, the right type of psychology and social engineering, combined with catching a person at just the right time, means they’re the easiest gate for a cybercriminal to try and crack open.

However, Radcliffe also warns against the language that is used in this respect because it can have a negative impact.

“By nature of being human, we sometimes get tired or sick or our attention goes the wrong way, we make mistakes. But if we keep telling people all the time in the press, in the industry, that you’re the weakest link, that doesn’t really get people on board, confident that they can do something against the breaches, the scams, the social engineering maliciously that they face.”

While she knows it is used to simplify things, she says it’s important to change it up a bit more to stress that humans are one weak link, but they don’t have to be. “We can make ourselves stronger and more resilient if we do things like basic cyber hygiene and we learn a little bit, educate ourselves about how this stuff works and what we can do to prevent it,” she says.

‘We’re all vulnerable’

“We need to stop – in the security industry – being so binary that some people are good, some people are bad, we’re weak or strong. It’s not like that. Like everything else in the world, this is more complicated. It’s more nuanced. If we keep on telling people that they’re weak, they tend to switch off.”

Similarly, Radcliffe says it’s important not to presume that any one demographic is more likely to ‘fall victim’ – another term she’s not a fan of – to a phishing scam.

“The way that you’re caught by these things often is tailored more to you and so it has got more resonance. So, the hacks that people fall for in terms of social engineering are often ones that you’d expect them to fall for.”

While young people might be more likely to be targeted through scams on Snapchat or TikTok, professionals might be hit with a job offer scam and older generations might be subjected to more investment or pension-based scams.

Radcliffe says even she nearly fell for one when she received a very convincing PayPal scam about an invoice for an Apple watch that came at a time when she had bought a family member an Apple watch as a gift.

“When we talk about how often people are hacked and why they’re successful, that was me still in bed, drinking the coffee, looking at my phone…no glasses on, just woke up, little bit foggy, drinking my coffee, perfect. I didn’t click on it, but I nearly clicked on it,” she says. “We’re all vulnerable.”

The changing cybersecurity landscape

While technology is constantly evolving and changing the threat landscape, the first major trend that comes to Radcliffe’s mind when I ask her is actually about the amount that it is talked about in the media nowadays.

“People have got scam fatigue,” she says. “It’s all over the papers, all of the time and the story becomes repetitive and people get bored.

“So the security industry has a problem that people fatigued by it. I always say, you know when you get on a plane and they go through the safety thing before you take off, they do the seatbelt and the mask etc. And once you’ve flown a few times, you do tune it out…it’s that that we’re up against because it’s still very important and it still needs to happen.”

Unsurprisingly, the second trend Radcliffe mentions is AI, which can be used to write these social engineering scripts, firstly very quickly, which means a much higher volume of scams, but also potentially more targeted, making them more effective against people.

“For the more targeted attacks, those deepfakes [and] voice cloning attacks are very convincing and because that puts a person in an emotional frame of mind, that’s when it’s more difficult to make the right decision.”

However, she did have some optimism about the future because younger generations are almost being brought up surrounded by this technology, making them potentially more perceptive about what’s real and what’s fake.

“They don’t expect things that they see online or in the news, they don’t just assume that that’s true until proved otherwise. They always seem to say, ‘well that could be fake’. So I think that’s a positive that we should encourage.”

Advice for leadership

Cybersecurity has become one of the most important considerations for leaders today, and therefore it should not solely be left in the hands of the chief security officer. According to Radcliffe, one of the biggest problems the industry has is around communication and messaging, so who better to ask for help in that area than marketing professionals?

“Within a business there are people whose whole job it is to communicate effectively,” she says. “[These are] people who are not necessarily technical but are good at getting messages out there.

“If you can push it away, a little bit from the expert side and share the workload, I think it’s effective and it will also give technical people more time to deal with the increasing threats they face.”

She also warns that when it comes to educating staff about cybersecurity, leaders need to make sure they’re using the right method. What may be boring for one person could be the best way to train another person, so find what works, but repetition is key.

“Try and provide a couple of different things to do, but you can’t just give people awareness training and then never talk about it again.”

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Jenny Darmody is the editor of Silicon Republic

editorial@siliconrepublic.com