The tried-and-true identity theft technique: Talking you into giving up your information

Posted on November 1st, 2008
Published in The Privacy Council

This week, I had the good fortune to see a presentation by Kevin Mitnick, the former hacker who now makes a living as a security consultant. I went into the talk expecting a 90-minute lesson on the latest tools and toys that hackers might use to steal my identity. Instead, Mitnick’s very engaging lecture was about a low-tech trick that hackers have used since hacking began, and that they continue to use today: social engineering. Put simply, a skilled hacker can get the information he needs just by asking for it, bypassing technology entirely and exploiting the weakest link in the system: the human being.

Mitnick described how easily a hacker might call a company, ask for some seemingly harmless information, and use it to get more sensitive information out of the company’s computers. He spoke about how smooth-talking tactics from someone who claims to be part of the company are sometimes all that’s needed to get to the important data, and that the criminals play on the fact that we as humans have an inherent desire to help others, even when we don’t know them personally. Mitnick painted a picture of a hacker (he used to be one of the best) who could simply use the staff directory information posted on a company’s website to call the right people, say the right things, and hang up with the keys to the kingdom. He made it sound both simple and widespread. The presentation left me and my fellow listeners a little stunned, and more than a little paranoid.

The main issue at the heart of social engineering tactics, Mitnick said, is that we as humans are trusting, helpful people. We don’t really believe someone could steal our identities until it actually happens to us. We don’t think to question it when “Bob from Accounting” calls for some simple information, even if we’ve never met Bob personally. And the helpfulness and trust don’t stop at work; Mitnick mentioned how nine out of ten people in London were willing to tell a stranger their password in exchange for a cheap pen, and how others will happily disclose their pet’s name or the school they attended, forgetting that those questions are the same ones used to verify accounts online (Privacy Council posted an article about protecting those security questions in September). Psychological manipulation, he noted, is easier than breaking into a computer system.

Phishing is one form of social engineering attack, since it tries to trick the victim into clicking a link in an email and giving away sensitive information. Phishing works because it uses fear and urgency as motivators, often by saying something like “your account will be closed if you don’t click immediately.” More recent phishing attacks contain a phone number for victims to call to “verify” their information, but instead of reaching the bank or other organization, the victim is calling the hacker. This combination of deception and manipulation can lead to disaster for those who trust it.
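As an added illustration (not part of the original column, and not a tool Mitnick or Privacy Council distributes), here is a small Python scanner that looks for the two ingredients the paragraph describes: urgency language, and a callback channel (a phone number or a link) that the attacker rather than the bank controls. The sample messages, pattern list and weights are constructed for this example; a real mail filter would use far richer signals, but the combination rule is the point: urgency alone is weak evidence, urgency plus a channel to act on is what the post warns about.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages for demonstration (not real mail).
SAMPLE_MESSAGES = {
    "bank_alert": (
        "Dear customer, your account will be closed if you don't click immediately. "
        "Verify your information at http://secure-bank-login.example.net/verify "
        "or call 1-800-555-0142 now."
    ),
    "callback_only": (
        "URGENT: suspicious activity detected. "
        "To verify your identity call 555-0199 within 24 hours."
    ),
    "newsletter": (
        "Hi team, the October newsletter is attached. No action needed. "
        "Have a good weekend."
    ),
}

# Fear/urgency phrases of the kind the column quotes; matched case-insensitively.
URGENCY_PATTERNS = [
    r"\bimmediately\b",
    r"\burgent\b",
    r"\bwithin \d+ hours?\b",
    r"\baccount will be (closed|suspended|locked)\b",
    r"\bverify your (information|identity|account)\b",
]
# North-American style phone numbers, with optional country code and area code.
PHONE_PATTERN = r"(?:\+?1[-.\s]?)?(?:\(?\d{3}\)?[-.\s]?)?\d{3}[-.\s]\d{4}"
URL_PATTERN = r"https?://[^\s]+"


@dataclass
class PhishScore:
    urgency_hits: list = field(default_factory=list)
    callback_numbers: list = field(default_factory=list)
    links: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # Weights are arbitrary for the example: a channel to act on counts double.
        return len(self.urgency_hits) + 2 * len(self.callback_numbers) + 2 * len(self.links)

    @property
    def suspicious(self) -> bool:
        # Urgency by itself is common in legitimate mail; flag only when it is
        # paired with a number or link the sender wants the victim to use.
        return bool(self.urgency_hits) and bool(self.callback_numbers or self.links)


def analyze(text: str) -> PhishScore:
    """Collect urgency phrases, callback numbers and links from one message body."""
    lowered = text.lower()
    result = PhishScore()
    for pat in URGENCY_PATTERNS:
        for m in re.finditer(pat, lowered):
            result.urgency_hits.append(m.group(0))
    result.callback_numbers = re.findall(PHONE_PATTERN, text)
    result.links = re.findall(URL_PATTERN, text)
    return result


def triage(messages: dict) -> dict:
    """Map each message name to whether it should be held for a human to look at."""
    return {name: analyze(body).suspicious for name, body in messages.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        r = analyze(body)
        print(f"{name}: score={r.score} suspicious={r.suspicious} "
              f"urgency={r.urgency_hits} numbers={r.callback_numbers} links={r.links}")
```

The scanner deliberately does not decide on urgency alone; a genuine notice can also say “within 24 hours,” so the verdict rests on the pairing of pressure with a channel the message supplies. Treating that channel as untrusted, and looking the organization’s number up independently, is the practical counterpart of the advice in this post.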

Mitnick did touch on some newer technology threats in his talk; for example, USB drives left lying around can contain malware that lets a hacker see and manipulate the computer desktop of whoever plugs the drive in. He also rehashed old-school hacking techniques, such as Dumpster diving (it’s amazing in this day and age that many companies still don’t shred sensitive documents before putting them in the trash). He handed out business cards that double as lockpick sets, and he played with Caller ID spoofing technology that allows a caller to fabricate the number on a victim’s Caller ID. He told tales of past hacks, both his own and those of other notorious hackers, and he engaged and entertained the crowd for nearly two hours. But everything he said and did served to bring home an important lesson: To have an adequate security system, companies and individuals have to have not just technology, but also people and processes that are prepared to handle all kinds of high- and low-tech attacks.

So how can you protect yourself and your company against social engineering? Don’t share your information unless you REALLY know who’s asking for it, and train your staff to do the same. Test your staff by calling and pretending to be someone else who needs data, and see how they respond. Also, don’t ever write down passwords and put them on Post-It notes on your computer screen or under the keyboard. Shred everything that contains information about you or your company, from credit card offers to company directories. Adopt a “less is more” approach to information-sharing. Don’t use your mother’s maiden name, Social Security number, or birthdate as the security answers on any sensitive accounts (Social Security numbers, birthdates, addresses and even mothers’ maiden names are part of the public record in many states and can be accessed for a fee). Play your cards close to your chest, and you have a chance of protecting what’s yours.

There’s no way to avoid EVERY attack, and a talented hacker might still use a combination of technology and manipulation to gain information. But you can still try to be ready for the worst; if anything, think like a hacker, and don’t share your information unless you’re sure!

For more information about Kevin Mitnick’s services and books, visit Mitnick Security.
