“Whaddya mean?”
People. From apparent or known facts, people make assumptions about what lies beyond their knowledge. They draw conclusions. Apply intuition. Make deductions. “Elementary, my dear Watson.” This capability is very powerful and has led to many scientific advancements, political successes, and not a few disasters. Extrapolation is exploited by fraudsters who use persuasion, confidence and pressure to defraud victims.
Interpolation? Selecting small, established facts and facets known to both victim and fraudster as leverage. The CEO’s name. An email address. A known person. A favored brand. A phone number. Date of birth.
Hackers stick to narrow points of reference, because they are focused on hacking the victim by keeping the victim focused on their extrapolated self-delusion. Hackers hack people by sticking to the facts.
At its core, cybercrime is not about “cyber” – it is crime that takes advantage of the impersonal, non-physical, “card holder not present” nature of the internet. It just gets a slick cyber prefix to make it sexy.
97% of cybercrime losses stem from social engineering. That’s fraud, spoofing, bluffing, impersonation, etc. Con artist stuff. The other 3% is like burglary, breaking and entering, car theft, shoplifting, etc. Technical hacking. Like in the movies.
They used to say, 30 years ago, that “on the internet, no-one knows you’re a dog.” That is a techie, “if x and b then Y”, logical viewpoint. We’ve come a long way since then.
Now, everyone knows your usernames, password habits, IP address, social media profile, hobbies, email addresses, home town, car, marital status. Governments capture your SMS messages, emails, calls, spending habits, driving and flying routes. Who you work for. Who you vote for. Darknet monitoring solutions are superb resources for all organizations who want to know what hackers know about them and their people.
So there are many aspects from which darknet predators can interpolate.
All they have to do is text the “mark” (victim) saying “This is [name of your boss]: I need a favor. Email me asap on my gmail account boss@gmail.com!”; use a fake LinkedIn account (~30% of LinkedIn accounts are fake) to make a few common connections; get a supplier’s email address off the darknet and spoof it to run a Vendor Email Compromise scam; call the helpdesk as an IT admin and get a password; fire off phishing emails; send an email with a Secure PDF that needs the mark to click on a “secure link” which downloads malware.
The victim does what all people do – they extrapolate.
Cybersecurity starts with psychology, because that’s what hackers do. They hack people. Hackers don’t wear hoodies – they are smart, astute, savvy and take their work seriously.
