Something that bothers me, and that I often comment on during my presentations, is the media’s portrayal of a “hacker”. A hacker is shown as someone wearing gloves and a ski mask on a computer. I know that this is for effect to show criminal activity, but the issue here is that these sorts of ideas stick in people’s heads.
To prove my point, I recently watched a “security awareness” training video on how to spot a social engineering attack. Throughout the length of the video, the attackers were seen wearing ski masks along with their business casual attire, and even carrying a briefcase.
The video mentioned a few good points about how social engineers will try to convince you to give out sensitive information, but not once did it mention that social engineers, or at least a good social engineer, will do their research to make sure they blend in as much as possible. The whole point of a social engineering attack is to gain trust, and to obtain information without arousing suspicion, and you’re certainly not going to wear a ski mask while doing these attacks face-to-face.
Again, I know that the ski masks in the videos were for dramatic effect, but how much more effective would this video have been if the attackers looked “normal”? If they didn’t stand out so much? If it focused more on attack methods and techniques instead of visual appearance? This then would have allowed the viewer the opportunity to look at behavioral patterns to try and identify the attackers themselves, instead of the dead giveaway with the ski mask.
Because others have written great articles on types of social engineering attacks and techniques, I’ll link to those instead of re-inventing the wheel:
The whole point is that social engineering attacks aren’t often noticeable, especially from a skilled, well-prepared attacker. They will be smooth in their efforts to get you to divulge sensitive information after building trust, or through pressure. They will not stand out as shown in the video, so you’ll need to use your best judgement and ask good questions.
Also, not all hackers are bad! Yes, there are criminal hackers. But there are also good hackers who work to help protect against malicious attacks. The media should attempt to show this separation by calling them criminals, instead of just ‘hackers’.
Here are some more screenshots of the social engineering video training for your displeasure:
Seeing these awful images gave me the “brilliant” idea of searching Amazon.com for a “Hacker ski mask”, and this is the result.
Yes, it’s true! For only $14.99, you too can be a hacker or even a real-life Social Engineer!