
For Better Security, Understand Social Engineering and Patching

Roger Grimes talks about cybercrime, security, social engineering, and what you can do about all of it.

Scams, hackers, and other cybercriminals are everywhere. They’re creative and clever, and they’re doing their best to infiltrate your world and get whatever they can out of you. Over the past several decades, their attacks have increased, and there’s no end in sight. But you can take steps to protect yourself. If you want better security, social engineering and patching are the two things you need to pay attention to. Being aware of these two things can protect you from most attacks.

See 4 Ways to Reduce Cybercrime with Roger Grimes for a complete transcript of the Easy Prey podcast episode.

Roger Grimes is a Data-Driven Defense Evangelist with KnowBe4, the world’s leading company trying to fight social engineering. He has been doing computer security for thirty-five years. He has also written fourteen books and over 1,300 articles on computer security. In his professional life, his focus is all about computer security, stopping hackers, and fighting malware.

Getting Out of the Wrong Career

While he was in college in the late 1980s, Roger connected with John McAfee on the very earliest version of the internet. He spent a lot of time disassembling viruses for him. But he wasn’t focusing on computers in school. In fact, he started as pre-med and ended up with an accounting degree.

Roger passed the CPA exam and got hired at an accounting firm. To this day he doesn’t know how he passed the exam, because he was a horrible accountant. His bosses kept handing him stuff he’d never heard about and was way over his head. Often he would get so overwhelmed that he would ignore the work and poke around on the computer.

After nine months, the partners asked him to a meeting the next afternoon. He knew it wasn’t good – the partners only asked for a meeting if you’re doing really well or you’re going to get fired. And Roger was not doing really well. He spent the whole morning dreading that meeting.

Then the phone rang. It was one of the partners. They had accidentally deleted a file that a customer needed and couldn’t get it back. There was five million dollars on the line. They knew Roger did stuff with computers – could he help? He could. Roger got the file back, and the partners were so glad they even brought out champagne.

Roger got home that evening, thought about it, and realized he was in the wrong career. In accounting, he couldn’t do anything right. But with computers, he was celebrated. The next day he put in his notice with the accounting firm and has been working with computers ever since.

It’s Not Getting Better

Roger has always been interested in fighting hackers, viruses, and malware. But he spent many years just doing it on the side. In the early 1990s, nobody was certain that hacking, viruses, or malware were really going to be a big problem. When he started doing security full-time twenty years ago, it was unclear if he could really make a career out of it.

Now, you may laugh that he was ever concerned. But nobody could have imagined back then how bad it would be today. People ask him all the time if he thinks it’s getting better or worse. Every time, he tells them that for the past thirty-five years, it’s only gotten worse.

If there are any signs that we’re coming close to resolving the problem [of hackers and malware], I just don’t see them.

Roger Grimes

Ransomware is taking over cities, closing hospitals, and targeting law enforcement. Scammers are going after disaster victims, travelers, the elderly, and everyone on Facebook. With the state of security, social engineering, hacking, malware, and scams, some people wonder how it could get any worse. But in Roger’s experience, it somehow always does.

Social Engineering and Patching, the Keys to Security

The way that hackers and malware attack hasn’t changed in thirty-five years. Even with all our advances in security, social engineering is still the number one way they target us. Often, it’s by email. But it could involve a text message, a website, or something else. Social engineering is involved in 70%-90% of all attacks.

The second major risk to security is unpatched software or firmware. A patch is an update to a device’s code that fixes or improves it. Patches are often used to fix security vulnerabilities and make devices more secure. About a third of all attacks on businesses involve unpatched technology. This number is probably slightly higher for residential targets.

Social engineering and unpatched software account for almost all compromises – I mean 90-99%.

Roger Grimes

Social engineering and unpatched software are the biggest security risks and are involved in almost all compromises. It’s been that way since the beginning of computers. Roger keeps expecting it to change, but it never does. Some things shift the percentages a little. Viruses were big in the late 1990s, and now we’re seeing a rise in compromised logins because people are reusing passwords. That’s why tools like multi-factor authentication (MFA) and password managers are so important. But overall, the core problems are the same.

There are really four things you need to do to have great security: Watch out for social engineering, patch your software and firmware as best you can, use phishing-resistant MFA where you can, and use a password manager to create and store long, complex passwords that are unique to every site. If everybody did those four things, we’d see a huge drop in cybercrime.

Patches for Security

Technology is complicated. If you go to any store, most of the time the owners don’t know how the cash registers work or how their website works. They’re relying on outside consultants. That makes it very easy to have a cash register or a website that hasn’t been patched in years.

Patching your software and watching for social engineering are the two best things you can do for security.

When Microsoft puts out a patch, about half of people install the patch within the first month. Another quarter of them patch it within the first year. But between 13% and 25% of people never install patches. Microsoft has had auto-patching turned on for decades. But it can get turned off to do troubleshooting, and the device has to reboot to turn it back on. If nobody reboots the device or manually checks if there are patches, it won’t get patched.

If you’re unpatched, you could possibly still be exploited.

Roger Grimes

A lot of people don’t know to or don’t think to patch their stuff. If you monitor internet scans, you can see old stuff like Code Red, a computer worm from 2001. That means that there are websites out there that were compromised over 20 years ago that still haven’t been fixed!

In addition, patching isn’t always easy. Roger can’t tell you if his cable modem has been patched. He has no control over it and would have to call the company to find out. But he has a wifi router that he patches once or twice a year. Probably 99% of people with wifi routers don’t patch them. It’s sad that we don’t have technology that auto-updates when needed.

Patching Doesn’t Have to be Complex

Only 2%-4% of announced software vulnerabilities are actually being used to hack anyone. So you really don’t need to patch everything. In reality, you only need to patch the small percentage that are actually being used against real targets.

You might say, “That’s great, Roger. How do I tell what I really need to patch?” Roger doesn’t have a list – but the Cybersecurity and Infrastructure Security Agency (CISA), does. They have a list called the Known Exploited Vulnerabilities Catalog. If you subscribe to that list, they’ll send you regular emails about what hackers are actually exploiting.

A lot of the time Roger doesn’t recognize the things on the list. But when you subscribe to that list, watch out for the things that you recognize. If you see software or firmware you use on the list, patch it. And don’t worry about version numbers and all of that. If you have a D-Link and you see anything on the list about D-Links, patch your D-Link. If you see something about a C-Link, use that as a reminder to check your D-Link. Try to stay on top of what’s on the list, and remember that if it’s not on the list, you don’t need to worry about it. But if in doubt, patch it anyway.
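The "watch the list for things you recognize, ignore version numbers" rule above is easy to turn into a small script. The following is an added example, not code from the article, from KnowBe4, or from CISA. It assumes the catalog is available as JSON with the field names the public CISA KEV feed uses (`cveID`, `vendorProject`, `product`, `requiredAction`, `knownRansomwareCampaignUse`); the records embedded below are constructed placeholders rather than real catalog entries, and the inventory is a hypothetical list of what one household runs. The matcher deliberately errs toward over-reporting: a vendor-only hit is still reported, because the advice is to go check the device even when the exact model is not what the entry names.

```python
"""Match a KEV-style catalog against the devices and software you actually run.

Added example (not from the article, KnowBe4, or CISA). Field names follow the
public CISA Known Exploited Vulnerabilities JSON feed; the records below are
CONSTRUCTED placeholders, not real catalog entries, and the inventory strings
are a hypothetical home/office list.
"""
import json
import re

# Constructed sample shaped like the KEV feed. CVE ids are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "D-Link", "product": "DIR-8xx Routers",
     "vulnerabilityName": "placeholder router flaw", "dateAdded": "2024-01-15",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-PLACEHOLDER-0002", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "placeholder kernel flaw", "dateAdded": "2024-02-02",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-PLACEHOLDER-0003", "vendorProject": "Cisco", "product": "IOS XE",
     "vulnerabilityName": "placeholder web UI flaw", "dateAdded": "2024-02-10",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-PLACEHOLDER-0004", "vendorProject": "Fortinet", "product": "FortiOS",
     "vulnerabilityName": "placeholder VPN flaw", "dateAdded": "2024-03-01",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Hypothetical inventory: free-text descriptions, with or without versions.
INVENTORY = [
    "D-Link DIR-867 wifi router (firmware 1.10)",
    "Microsoft Windows 11 laptop",
    "Synology DS220+ NAS",
]


def normalize(text: str) -> str:
    """Fold case, drop version-like numbers and punctuation.

    'D-Link DIR-867 v1.10' -> 'dlinkdir', so vendor and product names compare
    without worrying about exact version strings, as the article advises.
    """
    text = text.lower()
    text = re.sub(r"\b(?:v|version)?\d+(?:\.\d+)*\b", " ", text)
    return re.sub(r"[^a-z0-9]+", "", text)


def match_level(entry: dict, item: str):
    """Return 'product' if the catalog product name appears in the inventory
    text, 'vendor' if only the vendor name does, otherwise None."""
    item_n = normalize(item)
    product_n = normalize(entry["product"])
    vendor_n = normalize(entry["vendorProject"])
    if product_n and product_n in item_n:
        return "product"
    if vendor_n and vendor_n in item_n:
        return "vendor"
    return None


def find_affected(kev_json: str, inventory: list) -> list:
    """Walk the catalog in order and report each entry that touches something
    in the inventory. Vendor-only hits are reported on purpose: anything about
    your vendor is a reminder to go check that device."""
    catalog = json.loads(kev_json)
    hits = []
    for entry in catalog["vulnerabilities"]:
        for item in inventory:
            level = match_level(entry, item)
            if level:
                hits.append({
                    "cveID": entry["cveID"],
                    "vendor": entry["vendorProject"],
                    "product": entry["product"],
                    "item": item,
                    "match": level,
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                    "action": entry.get("requiredAction", ""),
                })
    return hits


def render(hits: list) -> str:
    """Human-readable reminder list, one line per hit."""
    lines = []
    for h in hits:
        flag = " [used in ransomware campaigns]" if h["ransomware"] else ""
        if h["match"] == "product":
            why = f"product '{h['product']}' matches"
        else:
            why = (f"vendor '{h['vendor']}' matches; the entry names "
                   f"'{h['product']}', so check this device anyway")
        lines.append(f"{h['cveID']}{flag}: {h['item']} <- {why}. {h['action']}")
    return "\n".join(lines) if lines else "Nothing on the list matches what you run."


if __name__ == "__main__":
    print(render(find_affected(SAMPLE_KEV_JSON, INVENTORY)))
```

Run against the real feed by replacing `SAMPLE_KEV_JSON` with the downloaded catalog text and `INVENTORY` with your own list. Two of the four constructed entries fire: the D-Link one on the vendor name only (the model string does not match, which is exactly the case the article says to act on anyway), and the Windows one on the product name, flagged because the entry is marked as used in ransomware campaigns. The Cisco and Fortinet entries stay silent, which is the normal experience Roger describes of not recognizing most of what is on the list.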

How to Spot Social Engineering

Most social engineering involves two or three specific elements. You need to retrain your brain to watch for them. If any of these things are present, it’s time to slow down and research first.

Social engineering is all about getting you to perform an action that is harmful to yourself or your organization’s self-interest.

Roger Grimes

About 50% of social engineering attempts are asking for your password. If you’re using phishing-resistant MFA, that attack doesn’t work. Other methods might try to get you to run a piece of code or provide information. But no matter how you receive a social engineering message – email, call, text, in person, or otherwise – it’s important for your security to recognize the three traits that mean it’s probably a scam.

First, it’s unexpected. It showed up in your inbox unprompted, or you got a call you didn’t anticipate. Second, it is asking you to do something you’ve never done for this person before. Third, doing that thing could harm your self-interest or the interest of your company if the requester is malicious. If a message has those three elements, stop and do some research first. Don’t click the link or call the number they gave you. Use a known good phone number or type a known good URL into your browser.

This can be challenging because requests from your boss may be legitimate but meet all three criteria. The key is to get in the mentality of slowing down and recognizing something may be off. If your boss sent you an email asking you to buy gift cards, for example, call them or walk down to their office to confirm before making purchases.

When Harm is Hard to Discern

Many social engineering scams involve technology. For people who aren’t tech geniuses, it can sometimes be difficult to determine if what the person on the phone or sending the email wants you to do is actually dangerous or not. Most of us know that we shouldn’t give out our passwords or credit card numbers to random callers. But if they’re claiming to be from the cable company and want you to reset your router, is that dangerous? If you don’t know what kind of harm could happen, it can be hard to judge if a particular situation meets the criteria of “could harm you if it’s malicious.”

It's good for security to be suspicious of unexpected messages - they could be social engineering.

If you don’t feel confident identifying the harm in a particular request, that’s fine. Most of the time when Roger talks about the criteria of social engineering, he only talks about two. You can protect your security perfectly well if you only pay attention to unexpectedness and if they are asking you to do something you haven’t done before for this person.

Pretexting and Social Engineering

If you’re aware of security, you may have heard that some social engineering attacks involve “pretexting.” In these attacks, the scammers will set you up for a scam by calling or emailing in advance. Then when they eventually ask you to do what they really want, you’re more trusting. For example, a scammer may call the Accounts Payable department at a company pretending to be with a vendor and say that they got a new boss who’s a jerk and will be changing all of the company accounts to his favorite bank. Then when they email a few weeks later and ask Accounts Payable to change the deposit account of the legitimate vendor to the scammer’s fake account, the person isn’t suspicious. They were expecting the change, so they do it.

Pretext scams are a long game. They’re also a very small percentage of social engineering attempts. But they are out there, which is why whether you’ve done this particular thing before for this particular person is the best indicator of social engineering. Scammers may even request you do something that you have done before, just not for them. Going back to the previous example, people in Accounts Payable change account information every so often. But have they changed account information for Company X before? If so, was John Smith the one who gave them the new information? If anyone asks you to do something you haven’t done before, or asks you to do something you have done before but not for this person, be suspicious.

Security Doesn’t Require These Signs of Social Engineering

One of the most common “red flags” people talk about when they discuss security and social engineering is urgency. Scammers want to pressure you into acting before you think. That can be another indicator of social engineering. But it doesn’t have to be. Not all attacks involve urgency. And if you pay attention to unexpectedness and if you’ve done this thing for this person before, you don’t need to watch for urgency as much.

Another common warning sign people talk about is errors and language issues. But with tools like ChatGPT and other AI software, that’s not necessarily reliable anymore. AI can generate social engineering messages with perfect grammar and no errors. And advanced bots can come up with really realistic-sounding excuses, reasoning, and logic. The requests don’t sound as ridiculous as they used to.

You can no longer be guaranteed to be able to see the normal “legacy” clues of misspelling and strange requests.

Roger Grimes

AI can even be used to imitate voices and sound realistic on the phone. That’s why you can’t rely on metrics like whether the request seems reasonable or if it sounds like your boss on the phone. Instead, consider if you’ve done it before for that person. Has so-and-so at this company ever asked you to change account numbers before? Has your boss ever asked you to buy gift cards? Sometimes these requests may be legitimate. But it’s essential to verify first.

Why Smart People Fall for Social Engineering

Roger lives in the Tampa, Florida area and uses an app called Nextdoor to keep up with his community. He noticed a lot of people getting scammed by calls from “utility companies” claiming payments didn’t go through and they needed gift cards. Scammers wouldn’t be doing it if it didn’t make money. So he did a survey. Around 10% of the people he surveyed fell for this social engineering scheme. That included doctors, lawyers, and smart people you would assume knew enough about security to spot it. And they all knew it was a strange request.

So he asked why they bought the gift cards. One man explained he got the call on his way to pick up his mother from cancer treatment, and he didn’t want to lose electricity while she was recovering with him. Another explained that her husband was always mailing checks out late and she assumed that’s what had happened. Every one of the people who bought the gift cards had a good reason.

I’ve seen very smart people – doctors, lawyers, Nobel Prize winners – be compromised.

Roger Grimes

The scammers were taking advantage of circumstances. Most of the time, these people could have spotted that something was fishy. But if the social engineering attempt caught them when they were busy, stressed, or distracted, they weren’t thinking about security. The electric bill seemed like a small inconvenience, and the consequences of not paying seemed big.

Improve your Security with Social Engineering Awareness

The biggest risk in security is not knowing. People almost always fall for social engineering because they didn’t know it was a scam. Once you’re aware that the electric company will never ask you for gift cards, you’re less likely to fall for something like that.

The best way to defeat scammers is a healthy level of skepticism. Roger recently got a Facebook friend request from an old high school friend. He was surprised but glad to reconnect with her. They chatted for a bit, then she started trying to sell him a scam. The scam was a new rebate that supposedly let retirees, veterans, and some other people get up to $100,000. Because Roger was aware, he figured out it was a scam. But scammers wouldn’t do it if it wasn’t successful. There is some percentage of people who just don’t know.

I don’t think we’re ever going to stop [hackers]. It’s like trying to stop all crime.

Roger Grimes

Some people say we just need the right solution. Eventually we’re going to have the right technological security features to defeat social engineering, scams, and cybercrime for good. But Roger has been waiting thirty-five years, and we don’t seem any closer. Whatever defense we come up with, attackers find a way around. But you can reduce it and be aware. Just like you lock your house at night, you can take simple steps to improve your safety. We’re never going to have perfect hack-proof hardware or software. We’ll always have to be educated, recognize what social engineering and other attacks look like, and stop it.

You can find Roger Grimes on LinkedIn. He tries to write 1-2 useful, actionable articles a week. You can also find his most recent book, Hacking Multi-Factor Authentication, on Amazon.
