The people hacker.
She’s been called a ‘social engineer’, ‘human lie detector’, and ‘security Jedi Knight’… and she can definitely break into your company’s office without you even realising.
Sporting a bandaged hand and a big bundle of folders, Jenny Radcliffe heads towards the reception’s secure-access doors. The high-rise office is guarded by a cutting-edge security system with bio-technology fingerprint recognition. With one finger half pressed on the entry pad, she swears loudly at the sound of the negative beep: access-denied. After numerous failed attempts, she swears even louder – enough for the security guard to hurry over.
Accepting Jenny’s explanation (“here to provide a training seminar”, “injured hand”), he helps press her finger on the pad. She yelps in pain, the bundle of folders crashing to the floor. Irate and flustered, he instinctively says: “Oh just go on up”.
Just like that, Jenny was ushered into the London HQ of one of the world’s most influential finance companies. The problem? She wasn’t who she said she was, and she certainly wasn’t there to deliver a seminar.
Any good security strategy will prioritise the human factor, and an even better one will design the technology around that.
“For all intents and purposes, I’m a pretty average person,” claims Jenny Radcliffe. “I don’t arouse suspicion, attract attention, or cause people to feel threatened. When you’re taking advantage of our human instinct to trust or ignore typical behaviour, appearing average is a great quality to cultivate. In the case of the company with finger-print recognition security, I got in because of two main factors: seeming like a harmless woman struggling with technology, and creating a scene that the security guard wanted to resolve quickly.”
The irony of Jenny being so good at going unnoticed is that her ability has resulted in world-wide exposure. In recent years, she has shaken up – or perhaps more appropriately, broken into – the corporate security industry. You may have seen her putting her skills to the test on Channel 4’s Bafta-nominated show Hunted, where security and tracking experts try to catch members of the public who voluntarily go on the run. By day, as a ‘social engineer’, she works with major global companies, law enforcement, politicians, and even poker players, educating them on the art of ‘people hacking’.
So, what is people hacking? In the security world, it’s also known as social engineering: the manipulation of people through psychological or non-technical means to access data, information, or premises/goods. When it comes to the prevention of attacks, scams, and cons of all kinds, understanding the psychological and situational methods used is just as vital as security systems.
We are all at risk from malicious social engineers; however, company employees are especially vulnerable as they provide a good route to accessing an organisation’s information and data.
“Most big organisations now spend a lot of money on ‘online hacker’ security,” Jenny explains. “But they often forget the importance of human error, or of people overriding security systems. Any good security strategy will prioritise the human factor, and an even better one will design the technology around that.”
Liverpool to London
The heady mix of psychology, persuasion, influence, distraction, and acting techniques needed for her job is something Jenny honed as a teenager.
“I have a big extended family, and my cousins and I used to love exploring some of the empty houses and buildings that were dotted around Liverpool in the early 80s. It was just curiosity, but we actually got really good at breaking into them, and people started to acknowledge the skillset required. Eventually, while I was studying for my degree, I got asked by a local business owner to test the security of some buildings. I’d point out how we’d try to get in, where the weak spots were, and which people we needed to watch etc. Eventually, businesses started asking me to attempt a break in at their offices and see if I could take files or do certain things – and it escalated from there. It was always just something I did and, though it started as a sideline, it gradually became the biggest part of what I do. Yet, it wasn’t until seven or eight years ago that I felt I could talk about it in public.”
When Jenny began what would become her career, there were just a few books on the psychology of the con, which she devoured in her spare time. Now there’s an ever-growing pool of neurological, psychological, and social studies that shed light on how people can be manipulated.
“Despite all my experience, even I could fall for many of the techniques that are used,” Jenny says. “For example, any tactic related to raising our human emotions is widely effective. “The need to be polite, to follow rules, to reciprocate, to be helpful, to be professional – all of these are examples of automatic behaviour that we, as human beings, can find really hard to override. That’s why, when I’ve succeeded in breaking in somewhere, we make sure the people who fell for the techniques aren’t blamed. They are thoroughly debriefed, informed that it was a professional who did it, and that the company isn’t going to single them out. All employees are then taught about the psychological weaknesses and external social factors that allowed me to break in. The truth is, you can be professional, polite, helpful etc… and still not be naïve. I often say to people that we tell children not to trust strangers, yet we forget to apply that to ourselves as adults. It’s about teaching people to take the time to think before they make what often seem like insignificant decisions. The idea that they are at the heart of security resonates with employees; it makes them feel more empowered and, in turn, gives the business a more secure mindset.”
In the moment
It’s clear Jenny has an incredible track record when it comes to people hacking. But humans are pretty unpredictable... How does she deal with situations where her targets react in an unusual way?
“A massive part of what I do is improvising in the moment. There’s the strategic side – the planning for A, B, and even C scenarios – but then everything can change instantly once you start interacting with people. There’s a dual skill of knowing how to communicate with people to get what you need, but also to get them to leave you alone really quickly. Most people are – quite rightly – happy to help you if you ask, but there are some who are super keen whether you’ve asked or not!"
Good and bad
It’s clear that Jenny loves what she does, and it’s probably one of the truest examples of ‘every day is different’. So what are the good and bad things about her work?
“I do see or hear about the worst of humanity in this job, and it can make you an overly suspicious person sometimes. However, I also see some of the best of people – how they can learn, adapt their thinking, and help each other. It always cracks me up when I see people suddenly thinking like a criminal. If I ask employees in an organisation to put themselves in my position (being paid money to try and hack into the company), any ideas I have are nothing compared to what they suggest! It’s hilarious to see that the loveliest, most innocent looking people often have the most evil ideas.”
But perhaps the biggest negative of the job, according to Jenny, is the stairs: “I spend a lot of my time on top of roofs, locked inside cleaning cupboards, and running up and down stairwells (there’s loads of security cameras in lifts). There was one job I did in London at an office on the 24th floor and – believe me – after 42 flights of stairs, I was ready to retire!”