Troy Hunt 

Troy Hunt is a Microsoft regional director and MVP for Developer Security, an ASPInsider, and an author for Pluralsight. Troy has been building software for browsers since the very early days of the web and possesses an exceptional ability to distill complex subjects into relatable explanations. This has led Troy to become a thought leader in the security industry and produce more than twenty top-rated courses for Pluralsight. Currently, Troy is heavily involved in Have I Been Pwned? (HIBP), a free service that aggregates data breaches and helps people establish the potential impact of malicious web activity. Troy blogs regularly about web security, and is a frequent speaker at industry conferences across the globe and throughout the media, discussing a wide range of technologies. Troy has been featured in a number of articles in publications including Forbes, TIME magazine, Mashable, PCWorld, ZDNet, and Yahoo! Tech. Aside from technology and security, Troy is an avid snowboarder, windsurfer, and tennis player.

We're all born as adept social engineers. I can't recall precisely how effective I was when I was only a few years old, but I've watched my young children in action and they seem to be rather good at it. We learn from a very young age about how to appeal to human emotions so that we can bend them to our will; we make people anxious, fearful, sympathetic, greedy, and eager by pushing just the right buttons. Most amazingly of all, we do it from such a young age without even needing to think about it.

But there are those who think about it a great deal, and indeed, the adept social engineer can turn it into something of an art form. We're all subject to being the victim; it happens every time we see an advertisement. The advertising industry is full of social engineering: buy this product if you want to stay healthy/get rich/have a better bedroom life with your partner. The information-security industry is another that leans heavily on manipulating the feelings of those it targets with promotions. In reality, those hooded bandits in dimly-lit rooms hacking websites are often teenage kids in their bedrooms, but that doesn't create quite the same sense of fear now, does it?

One of the drivers I personally see accelerating the growth of social engineering is the prevalence of data breaches. Here, we have a situation where billions of our personal data records are being taken from systems every year by unauthorized parties. Data on our names, our addresses, our phone numbers, our dates of birth, and, in some cases, even deeply personal attributes such as our sexual preferences. Now think about what that means for social engineering.

Remember what we're dealing with here—social engineering is about the manipulation of humans such that they perform an action or divulge information that they wouldn't normally do had they not been duped into it. Considering those data breaches for a moment, think about what it means for an attacker if they can convince the victim they are indeed that person's bank because they know certain information about them. If someone calls up and says "Hi Mr Jones, this is your bank, do you still live at 27 Smith Street?", that immediately gives the victim a much higher degree of confidence in the authenticity of the social engineer. This is increasingly possible because those personal-information attributes are being leaked all over the place.

It's not just data breaches either; there's the whole Open Source Intelligence (OSINT) space, which relies heavily on information that we ourselves provide publicly. Social media is a great example of that; we leak enough information deliberately to make it significantly easier for those attempting to impersonate us and, consequently, to socially engineer banks, telcos, and other institutions that rely on this information for identity verification. We're doing it more too: a growing proportion of the population are digital natives; that is, they've never known a time when we didn't willingly share information of this nature socially. It's the new normal.

I was recently invited over to Washington, DC to testify in front of the US Congress on precisely this: the impact of data breaches on knowledge-based authentication. During my testimony, I relayed a recent story of how my father attempted to change his broadband plan, which involved calling up the telco and verifying his identity. They did this by asking him his name, phone number, and date of birth. You know, the same things that people put on their social media profiles or, for the cautious folks who don't, have disclosed anyway courtesy of friends who share photos of all the fun they had at a birthday party. It's a genuinely serious issue, as it calls into question the very premise of being able to prove one's identity based purely on things one knows.

Part of the problem is that the organizations we deal with simply aren't conditioning customers to look for the signs of social engineering. I had an incident recently where I received a call from an individual claiming to be from a bank I have an account with. The phone rang and there was a long period of silence, followed by what was clearly a VoIP connection and a foreign accent. The caller claimed to be from my bank and said they just needed to verify my identity first; could I please provide my date of birth:

"Sure, but I need to verify your identity before I provide you with that information."

"But, sir, we're your bank, you can trust us!"

"Well, you say you're my bank but how do I know you are? Can I call you on the phone number on the website?"

"No, that's not the best number, let us give you the number to call."

Yes, that's really how it went down! I told them I believed it was a scam and hung up. I also told the next two people who called over the following days the same thing, until I got so frustrated about it that I called the bank myself (through the number on their website) to report a concerted social-engineering attack. And my account was overdrawn. The calls were real. I was so frustrated by the experience that I lodged a complaint with the bank, after which they reduced my home loan rate as a sign of goodwill! True story.

So, companies themselves are setting people up with behavioral patterns that condition them to be socially engineered. Mind you, the fix can also be quite easy, and it was around the same time as the aforementioned bank situation that American Express called me about allegedly fraudulent activity on my card. We did the same dance, with them asking me to verify myself and me asking them to do the same, to which they responded, "Sure, turn over your card and call us back on the number you see there." What a gloriously simple mechanism. It showed not only that they had given this thought in advance, but that the operators at Amex were actually trained to handle this situation.

Another very common social-engineering attack I tracked for a time was the Windows tech-support scam. Every day, people all over the world received calls from overseas, allegedly from Windows Support. The callers would claim the victim's PC had viruses, but not to worry, Microsoft was there to help! The scammer would then take the victim through a series of steps that usually began with opening the Windows Event Viewer and asking the victim to look for errors. Of course, there are always errors in the Event Viewer, but that would cause the scammer to excitedly exclaim, "See, they're viruses!" They'd then have the victim grant them remote control of the machine through freely available remote desktop software, perform some "fixes," and then demand money. Many people paid.

As much as I hated witnessing these scams, I always marveled at how well they demonstrated so many fundamental social-engineering techniques:

  1. A sense of urgency was created when the victim was led to believe their PC was infected
  2. Salvation was promised by the scammer—they were there to help!
  3. Trust was established by showing the victim the errors on their own machine
  4. A false sense of value was created when the fix was implemented
  5. Relief was felt by the victim once Microsoft confirmed the machine was now fixed

Finally, of course, it all culminated in monetization. Consider the rollercoaster of emotions this process took the victims through. It genuinely scared people to the point where they behaved in a way they never would have had they not been manipulated. And the thing is, we can all easily picture people we know falling for precisely this scam, because a technical concept such as "your PC has viruses" is beyond their comprehension.

These are just a few examples of the basic mechanics of social engineering, and as we create more data, leak more information into the public domain, and get more people using more connected systems, attacking the human becomes more and more prevalent. And the scariest thing of all is that anybody can do it. After all, we've been practicing since birth!
