In the high-stakes world of information security, social engineers—hackers who use deception to manipulate their targets into divulging confidential info—are both a constant threat and a secret weapon. So why are women so much better at this job than men?
Alethe Denis always wanted to be a spy. She first experienced the thrill of changing identities as a teen when she divided her time between South Africa and California, bouncing between different cultures, learning how to fit into a variety of situations. While she spent her days trying to make new friends and fit in whenever she changed schools, she began experimenting with how far her shape-shifting abilities could take her. She discovered that she could get away with making her own counterfeit bus passes, and was soon talking video store employees into letting her open accounts that she was too young to have. "I got well-practiced at presenting the image people wanted me to have and then manipulating that," says Denis. Now in her 30s and a renowned cyber security consultant based in Northern California, she's a Def Con Social Engineering Capture the Flag winner, having taken home the prized "Black Badge" from that notorious hacking competition in 2019.
In the world of information security and hacking, "social engineering" is a broad term that refers to collecting information from targets by tricking them into making security mistakes or unwittingly giving away sensitive information. Ranging from simple "phishing" scams—such as fraudulent emails that convince a target to click on a link and give up passwords or download malware—to sophisticated phone hoaxes, social engineering relies on psychological manipulation and human interaction rather than technological methods to gain the sort of access that allows cybercrime to occur. And it is painfully effective. According to a 2019 Kaspersky report, the vast majority of corporate data breaches are the result of worker mistakes and misbehavior, and an FBI report from that same year found that a single type of social engineering scam accounted for over $1.7 billion in losses.
In Denis' line of work, however, her skills aren't used to manipulate—but to protect. As a senior consultant at Critical Insight, a computer and security network company, she helps client organizations safeguard themselves against social engineering hacks by breaking into sites herself and exposing their vulnerabilities. But her path to social engineering stemmed from a desire to go rogue. She took up computer coding in high school to learn how to cheat at her favorite video games. Later, she studied molecular biology and computer science at the University of Cape Town. Upon returning to the U.S., she worked various gigs including one at a title property company that taught her the hacker-friendly skill of detailed investigative research. There were also stints in social media and marketing where she learned to write copy that could manipulate users to click on a link.
In 2016, Denis and her husband, with whom she co-owns a voice-over-IP telephone provider, decided to attend the Def Con hackers' convention—the world's largest hacking conference, attracting an estimated 30,000 attendees annually—to learn more about how to protect their clients. That's when she stumbled upon the Social Engineering Capture the Flag competition and found herself enthralled. "I thought, This is what I've been doing my entire life," she says.
During the contest, competitors sit in glass booths in front of a large audience as they make phone calls for 20 minutes trying to hack into an unsuspecting company's system. For the first two years she attended the event, Denis only watched. The third year, she competed, coming in fifth place. "I didn't strategize correctly at all," she admits. The next year, in 2019, she took to the Internet and social media ahead of time to study her targets, memorizing the names of their kids and their favorite activities. She also landed on what felt like the perfect pretext for gaining trust: posing as an internal employee helping the IT department replace remote employees' laptops. "I asked, 'Do you have a couple of minutes to go through software and applications that you're using so we can make sure we set up your machine correctly?'" Denis recalls. "And they were like, 'Of course, I want a new laptop!'"
Afterwards, Denis was thrilled to win. But she also wrestled with a sense of guilt. "I felt like garbage," she says. "But through that experience I also [realized] I wanted to do this for a living. I wanted to save people from themselves."
Though IT security is, generally speaking, a male-dominated industry, when it comes to social engineering, women like Denis have found their niche and are making their presence known. In 2012, Security Through Education, an online hub for security professionals, conducted a poll on social engineering, asking voters to break down the topic by gender. The results, it reported, were surprising: 86 percent of respondents believed women were naturally better at it. And the results of Def Con's Social Engineering Capture the Flag competition bear this out: over the last several years, women have dominated the competition. A 2013 PC Magazine feature on the hacking contest excitedly noted that women had "obliterated" their male competitors, winning three of the top five slots, with the top scorer outranking her nearest (male) competitor by more than 200 points.
But the reason why women might be better at social engineering remains enigmatic. Are they more likely to succeed because they're more empathetic, are better at listening, and are better at reading the room? Or, on the flip side, do women excel because they're able to exploit patriarchal biases to their advantage?
The answer, Denis says, is complicated. A woman who's good at social engineering, for example, might be better able to navigate that world because it's easier to slip through the cracks when no one views you as a threat. Then again, there are many situations in which a woman will stand out more, be it in a dude-heavy tech office, or over the phone where the sound of a female IT support person might raise suspicions. "But the fact is, women are better at it," says Denis, and part of that has to do with unconscious bias and underestimation. "The patriarchy sees women as weak," she says.
The emergence of women as especially adept social engineers dates all the way back to the earliest years of information technology. In the 1970s, a teenage hacker named Susy Thunder (née Headley)—a former sex worker and rock 'n' roll groupie who claimed to have bedded all four of the Beatles—became a social engineering legend using the same techniques to successfully hack phone systems that she'd once used to get backstage at concerts: by pretending to be someone who had the right to access the information or space in question. Thunder, alongside her cohort of self-proclaimed "phone phreaks," was able to talk untold numbers of corporate employees into giving her sensitive security information over the phone.
According to Hugo Cornwall's 1985 book The Hacker's Handbook, in 1977, Thunder, then 17, became "one of the earliest of the present generation of hackers" by allegedly hacking the U.S. phone system. And in 1982, Thunder and her friends breached U.S. Leasing, a San Francisco-based company that leased electronic equipment and computers. Though there are conflicting accounts of who actually hacked what, one detail is crystal clear: In 1983, Thunder soured on her collaborators, turned over sensitive data to the FBI, requested immunity from prosecution, and retired from hacking.
Now, just as in Thunder's day, contemporary women who are making waves in social engineering are finding success by subverting the sexist assumptions made about them in the corporate world. "You have to be resourceful," says Stephanie Carruthers, a New York-based "chief people hacker" with IBM and another Def Con SECTF winner, "and sometimes that means using different stereotypes or predictive behaviors to understand your target."
Other female social engineers agree that women in their line of work should exploit sexist and misogynistic behaviors whenever possible. "I say play to the stereotypes," says Amélie Koran, 47, a Washington D.C.-based cybersecurity expert with years of experience, including in the federal government. "Gender has always been used against women in business environments. Why not take advantage of it now?" Tanya Janca, a one-time social engineer in her early 40s, concurs. "If a beautiful woman in a really nice dress is juggling four coffees and walking towards the door as she tries to bypass security...every man nearby will open the door for her," explains Janca, who is the founder of She Hacks Purple, a Canada-based online academy dedicated to teaching people how to use and create secure software.
Much like Carruthers, Koran, and Janca, Denis has concluded that female social engineers mainly thrive because they are able to manipulate societal biases by playing the role of a damsel in distress. "Women are more comfortable both offering and asking for assistance," she says. "It's normal in our society for a woman to ask for help. [But] if a man were to ask for help, people might get a little suspicious." Women are also naturally inclined to have empathy for others, she adds, which can help build rapport.
But empathy or not, women can be just as ruthless as men—if not more so. That's a common sentiment among social engineers, even those who use their skills for good. "The only difference between what I do and what a criminal does is I have consent first," says Rachel Tobac, who is in her early 30s, and is a social engineering whiz with several Def Con black badges to her name. Based in San Francisco, Tobac has a buzzy online presence with YouTube videos demonstrating how easy it is to hack just about anyone, including the billionaire media mogul Jeffrey Katzenberg. She's also CEO of SocialProof Security, a company that, like the work Denis does, uses tactics such as "penetration testing"—using social engineering tactics to expose corporate security weaknesses at the employee level—to help organizations defend against attacks.
Tobac says she took a circuitous route into the field after attending her first Def Con in 2014, where her husband suggested she join the same Social Engineering competition that mesmerized Denis. "He said, 'Hey, you know how you always call the cable company and get our bill lowered? I think you would be good at this,'" recalls Tobac.
She struck out on her first attempt—both of her calls went straight to voicemail. But Tobac, who has studied neuroscience, behavioral psychology, and improv acting, was not easily deterred. She applied again, and this time fared better. "My background in improv supported me in character building, which we call 'pretexting' in hacking," she says, adding that much of the skill comes down to knowing how to make friends. "If you're on the phone and you hear a dog barking in the background, you go, 'Oh my God, that sounds like my chihuahua's bark,'" Tobac says. "I know they have a chihuahua because I saw it on their Instagram. I've already looked up everything I need to know."
A good social engineer, she says, makes it look easy. Take, for example, that hack on Jeffrey Katzenberg. To make him more likely to click on a nefarious link, Tobac scoured his LinkedIn profile for valuable information, including contacts. After landing on a connection that appeared to be a close friend of the billionaire, she created a lookalike email account from which to send him a message. Meanwhile, Katzenberg thought he was in on the ruse. Tobac and her husband, along with a film crew, had persuaded him to take part in a video that would demonstrate that he was hack-proof. "He had no idea what was going to happen live on camera," she says.
What happened next went off without a glitch, technical or otherwise. As the crew films, Katzenberg gets a call from his supposed friend—but it's Tobac on the other end, using a tactic known as voice elicitation or "vishing" to persuade him to open an email. "I'm on the other end using voice-changing software and I can't do [the friend's] voice so I used background noise of a crowd to make it sound as if I was in a loud conference space as I tell him he needs to check his email," Tobac recalls. "Katzenberg can barely hear me, but he knows it's his friend, so he's like, 'OK, fine, I'll check.'"
And just like that, in the middle of filming, Katzenberg stopped to check his email, clicked, and delivered the goods as malicious spyware overtook his computer. Important documents, pictures, contacts—Tobac got everything. "You only see 30 seconds of the hack, but we put in hundreds of hours of work to lead up to that moment," she says. "I would have been shocked if it didn't work."
Tobac believes being a woman is definitely a benefit when it comes to this type of hacking. "We're hyper-sensitive to what's going on around us and maybe a man would be less so," she says. "Whereas a man might notice less if someone caught on to him, I pick up on it immediately: The tiny shift in conversation, the tiny tone change. I have to be aware of those things because I have to be aware of my safety in everyday life."
There's also value in being underestimated. "When I walk into a building, people don't question what I'm doing," she says. "I'm 4'10" and right away they're thinking, 'Oh, I'm labeling this as a non-threatening situation.'"
When it comes to using the "non-threatening" angle, Jenny Radcliffe, a U.K.-based hacker and founder of the firm Human Factor Security—an organization that offers consulting, training, and cybersecurity assessment services—was a child prodigy. Now in her 40s, Radcliffe was just 7 when she was kidnapped—only for a day, but long enough for her family to decide she needed to become more streetwise to survive their tough Liverpool neighborhood. Radcliffe's cousins took on the task, sending their younger, smaller relative to break into vacant buildings on a lark. It became her entry into the world of physical infiltration as a teenager, when word got around that she was the go-to person for weaseling her way into tough situations to extract information and, sometimes, money. "I just looked innocent; I was small—just a girl," she says. "Nobody, not for a minute, thought I was up to no good."
Radcliffe went on to study English and literature, but eventually returned to her roots. Not through formal education, but with a network of people who showed her how to build a persona and then use it to enter off-limits spaces. "I was mostly self-taught, but I also learned by doing—and doing it badly for a really long time," she says.
These days, Radcliffe, who is working on a book about her experiences, is on the right side of the law, but she still calls herself a con artist and "burglar for hire." Cheeky, yes, but it underscores her instincts and adaptability. "There's an idea of knowing the heartbeat of a building and knowing when the energy changes because security's been alerted," Radcliffe says. "It's about knowing the culture of a place and its hierarchical structure."
Radcliffe doesn't think women are necessarily better at social engineering but does admit others' perceptions may lend a critical assist, since this is a business in which patriarchal systems may inherently benefit women who aren't deemed to be threats. "I don't look physically threatening, so that's a whole level of suspicion that's removed," she says. "I present as a businesswoman, someone who is very busy and superior, so I can channel that sense of being important." Unfortunately, she says, race can be a factor, too. "I'm also a white woman," Radcliffe says, "and that gives me heaps of advantages when it comes to people's prejudices around what a criminal looks like."
Thanks to social engineering competitions like the one at Def Con, YouTube videos, and tech podcasts like Darknet Diaries that celebrate prominent social engineers, hackers like Denis, Tobac, and Radcliffe are now enjoying a kind of cult celebrity status that is attracting other women to the field. And since there's no formal educational path for this kind of work, professional organizations are being established to fill that void. Tobac, for example, is on the board of directors for Women in Security and Privacy, a group that helps foster the careers of women who want to do the kind of legitimate social engineering work that helps companies keep themselves safe. "Social engineering is a nascent field and we're starting to proliferate within the organizations that are a part of everything we do," she says. "And among the major players in this space, a lot of us are women."
More women in security, however, may mean a shift in the traditional dynamics that social engineers rely upon, because women can also be less trusting of other women than men are. Which means, in the future, as more women gain prominence in all areas of information technology, the sexism that once underpinned women's innate advantage in social engineering could become a thing of the past. "Women will notice more things about me, and it's generally another woman who will be suspicious of me," says Tobac, contemplating a future with more women on either side of the social engineering equation. "I've been caught more by female security guards than male ones. And given that there are still far fewer female security guards than men, that's impressive."
Social engineering, she adds, is a nascent, but increasingly vital line of work, and one in which women stand to benefit professionally. "Security awareness is so important and I think folks are starting to [ask], 'Who are the major players in this space?'" she says. "And a lot of those players are women."
Illustration by Daniel Zender
This article originally appeared in BUST's Summer 2022 print edition.