Is a Teen Behind That Phishing Email?

When examining news of recent hacker arrests, one common thread that emerges is youth. Many cybersecurity attacks involve young people, even teenagers — at least, they’re often the ones who get caught. Security professionals with decades of expertise and a wealth of defense technology may imagine that their toughest adversaries are equally seasoned cybercriminals. But plenty of serious attacks come from young people with a knack for social engineering — and these are among the attacks driving the need for effective security awareness training.

Teen Hackers on the Rise

The US Justice Department and FBI have noted the recent rise of adolescent hackers, according to CyberScoop.com. Part of the reason is that the dark web has made exploit kits and other inexpensive, easy-to-use tools more available to young hackers. The upfront cost and level of technical skill needed have fallen, while the promise of financial rewards has made hacking more attractive to young people.

While some teen hackers have highly sophisticated coding skills, others have a less advanced skill set — but that doesn’t leave them out of the money-making game. Younger generations have a basic comfort level with technology that allows them to make the most of even moderate technical savvy. Phishing emails and other social engineering attacks — such as business email compromise (BEC) — can be a perfect fit because paydays are tied to end-user mistakes rather than execution of computer code. 

Kane Gamble is a good example of a young hacker who accessed highly sensitive information by relying primarily on social engineering. Now 18 (and up for sentencing), Gamble was only 15 when he gained access to intelligence operations in Afghanistan and Iran by pretending to be the head of the CIA. As a founder of the group Crackas With Attitude, Gamble claimed responsibility for compromising email and phone accounts of several high-profile figures in US intelligence.

At a sentencing hearing, prosecutor John Lloyd-Jones QC said, "Kane Gamble gained access to the communications accounts of some very high-ranking US intelligence officials and government employees,” but he objected to Gamble and his group being referred to as hackers. “The group in fact used something known as social engineering, which involves socially manipulating people — call centers or help desks — into performing acts or divulging confidential information."

Protecting Against Social Engineering Attacks

What stories like Gamble’s illustrate is that attacks don’t have to be carried out by cybercriminal masterminds to be successful. All these attackers need is for people to make (often understandable) mistakes. Those mistakes can be as simple as clicking on a link, opening a malicious attachment, or following the instructions of an attacker impersonating a trusted organization or colleague.

The proliferation — and success — of young hackers underscores the importance of training employees to recognize and avoid phishing and social engineering attacks. In this regard, simply making information available to employees is not enough to reduce risk — the goal should be true behavior change among end users.

One of our recent case studies provides a great example of how security awareness and training solutions can help organizations thwart social engineering attacks. The City of Garland, Texas, used Wombat anti-phishing training tools — a combination of our ThreatSim® Phishing Simulations, PhishAlarm® email reporting, year-round interactive training assignments, and business intelligence — to reduce phishing susceptibility by 80% and build a stronger culture of security.

The cybersecurity education delivered to employees helped Garland avoid a BEC attack that started with a vishing phone call, then progressed to email. An alert — and trained — employee questioned the cybercriminal’s request and halted the attack. Another Texas city wasn’t so fortunate; an employee fell for the same type of attack a week later, wiring hundreds of thousands of dollars into a fraudulent account.

While anyone can make a mistake, educating and training employees greatly reduces their susceptibility to BEC and similar attacks. 

Bringing Teens Into Cybersecurity Careers

It’s clear that attackers of all ages can pose significant threats to your organization, even with relatively simple attacks. In a perfect world, young people with an interest in hacking would be positively mentored and steered into cybersecurity careers, helping to simultaneously reduce crime and fill the industry’s hiring gap. Several high school programs already exist to help students envision careers in cybersecurity, and both Europol and the FBI recommend that “alternative educational opportunities should be provided to at-risk youth, who may be attracted to cybercrime,” according to CyberScoop.

Even if these programs become widespread and prove effective — and we hope they do — there will always be those who opt for a black hat over a white one, which means there will always be a need for employee security awareness training. You never know when your end users will receive a phishing email or a phone call from a seasoned social engineer, determined to compromise your organization.