Inside the Mind of a Hacker: How Scams Are Carried Out

Enterprises should complement cybersecurity measures like next-generation firewalls, multi-factor authentication, penetration testing, and vulnerability assessments with a cybersecurity-focused culture and an investment in employee security training.

David Balaban

September 9, 2024


The term hacker is a loaded one, especially now that there's quite a catalog of pop culture references to draw on. As is almost always the case, the truth is both more mundane and more insightful.

In this article, I venture into the hacker’s mind to uncover the motivations and goals behind their dubious actions. I will then home in on scamming, one of hackers’ most distasteful acts, and examine the process in more detail. By the time you’re through, you should have a better understanding of what makes hackers tick and, more importantly, how to apply that understanding to bolster your cybersecurity defenses.

What Motivates Hackers?

Hacking is, first and foremost, a mindset. It’s a likely avenue to pursue when you're endowed with an organized mind, a passion for IT, and a boundless curiosity about taking things apart and understanding their inner workings.

Since highly publicized cases usually involve the theft of exorbitant sums, it’s logical for the public to assume that monetary gain is the top motivator. While it’s high on the list, studies that explore hacker motivation consistently rank the thrill of circumventing cyber defenses and the accompanying display of one’s mastery as chief driving forces.

Hacking is both technical and creative. Successful hacks happen due to a combination of high technical prowess, the ability to grasp and implement novel solutions, and a general disregard for the consequences of those actions.

The Bigger Picture

It’s important to remember that motivation in the community is nuanced, ranging from common goals like prestige and monetary gain through revenge and competitiveness to altruism, patriotism, and an internalized sense of justice.

The white hat employs many of his nefarious counterparts’ tricks and tactics to weed out vulnerabilities in cyber defenses. The red hat punishes malicious hackers by targeting their resources. Various groups have sprung up over the years that use hacktivism to draw attention to societal issues and perceived injustices, suggesting they have a strong sense of (self)righteousness.

The lone wolf is another stereotype that’s increasingly out of alignment with reality. Joining hacking communities is the norm and makes sense since members get easier access to knowledge, share risk, and develop a sense of belonging.

Yet, the fact remains that hackers’ main damage to society is a combo of financial loss and erosion of trust. It’s bad enough when they find and exploit computer system shortcomings, but setting their sights on unsuspecting, innocent people and upending their lives via various scams is something few will have sympathy for.

How Do Hackers Carry Out Scams?

Scams are a subset of hacking operations motivated by illegal gain that aim to access confidential data, networks, or valuable assets by manipulating and exploiting human nature. They involve careful planning and may take months to succeed. However, the potential payouts make it worthwhile. Here’s the pattern most such attacks follow.

Identifying the Target 

Scam targets fall into two broad categories. On the one hand, some individuals and organizations offer little resistance due to a lack of knowledge and cyber defenses. For example, hackers rely on the fact that a concerning number of users never bother to change their passwords or make them hard to brute force. Employees are not exempt from this list either, yet it’s not a concern that a bit of cybersecurity vigilance and an enterprise password manager cannot solve.

Such credentials are readily available through dark web data dumps, and given the sheer quantity of available data, finding a match is only a matter of spraying them against email or common account logins. The hackers can then take these accounts hostage or use them to orchestrate more sophisticated attacks.
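On the defensive side, sprayed credentials leave a recognizable trace in authentication logs: one source failing against many different accounts in a short time, sometimes followed by a success. The sketch below is an added example, not part of the original article; the log format, the sample lines, and the threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed tuning value
MIN_ACCOUNTS = 4                # assumed: distinct accounts failed from one source

# Constructed sample events: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-09-09T10:00:01 203.0.113.7 alice FAIL
2024-09-09T10:00:03 203.0.113.7 bob FAIL
2024-09-09T10:00:05 203.0.113.7 carol FAIL
2024-09-09T10:00:08 203.0.113.7 dave FAIL
2024-09-09T10:00:11 203.0.113.7 erin OK
2024-09-09T10:02:00 198.51.100.20 frank FAIL
2024-09-09T10:02:09 198.51.100.20 frank FAIL
2024-09-09T10:02:30 198.51.100.20 frank OK
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome

def detect_stuffing(log, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return {ip: {"targeted": set, "compromised": set}} for suspicious sources."""
    fails, oks = defaultdict(list), defaultdict(list)
    for ts, ip, user, outcome in parse(log):
        (fails if outcome == "FAIL" else oks)[ip].append((ts, user))
    findings = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_accounts:
                burst_start = events[start][0]
                # Successful logins from the same source once the burst began
                # are the accounts that need a forced reset and session kill.
                hit = {u for t, u in oks[ip] if t >= burst_start}
                findings[ip] = {"targeted": {u for _, u in events},
                                "compromised": hit}
                break
    return findings
```

A user who mistypes a password twice (the second source in the sample) is not flagged, because the signal is the number of distinct accounts, not the number of failures.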

On the other hand, some hackers zero in on high-profile targets. They’ll identify organizations with substantial capital and subpar cybersecurity and then target individuals with authority in hopes of direct financial gain or access to the most delicate and lucrative information.

Choosing the “Right” Scam

The type of scam a hacker will employ after picking a target depends on the scope and end goal. If they have a list of account details for millions of X/Twitter users, hackers will likely create various phishing emails. They’ll pose as the platform itself or a well-known service that presumably everyone uses to try and dupe the victims into parting with even more information, such as their banking details.

Spear phishing and whaling are more sophisticated. They require the fraudsters to thoroughly research specific targets and craft convincing emails that ask the recipient to divulge information or download malware. Business Email Compromise (BEC) is similar in that it asks employees within a company to perform financial transfers on the authority of a high-ranking executive’s compromised or spoofed email account.
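A spoofed executive request usually shows up in the message headers before anyone reads the body. The following check is an added example, not part of the original article; the organization domain, the executive name, the sample message, and the signal names are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"      # assumed organization domain
EXECUTIVES = {"dana reyes"}     # assumed executive display names, lowercase

# Constructed sample message, not a real email.
SAMPLE = """\
From: "Dana Reyes" <dana.reyes@examp1e-mail.net>
Reply-To: payments@freemail.example
To: ap@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail

Please process today.
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_signals(raw):
    """Return the list of header-level warning signs found in one message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Only trust this header when your own mail gateway added it.
    auth = msg.get("Authentication-Results", "").lower()
    signals = []
    # An executive's name on an address outside the organization.
    if name.strip().lower() in EXECUTIVES and domain(from_addr) != ORG_DOMAIN:
        signals.append("executive-name-external-domain")
    # Replies silently redirected to a different domain than the sender's.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        signals.append("reply-to-domain-mismatch")
    if "dmarc=fail" in auth:
        signals.append("dmarc-fail")
    return signals
```

These checks only cover the spoofed case; a request sent from a genuinely compromised executive mailbox passes all three, which is why transfer requests still need confirmation through a second channel.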

Social media is another haven for social engineering. Since people readily give up and make personal information public, it’s easy to identify vulnerable or gullible individuals and then use a tried and tested social media scam to trick them.

Getting Away with the Goods

The last step involves capitalizing on a hacker’s ill-gotten gains. Those who have managed to convince someone to transfer funds use mule accounts and money laundering schemes to eventually get a hold of them. Hackers who get their hands on a company’s industrial secrets may try to sell them to the competition. Data obtained through breaches finds its way to the dark web, where other hackers may purchase it in bulk.

While high-profile cases litter the media, many scams go unidentified, let alone prosecuted. The fact that the most successful hackers operate far from the jurisdiction of targeted areas also makes prosecution and extradition difficult.

Conclusion – How to Beat Hackers at Their Own Game?

There are no 100% effective security measures or programs whose vulnerabilities won’t eventually be discovered. On the other hand, you don’t have to worry as much about the hacker who applies their “craft” to gain prestige as about the one who’s in it for the money. The latter’s modus operandi is to identify and exploit the easiest targets, which means there’s power and protection in making yourself and your organization not worth the trouble.

Employing cybersecurity measures like next-generation firewalls, industry-leading password managers like NordPass, multi-factor authentication, regular penetration testing, and vulnerability assessments is a solid foundation. However, promoting a cybersecurity-focused culture and investing in training that helps all employees develop the necessary skills to identify, sidestep, and thwart hackers' activities will be more effective in the long run.

About the Author

David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
