SALT LAKE CITY — You can have the strongest, most secure password in the history of cybersecurity, but the bad guys know there is one weakness they can use to hack into your system – you!

Just recently, Uber got added to the ever-growing list of companies defeated by social engineering when a hacker tricked a contractor into granting them access to his Uber account. From there, they got into the rideshare giant’s internal data systems.

Oh, and the alleged hacker? Just 18 years old.

“I’m actually not too surprised,” said cybersecurity expert Zulfikar Ramzan, Aura Labs’ chief scientist, and CEO. “There was nothing sophisticated. It was all fairly straightforward.”

Ramzan said that while Uber’s hacking may sound like something out of a heist film like Ocean’s Eleven, it isn’t.

“This is more like a 7-Eleven smash and grab,” he said. “The reality is in this day and age; those attacks tend to be quite effective. You don’t need to be very fancy.”

Ramzan said social engineering is classic con man stuff – faking legitimacy. The bad guy might pose as a government agency, your bank, a work colleague, someone in your IT department, a friend, or others. And they will use emails, texts, social media, whatever they can to reach you.

“It’s just about being able to trick you into doing something that compromises your own security,” he said. “It only takes one person to let you in the front door, and from that point onward, you may have access to most rooms in the house.”

Often, the trick is to get you to follow a link, or they will get you to send them a code to defeat two-factor authentication or to get you to use your real login credentials on a fake website.

And it works well.

According to the FBI’s latest Internet Crimes Report, cybercrooks stole $6.9 billion last year, much of that is through social engineering.

New data from virtual private network company, NordVPN found that 84% of Americans have run into some kind of social engineering. Of those, 36% actually admitted to getting duped. Ramzan said it could happen to anyone at any level of tech savviness.

“We have these amazing street smarts and tell us when we go to the physical world – what a good neighborhood is or a bad neighborhood as we can tell something’s wrong because we’ve owned our physical street smarts in really deep ways,” he said. “Unfortunately, we haven’t grown our digital street smart, and so we don’t have that same level of intuition – those “spidey senses” that tell us that we’re potentially in danger.”

Ramzan said the explosion of remote work throughout the pandemic has dramatically accelerated social engineering attacks.

“Your IT department is incentivized to set up a world where anybody can access critical services from anywhere. Unfortunately, that also means hackers can access that same information potentially from anywhere,” he said.

So, how to keep the bad guys from getting their foot into our front door? Ramzan said anyone asking for login credentials is a huge, stinking red flag. Next, use multi-factor authentication everywhere you can. Then, watch what you post about yourself online.

“Even though you might think you’ve got a small role to play in whatever is out there, you might be one or two connections away from someone who could have a massive impact,” Ramzan said. “If somebody can get to you, they may be able to use you as the next step in a chain of events to get into something much more nefarious.”