January 16, 2026

How Hackers Really Hack and How to Best Defend

By Roger A. Grimes, KnowBe4 CISO Advisor

If you believe mainstream media and Hollywood, every hacker is an uber genius who can break into anything at will and can guess anyone’s password in under a minute — especially when threatened with a gun held to their head by their mob boss.

Hacking really doesn’t work that way. A hacker can’t just magically guess anyone’s password in seconds. They can guess at people’s passwords, sure, but it takes longer and isn’t nearly as easy or successful as shown in the movies.

Hackers aren’t even that smart; they’re average. Like those in skilled trade positions, they learn how to use particular tools to do particular things. In the same way a plumber uses a pipe wrench and an electrician uses a voltage meter, a hacker uses particular hacking tools for particular tasks.

As such, the right tool is essential to doing the best you can on a particular job. It’s the way a skeet shooter always chooses the right shotgun and choke for an event. How hackers hack hasn’t changed since the beginning of computers and isn’t likely to change anytime soon.

Beware of Social Engineering’s Effectiveness

At the approaching SHOT Show®, I’m going to cover how hackers really hack during a SHOT University™ session Jan. 21 at 1:15 p.m. I’ll reveal a little of the thunder here: 70–90 percent of successful hacking involves social engineering.

Social engineering is when someone pretends to be someone or a company they aren’t to motivate a potential victim to perform an action against their own self-interests. It’s a criminal con. It bypasses every technical defense and policy you throw in its way. It gets past the firewalls, antivirus programs and security monitoring software.

Social engineering can come in many forms, including email, social media, text messages, phone calls and in person. Anyone can be scammed from the right approach at the right time. (Or is it the wrong time?)

I’ve been in the cybersecurity space for 39 years and educating people about social engineering has been my full-time job for nearly a decade. But even I can be scammed; the scams are remarkable.

A hacker can call claiming to be from your phone company, offering you a 30% discount for joining a new promotion. They can pretend to be a vendor you use who claims not to have received your payment. They can have intimate details only the legitimate vendor with whom you do business would know. They can be the local court system, saying you’re going to be arrested for ignoring jury duty notices. They can be a kidnapper claiming to have kidnapped your spouse or child and have that spouse or child’s voice in the background, screaming out in pain while apparently being tortured. They can be your boss calling you or on a Zoom call telling you to do something quickly or a big business deal is going to fall through.

Deepfakes: What’s Real?

Today, anyone with a picture of someone and just six seconds of their recorded voice can create an AI-enabled deepfake video of anyone saying and doing anything. Even you. I’ll show you how.

Someone can call and ask you if you want an extended auto warranty. Simply saying “no,” and telling them not to bother you anymore before hanging up can give them the audio they need to create a deepfake video.

It’s getting harder and harder to figure out what’s real and what isn’t.

The second most likely way to be successfully hacked is unpatched software or hardware. It’s involved in a third of all successful hacking. We know we need to be fully patched. And yet, most organizations have thousands to hundreds of thousands of unpatched things in their environment. People have dozens and dozens of unpatched things in their house. I’ve scanned millions of systems in my career and I have never come across a fully patched system — ever!

Your Best Defense

Social engineering and unpatched software and firmware (have you patched your home Wi-Fi router lately?) are involved in 90–99 percent of successful hacking. Everything else you are told to fear almost doesn’t matter. Firewalls won’t protect you. Antivirus software won’t protect you. But there are simple things you can do to be far more resistant to hacker attacks.

Attend my SHOT University session, and I’ll share the few simple things you can do to protect yourself. And, no, it’s not a product or group of products — it’s a mindset. Once you master it, you’ll be far less likely to be scammed. See you there!

Will You be at the SHOT Show?

An effective cybersecurity strategy starts with a mindset. Those who attend Roger Grimes’ SHOT University session will come away with practical tools to safeguard their homes and organizations from hackers.

In his session, Roger will discuss how today’s real-world mix of malware and human-directed sophisticated attacks happens. This session includes an update about the new sophistication of AI deepfake attacks. Most importantly, attendees will learn the five best computer security practices, which will significantly lower their risk of being a cyber victim.

The “How Hackers Really Hack and How To Best Defend” SHOT University session will be held Wednesday, Jan. 21 from 1:15 p.m. – 2:15 p.m. in The Venetian Expo, Level 3 (Murano Ballroom).

Learn More and Register

Enroll in this and other educational opportunities during the SHOT Show registration process, or add sessions anytime to your registration.

Seats will be limited. Enroll early to get your spot! Enrollment Fees Per Session: $40 NSSF Members | $75 Non-Members. Learn more about NSSF Membership here.

About the Author

Roger A. Grimes is a 39-year computer security consultant, instructor, Data-Driven Defense Evangelist for KnowBe4, Inc. and the author of 16 books and over 1,600 articles on computer security, specializing in host security and preventing hacker and malware attacks. Roger is a frequent speaker at national computer security conferences and was the weekly security columnist at InfoWorld and CSO magazines between 2005–2019. He has worked at some of the world’s largest computer security companies, including, Foundstone, McAfee, and Microsoft. Roger is frequently interviewed and quoted in the media including Newsweek, CNN, NPR and WSJ. His presentations are fast-paced and filled with useful facts and recommendations.