Human hacking: how an understanding of social engineering can combat crime

March 22, 2021

We hear a lot about technology in anti-financial crime, but human beings can often be the weak link. Chris Hadnagy, ahead of his FinCrime World Forum appearance, talks about the psychological techniques criminals use to deceive humans and what we can do to counter them.

Our interview on Zoom Is barely a few minutes old and Chris Hadnagy is rearranging his bookshelf behind him to display the front cover of his book Human Hacking: Win Friends, Influence People and Leave Them Better Off for Having Met You.

The placement of particular books behind speakers on video chat, says Hadnagy, is an example of social engineering, which Hadnagy defines as “any act that influences a person to take an action that may or may not be in their best interest” In this instance, he is hoping I might perhaps go out and buy his book.

But social engineering is increasingly being used for far more sinister purposes, says Hadnagy.

Hadnagy says: “There’s a positive form of influence to get someone to do something that will be good for them, because it will benefit them, but it is also used negatively where they get you to part with your money by making you feel like they are your friend.”

In both instance, social engineering “encompassing the acts of influence, rapport, trust manipulation, and nonverbals and the way we communicate”, he says.

In a nutshell, Hadnagy, through his company Social Engineer, specialises in understanding how attackers exploit human weaknesses through manipulation and deceit and provides services to companies to help them address these weaknesses.

Taking the example of trying to influence me to buy his book., Hadnagy says : ”So let’s just say, I want you to come away from this interview, wanting to read my book, and use the skills to better your life

“To do that I need to make sure I give you clear concise answers to your questions. And that I use knowledge from the book and reference it, so that may pique your interest.

“And then when you are inquiring about more, to maybe reference a certain chapter in the book.”

The use of non-verbal signals and cues to win trust and influence is crucial, says Hadnagy:” If I want you to feel like you are enjoying this interview than I use open ventrals and I better use gravity- defying facial expressions.”

Match this with adept use of clever use of rhythm, speed, volume in tone of voice and a pitch that is on the up, instead of down, and you can leave the other person feeling positive and open to your message.

“You have to understand how your tone, and your nonverbals will all feed into the pretext of what you’re saying you are”, he says.

It is not hard to see how, fraudsters can make use of these techniques to trick people into parting with their cash, particular during a pandemic.

“Scams are so advanced today that we need to educate people on the ways in which they are advanced”

Investment scams are also increasingly common, with criminals playing on the Fear of Missing Out (FOMO) factor.

Hadnagy says he is working on a case right now involving a crypto fraud that is making heavy use of social engineering techniques.

He says: “This particular fraud organisation actually has a platform, a physical software platform that looks like you’re making money and investments and has all these beautiful colour charts that flip up and down, with tickers and everything.

“And when you see all this you think ‘wow people are making money”.

This particular scam involves the use of ‘social proof’ via fake reviews from users saying how they made money through the site.

“All of this goes into the person’s mind and leads them to think ‘I want to be part of this group that’s making money.’

So how does the fight back against all this begin?

Hadnagy says awareness is key, and there has to be a realisation that things have moved on rapidly in the last couple of years.

“Awareness has to be there, the public needs to be warned that these aren’t the type of scams that we used to think of, the ones that have poor spelling or bad grammar and or be from someone pretending to be a prince from Nigeria. those are old time scams,” he says.

“Now, they look real, they sound real they have real domains, they have software involving in producing them, they have call centres calling you… Scams are so advanced today that we need to educate people on the ways in which they are advanced.

“Sometimes I see public education bodies using things that are six or seven years ago, that’s not good enough, we’ve got to do better.”

Hadnagy’s real ire though is focused on law enforcement and the banks.

It is a source of frustration to him that the US federal government “won’t get involved” in smaller crimes.

“Sometimes you have these fraud cases and the amount stolen is everything that this person had in their life, maybe $20,000, It was everything in their bank account, and that’s gone.

“But federal law enforcement won’t get involved because it’s not big enough and the criminals know that” he says.

He also thinks banks could do a lot more to help. “This bank owns my data, not only do they own my data, they own all the money I need to live and my employees need to live. I want them to take security seriously. I don’t want them just to do enough to check a box to say they’re compliant I want them to go above and beyond what it is right.”

So how does Hadnagy put his knowledge of social engineering to good use?

Social Engineer, the company founded by Hadnagy for which he is now Chief Executive and President, offers consultancy services but it also carries out simulations to work out where the human security weaknesses are in a business.

For instance, it will carry out thousands of simulated vishing (phishing via phone calls) calls on a company a month to try and get data and various phishing scams and then Social Engineer will tell the company where the vulnerabilities are.. It will make recommendations, such a company putting in place better procedures, and then it will repeat the test. The recommendation is for staff to be educated rather than punished. It carries out open-source intelligence gathering into potential targets with in a company and warns them what information could be used against them.

“We focus fully on the human element and try to use the science behind social engineering to help affect a change inside of a company when we find vulnerability”, he says.

Not content with using social engineering to try and combat fraud, Hadnagy also founded the Innocent Lives Foundation in 2017, which brings together various cyber specialists to provide quality information about potential child sex abusers to the attention of law enforcement bodies. “Law enforcement oftentimes don’t have the budget or the training to do the things that we do”, he explains.

”The largest threat to most companies today is the humans in the company – but they are also each companies’ greatest asset”

He adds: “We hand that whole file over to a law enforcement agent, and now they can go and start a case. In the four years of our existence. We have handed over 327 cases with 245 of them leading to being active with law enforcement around the globe.

“We’re not vigilantes we don’t hack things, we don’t do illegal things, we don’t break into servers…,because a cop couldn’t use that. We do everything legal and above board using our skills as social engineers and as hackers.”

Ultimately for Hadnagy what began as a passion into understanding how behaviour can affect other’s people’s decision-making has morphed into a deep desire to help people.

“Seeing how attackers used this [social engineering] knowledge to hurt people I began to wonder if we can use the same skills to help people,” he says.

“In my career I have not only seen this work for security but for marriages, friendships, employers, therapy and everything in between. The largest threat to most companies today is the humans in the company – but they are also each companies’ greatest asset. Learning how to motivate, protect and secure that asset is one of my goals in life.”

Hadnagy leaves me with one final thought and that is that every single one of us is susceptible to being scammed.

“It’s about finding the right target at the right time and any human is susceptible. “I have sent 19 million phishing emails in my career, but I’ve fallen for a phishing email’, he said.

“I order everything on Amazon, and I got an email that said one of my recent Amazon orders wasn’t going to be shipped to do with the client credit card and I clicked on it, despite knowing all the rules.”

Chris Hadnagy is speaking at ”Hacking the Criminals. A conversation with Chris Hadnagy” at 5.30pm on 24 March at FinCrime World Forum