The Science of Social Engineering with Chris Hadnagy

06/07/23 • 41 min

You may be shocked to know that master manipulators utilize special tactics to impact human behavior and emotions by more than just instilling a sense of urgency. The art of persuasion can be used for both good and evil. Today’s guest is Chris Hadnagy. Chris is the author of five books on the topic of social engineering. He is a professor of social engineering at the University of Arizona as well as the CEO of Social Engineer LLC, the Innocent Lives Foundation, and the Institute for Social Engineering.

Show Notes:

[0:57] - Chris shares his background and how he found himself in the field of social engineering and understanding human decision making.
[2:38] - It is not the case that only stupid people fall for scams and phishing emails.
[4:04] - There is good social engineering and Chris gives some examples.
[5:47] - The release of oxytocin is researched to show that it is linked to trust.
[7:58] - You can have oxytocin and dopamine separately but together they build a bond.
[9:17] - Marketing and advertising land in the gray middle area of social engineering. Is it being used for good or bad?
[11:14] - It is important to look at things through the lens of purpose. What is the intent behind it?
[12:35] - All social engineering, good and bad, use the same principles. But malicious social engineering triggers different emotions, namely fear.
[14:37] - Preying on fear is one way people are socially engineered, but Chris gives an example of how a company as large as Toyota was impacted by the sense of urgency.
[17:12] - There are so many stories of social engineering that are extremely plausible and believable.
[21:04] - The trend now is to use social media data and information to target people for spear phishing.
[22:30] - If you feel any strong emotion after a request, it is a great time to pause and consider if you are being manipulated.
[24:21] - If you ever fall for something, don’t let embarrassment make you sweep it under the rug.
[27:31] - The idea of an authority figure is a principle to remember, but it doesn’t always work.
[30:10] - In some countries, fear of authority isn’t present. But social engineers will look for the weaknesses to exploit in different environments.
[31:16] - Voice phishing is currently on the rise.
[33:21] - Chris shares about the uptick on LinkedIn requests that even targeted the US military.
[35:28] - Although we will see some good from AI, Chris has many concerns.
[37:33] - Chris describes some of the classes he teaches at the University of Arizona specifically about Social Engineering.
[39:17] - You can take classes online from Chris on Social-Engineer.com.
[40:21] - We need to understand social engineering to keep our children safe. Start having conversations early.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

Links and Resources:

Show Notes:

[0:57] - Chris shares his background and how he found himself in the field of social engineering and understanding human decision making.
[2:38] - It is not the case that only stupid people fall for scams and phishing emails.
[4:04] - There is good social engineering and Chris gives some examples.
[5:47] - The release of oxytocin is researched to show that it is linked to trust.
[7:58] - You can have oxytocin and dopamine separately but together they build a bond.
[9:17] - Marketing and advertising land in the gray middle area of social engineering. Is it being used for good or bad?
[11:14] - It is important to look at things through the lens of purpose. What is the intent behind it?
[12:35] - All social engineering, good and bad, use the same principles. But malicious social engineering triggers different emotions, namely fear.
[14:37] - Preying on fear is one way people are socially engineered, but Chris gives an example of how a company as large as Toyota was impacted by the sense of urgency.
[17:12] - There are so many stories of social engineering that are extremely plausible and believable.
[21:04] - The trend now is to use social media data and information to target people for spear phishing.
[22:30] - If you feel any strong emotion after a request, it is a great time to pause and consider if you are being manipulated.
[24:21] - If you ever fall for something, don’t let embarrassment make you sweep it under the rug.
[27:31] - The idea of an authority figure is a principle to remember, but it doesn’t always work.
[30:10] - In some countries, fear of authority isn’t present. But social engineers will look for the weaknesses to exploit in different environments.
[31:16] - Voice phishing is currently on the rise.
[33:21] - Chris shares about the uptick on LinkedIn requests that even targeted the US military.
[35:28] - Although we will see some good from AI, Chris has many concerns.
[37:33] - Chris describes some of the classes he teaches at the University of Arizona specifically about Social Engineering.
[39:17] - You can take classes online from Chris on Social-Engineer.com.
[40:21] - We need to understand social engineering to keep our children safe. Start having conversations early.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

Links and Resources:

Previous Episode

Preventing Email Attacks with Kiri Addison

Phishing emails are constantly evolving to take advantage of current trends, news, and holidays. Typically poor grammar or the time an email was sent could help you identify if it is authentic. But with AI, these obvious signs may soon disappear.

Today’s guest is Kiri Addison. Kiri is the Detection and Efficacy Product Manager at Mimecast, working on security products to defend against new and evolving threats. Previously she was head of data science for threat intelligence and has worked in the public sector creating systems to detect and prevent cyber attacks and fraud.

Show Notes:

[0:59] - Kiri shares her background and what her role is at Mimecast.
[3:03] - Email scams are still the number one attack method and they tend to follow trends, news, and holidays.
[5:17] - Technology is improving and there is better protection of basic attacks, but with how fast threats evolve, there are still areas of improvement.
[7:34] - Kiri shares some statistics on the improvement made after implementing phishing email training.
[8:26] - With the use of ChatGPT, our usual red flags to look for will change.
[10:12] - In the advice and training by Mimecast, they explain the impact on the end user.
[12:08] - Kiri explains some of the different types of security measures available.
[13:47] - A lot of companies only implement the training with their employees to check off the compliance.
[16:50] - Be suspicious and take some time. Don’t feel pressured.
[20:05] - Look for anything abnormal, even if it is something unusual from a sender you know.
[21:44] - If you receive word from someone you know but it seems odd, contact the person directly to find out what’s going on.
[23:10] - Mimecast works primarily with corporations and businesses, but there are some personal phishing email attempts.
[24:44] - Some attacks combine safe sights with malicious links.
[26:00] - Kiri describes some of the recent trends they are seeing.
[28:58] - As AI evolves, it is going to become harder to protect. However, it all comes down to end user awareness.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

Links and Resources:

Next Episode

10 Types of Identity Crimes with Eva Velasquez

Recovering from identity crimes can be daunting and take a toll on your entire life, not just financially and emotionally. Once someone gains access to one of your accounts, they can work to manipulate your friends and relatives as well.

Today’s guest is Eva Velasquez. Eva is the President and CEO of The Identity Theft Resource Center. She previously served as the Vice President of Operation for the San Diego Better Business Bureau and for 21 years at the San Diego District Attorney’s Office. She is an author, public speaker, and a recognized expert who has been featured on CBS Mornings, NBC Nightly News, New York Times, NPR, and numerous other media outlets.

Show Notes:

[1:02] - Eva describes her role as CEO and President of The Identity Theft Resource Center and what the organization does.
[2:11] - Eva began her career in law enforcement and learned firsthand how dismissive we are of victims of identity crimes.
[4:26] - The great majority of these crimes go completely uninvestigated.
[5:48] - Your energy is best spent on recovering what you’ve lost rather than trying to convict the perpetrator.
[8:03] - Identity theft isn’t the only identity crime.
[9:47] - Most scams and data breaches at this time can be considered an identity crime.
[11:06] - The majority of identity crimes that are reported at The Identity Theft Resource Center are caused by social engineering.
[13:42] - If you see some unusual activity or communication on social media from someone you know, let the real person know.
[16:17] - Chris shares a strategy for family passwords to verify their identity.
[18:11] - There are several different types of identity fraud. A lot of it is credit cards, but it could be other types of loans or accounts.
[19:54] - Identity fraud is complicated to solve.
[21:00] - Eva shares the story of a victim who was car jacked and has had non-stop identity theft issues.
[22:24] - People who are victims of identity theft may even have major problems in getting jobs.
[23:42] - The number of victims who have felt suicidal after identity theft has increased year over year.
[25:37] - The Identity Theft Resource Center is like AAA roadside assistance. Reach out to them.
[28:00] - Eva shares that this is her life’s mission. She would love a world where The Identity Theft Resource Center wasn’t needed.
[29:22] - Password management needs to be improved.
[31:03] - Multi-factor authorization is absolutely necessary.
[33:28] - If you ever get a call from someone claiming to be from your bank, hang up and actually contact your bank using the number on your card.
[34:42] - We need to flip our view of “annoying” security measures.
[41:57] - Safeguard access to all the accounts you have, even email accounts.
[43:16] - It can take anywhere between a day and ten years to resolve identity fraud. It is very situational.
[46:03] - It may also be possible for something to appear solved but then it is in remission.
[47:20] - There is no shame in asking for help. It is very complicated.