
Human Hacking: How Social Engineering Manipulates Our Minds

Peter Warmka talks about human hacking and why it's so dangerous.

Today’s security threats aren’t just clever hackers and tech-savvy scammers. Social engineering uses the art of “human hacking” to turn our own psychology against us. By establishing trust and building relationships that feel genuine, they can make you more susceptible to their tactics without realizing you’re being manipulated. And tools like social media make their job easier.


See Human Hacking with Peter Warmka for a complete transcript of the Easy Prey podcast episode.

Peter Warmka spent over two decades of his career with the CIA, including twenty years working deep undercover overseas. For most of this career, only his wife knew who he was working for. But when he retired, he started telling his family what he really did – and realized he could use his skills to help organizations. He founded Counterintelligence Institute, a consultancy firm that helps organizations understand what threats are out there and that they don’t always come through technology.

Skills from a CIA Career

Some of the skills Peter needed for his CIA career were natural, and some he had to learn. The biggest one was elicitation – some people are naturally good at it, and others can learn. Elicitation is the art of getting someone to share the information you need. It’s especially useful if the information is sensitive or if you don’t want the person to know that you’re interested.

There are a lot of techniques involved in elicitation. You need to be able to identify a person who may have the information you need, meet them casually, strike up a conversation, and move that conversation around to get specific information. Sometimes it also involves trying to get a follow-up conversation or developing a social or business relationship with that person to get more information later.

The key to this human hacking strategy is building trust. In many cases, Peter has been included in his target’s close circle of friends. Americans in general are pretty trusting, but in other countries their circles of trust can be much smaller. Peter’s goal was always to get trust to the point where when he asked the person to do what he really wanted, he knew they would agree. During his whole CIA career, no one ever turned him down. That’s because he focused on getting that person to trust him and building a relationship first.

Peter prefers the term “human hacking” over “social engineering” because that’s what it is. You’re basically “hacking” someone’s mind and using their own psychology to manipulate them.

Social engineering is individual … You are hacking into someone’s mind and getting to know how that mind works and how you might be able to manipulate [them].

Peter Warmka

Confirming They’re Ready for the Request

Sometimes Peter would do minor tests of trust to see if the person was ready for the request. He would start by learning as much as possible about them. And he would intentionally try to meet them away from the office many times so the person had a chance to share all the things they couldn’t confide to someone at their workplace. It both built that relationship and helped confirm that they had access to the information he thought they had. Sometimes he would ask for smaller tests of trust before making the big request, like sharing sensitive information or bringing him a sensitive document.

Getting to know the people also helped him determine their motivations and vulnerabilities. Financial stress, marital issues, drinking, drugs, all of those are big vulnerabilities that he could leverage. Revenge could even be a motivation, if someone doesn’t like their employer. There are lots of ways to push emotional buttons and get people to cooperate. Peter wanted to make proposals that were win-wins – he got the information he needed, and the other person got their needs met. It made it easier for them to agree.

There are a lot of different motivations or needs that people have, and it’s not only the motivations, there’s also vulnerabilities.

Peter Warmka

Psychology is an important tool in espionage. But it’s not just espionage – individuals and companies can use this information to thwart threat actors using these human hacking techniques against you. You don’t have to have classified information to be a target. Human hacking can target anyone.

Human hacking can target anyone, and the culprit may not be suspicious.

Foreign Intelligence is Using Human Hacking

When people think of threat actors, human hacking, and social engineering, they often think about criminals. And if you look at the pie chart of who’s using these techniques, a large portion of them are criminals. But they’re not the only ones. Intelligence services also use these techniques. And sometimes intelligence services partner with criminal groups to hide their own involvement. In fact, the number one group involved in ransomware is the North Korean intelligence services. So it’s not black and white.

Foreign intelligence services are also sometimes behind data breaches. There have been four major breaches between 2014 and 210 – OPM, Marriott, Equifax, and Anthem. When a criminal group breaches an organization, they put the information up for sale on the dark web. But those breaches aren’t on the dark web. So most likely they’re being used by foreign intelligence for something else. The Office of Personnel Management is a clearinghouse of information collected in background checks before you get a security clearance. Equifax has Americans’ credit info; Anthem has medical information; Marriott has all the data hotels collect about you when traveling. These are all things foreign intelligence agencies could use to target you with human hacking.

Social Media Helps Human Hacking

Whether the threat actor is a criminal group, foreign intelligence, or a competitor engaging in some corporate espionage, the methodology is the same. Human hacking starts with collecting as much open-source information as you can. In the past, that required going to the library and physically looking around where you could. Now so much information is available on the web.

An important element is identifying potential company insiders who may have access to networks or facilities. In the past, that wasn’t very easy – occasionally Peter could get an org chart that may or may not have pictures, and all he had to go on was names and possibly titles. Now, LinkedIn is a human hacker’s best friend. A quick search can give you a good list of potential insiders.

Next, they can use other networks to collect information and assess motivation and vulnerabilities. Developing a one-on-one relationship like Peter did took time. Social media makes it easy to move faster because you can get a lot of information without ever having to talk to the person. LinkedIn provides your academic and work background, which can give insights into your career progression and aspirations. Facebook can tell you someone’s hobbies, interests, favorite sports teams, travel destinations, and friends and relatives. Twitter/X lets you get into their head and see what they’re thinking and what they believe. Instagram reveals the patterns of their life, so you can not only learn what they’re doing when they’re not working but get ideas of where you could arrange to bump into them in real life and start a relationship.

[Anyone] can use a lot of social media platforms to collect that assessment information, that motivation, those vulnerabilities … [and] use that information for actually targeting individuals.

Peter Warmka

How Human Hacking Starts

Today, most human hacking is conducted through one of four communication channels: email (phishing), text message (smishing), phone calls (vishing), and face-to-face. Emails and text messages often include links you shouldn’t click on and attachments you shouldn’t open. They can be done as mass messages, or as spear phishing targeting individuals. Spear phishing is especially dangerous because it may only take a few hours to put something together based on information available on the internet, but the person is almost guaranteed to take the bait.

Vishing over the phone is also powerful because the human hacker can not only use whatever pretext they want, but they can monitor how the person is responding and adjust accordingly. We can also now spoof calls to look like someone you might know and clone voices with AI, so they really can be whoever they want. And vishing can do multiple things. It might be to collect additional info to target you or someone else, or it might actually be the attack trying to get you to reveal information or give the caller access to something.

Face-to-Face Strategies

The final method is face-to-face attacks, which are still incredibly effective, especially when the attacker takes the time to build trust and a relationship. A simple example that Peter still sees work today is a fake interview attack. The human hacker calls the target and pretends to be an executive recruiter with a job available. It may have a better title, a larger salary, or something to set the hook. Even if the target isn’t looking to change jobs, they often don’t see the harm in interviewing. And in an interview, it’s normal to share some things about what you do and what your company does.

Often, the “recruiter” says the opportunity fell through but they have another you could interview for, and after a few rounds of that they invite you to be a consultant – keep your job, but meet with someone once a month to talk about your industry and get paid for your insights. All of it sounds plausible, and people hardly ever believe that this is human hacking. But either way, the person they’re “consulting” with will use elicitation on them and get the information they want. This can go on for years, with the individual coming to depend on the consultant fee. Meanwhile, the company is hemorrhaging information, and they don’t know why because it doesn’t look like a traditional breach.

Human hacking can be subtle but cause huge problems.

We have to get away from the idea that the IT network is the only way threats are going to come in and information is going to be stolen. Sure, there are a lot of threats that try to attack through your technology. But that’s not the only way it happens.

We have to get away from the silo approach that all the threats are coming through the IT network.

Peter Warmka

How to Protect Yourself from Human Hacking

If you want to protect yourself from human hacking, first you have to be careful about what information you’re putting out there. Some people think they’re safe if they have their privacy settings configured properly. But even if your privacy settings are perfect, your info can still be hacked.

Most of us, if not all, have been victims of data breaches. Peter’s personally identifiable information is out there. Yours probably is, too. We have to work from a defensive stance. If our information is out there and can be collected and used to target us, we need to think about how we’re going to protect ourselves from targeted attacks.

We have to work now from a more defensive stance. … How do we prevent ourselves from falling victim to that targeted attack?

Peter Warmka

Human hacking is going to happen when someone contacts us, whether that’s by email, text, phone, or even approaching us in person. They’re going to tell us a story, and it will sound believable and convincing. We need to have a healthy sense of paranoia. If someone is asking us for sensitive information or to send money and it’s fraud, it can have terrible consequences. We have to stop ourselves from reacting automatically and verify it’s a legitimate request.

The old saying goes, “Trust, but verify.” In today’s world, that’s backwards. We have to think of it the other way – verify, then trust. Following that simple phrase can save us from the majority of attack attempts.

Verification Methods

Caller ID used to be a good verification method. Now it’s easy to spoof. With AI in the mix, it’s much harder. We have to do other searches. Does this person show up somewhere that’s not LinkedIn? About 15% of LinkedIn profiles are fake. So you have to search them through other methods too. If you don’t know the person, Google them to see if they really exist.

AI tools can help unmask AI deception, but the average person doesn’t have the money to buy those tools themselves. And a lot of AI looks really good and convincing. The tech is there to use these features against us. So we have to be smarter with how we react to requests. Again, verify, then trust.

One easy way is to do a quick Google search with the name of the person or company and the word “scam” or “fraud.” If someone has reported it, that will pop up. In most cases, identifying a scammer is that easy. If they aren’t reported as a scam but also don’t seem to exist, that’s suspicious, too.

You Can Train Employees to Defeat Human Hacking

Some tech companies will say that training people isn’t effective and tech is the only solution. But that’s just not the case. There’s no way for tech to protect your company from the fake recruiter human hacking strategy from earlier. Companies have to train their people to be smarter – it’s possible, and you’re leaving yourself vulnerable if you don’t.

We’ve gotten to a point where you cannot believe that you cannot train your people to be smarter.

Peter Warmka

The problem is that most training is for compliance, not learning. The employee watches the videos and takes the quiz because they have to show their manager that they did. But they can re-take the test until they get a high enough score, and they don’t have to learn anything. Instead, companies should sell training as a benefit. It’s teaching employees how to protect themselves and their families from human hacking and fraudsters trying to steal their money or identity. If they can apply the skills to their lives, it will come back to use in the workplace.

We also need more firsthand accounts from people and organizations who have dealt with human hacking. A lot of companies aren’t learning how hacks are happening because other companies aren’t sharing. And hearing from individuals can be great for learning and for emphasizing the seriousness of the issue. Testimonials carry a lot of weight and can help us all work towards solutions.

Connect with Peter Warmka on LinkedIn, where he has a lot of information. Learn more about his company, Counterintelligence Institute, at counterintelligence-institute.com. Peter also does presentations to organizations, companies, and associations, both in-person and virtually, so reach out if he can share something that would benefit you or your organization.
