
Learn How Social Engineering is Tricking Your Brain – And What to Do About It

Chris Hadnagy talks about what social engineering is and how it works.

Most of us are aware that there are tactics that people can use to influence your opinions and actions. In both legitimate marketing and scams, for example, urgency can convince you to do something before you think it through. But urgency isn’t the only strategy. Social engineering is full of tools and tactics that influence your emotions and behavior. And though it can be used for good, it’s often used for evil.


See The Science of Social Engineering with Chris Hadnagy for a complete transcript of the Easy Prey podcast episode.

Chris Hadnagy is a security consultant and a professor of social engineering at the University of Arizona. He is also the author of five books on social engineering and the CEO of Social Engineer LLC, a company that provides security awareness managed services and training to defend against social engineering tactics. He started his career in exploit writing, training, and network penetration testing, but quickly realized that he would never excel at that skill. Instead, he started focusing on human vulnerability and wrote a framework for something called social engineering. That led to his first book, Social Engineering: The Art of Human Hacking, in 2010, which then led to his company. He focuses on understanding human decision-making, why people are vulnerable, and how to help them be more secure.

Social Engineering is a Danger to Everyone

Chris emphasizes that anyone can fall for social engineering. He has, and he teaches people about it for a living. There’s a common phrase in the security community that says “there’s no patch for human stupidity.” Chris hates that phrase, because it makes it sound like the only people who fall for social engineering are stupid people. But that’s not the case at all. Social engineering is a risk to everyone, no matter how smart or knowledgeable.

I hate the phrase “there’s no patch for human stupidity” because it makes it sound like only stupid people fall for these things, and that is not the case.

Chris Hadnagy

Throughout his career, Chris has sent over nineteen million phishing emails, and his third book was about the psychology of phishing. Yet he still fell hook, line, and sinker for a phishing email. The email pretended to be from Amazon, he was in a rush to get to the airport, and he clicked on the link. He was saved at the last minute, but he nearly gave all of his credentials over to the scammers. If someone who sends phishing emails and teaches people about what social engineering is and how to defend against it for a living can fall for a phishing email, anyone can.

Defining Social Engineering

If you search for a definition of social engineering online, you’ll get results saying “social engineering is malicious use of this, this, or this.” When Chris started working on his framework, though, he realized that social engineering wasn’t always bad. In fact, sometimes it could be good.

His definition of social engineering is “any act that influences a person to take an action that may or may not be in their best interest.” It’s a very broad definition, but it captures both the good and the bad aspects.

When Social Engineering is Good

Under Chris’s definition, parenting is good social engineering. But there are other examples, too. Imagine you have a really good friend who is doing something really bad for his health, like smoking or drinking too much. You’re really concerned for his health. You could tell him, “Hey, you need to stop drinking.” But that’s not social engineering, it’s just telling your friend what to do.

In this situation, social engineering is thinking about how you can motivate your friend to stop drinking. For example, you could tell him you’re trying to cut down on your drinking and invite him to switch to non-alcoholic beer with you. It’s influencing him to do something for his health without saying “You need to do this.”

“Neutral” Social Engineering

There is a middle ground where social engineering is neither particularly good nor particularly bad. Marketing is an excellent example of this. It uses the same principles of influence, but it’s not necessarily good or bad.

I’m sure we’ve all seen this commercial: It features a famous singer, there’s a sad song in the background, and the screen shows pictures of malnourished dogs in terrible conditions. Then comes the pitch of “just $1 per day” – the music lifts and the images change to healthy and happy dogs. Paying $1 per day is linked to happy dogs, while not paying is linked to sad and starving dogs. That’s what social engineering is – it affects your emotions to encourage you to take a particular action. In the case of this commercial, it’s trying to motivate you to donate to charity.

There’s a very fine line here, because marketing can also be manipulative. Shopping malls pump smells through their air vents to make you shop longer or make you want to buy something. It’s influential, but it can also be manipulative. The key is intent. If the other party’s intent is to help you, social engineering is positive in that situation. But once your interests are no longer aligned, it becomes negative and manipulative. If marketing just wants to make a sale and doesn’t care whether you need it, whether you want it, or whether it will actively hurt you, then it’s bad.

I think intent – what is the intent? If my intent is to help you and I use positive forms of influence, I look at that as the positive side of social engineering.

Chris Hadnagy

When Social Engineering is Bad

Malicious social engineering uses the same principles as any other type. But malicious social engineering is also open to using emotions like fear, anger, or lust. Fear especially is a potent driver of action. When you’re afraid, your amygdala takes over and shuts down the critical thought in your frontal lobe. You start reacting based on experiences and feelings, not thoughts and logic. If you think your account was really hacked or the IRS is really on the phone ready to arrest you, you will act.

If I can get you afraid, you’re more likely to take an action that you shouldn’t take.

Chris Hadnagy

Chris read a story about a woman who got a call. The voice on the other end sounded like her daughter, and she said “Mom, I made a mistake. They have me and they’re gonna hurt me.” Then a man came on the phone and demanded money. Chris deals with this kind of thing for a living, and if something like this happened to him and he wasn’t completely sure his daughter was safe, he would probably pay just to make sure his daughter wasn’t going to get hurt.

Malicious social engineering focuses on creating an environment where your critical thought is not even possible.

Chris Hadnagy

Social engineering is great at engaging your emotions so you can't think critically.

Social engineering is about subverting the decision-making controls of your brain. In business email compromise (BEC) scams, scammers often pretend to be vendors that accounting hasn’t paid. Toyota fell for this and lost $34 million. Someone in accounting got an email or phone call saying they hadn’t paid a bill and the next shipment would be stopped. They didn’t want the plant to shut down because they didn’t pay a bill – they would be fired. So they paid out of fear of losing their job.

Scammers are Using Targeted Attacks

A landscaper did a lot of work for fast food clients, and one restaurant suddenly stopped paying. When he asked them why they hadn’t paid, they said they had, and showed him proof. But the account they sent the money to wasn’t his. When he pointed that out, they said he had called and changed his account.

Social engineering is not necessarily complicated. The landscaping company was probably proud of the work they did for fast food companies and listed it on their website. Scammers found the website and used it. With one ruse call to the fast food restaurant, they got the account updated so the landscaper’s payment came to the scammers instead. It’s not the landscaper’s fault, because he did the work and should get paid for it. But it creates a legal mess and is complicated for all parties involved.

Fairly innocent and innocuous information can be used against you. Social Engineering LLC doesn’t list clients on their website for just this reason. If you have a sign for your security system in your yard, that can be an opening for scammers to call you and say “I’m with X Security Company, there’s a fault with your alarm system and we need to fix it.” Most of us probably wouldn’t think twice about it.

Social engineering is often targeted. The FBI reported that over eighty percent of the spear phishing attacks reported to it used information from the target’s social media. The attackers went to social media, looked at the accounts, collected data on the people, and used it in specially targeted attacks. It’s a lot of work if you think about it, but social engineering is full of opportunities for big payouts. If they can get you emotionally invested, it’s worth their time.

Using Your Biochemistry Against You

Chris’s daughter has gotten him to do crazy things, like paint his nails and put on makeup. Now that she’s older, she convinces him to ride roller coasters, which terrifies him. The reason he does these things is that he loves her. The love induces biochemical changes in his brain, which affects his decision-making process.

If you came up to Chris on the street and asked him to go on a roller coaster, his brain would go through a process. He would recognize that this is a request, evaluate the request, realize that going on roller coasters is something he does not want to do, and say “No, thank you.” But when his daughter asks, his brain releases neurochemicals because he loves her. He loves her, he wants to make her happy, and saying yes would make her happy, which makes him happy. The chemical process makes him say “Yes” to her when he would normally say “No.”

The Chemical Process in Your Brain

In his book The Moral Molecule, Paul Zak explores research about oxytocin. It’s released into the bloodstream to create feelings of trust and rapport. A lot of it is released during intimate moments, like a mother breastfeeding her child. But it is released to some degree in any moment of connection. Say you have a great conversation with Chris and feel like you really like and trust him. An hour later, you send him a connection request on LinkedIn, and your brain releases oxytocin again, strengthening that connection even more.

Dopamine is another neurochemical that’s a kind of “happy drug.” It rewards us and makes us feel good. Dopamine has been studied heavily because it’s involved in things like video games, whose makers want you to keep playing. You get a hit of dopamine when you do something good for you or something you enjoy.

Combining those two chemicals makes a chemical soup of goodness in your head. If someone gets you to release oxytocin and dopamine, you trust that person, you like that person, and you want to make them happy. Those two together build a bond. This is great when it happens naturally. It’s how you love your family members and how you feel a connection with friends. But social engineering is great at tricking your brain into releasing those chemicals and liking and trusting someone who wants to scam you.

Warning Signs of Social Engineering

Social engineering is often subtle, especially if you’re not watching for it. But when you know what warning signs to look for, social engineering is easier to identify. Chris has three steps that he recommends everyone take to help spot social engineering strategies. It’s not an exhaustive list, but it can help.

In addition, reading articles like this is extremely helpful. Sometimes we just don’t know what threats are out there. We have to have the knowledge first, and then tips can help.

If you don’t know what’s happening, then you can’t possibly defend against it.

Chris Hadnagy

Beware of Strong Emotions

Attackers will always want to use emotion against you.

Chris Hadnagy

If you feel any type of strong emotion after you get a request, that’s a great time to pause and think. Social engineering is great at using emotions against you. That doesn’t mean there shouldn’t be some emotion in a conversation. But if someone calls you and you have a good conversation, they sound nice and get you laughing, and then they have a weird request, it’s time to notice it’s weird and stop to think. If the IRS calls and says you haven’t paid your taxes and you’re going to be arrested right now, you’ll feel some strong emotions. It’s a great time to pause and think.

Use Critical Thinking

If you get that call from the IRS, it’s time to think critically about it. Think about your life. Has the IRS ever called you for anything? No, and they’re not going to. If they do anything, they’ll send you a letter in the mail and give you thirty days to pay. The IRS is never going to call and demand payment, especially not with gift cards or Western Union. A little critical thought can help you spot these social engineering attempts.

Critical thinking can help you identify when social engineering is targeting you.

However, critical thought can’t always fix the problem in the moment. A big personal scam right now is the grandparent scam – someone calls your grandma pretending to be you and tells a story about how they’re in trouble and just need some money for bail. When emotions run high like that, critical thinking can be difficult. That’s why it helps to do some of your critical thinking ahead of time.

You have to do some critical thought ahead of time.

Chris Hadnagy

Chris set up an authentication system with his grandma. By her phone, he put a sticky note with their password. Nobody should know this password, and Grandma will never need to say it. If Chris calls and asks for money, she asks what the password is. Grandma knows to hang up the phone if “Chris” doesn’t know the password. If Chris is too drunk to tell her, Grandma will hang up the phone and Chris will call her back when he’s sobered up. This system keeps her from being scammed.

Don’t Sweep it Under the Rug

Social engineering is a danger to everyone, no matter how smart. Anyone can fall for it. When that happens, a lot of victims are embarrassed that they fell for it. They sweep it under the rug and don’t want to tell you. Older adults and people who fell for romance scams are especially reticent to say so. Calling your bank or financial institution, or whoever holds whatever you lost, and reporting it immediately can help.

Being open about falling for social engineering is a two-way street. If you fell for it, it’s important to report it. And sharing your experience can help protect others. But as a family member or a friend, it’s important to not respond by blaming the victim. If you say things like “This was obviously a scam,” or “How could you be so stupid to fall for that?” people won’t want to be open about it.

Social Engineering is Evolving

Vishing (voice phishing, or phishing over the phone) has increased 554% in one year. Chris gets scam calls daily. Between text messages and phone calls, there are dozens of scammers contacting him every day. He doesn’t even answer the phone if the number isn’t in his contacts, and if the caller doesn’t leave a voicemail, they’re not getting a call back. In the US, T-Mobile, AT&T, and Verizon were breached, putting millions of phone numbers (and other contact information) up for sale to scammers. Similar things happened in the UK, Ireland, Italy, and other parts of Europe. Social engineering is happy to use scam calls to target you.

Another trend is fake social media accounts. There was a major attack on the US military using social media accounts. A group created fake LinkedIn accounts of attractive female reporters in the US. They contacted four-star generals close to retirement and asked to interview them about their illustrious career in the US military. Some accounts asked about certain things, and other accounts asked about different things. The group was able to combine these data points and get a lot of information about classified military operations. Social engineering is a great tactic to create those kinds of massive leaks.

Other groups saw that success and decided to try it. Chris gets a dozen fake LinkedIn requests per day. Since he put his position at the University of Arizona on his profile, he’s received a lot of requests saying they admire what he’s doing there and want to help him with it. He knows those are fake because if they’d read past the first entry of his profile, they would know that his teaching is a very small part of what he does.

The Role of Technology

Social engineering is a major threat to everyone. From a corporate perspective, there are great tools out there now. Oracle has one that’s like a firewall for your phone network. It analyzes incoming calls, and gives you a notification if it’s not coming from where it claims to come from. It can even be set up to block calls from specific areas where there are a lot of vishing rings.

The technology for businesses is out there, but social engineering is not just a problem for businesses. Social engineering is a threat to individuals too, and those tools aren’t available for the average consumer. Right now, education and awareness are the best tools we have to protect ourselves.

We’re still relying on critical thought and education to be the thing that helps mom, dad, uncle, grandma, grandpa, and our kids.

Chris Hadnagy

Training can be very valuable in dealing with social engineering threats. Chris’s class at the University of Arizona is a seven-week class on social engineering. It’s part of a cyber drill curriculum where students learn open-source intelligence, social engineering, and more, and even have volunteers from the local government they can attack to practice their skills. Social Engineering LLC does offer a number of training classes. The primary class is Foundational Application of Social Engineering. They have taught it to salespeople and psychologists, MI5 and MI6, SOCOM, and other places all over the globe. They also offer a practical class similar to the one at the University of Arizona.

Learn more about Social Engineering LLC and their classes at social-engineer.com. The best way to connect with Chris Hadnagy is on LinkedIn – as long as you don’t write a chain email that’s missing information, he’ll probably connect with you.
