Creating a perfect storm using social engineering: a talk with Christopher Hadnagy

In the rapidly evolving landscape of cybersecurity, understanding the intricacies of social engineering is crucial.

Christopher Hadnagy, a renowned expert in the field, sheds light on the complexities and nuances of social engineering in an enlightening interview. His insights dive deep into the psychological roots of cyber-attacks, offering a unique perspective on how cybercriminals exploit emotions and trust.

This article breaks down key insights from the interview, giving valuable knowledge to professionals and the general public. It serves as a guide to comprehend the current state of cyber threats and prepares us for the emerging challenges in the digital world.

The interview’s highlights

• Expert vulnerability to attacks. No one is immune, as Hadnagy’s personal encounter with a phishing scam proves the universal vulnerability to cyber-attacks.

• Social engineering tactics. Primary social engineering methods evolve with the advent of new technologies and methods like QR code phishing and online chat scams.

• Emotional exploitation in decision-making. ‘Amygdala hijacking,’ where intense emotions can overshadow logical thought, is a technique to elicit quick, emotion-driven decisions from victims.

• Manipulating trust through oxytocin. It’s difficult to protect against the manipulation of trust, as oxytocin, a natural facilitator of human bonding, can be exploited by malicious actors.

• Nonverbal cues and deception detection. To dispel nonverbal cues of deception, focus on the mismatch between words and body language and trust one’s intuition.

• Industry-specific vulnerabilities. Heightened susceptibility of certain sectors like healthcare, banking, and utilities to social engineering, with specific challenges faced in effectively training staff in these areas.

• Future trends and AI in cyber-attacks. AI in cyber-attacks will get more sophisticated, making it necessary for advanced defensive strategies.

Key insight #1: social engineering is getting at you at the right time and context, not an intelligence issue.

NordLayer: How can even experts in social engineering become victims of cyber-attacks?

Christopher Hadnagy: Despite being an expert, the story of falling victim to a phishing attack stresses the human element in cybersecurity.

Social engineering targets our emotional responses, not our intelligence or lack of it. If an attacker aligns their approach with something personal and emotionally significant—and times it perfectly—anyone can fall victim.

My experience with the Amazon phishing attack is a classic example. I’ve placed an order on Amazon and was about to rush through the door for the airport with luggage in my hands. This was the time when the phishing email dropped into my inbox, saying something went wrong with the payment card.

The combination of being rushed, emotionally charged, and the contextually relevant pretext made me susceptible at that moment.

Key insight #2: phishing attacks are the most common reason behind breaches, and they evolve constantly.

NordLayer: What are the most common social engineering tricks used to gain access?

Christopher Hadnagy: The landscape of social engineering is diverse and continually evolving.

The primary categories include phishing emails. Everyone’s heard about them, but they are still the number one threat when it comes to breaches.

Then there’s voice phishing (vishing) and SMS phishing (smishing). Smishing became prolific after major telecommunications providers in the U.S. were breached, and all phone numbers were out there. Hence, I receive 10-12 weird text messages every day.

Impersonation is becoming a growing problem as there are two different attack types. One can be someone coming into your business as your employee or colleague. Another one is social media impersonation, also known as catphishing. We see many people making fake LinkedIn accounts and believing there’s someone they’re not.

Technological advancements have emerged in new methods like QR code phishing (wishing) and online chat phishing, especially prominent in the support chats category.

These attacks exploit the increasing amount of personal information available due to data breaches, creating more opportunities for targeted and convincing scams.

Key insight #3: a blackout of logical thinking for one minute can result in thousands of dollars lost.

NordLayer: Could you explain how threat actors use the science behind emotions like fear or urgency?

Christopher Hadnagy: Dr. Daniel Goldman coined the concept of ‘amygdala hijacking,’ where intense emotional responses overshadow our logical thinking, which is a critical tool in a social engineer’s arsenal.

Research subjects were shown something scary or sad and then asked to do math problems. They saw that the frontal cortex went completely dark, and the amygdala in the center of the limbic system was all lit up.

This neurological response diverts all processing power from the frontal cortex to the amygdala during high-stress situations, hindering critical thinking.

NordLayer: How do we make decisions that we normally wouldn’t make when these emotions are involved?

Christopher Hadnagy: Attackers exploit this by creating scenarios that evoke strong emotions like fear, anger, or urgency, leading to hasty decisions made without logical reasoning.

It only takes 30 to 60 seconds, and our brains return to normal once we’re done with the emotion. This is why scam emails never say, ‘click this link tomorrow’ because, between now and tomorrow, we will have time to think and be in the right state of emotion.

Instead, they create urgency. Giving you no time to think critically creates a perfect storm for a social engineering attack.

Key insight #4: as humans, we are trustful by nature, and safe words can save us from scams and paranoia.

NordLayer: Your TED talk mentioned oxytocin and its role in trust. How do social engineers exploit this aspect of human biology, and what can we do to protect against such manipulation?

Christopher Hadnagy: Oxytocin, known as the ‘moral molecule’, plays a vital role in building trust, a mechanism frequently exploited by social engineers. Without it, we would die off as a human race because this love hormone is a part of how we are as humans and not just a bunch of paranoid hermits.

It’s about striking a balance between being cautious and maintaining the natural human tendency to trust.

While it’s challenging to safeguard against this manipulation without becoming overly distrustful, awareness and simple protective measures like establishing a family password can be effective. Then they—your child or grandparents—don’t have to know anything about neuroscience or cybersecurity, but remember one code name and use it once necessary.

Key insight #5: a combination of nonverbal signs or simply trusting your gut can help you avoid becoming a cyber-attack victim.

NordLayer: In your book, ‘Unmasking the Social Engineer,’ you emphasize the importance of nonverbal communication in detecting social engineering attempts. What are some key indicators that someone might be attempting to manipulate or deceive us?

Christopher Hadnagy: Deception detection through nonverbal cues is complex.

There’s no definitive set of nonverbal indicators of deception Instead, we look for inconsistency between someone’s words and body language.

Your body and your brain are constantly looking for nonverbal signs. We do it all the time, unwillingly looking for little things like a head tilt or a nod—nonverbal signs to evaluate our trust in that person. Virtually via email or a phone call, it’s much harder to put someone to a nonverbal test, so look for the smallest signs and inconsistencies in speech.

Understanding nonverbal communication can alert us to discrepancies in a person’s intent versus their verbal communication. Moreover, trusting our intuition or ‘gut feeling’ when something feels off can be a reliable guide, especially in situations that make us feel uneasy or unsafe.

Key insight #6: the intense nature of some industries requires a full attention span to do their jobs well instead of being concerned about breaches.

NordLayer: From your experience, which industries are currently most vulnerable to social engineering attacks, and why are they particularly targeted?

Christopher Hadnagy: The medical field, banking, and utilities are particularly susceptible to social engineering attacks. The healthcare industry, for instance, struggles with cybersecurity training, often choosing inappropriate times or methods, leaving staff unprepared for social engineering tactics.

The integral nature of these industries, involving high-stress environments and sensitive information, makes them prime targets.

The medical field is probably one of the biggest threats out there. Doctors and nurses are doing a hard job attending to saving our lives or dealing with sicknesses—there’s no time to do cybersecurity training while a bunch of documentation and patients take all your attention.

Key insight #7: AI is to create sophisticated attacks and to be used to prevent them.

NordLayer: Looking ahead to 2024, what major trends do you foresee in the evolution of social engineering tactics, and how should organizations prepare?

Christopher Hadnagy: The future of social engineering is increasingly intertwined with advanced technologies like AI.

The use of AI in attacks is becoming more sophisticated, making them harder to detect and counteract. AI will likely be used in phishing emails, voice cloning for scams, and deepfakes.

The increasing brazenness and callousness of attackers, targeting even the most vulnerable, is a disturbing trend.

However, there’s hope for increased education on social engineering and the development of AI-based defensive tools. It’s crucial for organizations to invest in both technology and training to stay ahead in this evolving threat landscape.

Thank you.

Christopher Hadnagy, CEO & the founder and CEO of Social-Engineer. Chris has over 16 years of experience as a practitioner and researcher in the security field. His education and awareness efforts have helped expose social engineering as a top threat to security today. 

Chris established the world’s first social engineering penetration testing framework and the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals.

Chris is also the best-selling author of three books: Social Engineering: The Art of Human Hacking, Unmasking the Social Engineer: The Human Element of Security, and Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails.

How NordLayer can help

Awareness is the first step in preventing cyber-attacks. Training, education, and constant reminders significantly help organizations minimize the risks. However, being human is in our nature. Additional tools like NordLayer as a threat prevention measure can help automate some processes to save time, maintain our focus, and create additional barriers for malicious attackers to stumble upon.