Hacking the Human OS: Insights from Social Engineering expert Christopher Hadnagy

August 23, 2024

Join host Justin Beals as he explores the art of human hacking with Chris Hadnagy, CEO of Social Engineer, LLC, and renowned author in social engineering. Discover Hadnagy's compelling journey through security and computer science, including pivotal incidents, pioneering social engineering frameworks, and collaborations with agencies like MI5 and the FBI. Gain insights into ego suspension, nonverbal communication, and defense strategies against social engineering, emphasizing empathy, education, and technology in cybersecurity.

Book: "Social Engineering: The Science of Human Hacking" (2019)


Secure Talk - Episode 8 Christopher Hadnagy


Justin Beals:  Hello, everyone, and welcome to Secure Talk. This is your host, Justin Beals. I'm always glad to have you joining us. Today, we have an exceptional guest. I'm very excited to chat with him. Chris Hadnagy is the CEO of Social Engineer, LLC, and he has written a number of books on social engineering and really one of the foremost experts in this particular space.

The one that I've had a chance to really delve into recently is “Social Engineering: The Science of Human Hacking”. Chris, thanks for joining us today. I really appreciate it. 

Christopher Hadnagy: Thanks for having me on. I really appreciate being here. 

Justin Beals: So, one of the things that we love to chat with, we have a lot of early-career listeners, and we kick off our conversations this way: we'd love a brief introduction about yourself and, specifically, how did you get interested in security or computer science? You know, what were those formative experiences?

Christopher Hadnagy: I wish I had a, like an Elon Musk story or something, you know, that made me look really smart, but it's like a series of really dumb mistakes that led me to something great. But I would say my first love, I always liked computers. And my father was an early adopter of computers, like way back when there was not even hard drives, you know, and he was an accountant.

And I remember his very first computer was $7,000. And he was bragging to his friends that when he hits this button, all your taxes will be done in 45 minutes. And they were marvelled at 45 minutes, right? Can you imagine waiting 45 minutes now? And I had a Commodore 64 and I was programming things.

You just got interested in it. And I went to my very short stint in college was I was in for computer programming and modems had just come out, and I had written what today would be called a war dialer, but I was a phone freaker, and I was interested in how phones work. So I thought, well, if I can do that with like a whistle, I wonder if I can do it with a computer.

So I played with different tones, not just a 2600 megahertz one, and by mistake, used the tone that told the phone to shut itself off. But I didn't do it to just one phone. I threaded two 2400 baud modems together, and I ran a script for a couple hours, and I ended up shutting down Sarasota County's phone system.

The police came to the college, and they were like, and there was no laws at the time, and they were like, hey, who did that? I'm like, that was me. They're like, why'd you do that? I'm like, I would just run. I was doing a test. I didn't even know that was the tone. They're like, okay, please don't do that again, and the college kicked me out. And I was like, this is what I'm going to do with my life. Like, this was amazing. So, moving on down the road, I started working for a company called Defensive Security, and we were doing exploit writing and teaching and training. Amazing organization. I learned so much from them.

And one of the main things I learned about myself was that I really stink at coding. I mean, really bad. But I was really good with people. So when we would have a pen test, I would go and try to do the phishing or the vishing or the physical entry. And I didn't understand why it was working. And that irritated me, you know, as I was, I wanted to understand it.

So, I started reading like all the books I have behind me on psychology and influence and persuasion and non-verbals. And then I would document. And that process is what became the social engineering framework that lives on social-engineer.org still. I put that out there, 2009, um, and within a couple months, Kevin Mitnick's publisher had called me and she said, I want you to write a book on that framework.

And I said, no, no, like I'm not an author. And she goes, no, but really, no one's ever done this. No one's ever classified science and psychology into social engineering, you know, please consider it. So, I ended up writing that very first book, “Social Engineering: The Art of Human Hacking”. If you haven't read it, don't read it. It's very old, right? So it's, it's not, the science one is the newer, newer one. So, definitely read that one. But that book is what, you know, the, the long answer to your question, which I'm sorry, is that book is what led me to where I'm at right now. Because when that came out, companies started calling me and saying, no one writes about this. Can you consult us? Can you come teach? Can you do this?

And then I wrote a class, and that class got taught to, I taught it to MI5 and MI6. I taught it to US SOCOM. I taught it to the FBI. I was getting, I was at the Pentagon debriefing, which was mind-blowing, right? That I was at the Pentagon debriefing on social engineering.

And that opened my eyes that this could be it. A job, a career. So I started Social Engineer LLC in 2010 and never looked back, you know, and this is what I've been doing now since then. 

Justin Beals: That's really exciting. Well, a couple of things definitely resonate for me. I still have my old copies of Hacker Quarterly, 2600, the old war days, and one of my first jobs was programming AT commands for Hayes. Oh my! British telecoms? We're old. We're old now.

Christopher Hadnagy: For you youngins listening to this, you don't even know what that is, do you? 

Justin Beals: No. But it was a brand new world, wasn't it? You were like, oh, this, the interconnectedness is this, and I have this, like a Commodore 64 was such a powerful computer. And you could really reach out and touch a lot of systems with something like that. 

Christopher Hadnagy: time. It was amazing. Yeah. 

Justin Beals: Yeah. Certainly I, programming is its own art form, right? Like you have to be in the practice to be good at it and you're doing it daily. And if, you know, my job is the CEO, I'm, I'm far enough away from it that they won't let me touch the Git.

Christopher Hadnagy: I get that. I get that. My team does the same thing. Here's: just tell us what you want. Don't touch it. We'll do it. You know,

Justin Beals: One of the things that I kind of learned as I was reading about your work and reading your book and reading about your company is that you've been deeply involved in Red Team. And certainly I think different organizations add red team activities to their companies at different times along the journey as the company's growing. And, you know, I've talked to friends that are working at banks and they're running a full-time staff, but what do you think about from a red team activity for mid-tier companies and smaller companies that certainly are probably a target?

Christopher Hadnagy: Yeah. So this is a really interesting question because I got into red teaming before normal people called red teaming what they think it is today, right? So if we go back, like, you know, our days, Red Teaming wasn't a thing you did in 24 hours or 48 hours or four days. Red Team, when you got hired for a red team, you were a month, two months, three months, right?

And they hired you to simulate the adversary to make believe you were a nation state or a competitor. So we would stalk the guys. We would take pictures. We would follow them to the gym. We would go out to their locations and tag their cars. We would, you know, go to their homes and make believe we were a pyramid.

We would get involved in their life and such. Well, I had a job once where I got hired by the company. For two weeks, right? I actually got a job and I went inside to see if I can be an insider threat. And I, you know, I had an office and a computer and everything, an RFID of all of a fake ID. And, and I got hired and I sat in their office for two weeks.

People just assumed I was an employee. And then I'm packing my box up after I completely owned the company. Like I'm quitting, you know, I'm leaving. And the guys are like, Hey, what are you doing? I'm like, Oh, today's my last day. They're like, Oh, you know what? We gotta take you out for lunch. And I had a company bought lunch.

You know, like this. These things were months long, so, okay, so that doesn't really answer your question, but I wanted to define that because what we call Red Teaming, say like, people will call a pen test a red team, and it's not, you know, it's a completely different thought when you ask that question. I think, well, when a company comes to me and says, do you think I need this? I say, what are you protecting? And if you can answer that clearly, and then tell me, who were you afraid of taking it? Right? If, if your, if your fear is only, let's say, online threat actors from the dark web, then maybe you don't need a physical entry, Red Team.

But if, if you're, if you're worried about insider threat, if you're worried about somebody coming in from another nation or another area or competitor actually trying to infiltrate your, your physical network, then regardless of your size, you need, I mean, I've done red teams for companies that were 150 people, but they were making pharmaceutical things that were going to change the world, right? And I've done red teams for companies that have 200,000 people, everything in between. And it, it just depends on what you're protecting and how badly you're worried about getting lost.

Justin Beals: Yeah, you know, very true on the like, what are our crown jewels? Why are we trying to hold on it? And who are the threat actors that are coming after it to help decide what the value is?

And certainly to your point, we see small companies that are building, you know, very valuable solutions that would be useful on the black market or from an information perspective. So it's not always just the most massive companies that need to think about that. So now I'm, I'm drilling in a little bit.

Scope is always really important to me as a product leader. And so one of the things that are going to help us define the scope on the red teaming work is what are we protecting and who's coming after it. 

Christopher Hadnagy: Yeah. And for us, and I'm sure it's the same in your business, scope is our Bible. I tell my team, we never, ever break scope. So it is our, it is my job. I feel when I find, if I was sitting with you as a prospective client, I need to ask you, can I do this? Can I do that? Can I mimic your employees? Can I actually enter your network? Can I steal something? Can I send a phish? Can I do a vish? Can I record all that stuff? Every question has to be asked because if you were thinking one thing and I was thinking another, and I do the thing that's not written in scope.

Especially when it gets to these physical jobs, because this is, I mean, I've been in some hairy situations like guns pulled on me and stuff and these red teams. So you need to be prepared and have everything laid out so you don't get stuck in a  situation that can, that can be really dangerous. 

Justin Beals: Actually, that was one of the areas I, I was curious about, you know, there's an ethics thing to doing this the right way, and you certainly talked about communicating effectively what's in scope. What are some of the other ways that you think about the ethics of this particular practice?

Christopher Hadnagy: Yeah, I actually love this question. Thank you for asking this, Justin. One of the things I've noticed in the industry that has kind of been disturbing me is that people say, well, because we're simulating the adversary or the threat actor, that means I should do everything they do.

And that's not true, right? Because my, my philosophy is like, if I'm working with your company, I want you to love me and I want you to retain me for years to come, but you're not going to do that if I make your people feel dirty or abused or violated. So I refuse to use pretexts that elicit intense fear.

Like I'll give you an example. I heard a story of another red teamer who, during COVID, put a gas mask on to enter a company, and people were so afraid that she was thoroughly sick that they didn't even touch her. That's horrific if you think about that, like, to use that level of fear during a global pandemic where millions of people were dying.

That's not ethical, right? So we don't, we don't, I don't like those kind of stories. So we refuse to do that. I refuse to use pretexts that will threaten someone's job. I have no clue where you are in your life. And what if this last week you had a bad divorce and you're in millions of bills and you were thinking of ending it all?

And now I come in and I threaten your job. I don't want, I, that, that liability? No, no. When it comes to phishing emails, you see these things that were there use someone's bonuses. Terrible. So for me, um, to sum it up, ethics, you have to think about how your attack is going to affect the target. And if that attack could affect, and every attack is going to leave someone feeling a little bit bad, but I do not want psychological trauma or harm or the feeling of hopelessness in my targets.

I want them to have the opportunity to stop me. It doesn't mean I make it easy, right? We don't make it easy on them, but I don't want someone to feel like their life, their job, their family is over just because of my testing, right? I wouldn't want someone to do that to me, so I would not do that to someone else.

Justin Beals: Yeah. You know, in an adversarial approach, it's really hard to humanize the adversary sometimes, but we are humans on both sides of this work. And the goal here, I think what you're trying to deliver is better security. By learning what the, where the vulnerabilities might lie that that are being tested.

Christopher Hadnagy:  I'll give you an example if you'll let me. So we were doing a, a test for a company and one of the targets that we had, we found a slew of nude pictures of her and they weren't revenge porn. They were artfully done. She had them, she had them taken when she was much younger, but then someone leaked them online.

Justin Beals: Yeah. 

Christopher Hadnagy: Never use that. Ever. Like that doesn't become part of the attack, but I also didn't ignore it. So what I did is we attacked the company a completely different way, and after it was done, I said to my point of contact, I don't want to hand these links in to a whole male security team. Would you allow me? And I said, I won't charge you guys.

Will you allow me to work with her privately to get those pictures taken off? And the reason I feel really strongly about it is because they paid me to find vulnerability and that's a vulnerability. So rightfully, they could have said, no, give us the links, right? And I said, but let me work with her. And if I can't get them removed, then I will report back to you. But will you, and they said, yeah, sure. I worked with her for two months. We got every one but one link removed. The company said, we don't care. It was on some Czechoslovakian porn site and page 82 or something. And her name wasn't even attached to it. So they said, we don't care. You can, you can ignore that one, but we got them all.

And that to me is ethics, right? I see this and I would go, Whoa, this is a major attack vector. But can you imagine the humiliation on her? If afterwards she found out it was a company sponsored test and everybody in the company saw her naked. Oh my gosh, like I, it would be violation, right? And I could not right away, and when that happened in the company, we limited the team that worked on that target to another female and me. And that was it. No one else saw those pictures. We told her that when we met with her, that we limited the team. So that way she wasn't embarrassed by us. She wasn't embarrassed by her company, and those things never got used in an attack.

I think it's really important if you're in this field, that that becomes a major point of focus for you, that you're really thinking about the ethics on how to do this so you don't leave people feeling worse for having met you.

Justin Beals: I mean, I get a sense of caring for the people that, you know, you're trying to engineer a social outcome for. You know, you, you certainly understand the impact of the work you're doing, and that it can be hard to learn that you made a mistake, and at the same time, you can, you know, in this digital age, you can learn of things that they're not even aware of that are out there.

Christopher Hadnagy: That's a great way of putting it because really ask yourself this question. If you're in this industry, why are you here? If your answer first is money or cause it's cool, or I want to look awesome, that's the wrong reason, right? 

I'm in this industry because I really like helping people. And this is a talent I have to help people. So if I go into my job every day with the goal of, I want to help this company be the best they can be, then I'm not going to do things that are going to harm them or make them feel angry, because then you're not teachable, right?

If you came up to me and said, Chris, I want to learn how to fight. Can you show me? And I go, sure. Bam. And I break your nose. You're like, well, you're the worst teacher on earth. I don't want to learn from you anymore. So don't do that digitally to your, to your targets, right? When they say, okay, teach me how to be secure.

Don't embarrass them in front of everybody because they're not going to want to learn from you. 

Justin Beals: Yeah, you're going to close them off, right? They're going to be like, this person hurt me. Yes. There's no way I'm open to working. Exactly. Right. Yeah, and

Christopher Hadnagy: who would, right? I wouldn't, and I tell people this all the time. If you think about, uh, your family, you wouldn't do that to your children. If your child made a mistake, you wouldn't pull them out in front of, a good parent wouldn't pull them out in front of all their friends and humiliate them. This kid says, look how stupid he is, he made a mistake. Like, no one would do that to their kids. We hear that and we're like, that would be the worst parenting on earth.

So why would you do that to your employees? Right. You just don't. Yeah. If you wouldn't do it to your kids, don't. And if you would do that to your kids, you probably shouldn't be a boss.

Justin Beals: Well, it's refreshing to hear that you have a deep perspective on the ethics of the work. And it's the criticism that I've had of, I think, our industry. A lot of times, both business and technology, we don't think very often about the impact of what we're doing. And there is always, right? If you're automating something, someone may be losing a job.

It may still be the work you're doing, but you just need to be aware of what those impacts are. 

Christopher Hadnagy: And I like that thought because, you know, anything that we do in this AI now, I'm not a believer that AI is going to replace all humans, but AI definitely is going to replace some jobs, right? I was able to successfully use ChatGPT to write a script that I needed for a tool that I was building, and I didn't need a human interaction.

And all I had to do was learn how to talk to the bot to give me the right output. So as long as I can be a creative human, I didn't go anywhere to hire a programmer now. I did this, and I even said, get fancy, build me a GUI. It built me a graphical user interface for this thing. I mean, ridiculous, right? So I mean, yes, AI will produce that, but now I wouldn't want to go, okay, fire every programmer in my company because I have AI.

Right? So, yeah, I like the way you worded that because we do have to have that mind that technology and things are going to advance and it's going to mean some bad things for some people. But how we word that and how we work with them can make all the difference in the world. 

Justin Beals: Yeah. One thing that I learned in reading your book is that a lot of times you talk about this social engineering work that you're doing as a part of a broader penetration testing effort.

You know, as a CTO, I've always viewed penetration testing as something that we did in a very cybersecurity way. And we went through the list of the typical hacks and that the patches are in place and you've got the right encryption. But I loved including this idea because you have a surface area, right?

Yeah. How do you introduce that conversation of social engineering as a part of the broader penetration testing? 

Christopher Hadnagy: I say, have you read the Verizon DBIR report? Yeah. Have you seen the Scattered Spider hack on MGM? If you read the Verizon DBIR report, then you saw that 96% of all ransomware is being delivered by phishing emails.

You're seeing that phishing is becoming the number two vector for getting ransomware and trojans installed on networks. So how can you do a pen test or an adversarial simulation and not include social engineering? Because you're leaving out a major vector. Your firewall may be perfect. Your IDS, IPS, your intrusion systems may stop every attack that I can launch from a digital perspective.

But if I can get someone inside the IT team to allow me in, because I sent them a phish and they send me a reverse shell, now all that technology doesn't do anything for you. So how do you completely understand your vulnerability and your threat risk if you don't include social engineering in your adversarial simulations?

Justin Beals: I mean, some of the statistics that blew me away as I was starting to research the space that we operate in was that 70% of breaches were coming through third-party vendors. You know, to your point, how much of this is human engineering, because it is not that difficult to set up a firewall, you know, it's not that difficult to set up a way to connect in an encrypted fashion to critical systems. And, of course, when those are breached, it's catastrophic. You know, it's a big loss, but the ransomware install is coming through. We have a thing at our company where it's like you've passed your, the first 24 hours is when you're going to get an SMS from someone posing as the CEO to ask you to provide them information.

Christopher Hadnagy: It happens at my company too. Soon as someone goes on LinkedIn and says, I started with social engineer. I tell them you're going to get a text from me. It's not going to be from me. And they're going to ask you to go to CVS and get some gift cards.

And the only reason I know that this is one of my employees fell for it a couple of years ago. So we ended up having to say, okay, guys, this is going to happen every time we hire someone. So just, you know, be aware. 

Justin Beals: Yeah. And it's these communication patterns that don't require a login, and from physical through to SMS to email, there's just no authentication to be on that platform for communication.

Christopher Hadnagy: And if the pretext is believable, right? So, for this particular attack on my company, I was in a classroom with students. I was with some clients, and I had told my EA, who was brand new, hey, I'm not going to be able to talk to you today very much because I'm going to be, I'm in a classroom with a bunch of students and clients.

So I'm going to be busy. I don't know if they knew that I was teaching a class, cause they did go sent on my schedule, cause it's online, but they texted her and said, hey, this is Chris. I'm in the class. I need you to go get me some gift cards for students. She was like, okay, well, he just told me he was there.

I don't recognize this number, but it all makes sense. So she goes out, $2,000 later, right? And then I get back to the office, and she's like, so did you get the gift cards? And I'm like, yeah. You're joking, right? Like you're telling, tell me you're just pranking me as your first-day prank. And she's, now you can see the fear, right?

She's like, wait, wait, wait, wait. And she, I'm like, oh crap. No, I'm like, you, you actually, you did it. I was like, how much? She's like, $2,000. I'm like, oh, oh, ouch. This hurts. Right. It happens. Right. I mean, you know, we didn't, we didn't fire her. We didn't do anything. We just said, okay, this is, this is a good learning lesson. So, let's see how we can learn from this and move on.

Justin Beals: Well, and to the title, social engineering, we are human creatures. We can be engineered. I oftentimes, when coaching software development teams, I'm like, oh, this is a human engineering issue. We need to coach this person on how to be successful. And therefore, we're all susceptible, myself and everyone else, to being influenced.

Could you take us through, just maybe briefly or at a high level, your pyramid? OSINT, pretext, attacks. I thought it was super helpful for me in understanding how these attacks get perfect.

Christopher Hadnagy: So the life force of every social engineering attack is information. So OSINT has to be the biggest block of thing that you do, right?

Because OSINT will generate your pretext, OSINT will generate your attack vectors, OSINT will tell you, is phishing better than vishing, what kind of software do they use, what kind of exploits might be able to, are they big on social media? All these questions get answered with OSINT. So that has to be the very first stage.

After you do OSINT, that's when you start attack planning. So you actually look at your OSINT, and you say, okay, what's my goal? So I know my end goal. Let's say my end goal was the penetration of the network and owning of some data. Right. So I have to get into this section of, I have to get admin access on the network.

Okay. Now I have the OSINT. So what's going to give me that access? So I need to start planning my attacks. I'm going to do phishing here, spear phishing here, vishing there. I'm going to do some network intrusion here. You know, I'm going to start doing all of that stuff. Once I plan the attack, now it's actually launching the attacks.

So I start to launch those attacks because I, you know, once you're planning, sometimes you're planning an attack, and you're like, hmm, I need to change this, because as you're planning it, you know, maybe the OSINT changes or something else happens. Or this has happened to us a number of times: we find a piece of data that tells us in two days there's something happening that we have to use.

So forget the timeline, like, get going quick on this one thing. We'll do more OSINT later, but you've got to do the attack on this one thing, right? And then, once you launch the attacks, then of course it's data collection, achieving the goal, and report writing. And I gotta stress, even though that's the smallest section, it is the most important thing. And every young person who I ever mentored and talked to: your clients are not paying you to be cool and to hack them, even though you might think they are. They're not paying you to hack them.

They're paying you for that report. So that report better be solid, and it better not be a dump, a copy-paste of every piece of OSINT. It better tell a story, and it better explain to them the thought process, what you did, how you did it, what worked, what didn't work. Tell them where you failed. Tell them where they stopped you.

That report better be, if it's going to be long, which most SE reports are, it better be a storybook that they can't put down, because that's what the money is for. That money is for that report and then your mitigation steps afterwards.

Justin Beals: Certainly you talk about in the book that the best defense, or one of the important defensive tactics around all of this, is understanding social engineering itself.

And then to your point, you know, that story about how I perpetrated the hacks that I was working on and what blocked me is a more precise story about your particular organization. 

Christopher Hadnagy: I love that. I mean, imagine if you went to a doctor and the doctor said, okay, you got, you got, you got cancer. Okay, see you later, and just walked out. You'd have: what type of cancer? Is it curable? Give me details. How did I get it? What stage is it at? You know, you have a million questions. So if your report is this basic, like, okay, you guys are how we hacks, or you're leaving your client with a bill, and they're going, what did I just pay for, right? So the bad guys can do that for free. They're, is that evidence that this is what we did and this is how you can fix it.

Justin Beals: Now, I wanted to talk a little bit, continue the discussion on this thread around those defensive measures that you might think about implementing. First off, let me just say that trying to defend against social engineering seems incredibly overwhelming, you know? You can take the number of people you have, how unique you are, multiply it by the number of tax credits.

So, how do you think about developing a defensive posture around Social Engineering?

Christopher Hadnagy: A really wonderful question. So, I have a couple of tiers that must take place when it comes to defense against SE. So first is you have to educate everybody about the vectors. And when the best way that I have found to do that is by actually performing safe real-world attacks on your people.

So, fishing them, vishing them, smishing them, doing red teams, right? This lets the company know, Oh, that's what it feels like. When I get fished, Oh, that's how I should take care of it. And that, Oh, that's how I report this by doing those regularly. You're building muscle memory. You almost think of it like going to for a boxing lesson, right?

They teach you to; they hit the bag, you hit the heavy bag that way. If you're ever in a fight in a ring, your muscles should be like, Oh, I know how to block; I know how to punch, right? I know what to do here. So that muscle memory is that education. That's the very first part. Sometimes companies go, well, we taught them, so they should be secure, right?

No, now there's tech that you have to install. I'm a big proponent for password managers, and people go, yeah, but you know, they got hacked last year. Yeah. One of them did doesn't mean don't use them. Right. Because I can't remember the thousands of passwords that I have to remember. And if I have to remember them, they're either going on paper or I'm coming up with a pattern.

So password manager, MFA on everything that you can possibly have MFA. And if you can avoid a text and you can have an app. Then that avoids SIM swapping, right? So you want to have MFA on everything. You know, I know antivirus, it's a, it's a pain in the butt.  You got to have it, right?  You got it because it's going to stop 99 % of the known viruses that are out there.

So people go, yeah, but it doesn't really do much. Yeah. It's not going to stop a no-day. Okay. But it's like, it's like get your vitamins, you know, stay a little healthy because that's going to stop some of the viruses that are out in the world today, right? Get you, get your immunity shots, and you're, you know, you're, you're, you're better last but not least, you know, having that internal security team that doesn't speak to your people like they're idiots. but that actually cares about them. You want them to be their advocates, not their adversaries. So if your team is not that, replace them, get a new team, because I have seen companies do a 180 because that team, I have a client right now, this team loves their people so much that when they do a test, they tell me that they'll call in and thank them.

Man, I know I fell for it this month, but thank you. I learned so much. And I'm like, what I love about you is that you care so much about your people. They're thanking you for phishing them. Right? Like, that's amazing to me. So those four things I say, like, that's like maybe a starting script, but those, those are the things I say you have to do if you want to defend against SE.


Justin Beals: Yeah. You know, you had a phrase in your book where you mentioned that carrying the "stupid humans" approach is a non-starter to being an effective social engineering tester. And look, this is true. I've met a lot of engineers in my career, and this attitude that you don't understand what I understand makes you stupid. It's really a poor way to engage colleagues.

Christopher Hadnagy: Terrible way, right? Yeah. And that bumper sticker that says there's no patch for human stupidity. First, that means that you think that only stupid humans can fall for SE. And second, if someone falls for SE, then they're stupid. And both of those, both of those attitudes are horrific in trying to fix the problem.

You know, again, go back to your doctor. Imagine if your doctor came in and you had cancer and he goes, well, you know, only people who have really poor health got cancer. And you're, you'd be like, ow, that hurts. Like, you know, only people who, who like, who do bad things with their health die from cancer, you're like, that's horrible.

Like, don't do that. Right. That would be a horrible doctor to have. So you don't do that to your people, right? I have fallen for an SE attack, a real one. I've sent 19 million phishing emails in my career, and I've written five books on the topic. And this is what I do every day. And I've, I've fallen for insider threat, and I've fallen for a phish. So honestly, and I'm not saying I'm anything special, but if I can do it, I think anyone can do it, right?

Justin Beals: Yeah. Cause it's a very human response. We are all human beings. We are governed by the biology and chemistry that we have going on, our own aspirations, all the data we put on the internet or intelligence at work. And we also typically, many of us, want to connect with other people and have a positive experience. Yeah. It just makes you deeply vulnerable to those types of outcomes. So the other thing that I loved is it felt like to me being good at social engineering, or as a security expert inside your organization, also involved letting go of your ego, which is a big part of just doing social engineering, you know, a hard thing to do, to let go of who you are.

Christopher Hadnagy: Very much so. Very much so. Actually, I learned that the hard way, but it was a lesson that I think changed the nature of my company. When I realized that ego suspension was going to make me so much better at this job, it was like a light bulb moment, right?

Because before that, I was one of those guys that always had to win, right? We were bragging about a 100% win. And then I had a client say to me once, well, if you're always going to win, then what's the hope for me, right? Like, what's the hope? And I started thinking, like, he's right. Like, what a terrible sales pitch. Hey, give me $60,000 and you're going to lose. Like, who would do that? Right. You know, it's like, like that's a horrible sales pitch. So I started thinking, yeah, like that's all ego-driven. And when I was saying those things, it was about me, not about you as the client. So when I realized, okay, let me make believe I'm the client, I'm sitting across from Chris Hadnagy, and what do I want him to say to me? I want him to say, Hey, listen, we're going to work together until you're beating me so bad that I feel horrible about myself. That's what I want to hear, right? That I'm going to help train you to stop me, right? That's what I want to hear.

And I'm like, okay, but that means I have to sit there and be willing to take the ego hit that I'm going to lose eventually, and not on purpose, but that I'm going to lose. As soon as I got used to that; oh, yeah, you got to lose the ego in this industry, because egos, they wreck everything. They wreck your relationships, they'll wreck your business, they'll wreck your, your employees, they'll wreck everything, and I've worked with too many people whose egos get in the way. And it just doesn't; it doesn't work for effective things. So yeah, I'm glad you pulled that point out. Mastering ego suspension, which is a lifetime learning lesson and a constant thing that you have to work on, it will change your business, but it will also change who you are as a communicator. It will make you so much of a better communicator. Really, it will.

Justin Beals: I think it's almost impossible to be a great leader and to lead with ego at the same time. 100%. Right. Like, if I'm so right and everyone else is so wrong, then, then it's going to be really hard to take input from my team and provide input in a way that they can digest and feel excited about, you know, changing their own work or perspective or the outcome.

Christopher Hadnagy: I have this wonderful thing we talk about in the company. I've, I... I had this woman we hired brand new to the industry. I mean, she was in hotel accounting before she worked for me. So nothing to do with cyber whatsoever. I mean, she doesn't have like a technical bone in her body right now. We're on this vishing client, and we had instituted something for this client, like kind of a human MFA, where they had a color of the day. And it wasn't something like yellow or blue. It was like, you know, chartreuse green or something that was only on the intranet, and it changed every day. So if, as a tech support person, I call you and I'm asking you questions, you're supposed to say to me, Hey, what's the color of the day? And if I don't know it, you hang up.

So, the client said, wow, this has really been working great, but now we want to see if you can bypass your own protocol. So I'm sitting in a meeting with the team, like, okay, guys, we've got to come up with a plan. How are we going to do it? And this person who has zero experience in the industry gave the idea, right? She says, well, we don't even call about that. We call and we ask them some outrageous question. Like, you have some problem with the computer, I need your password. And when they reject it, you say, okay, no problem. I understand. That's a weird question, but I need to log this. So what's the color of the day, so I can log your rejection? We get it from one person, and then I give it to the team. And I was like, Whoa, I'm like, do it. Do it. She did it. It worked. And then every day we're owning. We're bad, bad, bad, bad. And I'm like, what now? Now we're going to come up with a fix to our broke, a broken thing that we fixed before, right?

The client's like, I knew you were going to do it, but now how are we going to fix that? And I'm like, okay, there is an answer. The answer is only the person who initiates the call says the color of the day. And if the person who initiates the call ever asks for it, your team has to know to reject it. And that stops us now.

But it's like, the point was it was this brand new person. And if I was like, Hey, look, you're not even in the industry. You don't have any ideas. So I'm not even gonna invite you to this meeting. Right. I'm going to get the guys here from the industry. I would have lost out on having this amazing idea from this person who's got zero experience and ended up owning the whole program because she figured it out, right? And I've been in the industry for what? 19 years. She just started, and she had the answer. I didn't. Right?

Justin Beals: Sometimes it's that beginner's mind, right? The willingness to not know what the right answer is.

Christopher Hadnagy: That's why I love it.

Justin Beals: Another part of your book that I really enjoyed is "I can see what you don't say." And I'll confess that my school career, my academic career, is basically a degree in theater. We spent a lot of time saying, this is what the script says, but this is what you're really saying. And how do we say words that are oftentimes counter to the way our body needs to be? You talk a lot about nonverbal communication and the psychology of it. And I'd just love for you to elicit a little bit on how critical it is to social engineering.

Christopher Hadnagy: So I know that there's some who will put a percentage on it. But one of the things I learned, I had the wonderful privilege that my second book was written with Dr. Paul Ekman. He's a mentor of mine, a hero of mine.

One of the things that he taught me in working with him was that you can't say it's 80%, 90%, 96% of what we say is nonverbal, because it depends on the medium, right? So right now you and I can only see from our chest up, which means you can see my hands if I'm using them, you can see my face, but you can't see my hips, my feet, you can't see much else, right? So you're stuck at not knowing all of my body language, right? You can assume I'm facing you because I'm facing the camera, but you know, I mean, you know, I, it could be the camera can be over here for one time. Regardless of what it is, if it's 50, 60, 70, 90% of what we say is, is on our face and our body language rather than the words that we're saying, right? And think of an example for that. You could say, wow, man, you're such a dummy, or man, you are such a dummy. And what's the difference with that? The same exact words. One of them's cute, right?

Or you walk in to your dog and you go, I'm going to kick you in the face, or I'm going to kick you in the face. The dog knows by the tone; it doesn't understand the English words, but by the tone it says, Oh, I'm in trouble. The other one, it goes, Hey, he's going to pet me. He's going to love me. So the nonverbal piece of language, where it's our tone, our facial expressions, our body language, the way that we're using our hands, the way our feet and hips are placed.

Learning to read these things can tell you during a social engineering engagement if you're actually doing good or not. And it also can make you a better social engineer. Because when you're on the phone, the way that our body posture is when you're doing vishing, the way that your face is, will affect your voice, right? A smile versus a frown, or if you're stressed and you're tense, having this kind of a tense face will change the tone of your voice, which will come across to the target. And then they feel tense, and they don't know why they feel tense, but they start to feel that. So nonverbal understanding, nonverbal communication, to me, as a life skill, not just social, as a life skill, is something I wish we were teaching kids in school. I really do. I wish we were teaching them.

Justin Beals: I certainly believe that when we're communicating with another human being. We interpret as truth the nonverbal cues, and then we layer, like metadata, the verbal cues in a way 

Christopher Hadnagy: 100%.

Justin Beals: It's like the true fundamental relationship that's happening.

Christopher Hadnagy: Yeah, and if you think about this, I usually, when I'm teaching a class, I'll ask women this: have you ever been in a room where someone kind of creeps you out, but they didn't say anything? They didn't do anything. They didn't come near you. They didn't touch you, but you left it going, I don't really like that guy? I say, why? I ask them, why do you do that? No, I don't know, just, just the way that he made me feel. And I'm like, right, because your body is constantly like a radar, looking for signs of danger, and it's giving... your brain is now saying, oh, there's a threat over here. Now, maybe you didn't identify what the threat was. Maybe he just leaned a little too close, or he looked at you weird, and your, your verbal, your, your visual caught it, but you didn't actually see it. It's just your brain is always looking and scanning. And now your brain is saying, Hey, there's a threat over here. I don't want you going over this way.

That nonverbal radar is so important to us. It's life-saving. It's life-saving. That's why I got my daughter, man. I taught her this stuff from when she was three years old, and now she's an expert. And I'm like, you need this in your life. You need to know how to do this, because this is not just about being a social engineer. She's an esthetician, right? But this is about just knowing how to communicate and how to keep yourself safe also.

Justin Beals: You know, this whole conversation, when we have it, makes me incredibly conscious about, like, how am I holding my hands, where are my shoulders at?

Christopher Hadnagy: Everyone always says that when I'm talking about this, but it's perfectly fine, it really is.

Justin Beals: What am I saying to people? I think being deeply aware of it, and even in the digital spaces, there are cues that we add to that email that we're sending out, the punctuation that we're putting around it. And of course, things like emoticons that aren't a real word.

Christopher Hadnagy: Why do we create emojis? Why? Think about it. If you read the science, some of the scientific research that's been done, emojis got so popular because we love expressing emotion in our communication. And it's like the same thing I said before, like, I'm going to kick you in the face, or I'm going to kick you in the face. Well, between an anger face or a smiley face, you know that I'm joking or I'm not joking.

But you send that same text with no emoticon, and guess what? I don't know. Is he mad at me? Is he not? I'm not really sure what's happening here. So I, I'm not, I'm not clear what's going on with this message. Like, are you mad at me, Chris? Right. You don't know. That emoji tells you what's going on in my head and in my heart. So we created them because nonverbals are so important to our communication.

Justin Beals: Yeah, yeah. And it elicits a different style of familiarity between, uh, the communication that you're providing. Well, um, I wanted to talk a little bit about the future. You know, in social engineering especially, of course, one thing that I'm very curious about is now we have large language models and they're working fairly well.

I think we've seen social engineering at scale. In the past, it's happened, but it's the ability to kind of rapidly communicate with an individual with an interface that feels like another human being that has got to change the dynamics of your work a little bit.

Christopher Hadnagy: It does, extensively. I was at a conference in Spain a couple months ago, and there were a couple federal agents from Japan, and they were giving a speech, and they said up till about a year ago, phishing was barely a threat in Japan because, anyone know why?

And I really could not come up with an answer. So, no hands went up. A couple people had some guesses, but none of them were right, and he said, The reason is, is that Russians didn't speak Japanese very well. But now, because of ChatGPT, you can translate any email perfectly into another language.

I could say, take this message and write it in Japanese, and it will be perfect, grammatically. So we're seeing AI being used in phishing. There's a tool out there which just blows my mind. That is a legitimate tool, but it's being used by threat actors because they realize that certain accents will elicit distrust in us as Americans.

Someone built an AI-driven tool that removes accents from, from telemarketers. Now, threat actors are using this. So we don't know they're Indian or from Pakistan or from wherever they're at. They, they, they have an American accent. FraudGPT, if you haven't heard of it, for pennies for the year, you can have access to a fully functional evil version of ChatGPT that writes malware, that writes website code, that will write phishing emails, that will send phishing emails, that will steal credit card data.

This thing is unbelievable. So to answer your question, I think what we're going to see... And this is the bad side. Then I'll tell you the good side. From the bad side, we're going to see AI being used more and more and more in attacks. That thing in Hong Kong, if you heard about it, that, the digital skin that this threat actor built, and then he got on a video call with a subordinate of the CFO, but what he was seeing was the CFO, and he said, I need you to transfer $25 million.

The guy went and did it. Why not? His boss told him to go do a wire transfer. So he did it. One meeting, and that threat actor now is up 25 million. We're going to see this more and more. Okay. Now that's all the bad side. And that's all the, that's all the, you know, the negative. What about the good side? I think we're going to start seeing AI being used more and more in defense.

Right now, we have paperwork out for a number of grants, trying to use AI and LLMs to build defensive models and to help detect deception, to understand when malicious intent is being used, so we can build better defenses, because, as you kept saying for this whole podcast, we're humans. So we're going to have human reactions.

We need to start using the tech, because I don't want to teach your people to not be kind and to not have empathy and to be paranoid about every phone call that comes in. I want your customer support people to be as awesome as they are right now. So what I want is technology so your customer support people can be awesome.

We can't stop the badness from happening. So I think from both ends, we have to start seeing a, we're going to... AI is already being used on the bad side, but we just start seeing it being used much more on the positive side.

Justin Beals: It's intriguing. It's a really intriguing idea. I hadn't thought of it, where you're literally training a model to have a discussion on a, on a communication channel to try and suss out what the motivation of the communication coming in is, and if you're sensing that they're asking for you to operate a transaction or share data, you know, the machine is going to be a lot less emotionally attached to the communication they're getting. And it is a very powerful defense mechanism. It actually dehumanizes, maybe in an appropriate way, something that could be engineered for a house.

Christopher Hadnagy: Well, you know what's wonderful about it? If you think about it, if we feed that, that bot the rules for my company, like let's say I'm a bank and the rules are, I will never ask you for a password. Ever. No bank employee will ever ask you for a password. All of a sudden on this call, and I built so much rapport, I'm doing amazing. We're laughing. Now we're talking about our kids, our dog, what we need for dinner. And I'm like, Oh, Hey, yeah, before we log off, I just need to get your password so I can, you know, log this call. That's when the LLM jumps in, and maybe a little red light comes up on the screen, or something happens on the phone that says, Hey, this, this call may be fraudulent.

That question shouldn't have been asked. Enough to break the hijacking of the emotion and bring back critical thought, so that the target can go, Oh, wait, yeah, wait, I can't give you that. I'm sorry. I can't give you that. Right. And it's just a matter of listening to that call, doing the analysis for that intent with your present rule set for your company. And I believe that we can, you know, that's one of the things we're working on now, and I believe that we're going to be able to get there.

Justin Beals: Chris, this has been an exceptional conversation. I'm a big fan of the book. Reading it was... it's super helpful for me for thinking about this subject area, helping make our business more secure, and also kind of understanding the mechanics of the psychology of the work.

So it's been a real treat to have you, and I wish you lots of luck, and I'm looking forward to connecting at some of the conferences I'm sure we attend every year.

Christopher Hadnagy: Yeah. Thank you for having me on. This was a great conversation.


About our guest

Christopher Hadnagy, CEO, Social Engineer, LLC

Christopher Hadnagy is the founder and CEO of Social-Engineer, LLC. In his nineteen years in the industry, he has written the world's first social engineering framework, created the first social engineering-based podcast and newsletter, and written four books on the topic.

Chris has spoken and taught around the globe, including at the Pentagon and other highly secure facilities on the topic of social engineering. As the creator of the world’s first SECTF (Social Engineering Capture the Flag), he has led the way in educating people on this serious threat. He recently launched his very own conference to discuss how we can "hack" humans to become better, more empathetic and clearer communicators.
