Social Engineer Chris Hadnagy visits Fraud Busting. His specialty is the human side of security. You’ll be amazed at his stories of breaking into companies (at their request) to test their security. And we’ll chat about how to use the tools of persuasion that the bad guys use to make the world a better place so you win friends, influence people and leave them better off for having met you. His new book Human Hacking is hot off the presses. You’re gonna want to make sure you get a copy of it.
Traci Brown: I am so thrilled that you and your people said yes to letting you come on my show because I have watched your work for a long time.
Chris Hadnagy: Oh, thank you.
Traci Brown: I was always kind of looking for a reason to reach out, and then I saw you had your book come out which your folks were nice enough to send me an e-copy of it. I’ve got to tell you, I love it. It is fantastic. I wish that I had written it. I love it that much.
Chris Hadnagy: That’s a nice compliment. Thank you very much.
Traci Brown: The thing is, I don’t love books. I write books, but I’m never like, oh my God, that was amazing, like some fiction a little bit, never a professional book. I was sucked in from the first paragraph on the first page. Let’s talk a little bit about you and what enabled you to write these amazing stories, because there are so many of them in the book. Let’s just . . . It’s called Human Hacking. I know it’s coming. What’s the date on it?
Chris Hadnagy: Yea. January 5th it got released, if you can believe that.
Traci Brown: Yea. So it’s brand new. It’s on Amazon, everywhere you get your books. Let’s talk a little bit about you, and then we’ll back into the book and how all that came about. Tell us about your background and what enables you to write these. Essentially, they’re spy stories is really how I’m going to classify them. Tell us a little bit about you and your background and how we got to here, to today talking about social engineering.
Chris Hadnagy: So, I don’t know how far back you want me to go, but I think the most relevant part of the story is I was working maybe about 15 or 16 years ago, or 17, as an operations manager for a pen testing company. We were doing network pen testing which meant companies hired us to hack their computers, and we tell them how we did it. A lot of guys at that time, including me, we were coding exploits. I stunk at it, so whenever we would have a pen test, I would be the guy who would like call someone up on the phone and get them to give me a password, or walk up to a security guard and just get them to let me in the building. It always worked, but I didn’t know how, so it felt like I was a Jedi or a magician or something, but it irritated me because the hacker mentality is you want to know how things work. I started to read books on psychology and read things on nonverbals and read like Cialdini’s Influence, Paul Ekman’s Emotions Revealed, and Joe Navarro’s, What Every Body is Saying. I started to read all these books that started to explain, oh, wait, I’m doing that, or I’m trying that. I didn’t know. I unconsciously didn’t know it. I came back to my boss at the time and I said, we should write a course on this thing called social engineering. No one has ever written about it. He said, well, we have to write a framework first. He said, this is your thing. You write the framework. So, I wrote a framework. It still lives today on social-engineer.org. I released it, and I thought, okay, a few people will be interested in this. It became an overnight sensation in the security field. I got called by a publisher and invited to write my very first book, so this is going back now 11 or 12 years. I wrote that book, and that launched the company I have today. 
You jump through – I won’t go through all those hoops – you jump through like 12 years of running this company, and like you said, there are just so many stories and so many ways that I’ve used these skills that I said, you know what, this book needs to be written because it’s not just about security anymore, especially in a world where we can’t seem to have a conversation without violence, a book about how to just be a human, how to be empathetic, how to converse, how to stay safe from scams. These things are so important that I think it needs to happen, and that really was the motivation for it through the years.
Traci Brown: Here’s what I really liked is because I’ve always thought of, because I’m a body language expert, and I focus really on two areas. One is persuasion and influence and the other is lie detection and fraud prevention. The reason I really like your book is because you took what can be a dark topic, which is social engineering. Now, I know you have a great definition of social engineering. Let me tell you mine, and then you can tell me yours. Because I always termed it as high stakes persuasion, but you have a different definition of that. You want to jump into that a little bit?
Chris Hadnagy: Yea. It’s any act that influences a person to take an action that may or may not be in their best interest. I go with a broad definition because I think that there are positive, as well as negative, sides to this persuasion or influence that we can use in a good way or it can be used in a very bad way.
Traci Brown: Well, right. Let’s talk about some of these ways that you’ve been hired to use this, and then let’s flip it and talk about some ways that maybe more for social good, as opposed to somewhat nefarious uses. You’ve posed as a delivery guy to get into a building. It sounds like from some of the stories in the book, like using ladders to hop over fences and secured areas. What are some of the fun ones that you’ve done where you’re like, oh my gosh, I can’t believe I pulled that off.
Chris Hadnagy: Yea. Let me see, one of the crazier ones was last year, of course pre-COVID, one of my guys, Ryan and I, we flew to Jamaica and we broke into three banks.
Traci Brown: Really?!
Chris Hadnagy: It’s a crazy one because before that I haven’t done much bank work outside of this country. We get to Jamaica. We’re hired. We’re supposed to go break into these banks. We pull up to our first bank. I’ll tell you the pretext in a second. But we were looking at the bank from across the street, and there are these guys on dirt bikes with shotguns on the side patrolling the grounds. That’s their security. I’m like, wait, no one told me about that.
Traci Brown: Oh my God.
Chris Hadnagy: I didn’t know there were like dudes in shotguns. They had these weird masks on that had like teeth and jaws on them and stuff.
Traci Brown: Uh-huh.
Chris Hadnagy: I’m like, this is not like American security, you know, they say Security, they’re in a bullet-proof vest, and all. You can tell them. These were like young guys with guns. I’m like, oh, we’re going to die here, you know. Okay, okay. We can do this. We can do this. We came up with this pretext because the other thing about social engineering is you kind of have to be very aware of cultural biases and cultural norms.
Traci Brown: Yea.
Chris Hadnagy: Because they play a huge piece. Right. So, me and Ryan were two white guys in an area of Jamaica where we probably are the only two white guys, and we’re going to go break into these banks. I’m like, we’re going to stand out. There’s no way we’re blending in.
Traci Brown: Yea.
Chris Hadnagy: So, we need a pretext, we need a reason that we’re there that makes a lot of sense. We made up a story that we were from America as auditors for the bank. We’re going to do business in America with this bank, and we have to audit their security. Now, we have kind of scoped out the building a little bit and saw they had security right inside the door. There are two guys with guns sitting at this desk, and we have to bypass that. We got a local, we hired a local, and we said, look man, we need you to go inside. Here’s a few bucks. Just go and talk to security about what you would need in order to get into the building to do some work. While he’s at the front desk, I grab my cell phone and a clipboard, and I say, Ryan, just follow me. I get on my phone and I’m like, “Yea, hey Steve, yea, we’re here. We’re going to do the audit now. We’re coming upstairs.” I’m saying this on my cell phone as we walk in the front door.
Traci Brown: Uh-huh.
Chris Hadnagy: Then I just walk right past security and up the stairs, and they don’t stop us.
Traci Brown: Oh, my gosh.
Chris Hadnagy: Right. Because I’m on the phone. I’m saying, “Hey Steve, we’re here. We’ll be right upstairs.” We get upstairs and we’re both like just breathing and sweating and everything. I’m like, okay, I can’t believe that worked. We walk upstairs and there is a woman who’s entering this door, and on the door, it says ATM Testing Center. She has a big badge and it has a keypad on it. She swipes it and we just follow her in. She’s startled, so she looks. She’s like, “Oh, what are you doing walking in behind me?” And I said, “Oh, we’re auditors from America. We’re doing a bank audit.” And she was like, “Oh, okay.”
Traci Brown: She took your word.
Chris Hadnagy: Yea, she just took my word. Now we’re roaming. We had the bank. We roamed. We were in a call center. We got access to computers. We were in that bank for like an hour and a half before anybody stopped us. It was literally that simple. It was truly one of those jobs where we left there going, wow. We could have been shot at any time, but that was amazing. We left there very energetic, I could say.
Traci Brown: I guess so. Hopped up on adrenaline. So let’s talk about how to prevent something like that, because I work with a lot of banks, bank associations, and things like that. Is this like a prestige suggestion? Because you’ve embodied the mannerisms of an auditor, someone who knows better than everyone around, or is there something else you’re exploiting there in the human psyche to get this accomplished?
Chris Hadnagy: Yea. That’s a great question. Let me tell you another part of that story where we failed, and then I think it will be clear what we can do. So, we left that bank, because we had three, and we went to another branch of that bank. This is where the servers were, what they call the NOC, the network operation center. That building, it was in the bank premises, but it was surrounded by a huge fence with barbed wire and had armed guards inside of it. The only way to get the gate open, because there was no way from the outside, you had to have a special badge and then the gate opened. We get there and I’m like, man, we’re not going to breach the fence. It’s broad daylight.
Traci Brown: Right.
Chris Hadnagy: So I ring the bell. The guard comes out. I said, “Hey, we’re here from America to do an audit.” He’s like, “What’s your name?” I give him our fake names. He looks at his clipboard. He’s like, “You’re not on the list.” Now, I knew the guy in the bank that should have fool proofed us, but it was all fake, but I said, “Oh, didn’t Randy put us on the list?” He’s like, “No. Randy didn’t put you on the list.” But now I’m getting somewhere because he heard a name that he recognized. We had known, just because of OSINT, open source intelligence, that Randy was actually not there today. He was on a business trip.
Traci Brown: Oh.
Chris Hadnagy: And he couldn’t be reached. So, I said, “Why don’t you call Randy and maybe he can confirm that we’re supposed to be here.” He was like, “Oh, that’s a good idea. You wait here.” I said, “Hey, before you, we’re Americans and we are not used to this heat. Can we just come inside and wait while you make those calls?” He says, “Yea, okay.” So he buzzes us in. We get in. Now I say to Ryan as we’re walking in, “When he leaves to go make the calls, let’s hack the computers.” We’re sitting in the front office. There are all these computers around. He’s like, “I’ll be back in a minute.” He rounds the corner and he says something to one of his buddies, which we couldn’t hear, and a second later this dude who was like the size of King Kong, I mean this guy had to be 6’8” and 6 feet wide. He comes out. He’s got a billy stick. He’s got a shotgun. He’s got a taser. He just stands in the doorway with his arms folded, looking at us.
Traci Brown: Um-hum.
Chris Hadnagy: Ryan and I are both like, ugh, what do we do? So Ryan just slowly tries to go towards the computer, like maybe I can distract him and he’ll slip a USB in. The guy goes, “Uh, uh.” We’re just like, oh, we weren’t going to touch it. We’re not doing nothing.
Traci Brown: (Laughing).
Chris Hadnagy: This guy could have picked me up and ripped me in half. That was the right way. So, he did a kind thing. He let us come in from there, and then he put a guard in front of us so we couldn’t touch anything. Now, he goes in the back. Now I’m thinking, oh, crap, he’s going to call Randy and not get confirmation, and we’re going to get arrested. This guy’s going to break us in half. He comes back out and he’s like, “Look, I couldn’t reach Randy. I keep getting his voicemail.” I’m like, “Oh, okay. Hey, man, so why don’t we just do this. We have another branch to go to. We’ll go do that. We’ll call Randy and we’ll come back when we’re on the list.” He was like, “Okay. No problem.” We high tailed out of there and never came back.
Traci Brown: (Laughing).
Chris Hadnagy: They stopped us. Right. They in essence stopped our attack, even though he was kind, by making sure someone was watching us. That first branch, if they had stopped us, and not trusted that we were just auditors because I said it out loud, they would have verified that we weren’t on the list, and they would have stopped us.
Traci Brown: Oh, wow. So, a little bit of checking goes a long way.
Chris Hadnagy: A long way.
Traci Brown: Here’s what I was so curious about as I read your book. You seem to think on your feet really quickly.
Chris Hadnagy: You have to.
Traci Brown: Well that, but it goes along the line of your principles, right, which is set the pretext. But you had some other ones in there that I thought were really interesting based on, I think it was rapport. Tell us how you got people’s pin numbers in the Italian restaurant and how else have you used that one because that was fascinating.
Chris Hadnagy: That’s a great story. Thanks for bringing that one up. That’s in the chapter about elicitation and what I wanted to do with, not many people have written about elicitation in books, and I wanted to start teaching it in my course, but, for me, to teach something I want to make sure that I had it down pat and I understand it. So, me and a buddy were like, okay, we’re going to try this practice on elicitation. We’re going to see if it works, and if it does, I’ll be able to write about it. Part of the principles on elicitation is using like false data, like you quote something really important and people will believe it. So, we had this ruse. We’re in downtown DC. We’re looking for a restaurant. There is this Italian restaurant that has like the little tables that are all close to each other, so we knew we wouldn’t be separated by booths. We go in there. We sit down. There are a whole bunch of people eating. We have this conversation that goes like this. We’re doing it loud enough for people to hear, but not boisterous or making it sound like we want you to listen. He says, “Hey Chris, did you read that USA Today article? About 68% of all people use their birthday as their password?” I said, “I didn’t see the article, but that makes sense. I do. It’s really easy to remember 0871.” He goes, “Really? That’s your pin?” I’m like, “Yea. It’s easy to remember by date of birth.” The guy sitting next to us looks at his wife and goes, “I told you. You’re just another statistic. You should never use your date of birth for your pin.” And she says, “But it’s really easy to remember 0763.” And he goes, “Yea, but that’s why you shouldn’t use it because you’re just a statistic.” She goes, “Well, I can’t remember your pin, like 041826.” He goes, “Of course, you get it wrong. You always mess it up. It’s 041862.” He goes, “Stop mixing up the last number.” We’re both like, oh my God, these two people just gave out their pins like out loud.
The waitress comes over, and she says, “You know, I use Bank of America, and they allow me to use letters and symbols, so I just use my daughter’s favorite stuffed animal and her month of birth, so it’s panda7.” We’re all like, oh! This group of people are now giving us their pin numbers because we didn’t ask for them. That’s what elicitation is. It’s getting information from people without directly asking for it. We did this thing, and nobody knew that we were doing it.
Traci Brown: Well now, if you were a bad guy, let’s just say, and you had that all of a sudden in an Italian restaurant in DC, what would your next step be?
Chris Hadnagy: Sure.
Traci Brown: What else would you elicit there? How would you do it?
Chris Hadnagy: Now, let’s just say the guy next to me, let’s use that couple, right, so the guy next to me. I have both of their pins. Now maybe my buddy might lean over and go, “Yea, that’s what I’m telling him, the same thing you’re telling your wife, like don’t use that. That’s too easy, right.
Hey, what’s your name? Oh, Paul. My name’s Chris. Hey, nice to meet you guys.” Now we start to learn. Do you live here? We’re down here for business. Oh yea, you live right around the corner. What do you do for work?
Now, I’m finding out, okay, their name, where they live, what they do for work, and it’s only a matter of time before I can either clone their cards, right, you lift the RFID on their credit cards, steal their wallet now that I have their pin number and their ATM, or at least make them a long-term target. Now, I know her date of birth. I know her name. I know where they live. I know where they work. Now they can become a target for maybe even a bigger scope attack because I have all these details on them.
Traci Brown: Oh yea.
Chris Hadnagy: Details make you feel like I can now be your buddy. I can be your friend. If I bump into you tomorrow at the Starbucks, you might not think, oh, he’s following me.
Wow, you sitting over here? What a coincidence. Hey, I met you from the restaurant yesterday, right. Yea. Beth, it’s really great to see you again.
Now I may be able to further my attack of her because of that rapport that I built using elicitation methods.
Traci Brown: Yikes. Okay. Okay. Because most of us think hacking is faceless and out of our control, but it’s right in front of us as well.
Chris Hadnagy: Yes.
Traci Brown: How can we use some of these tools for good?
Chris Hadnagy: There is a story I use in the book that kind of follows along with this same thing where it was the first time ever that my wife and I got first class upgrades on a flight. It was totally unintentional. We actually had said on the way to the airport, we had a really long trip, and I was really tired, and I just said to her, hey, it was my daughter, my wife, and I, I said, when we get there, let’s just ask how much it would cost to upgrade, maybe they have a sale or something and we can afford it. Right. So we had this plan to ask. Well, I’m wheeling our cart in. We’ve got tons of luggage and I hit this bump and all this luggage spills over, and I make a joke about dumb American, had an accident on the M5, which is a major highway in London. Right. And all these Brits laugh. One of the women behind the counter who’s doing the flights, she looks at me and she chuckles. I said, oh, she’s a good person to go help us because we have rapport now. She laughed at my joke. We go up to her counter and she is laughing at the joke still. My wife – and this was unplanned – my wife, who is the kindest person on the planet, she looks at her and she goes:
Your makeup is immaculate. Not only that, but wow, it matches that scarf. It’s so beautiful.
This woman, like you could literally watch her body language change. Her shoulders went back. Her chest went out. This huge smile on her face. They’re talking about the time they spent for makeup this morning. My wife is from Thailand so she loves all these bright colors. So, she says, “That scarf reminds me of my home country. Can I buy one?” She’s like, “Oh, no. They’re only here if you work for Virgin Airlines. You can’t really buy one.” Now, they’re having this amazing conversation and as a social engineer now, I’m seeing, you can almost see the oxytocin dripping from her nose, you know, like it was that much. So I lean in. I put my arm around my wife, and I say, “You know ma’am, we probably can’t even afford this, but I’m just curious, are there any chances for upgrades? You know, it’s a really long flight back.” She doesn’t even look at me. She looks straight at my wife and goes, “Let me see what I can do.” She was typing, typing, typing. She goes, whispers right up to us, “Hey, I’m going to put all three of you in first class.” I’m like, “Oh, my gosh, that’s amazing. How much do you want for that?” She doesn’t even look at me, again, straight at my wife. “I’m doing it as a present. Just have a great time.”
Traci Brown: Oh!
Chris Hadnagy: She does that. Right. Okay. It was the most amazing experience, but we took that, and we tried it six more times and it worked four out of six times.
Traci Brown: Really? Oh, that’s good because I have a segment on teaching people how to get first class upgrades as well, and it’s just human connection and a compliment goes so far.
Chris Hadnagy: Exactly.
Traci Brown: Because people in the airline industry, and especially now, it’s tough. There are delays and people are mean. If you can just stand out and be nice, it is amazing what will happen.
Chris Hadnagy: Yea. And what I found for me is that when I offered to pay for it, I don’t say, here’s a compliment, hey can you give me something for free? I compliment them. I get them happy. Then I say, how much would it cost for me to do this? Four out of those six times they said, “You know what, let me just give it to you.”
Traci Brown: Oh, I love it. I love it. I also have a system for how to talk your way out of a traffic ticket.
Chris Hadnagy: Oh, I need that. (Laughing).
Traci Brown: (Laughing). I used to close my persuasion keynotes with it because it was kind of like the final capstone to everything. I didn’t realize I was doing it, kind of like you. I realized one day, I had been pulled over 10 times at a certain point in the past three years and I had only gotten one ticket.
Chris Hadnagy: Awesome.
Traci Brown: Yea, but it’s all about connection and understanding what the other person is looking for.
Chris Hadnagy: Yea.
Traci Brown: Now that I’ve hinted at that, I might as well just tell everybody. The cops they don’t know who they’ve pulled over, so if you make yourself seem safe, then you’ve gone really far in the direction of not getting a ticket. If all else fails, you can cry. That works sometimes as well.
Chris Hadnagy: It might work for you. I don’t know if it would work for me.
Traci Brown: It might work better for you, Chris. You never know. You haven’t . . .
Chris Hadnagy: Let me try. How do you make yourself seem safe though? What do you do to make yourself seem safe?
Traci Brown: First thing, you’ve got to roll down the window. Roll down the front window. Roll down the back window and turn on the dome light if it’s dark. So, let them see in. Right. Then, just keep your hands on the steering wheel. Just keep them on the steering wheel. They’re going to ask you three questions really reliably. One is, where are you going? The answer is not, why the hell do you want to know? Right. Just make something up if you don’t want to tell them, but you’ve got to keep a nice, easy voice. Then, they’re going to ask you, they’ll probably ask you, do you know why I’m pulling you over? That kind of thing. Just keep calm, keep calm. But then if your hands are always on the wheel, they’ll ask you for your driver’s license and your registration. You go, you know what, that is in my purse and in my glove box. Is it okay if I reach there to get it? What you’ve done is put them in the power position, and you’ve told them exactly where your hands are going to go.
Chris Hadnagy: I love it.
Traci Brown: It really works.
Chris Hadnagy: I’m going to try to get pulled over and try it.
Traci Brown: Oh, well, I wouldn’t suggest trying to get pulled over.
Chris Hadnagy: Oh darn, okay.
Traci Brown: I think, Chris, it will happen naturally. Just keep doing what you’re doing.
Chris Hadnagy: Happen naturally. (Laughing).
Traci Brown: Okay. What else? Tell us about your company. I know you have a big conference that you do. Then I also want to know about the craziest break in you’ve ever tried ever.
Chris Hadnagy: Okay. Let’s see. Company. I run a couple things. My main company is Social Engineer LLC. We only do human-based corporate pen tests. We do phishing as a service. Right now because of COVID, we’re not doing many break ins. We’re not flying anywhere. But we do that. Pre and post COVID, we do those things. A lot of consulting on human based, a lot of education speaking, training, and things like that. That can be found at Social-Engineer.com. I also run a nonprofit. It is called The Innocent Lives Foundation (ILF). I’m the CEO of that.
Traci Brown: Cool. Tell us about that.
Chris Hadnagy: The nonprofit. What has happened a number of times in my career is while working with corporations, I’ve uncovered people who were using their corporate machines to exploit children, so to create child pornography or to trade in child abuse material.
Traci Brown: Oh no!
Chris Hadnagy: I’ve worked with law enforcement over the years to have those people apprehended and arrested. I thought one day, I wonder if other people in my industry are having the same experience, but not knowing what to do. I found that more did. I started the ILF three years ago to bring together people from my industry that have amazing talents, and we work closely with law enforcement to use our talents to unmask people who are abusing children and then get them arrested, especially on the dark web and on websites where they’re grooming children. As of this third year, we have finished 305 cases with 247 of them being active with law enforcement. A lot of our work has led to arrests and things like that. We have 50 volunteers, five fulltime employees, and we’re a 501 (c)(3). You can find out more information on InnocentLivesFoundation.org. That’s one thing.
And then you mentioned the conference which is aptly named The Human Hacking Conference. It will be our second year this year. What I loved about my work is I got to work with and talk to so many great people, people like you that aren’t in infosec, but do things that are really much like it, like Joe Navarro.
Traci Brown: Oh yea, what a classy guy. Huh, Joe.
Chris Hadnagy: Joe’s amazing. I love that guy. I got a chance to meet him and work with him. Then people like Robin Dreeke, who was the director for the FBI at the BAU for so many years and now he runs a company consulting people on how to earn trust and build rapport, people like Stephanie Paul who was an actress and she does some great things now with consulting, the list can go on and on. But I gathered all those people together and said, would you teach half-day courses to help anyone who wants to learn how to use the skills you have to become better? We started The Human Hacking Conference last year. It was really successful. This year, of course, COVID is kicking us, so we’re doing it virtually.
Traci Brown: Oh cool!
Chris Hadnagy: March 11 through 13. All those trainers, plus a dozen more, will be there. Chase Hughes, Dov Baron, Ian Rowland, who is like the world’s leading cold reading expert, R. Paul Wilson, who is like a con man, a legitimate conman, all these people are coming in and doing trainings. You can sign up for it and come to these trainings virtually and learn from these folks. I’m really excited about that conference because it’s just one of those things that, if it was there, I would have been going to it for years. I made the very thing that I’ve always wanted, which is really cool.
Traci Brown: Ooh, I love that. I’ve got to tell you. You have the biggest names in the business.
Chris Hadnagy: Thank you.
Traci Brown: They are so. . . No one is going to be able to knock your credibility.
Chris Hadnagy: I hope not. I hope not. What we did is we got people who really have established their names for years. Just one second to hopefully not be too brag-gy, but I’m really proud of this. Joe Navarro and us have signed a contract that says only US-based training will be at our conference.
Traci Brown: Oh, really?
Chris Hadnagy: Yea. He’ll do private trainings, of course. I want to make sure people know that. But it’s only public US-based training is with The Human Hacking Conference now.
Traci Brown: Wow! You got exclusivity on this.
Chris Hadnagy: Since last year was so good, he is just, he is such a master at what he does.
Traci Brown: Isn’t he.
Chris Hadnagy: I love working with him, and I love being mentored by him. To have that, it’s like people need to come and just learn from him. But we have so many others. Mark Bowden is coming.
Traci Brown: Oh good.
Chris Hadnagy: Mark Bowden is coming. He’s doing a class on nonverbals. The list just goes on. It really is, like I went out and I said, who would I want to learn from? And I invited all those people. Magically, they all went, yea, I’d love to come and do that.
Traci Brown: Oh, fun! Well, one day, you’ll hire me, I know.
Chris Hadnagy: Yes! I want to have you come in and do body language stuff.
Traci Brown: Oh yea!
Chris Hadnagy: Even those little tips on persuasion and things are awesome because these are things that people don’t really think about and that you can use every day. Like you said, they portray hackers as these hoodie wearing hoodlums in the basement and not like hey, every day you can use these skills and not have to be a jerk to people. You can be a great person and use them.
Traci Brown: You can use it to make people’s lives better is the thing.
Chris Hadnagy: Right.
Traci Brown: Let’s talk about deception for a minute. How can we use detecting deception to make people’s lives better? I’ll go and then you go.
Chris Hadnagy: Yep.
Traci Brown: We were remodeling our house. It’s been five years ago. My husband is really good. He does it all himself, won’t let anybody in the house with a tool. He’s a rocket scientist, like a real rocket scientist.
Chris Hadnagy: Really?
Traci Brown: Oh yea.
Chris Hadnagy: Wow.
Traci Brown: Oh yea. He’s a farm boy and everything is built, and it is double built and perfect. Right.
Chris Hadnagy: Wow.
Traci Brown: So, we didn’t have a kitchen. He had torn everything out of the kitchen, and he wanted to build it back how we wanted it. All I have. . . we’ve been working all day, and it was 8 o’clock at night. We’re so hungry. We go to the store. The store is like three blocks over. We go to the store. Now, see, he’s picky. Right. You know that chicken that they have at the store, the rotisserie chicken in the little heated section. You walk by and it smells so good, like I feel like it’s like, you know those smell waves on the cartoons?
Chris Hadnagy: Yes.
Traci Brown: Yea. I feel like that, and so I’m floating over towards it. He doesn’t like the chicken.
Chris Hadnagy: I’m with him.
Traci Brown: Because. . . Now, I want to find. . . now, why don’t you like the chicken?
Chris Hadnagy: It’s always so greasy and I just don’t . . . I can make a better chicken at home than they can make there. But I’m with you. When you walk by it, my brain just goes, I want that chicken!
Traci Brown: Yea, yea, totally. He doesn’t like it for a different reason. Because he’s an engineer, right, cost/benefit analysis. He thinks it’s too much work to get the chicken off the bone for the amount of chicken that you actually end up with.
Chris Hadnagy: Wow. Okay. No, I would not have gone that deep.
Traci Brown: This is who I’m dealing with at the house. Okay.
Chris Hadnagy: (Laughing).
Traci Brown: So the smell waves have floated me over to the chicken. Remember, I’m hungry. It’s 8 o’clock at night. I’m like, “Matt, can we just get a chicken tonight? Can you just make it work?” He goes, “Yea.” Like that. Seriously, he’s telling me no with every fiber in his body, and he goes “yea.” I’m like, okay, I stop in the middle of the grocery store. I’m like, “You just lied to me.” I said, “You just lied to me. I know you did, so we need to not have the chicken and I need you to tell me the truth from here on out.” So, he goes, “Oh, my gosh, yes. I don’t want the chicken.” So we looked on the top of the shelf and I’d never seen this before, and I’ve never seen it since, they had a turkey breast in one of those bags that was sitting there heated. I said, “Would you like the turkey instead?” He was like, “Yes! Can we just get the turkey?” I’m like, “Great.” You can actually make someone’s life better by detecting deception. They may be just lying to make you feel good or to smooth things over. What do you got? How do you use your powers for good?
Chris Hadnagy: Wow, that’s great. That’s a great story. I don’t know if I can top that one. Wow. I think for me the ways that I’ve been able to use these skills successfully is with my family. I think there’s a lot of misconceptions when it comes to body language that are taught out there. I had the amazing privilege. My second book was co-authored with Dr. Paul Ekman.
Traci Brown: Oh wow!
Chris Hadnagy: Yea. It was, honestly, with that alone, I could just end my career and be like, that was it. I’m done. That was awesome.
Traci Brown: It’s all downhill from here, Chris. So for people who don’t know, Paul Ekman really started the whole study of microfacial expressions, and he did that back in – what was it? – the 1960s?
Chris Hadnagy: The 1960s.
Traci Brown: And he went to – well, I’ll let you tell how he did it because you can probably tell it better than me.
Chris Hadnagy: He had this notion that we have these base emotions. He counted seven base emotions and that we express them all on our face exactly the same way, regardless of culture, gender, race, religion, age. He said that we do that, and he wanted to prove it, so he flew to places like Papua New Guinea that had no newspapers, no radio, no TV, and he filmed people making facial expressions during emotional triggers and then compared that to people in Western societies and was able to prove scientifically that we do. We have these universal facial expressions. Then he worked with a couple other great minds in what’s called FACS, which is the Facial Action Coding System which codes every muscle fiber in our face and the directions it moves.
Traci Brown: Isn’t that crazy?!
Chris Hadnagy: Yea, it’s crazy. It allows us to understand that a facial movement, a muscular movement could indicate a certain emotional trigger. Working with him, one of the things I learned was that there are a lot of misconceptions when it comes to nonverbals out there, both body language and facial expressions. We hear this all the time in sales. People will say, well, if you cross your arms, you’re closed off. Maybe you’re cold.
Traci Brown: Maybe, yea.
Chris Hadnagy: Maybe you’re cold. Maybe you are closed off. Maybe you’re cold. Maybe you’re comfortable. Who knows? We don’t know. Right. The way to get from the maybe to yes, this is what it means, is by asking questions.
Traci Brown: Exactly.
Chris Hadnagy: I’ve been able to use that with my kids because like my son . . .
Traci Brown: Now, how old are your kids? Tell us about your kids.
Chris Hadnagy: My son is 28. My daughter is 16.
Traci Brown: Okay.
Chris Hadnagy: Now, my son still does this, but when he was much younger, he had his perpetual motion leg, like it never stops moving.
Traci Brown: Yea.
Chris Hadnagy: I remember parenting books even saying this, that if your kids are fidgeting, they’re probably deceptive. I’m like, that doesn’t ring true because my son was never a liar. He was always one of those people that was like insanely honest. One day he goes to this gathering, this party, and someone called me and says, “Hey, Collin was in a fight with one of his friends there. You might want to talk to him about it.” So, he comes home and I’m like, “Hey, how was the party?” He was like, “Great.” And that’s all he says, and he leaves. I’m like, okay, he doesn’t want to talk about it, so I’ve got to figure out how I’m going to get him to talk about it. The next day we’re sitting there, you know, Collin’s leg is always moving, and I said, “So hey, who was at the party?” He names off all of his friends, and then he didn’t say Stuart, which is the guy he fought with, so I said, “Oh, was Stuart there?” His leg stopped completely.
Traci Brown: Oh, busted!
Chris Hadnagy: And he says, “Yep.” Then his leg starts again. I’m like, “Oh.” I said, “Okay.” I said, “Didn’t you tell me like before that you and Stuart were going to a movie this weekend?” “Plans changed.” Leg stopped. Right. Every time I mentioned something about Stuart, his leg stopped, which to me wasn’t an indication of deception. It was an indication that there was an emotional change there at that time.
Traci Brown: Right.
Chris Hadnagy: Using those methods, I was able to communicate with him and get him to open up and tell me what happened without having to go the “Tell me what happened. You’re in trouble” kind of thing.
Traci Brown: Oh, that’s good. I like that.
Chris Hadnagy: We were able to work it out. I’ve done that with my daughter over the years. I’ve done that with him, my wife. My daughter, when she was really young is when I started my work on all of this, and she’s had the opportunity to be mentored by Dr. Ekman and I use her face in the books and stuff because she’s a natural at a lot of the facial expressions just by birth and training and whatever. For me, what that has done for them, is it’s given them a leg up on noticing people who don’t have good intentions. My daughter can read facial expressions from an expert level and she can see that and go, I don’t know if I trust that person. I have enabled her, and my wife and I have enabled her through the years to not ignore that nonverbal radar. So, if someone feels unsafe to you, then avoid that person.
Traci Brown: Oh, yea.
Chris Hadnagy: We can prove it or disprove it later, but don’t go the normal route where people go, “Oh, you’re just being a silly girl. He’s fine.” Don’t do that. No. If you feel unsafe, then he’s unsafe.
Traci Brown: Oh yea. I’ve done that before, and I’ll tell when I did it. Because I had another life when I had a real job and I could never quite hold a real job, but I could get them, and I was a night manager in an ice cream plant down in Denver, like a big one, and we had to bring in temp employees and they had this guy . . . I was the only manager there at night, and they were like, “He’s going to be on your shift.” I got that vibe from him and I was like, “No. He’s not.” I go, “He can stay, or I can stay. And that is it.” They listened to me and they sent him home.
Chris Hadnagy: Yea.
Traci Brown: That’s super important. And I didn’t know any of this back then.
Chris Hadnagy: But it’s really important that people know they can be empowered to do that, especially women in this society. I have so many times heard male co-workers or male cohorts say, “You’re just being a silly woman. He’s fine. He’s safe.” That’s what people said about Ted Bundy. He’s fine. He’s good looking. He’s safe. He was a serial killer. So no. If you have a feeling in your gut that this person is making you feel unsafe or a little creeped out, go with that.
Traci Brown: You’ve got to listen to it.
Chris Hadnagy: That’s how I’ve used the skills.
Traci Brown: Well, I think so, and I’m just going to say this, and then we’re going to jump into your story here on fraud, it’s a cool story, but the basis of it is you only get treated how you let yourself get treated.
Chris Hadnagy: Yea.
Traci Brown: I think as women we forget that. I just think it’s super important. I think I have an easier time maybe than someone who’s 5’2” because I’m at 5’9”, and I think a little bit of height difference can make it, but it’s also an energy inside. Right.
Chris Hadnagy: I think your education and your knowledge helps you because some people lack the confidence to do what you did in that ice cream place. They lack the confidence to stand up for themselves and say, “I’m not going to stay here if you let him come because I feel unsafe.” Some people would just have ignored that and maybe suffered some horrible consequences because they didn’t have the confidence to stand up.
Traci Brown: Oh yea. Yea. I’ve never been one to be understated. (Laughing).
Chris Hadnagy: Good for you. (Laughing).
Traci Brown: Which is probably why I lost all the jobs I’ve lost, but see, when you’re a speaker, then you make more money because of that.
Chris Hadnagy: We have to find our passion in life. Right.
Traci Brown: We do. We do. It took me a while.
Chris Hadnagy: I think you found it.
Traci Brown: Wow, at least professionally to do that. Okay. Final story, you’ve got a whopper out there or something you cracked into, a story where someone’s used some of your tools?
Chris Hadnagy: I do. I do. We were breaking into an armed facility here in this country.
Traci Brown: Okay.
Chris Hadnagy: When I say armed, I mean the security detail was ex-Marines and SOCOM and they carried automatic weapons. I had done, my buddy and I, Ryan again, we’re out there, and I had driven this Suburban that we rented. We were out in a different state, so we rented this car. The only car the place had was a Suburban, and we had driven it about a half a mile away from this facility we were supposed to go into. I launched my drone and I was going to fly it over the facility. I was going to fly it just to see if I could pick up anything in the fence, like an area that was weak or that was cut, so that way at night we could come back and go to that location because it was pretty big.
Traci Brown: Oh wow. Okay, hang on. Back up.
Chris Hadnagy: Yea.
Traci Brown: Why didn’t they shoot your drone down?
Chris Hadnagy: That’s a great question. So, here’s the thing. I flew it up high enough that we were safe, but then – and here’s the part of the story – then I got a little cocky and I brought it really low because I thought I saw an area in the fence that was good for us. So I brought it low and as soon as I did that, I saw a guy look and point.
Traci Brown: Oh!
Chris Hadnagy: I’m like, “Crap!” So, I bring the drone back. We pack it up. We get in the car, and we start driving away. Now, I don’t know that anybody caught us. I’m unaware of that.
Traci Brown: Uh-huh.
Chris Hadnagy: So, I said to Ryan, I said, “Look, why don’t we just do this? Why don’t we just pull into the parking lot real quick. We’ll take a couple quick shots of the locks on the fence. We’ll go back to the hotel. We’ll see if we can identify the locks. Maybe we can get the picks that are right for it, and we’ll come back tonight.” So, I pull in the parking lot. Ryan snaps a couple pictures of the lock, and I’m now in reverse to pull out. When I put it in reverse, the Suburban’s reverse camera comes up and there are eight guys with automatic weapons running at the car.
Traci Brown: Oh, shoot!
Chris Hadnagy: So, Ryan says, “Hey, why don’t we just get out and lie on the ground?” I’m like, “Oh, heck no. We’re going to get caught. We’re not going to be able to break in tonight.”
Traci Brown: Yea.
Chris Hadnagy: So, I put it in drive and I floor it, and we peel out and we just get the heck out of there. To this day, I don’t know why they didn’t shoot us, right.
Traci Brown: Oh my God.
Chris Hadnagy: We flee. We get back to the hotel. That night we come back and I’m like, “We can’t go in the same way we came in today.” Because our car is probably on camera. About a half a mile away from the facility there is this giant field, like this field that just kind of leads to the back of it, but there’s not a road. It’s just a field.
Traci Brown: Okay.
Chris Hadnagy: We’ve got a Suburban. Let’s just drive through the field.
Traci Brown: (Laughing).
Chris Hadnagy: We pull off road, and we’re driving through this field. Our lights are off. We’re driving super slow. We’re literally navigating because Ryan’s got Google Maps up with satellite view, and he’s telling me, “Hey, there’s a culvert. Don’t go this way. Go this way.” And we’re navigating in the blind with Google Maps.
Traci Brown: Oh, perfect. Yea.
Chris Hadnagy: Driving super slow.
Traci Brown: Yea.
Chris Hadnagy: We get all the way out to the facility. We park the car. We got out. I can see all these lights. I can see people walking around the facility. I messed up this part. We stole a ladder from another facility of theirs just down the road.
Traci Brown: You stole a ladder. Good. Okay.
Chris Hadnagy: We stole a ladder. We come back. We grab the ladder from the back of the Suburban and we just wait. We wait until people are gone. Off in this distance where I was trying to get that drone shot, there was a light that’s not working, so it’s really dark. I’m like, “Let’s go over there.” So we put the ladder up against the fence and I climb on it and bam, we breached the facility.
Traci Brown: Just right over?
Chris Hadnagy: This fully armed facility, we breached it with a stolen ladder and a couple pieces of rope.
Traci Brown: Uh-huh.
Chris Hadnagy: And we’re roaming around this facility for an hour and a half, and nobody catches us.
Traci Brown: Wow!
Chris Hadnagy: Yea. The next day we come to report and tell them, “Like hey, we did this.” They don’t believe it. We had left the ladder and the rope, and we said, “Go to this spot in the fence.” And they go, and they’re like, “Crap.” I’m like, “Yea.”
Traci Brown: Oh, my goodness.
Chris Hadnagy: Yea. Those stories are always super scary because you know we’re in this armed facility and it’s 1 o’clock in the morning. We’re wearing black and we’re running around. I can only imagine that if these guys round a corner and see us, we’re just praying that they have the arrest and shoot later as opposed to shoot first, arrest later.
Traci Brown: Yea. Oh my gosh. Wow! Wow. Okay. Okay. Tell us one more time, if people want you to come break into their business and show them their weaknesses, how do they find you?
Chris Hadnagy: Social-Engineer.com.
Traci Brown: Got it. And of course, make sure you go out, first thing you should do, get Chris’ book. It’s called Human Hacking. Right.
Chris Hadnagy: Win Friends, Influence People, and Leave Them Better Off For Having Met You.
Traci Brown: Yea. It is absolutely fantastic. It is a must read. Chris, thank you so much for coming on Fraud Busting.
Chris Hadnagy: Thank you. This was a ton of fun. Thank you.
Traci Brown: Oh good! Okay.