Fortune 500 companies pay Chris Hadnagy to hack their employees. He goes after their Social Security numbers, their passwords and their employee identification numbers.
Oh, and when he’s done, he tells them not to let him do that again.
Mr. Hadnagy is one of the most prominent social engineers in the U.S. Fortune 500 companies hire him to test what is often the weakest point in their security: people.
No matter how much companies spend on digital defenses, hackers often still get in by persuading an employee to click on a link or cough up a password.
The Wall Street Journal recently spoke to Mr. Hadnagy in a telephone interview about tricks of the trade, and how companies and employees can protect themselves better. Edited excerpts of the conversation follow.
WSJ: What are the top two or three things employees always seem to fall for?
MR. HADNAGY: One that kind of got me recently went something like, “Dear driver, on X date your license plate was recorded running a red light on the corner of Fifth and Sixth Ave. You failed to come to your citation hearing and a warrant for your arrest has been issued. Please click here to pay the fine.” We’ll send it to people without even having the right street name for where they live.
WSJ: Wow. Got another?
MR. HADNAGY: We just did a job recently where our goal was to get people’s Social Security numbers and dates of birth and their full names and their employee IDs. We just called and said, “This is Paul from HR. There has been a problem. Your record was flagged as having some information deleted I need to verify so we don’t have problems with your benefits.”
WSJ: And that works?
MR. HADNAGY: Just through a five-minute normal conversation we have gotten every ounce of information possible from them to commit identity theft.
WSJ: A lot of the information that you once had to trick people into divulging they now put on Facebook themselves. Does that make your job easier or are people more suspicious of strangers who seem to know a lot about them?
MR. HADNAGY: The advent and increase of social media has definitely made a social engineer’s job easier.
We decide to trust people on the phone or email very quickly. If I have information about you it makes me sound legitimate. LinkedIn: I have everywhere you’ve worked. Everywhere you went to college. Facebook: I have your family, your wife, your kids, your boyfriend, your girlfriend, your last vacation. Twitter: I have everything you’re doing throughout the day. If you’re on Foursquare, I can geolocate where you do it.
WSJ: So what’s the realistic solution? Will people really stop doing all that?
MR. HADNAGY: We don’t tell people, “Social media is the devil.” The first step we promote is auditing, doing actual tests on you, getting called every month. The second step is continual education. “This month you received this email. Here are the three indicators [it’s a phish].”
WSJ: What are the signs you have people look for?
MR. HADNAGY: That’s a harder one. We try to teach critical-thinking skills. Do the questions seem to match the call? Why would HR need to know what operating system you’re on? Why wouldn’t the IT guy know what antivirus you have?
There also is a very simple fix, but it is really hard to institute. On the intranet you make up a color, say, cyan or yellow. That’s the color of the day. Only the people internal to the company should know that. I call you and I’m the tech guy. You ask me what the color is.
WSJ: Your job means finding out the holes in corporate security. Have you ever been tempted to exploit that?
MR. HADNAGY: That’s a double-edged question. I think as a social engineer, I do use my skills at times to get things that may benefit me, like upgrades on a plane. But do I use those skills in a malicious sense? No.
WSJ: Hold up. How can I get a free plane upgrade?
MR. HADNAGY: Airports are always stressful. These ladies are always getting yelled at. If we make someone happy before we ask for a free upgrade, that could work.
WSJ: So, if I get a call from an unusually jolly IT guy, I should assume he’s up to no good?
MR. HADNAGY: No. Let’s say the jolly IT guy calls you and he starts to ask you things that don’t make sense. That’s when a red flag should go up.