Many fans of the Social-Engineer.org newsletter will remember a couple years ago when I launched some research. I wrote about the study and the use of nonverbal communications and labeled it NLH. Over the last couple of years I have been working on deepening and broadening that research and feel that the title limited my studies. Moving to a more general definition like “nonverbal human hacking” takes away the stigma and connection to NLP that made many view this area as something more mystical and not science-based research.
The fact of the matter is that social engineering is nothing new. From some of the oldest stories recorded in mankind’s history until today, social engineering has been used. Despite the advancement in technology the same principles work when it comes to “hacking the human OS.”
As an ardent student of the sciences and arts that make up social engineering, I am always trying to learn how to adapt certain studies from other professionals into social engineering as a whole. As you most likely have heard, we have interviewed radio hosts, psychologist, law enforcement officials, dating experts, scientists and others to try and understand what each of those fields has to offer a social engineer.
The New Age of Social Engineering
As I already mentioned, from the dawn of time social engineering has been used and the talents, skills and methods haven’t changed much. But our understanding of the principles, the science and the emotions behind why these things work are much deeper than ever.
For example imagine this scenario: A woman wants to find out how her husband has been spending money from his private account, as she thinks he is cheating on her. She dresses up in a form fitting dress and revealing shirt, and she enters the bank. She approaches a young, male teller, and she begins to tell him about her woes. Her husband is in the hospital recovering from a very severe car accident, and the hospital wants to stop care. She needs to show them they have money in many accounts to cover the charges, and all she wants is for him to print out the last few months of bank statements.
The teller knows it is against the law and bank policy, but she is attractive, she is crying, she continually leans over the desk and touches his arm. She’s employing a powerful move as she asks for help.
The teller responds by leaning in closer to her, showing her concern, trying to comfort her and then prints the bank statements. The woman thanks her “savior” and leaves the bank with the teller feeling good about breaking the rules. She is in possession of all the data she needs for a divorce.
Why did this work? There are a few principles at play here:
1) Mirror Neurons. Scientists have found specific neurons (connections in our brains) they call mirror neurons. Similar to a mirror, these neurons trigger a reaction in a person when they see another acting in a certain way. A perfect example of this phenomenon is why yawning seems to spread, or why you may smile just because you see someone else smile. This woman could make the teller feel empathy, because she was crying and showed sadness.
2) The Cry for Help. People want to help other people. The most powerful words to create a psychological feeling of indebtedness is “can you help me?”
3) Trust. We want to, no… we inherently trust other people. We want to believe that people are honest, good and truthful. That makes us believe the story instead of disbelieve it at first.
4) Attraction. The fact that she flirted built a bond, a trust and an attraction that was very hard to break. Good actions were rewarded with more flirting and undesirable actions were not rewarded at all.
Medical News Today had printed some research that can literally change the way we understand how to use microexpressions in social engineering. Much of the talk about using microexpressions is reading them on our targets to give us a clue how the target is feeling. That is a very powerful use for microexpressions. Yet, what about us using microexpressions to influence our targets and manipulate them? The study done by some top researchers proved that even though we might not consciously pick up on a microexpression, our subconscious minds do. Not only do we pick them up, but they also alter our perceptions, the way we treat others or the way we are treated by others.
That is a powerful statement. Notice what Ken Paller, Professor of Psychology in the Weinberg College of Arts and Science at Northwestern University has to say on this, “Even though our study subjects were not aware that they were viewing subliminal emotional expressions, their brain activity was altered within 200 milliseconds. As a result, the ratings of facial expressions they did see were biased.”
This means that researchers were able to see that by showing a subject specific images of certain microexpressions, at 200 milliseconds they can alter the way the subject reacted. The study went on to say that our brains are designed to pick up on subtle hints that can warn us of danger, help us detect truth and even help us to determine true intentions.
How Does Nonverbal Human Hacking Change SE?
For years social engineering has been mystified. It was only one stop short of Jedi Mind Tricks. Understanding these sciences help to see more clearly how it is that humans are manipulated. Once we understand that more clearly, we can then educate and protect against these attacks.
The team at social-engineer.org has been devoting themselves to these sciences. We’re constantly learning, reading and putting scientific results into practice in order to clearly understand how they work and how they can be effective within an SE setting.
Editor’s Note: Join Chris in France at the Hack Paris event (http://www.hackinparis.com/schedule), where he will be given an in-depth speech on this very topic, Nonverbal Human Hacking. Look for more information here on EH-Net and on Social-Engineer.Org about this exciting topic, too.
Till next month.
If you have comments or questions – please feel free to reach out to me at firstname.lastname@example.org
Chris Hadnagy, aka loganWHD, has been involved with computers and technology for over 14 years. Presently his focus is on the “human” aspect of technology such as social engineering and physical security. Chris has spent time in providing training in many topics around the globe and also has had many articles published in local, national and international magazines and journals. He is also the lead developer of Social-Engineer.Org as well as the author of the best-selling book, Social Engineering: The Art of Human Hacking.
He has launched a line of professional social engineering training and pen testing services at Social-Engineer.Com. His goal is to help companies remain secure by educating them on the methods the “bad guys” use. Analyzing, studying, dissecting then performing the very same attacks used by malicious hackers on some of the most recent attacks (i.e. Sony, HB Gary, LockHeed Martin, etc), Chris is able to help companies stay educated and secure. Chris can be found online at http://www.social-engineer.org/, http://www.social-engineer.com/ and twitter as @humanhacker.