Christopher Hadnagy

Founded in 2010, Social-Engineer, LLC specializes in applying the principles of human psychology to educate and train customers to guard against their information security (InfoSec) vulnerabilities and risks. They provide services like simulated attacks and infiltrations, behavior and points of failure analyses, detailed instructions, and training courses to prevent various and evolving attacks on individuals, institutions, and corporations. Social-Engineer's founder and CEO, Christopher Hadnagy – who has hosted a podcast on the science behind online scamming and written the literal book on social engineering – got his start in InfoSec by getting expelled from college.

Chris was close to achieving a formal education, but his curiosity about information security got the best of him when he wrote a war-dialing program that accidentally shut down the local phone system. After his expulsion, he explored a wild career path, from owning his own window-cleaning company to working as a chef to serving as an international negotiator of stainless steel. Even as he built this winding, exciting journey for himself, Chris eventually grew restless in his time away from InfoSec and took an online course in penetration testing.

"I became embarrassingly obsessed with security systems," Chris jokes. When he cracked a previously uncrackable machine, he realized that InfoSec was his destiny. His former lecturer hired him, and he got to work sending simulated phishing attacks through email and telephone. And he was good at it. "My brain wasn't made for coding, but I was good with people. But even as all my attempts succeeded, I still did not understand why it worked," he recalls.

This was when he decided to launch a podcast focused on how and why humans make decisions that get altered by bad actors. Instead of interviewing his peers in the tech industry, Chris brought on clinical psychologists, researchers, and law enforcement agents to understand more deeply why scams are often so successful. As he collected this wealth of knowledge in the form of his podcast, he was simultaneously developing a framework to establish a methodology to prevent scammers from succeeding.

Chris published this framework online and, overnight, he became an international sensation. On a friend's advice, he turned his framework into his first book, formally defining 'social engineering' as any act that influences a person to take an action that may or may not be in their best interests. That book, Social Engineering: The Art of Human Hacking, led him to found Social-Engineer, LLC in 2010, which has only continued to expand.

"Before me, there was no social engineering industry," Chris claims, as people could not figure out how to legally and ethically employ social engineering techniques in the InfoSec industry. Chris consulted with lawyers to construct a legitimate framework around his services. One of Social-Engineer's first clients was a major financial institution. They requested that he – who at the time did not have a team – run phishing programs to seek out their vulnerabilities. "In five years, we reduced the actual malware on their network by over 80% because people had learned to no longer click on suspicious links and to report phishing attempts instead."

Through his opportunities in the field, Chris refined and patented his unique process. While other actors in the industry were focused merely on click ratios and reporting ratios, he looked elsewhere. Social-Engineer's simulated attacks aim not to catch people in their vulnerabilities but to educate them to report suspicious activity. Chris' organization uses human callers to make thousands of calls a month. After each successful call ends, they run their Instant Vishing Education System (IVES), where 'vishing' refers to voice phishing attacks. IVES sends informational emails to vulnerable individuals and effectively raises security awareness. The company has also tested physical vulnerabilities in client companies, infiltrating corporate buildings through ethical principles of influence and manipulation.

As he continued to define the human psychology of InfoSec scams, he got increasingly interested in the scientific principles behind how humans influence others to do their bidding. This led to his second book, this time on how social engineers use nonverbal communication – body language and facial expressions – to manipulate their targets. Chris co-authored Unmasking the Social Engineer: The Human Element of Security with the world-renowned Dr. Paul Ekman, a pioneer in the psychology of human faces. Together with his team, Chris found that authority and fear were the most effective agents of influence over his clients, compounded further by manufacturing scarcity and time constraints.

In 2017, Chris realized that his skills could be used to assist law enforcement in a non-vigilante way to geolocate and track people who traffic children and profit from the creation of child abuse material. This motivated him to create The Innocent Lives Foundation, which, to date, has assisted in over 540 cases globally.

Now, Chris Hadnagy and Social-Engineer, LLC are employing their extensive history of simulated vishing attacks to train an AI model to accurately detect deception to fight the growing presence of AI-based InfoSec attacks. As Chris reflects, "It's probably the most fun job out there. I get to travel the world and legally break into buildings. If you told a 19-year-old me who was about to be expelled that this would be my job, I would say: 'That's me in prison, not at work.' But that's the magic. We get to reclaim the technology that bad actors use to hurt us, and use it against them."