Social engineering isn’t about hacking computers — it’s about hacking people. While companies spend millions on software, hackers rely on psychology to bypass even the strongest defenses. In the first part of our breakdown of Christopher Hadnagy’s book, we examine real-world cases, OSINT techniques, and subtle manipulations that even the most advanced firewalls can’t stop. Learn how the art of deception works — so you don’t become the next victim of professional manipulators.
You can spend millions of dollars on state-of-the-art firewalls. You can fill your office with retina scanners, post armed guards, and force employees to change their passwords every three days. But there’s one vulnerability you can’t patch with a software update. That vulnerability walks through the front door every morning, drinks coffee in the break room, and complains about the weather.
That vulnerability is a human being.
In his book on social engineering, Christopher Hadnagy doesn't just tell stories about scammers. He methodically breaks down how professionals "hack" people. And honestly, reading it is unsettling, not because it's sensational but because of how predictable all of us really are.
Social engineering isn’t magic or hypnosis. It’s a set of lockpicks for the human mind. Let’s break down how they work — long before an attacker ever gets near your computer.
You’re probably thinking, “That wouldn’t work on me. I’m not some grandma reading out her card number to the ‘bank’s security team.’”
That's the most dangerous illusion of all. Hadnagy argues that intelligence and education offer no protection: the victim can be a cleaner or a CEO with three degrees.
Why? Because social engineers don't attack the intellect. They go after instincts.
Our brains are lazy by design. They love saving energy. Most of the day, we operate in what's often called an "alpha state." Think about your commute home from work: your feet move on their own, your hands steer, your thoughts are somewhere else entirely. You're not analyzing every step. You're on autopilot. The attacker's goal is either to keep you in that state, or to do the opposite and overload you all at once.
Picture this: a person in a firefighter’s uniform rushes up to a secretary, shouting, “Emergency! Where’s the server room? There’s smoke — the gas suppression system is about to trigger!”
What happens inside the secretary’s head at that moment?
Deliberate reasoning (the prefrontal cortex) is suppressed.
The amygdala — the brain’s fear center — takes over.
The body releases cortisol and adrenaline.
Reaction: Run / Act / Save.
At that moment, the secretary won't check the firefighter's ID. They won't call a supervisor. They'll just open the door. That's how the physiology of hacking works: the attacker creates a situation where thinking is either too slow or too frightening. The defense, accordingly, is not to think better under pressure but to have a rule that needs no thinking in the moment: nobody opens that door without a call to security, however urgent the story sounds.
But the most interesting part happens long before a hacker puts on a firefighter's uniform. Hadnagy calls this the information-gathering phase, and in his estimate it accounts for 90% of the success of any attack.
Think of it like a puzzle. Before the attack, the hacker is staring at an empty table. Their job is to assemble a picture of your life so that, when the moment comes, they can become your best friend in five minutes.
Dumpster diving sounds disgusting, but it's a classic. Companies spend enormous amounts of money destroying hard drives and then forget about paper. Hadnagy describes real cases where a simple "trash audit" handed attackers the keys to the kingdom.
So what are they looking for?
Old phone directories (names, job titles, internal extensions).
Draft versions of reports.
Calendars with notes about vacations and birthdays.
Menus from nearby food delivery services.
Why would a hacker need a menu? Simple. They call the office at 12:30 and say, "Hi, this is the pizza delivery. We mixed up an order for the marketing department. Can you remind me who ordered the pepperoni?" And the secretary, without suspecting a thing, gives up the names of employees who are out to lunch. Bingo. Now the hacker knows who's away from their desk and can start making calls in their name, with no risk that the real person picks up.
Today there's often no need to dig through trash at all. We willingly publish compromising information about ourselves on Instagram and Facebook. Hadnagy gives examples of how tiny details in photos can completely undermine security. You posted a selfie from your workplace? Perfect. A hacker zooms in and sees:
What software you’re using (icons visible on the screen).
The type of access badge you have (hanging around your neck).
Sticky notes on your monitor (sometimes they even have passwords on them — seriously).
And what about vacation photos? “Yay, off to Egypt for two weeks!”
For a burglar, that’s a direct invitation: “The apartment is empty, no alarm, spare key under the mat.”
For a corporate hacker, it's a signal: "The chief accountant's account is unattended. Time to call the help desk and request a password reset, claiming to be the accountant who forgot it while on vacation." The owner is away, so nobody notices the reset for two weeks, and a help desk that resets passwords on the strength of a phone call is the real weakness being exploited.
To see just how far professionals will go, here is a story from the book that reads like a scene from a Hollywood film.
Christopher and his colleague Michelle were hired to conduct a security audit for a large corporation. Their job, in essence, was to get into the office, connect to the network, and obtain information. The building had serious physical security, with turnstiles, cameras, and guards, so a direct breach of the perimeter was not an option. Instead, they built a cover story: they would be pest control technicians.
This was not a situation where you can simply put on some coveralls and walk in.
The two spent hours preparing.
Branding: They created a fictional company called Big Blue Pest Control.
Appearance: They bought blue coveralls at a local store and printed the logo onto them with a home printer.
The detail that really sold it: a sprayer tank filled with Gatorade.
Plain water would have looked like nothing at all, and an empty tank is an obvious giveaway. So instead of filling the tank with water, Chris bought a few bottles of blue Gatorade and filled each tank with the drink. The blue liquid inside looked like a chemical and helped sell the cover.
Next came the moment of truth. Christopher and Michelle arrived at the door of the facility and spoke to the guard. His first action was to check his list. Neither of their names was on it. Tension rose. Had they blown it?
That is when Christopher made the move that saved the job. He didn't argue. He slipped instantly into tired blue-collar worker mode: he and Michelle stepped aside as if to call their boss, and waited. When a small group of employees came back from a smoke break, Chris and Michelle simply walked in behind them, a technique known as tailgating, and rode the elevator up with them.
In the elevator, nobody spoke. Everyone was staring at the two people in blue coveralls. Michelle took the initiative. She let out a loud sigh and wiped the sweat from her face. Then she turned to Chris and said, "Come on, boss, let's hurry up and finish this floor. My stomach has been glued to my spine all morning because I haven't had anything to eat."
And it worked.
One of the women riding the elevator with them smiled and replied, "I completely understand. I've been thinking about lunch all morning." With that, the ice was broken. Without being asked, she touched her badge to the elevator reader and sent the two "workers" to the floor they wanted.
Think about that. No hacking involved. Just blue sports drink, cheap coveralls, and a little understanding of people. They got into the building by complaining about being hungry.
Hadnagy puts it simply: the social engineering tactics used here generated social proof and sympathy for the attacker.
A uniform tells the brain: "this is a worker, here on company business, therefore not a threat."
Complaining about hunger creates familiarity (we've all been there) and triggers empathy for the attacker.
Confidence does the rest: if you act as if you belong and know where you're going, people generally take you at face value, often simply to avoid the hassle of challenging you.

The countermeasure the story points at is just as simple, and just as hard to get right: a badge system only works if employees are trained, and explicitly allowed without social penalty, to decline to badge in anyone they don't know and to send them back to the front desk.
We have barely scratched the surface of how attackers prepare, and of the basic human instincts they use to get you to do their bidding. How does an attacker get you to hand over your password in conversation? What does that dialogue actually sound like? In part two, we will look at elicitation: extracting the most sensitive information from a person using only words and tone of voice, without the victim ever realizing they were being interrogated.
Interesting, I wonder how many of these people have been caught, and what happened to them afterwards, since there's no criminal intent, just unlawful entry.