What do you think?
Rate this book
Human Hacking: Influenzare e manipolare il comportamento umano con l'ingegneria sociale
Nella fortezza che costruiamo attorno ai dati, l'elemento umano è sempre l'anello debole. Gli hacker impiegano una serie di tecniche specifiche per ottenere l'accesso a informazioni sensibili, utilizzando pratiche studiate per manipolare e convincere le persone a consegnare password, trasferire informazioni personali, versare somme di denaro e commettere volontariamente atti contro il loro interesse.
Questo volume descrive gli strumenti dello human hacker con l'obiettivo di aiutare i professionisti della sicurezza a identificare e risolvere falle e criticità.
Si inizia con la definizione del contesto, diventato sempre più ampio per via della diffusione delle reti sociali. Quindi si passa all'esplorazione dei temi fondamentali - i modelli di comunicazione, la mentalità tribale di un gruppo, l'abilità di osservazione, le strategie per influenzare il comportamento altrui - per proporre infine un modello di prevenzione e sicurezza.
Ricco di informazioni pratiche, il testo presenta casi di studio ed esempi tratti dal mondo reale che illustrano le principali tecniche dell'ingegneria sociale, dalle più classiche a quelle più sofisticate come l'OSINT, il pretexting, la sollecitazione e, più in generale, le tecniche di information gathering che spesso sono solo il preludio di un attacco.
Questo volume descrive gli strumenti dello human hacker con l'obiettivo di aiutare i professionisti della sicurezza a identificare e risolvere falle e criticità.
Si inizia con la definizione del contesto, diventato sempre più ampio per via della diffusione delle reti sociali. Quindi si passa all'esplorazione dei temi fondamentali - i modelli di comunicazione, la mentalità tribale di un gruppo, l'abilità di osservazione, le strategie per influenzare il comportamento altrui - per proporre infine un modello di prevenzione e sicurezza.
Ricco di informazioni pratiche, il testo presenta casi di studio ed esempi tratti dal mondo reale che illustrano le principali tecniche dell'ingegneria sociale, dalle più classiche a quelle più sofisticate come l'OSINT, il pretexting, la sollecitazione e, più in generale, le tecniche di information gathering che spesso sono solo il preludio di un attacco.
239 pages, Paperback
First published November 29, 2010
960 people are currently reading
12503 people want to read
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 30 of 288 reviews
May 25, 2020
This is a pretty good white-hat breakdown of techniques that exploit the more psychological aspects of hacking.
Indeed, while it does go into some really decent detail focusing on awareness of methods, it really shines in highlighting how one might go into business as an Auditor, themselves.
All in all, it is the modern confidence game. You've got thieves and thief-takers. You've got an amazing variety of people out there that simply don't take enough precautions and then you've got others that aren't paying close enough attention to the RIGHT kind of precautions.
Can you imagine having a multi-million dollar security system, teams of devoted security analysts, a fort-knox door, good key cards, and an excellent magnetic lock... all foiled by waving a t-shirt? Or because you helped a secretary out by warning her of her bad-mood boss... or by being an all-right guy helping you out of a jam?
But these kinds of things happen all the time. We've all heard of fishing. We know not to open untrusted pdf files. We know that we need to keep our software updated and relatively better protected from old exploits. RIGHT? Well, apparently not. Social creatures do as social creatures do. People who help you out of jams or mirror your expressions or appear out of nowhere with official-sounding titles and excellent business cards are always... TRUSTED. Someone with a CFO title demands that you do something or lose your job. What do you do?
The thing is, most businesses set themselves up for this kind of chicanery. If you instill respect and/or fear in your employees, don't be surprised when someone from the outside exploits the natural human reactions that come with being mistreated and/or indoctrinated. Being free to ask questions and verify credentials should be encouraged... even when an angry CFO keeps threatening an employee. (Real or not real, the terms of engagement ought to be the same.)
Alas. There's a lot more like this in the book and it's all pretty fascinating. It helps to be a genuine people person if you get into this line of work, but there are lots of different kinds of techniques. The point is to have a well-rounded toolbox and display confidence. Because you're a white-hat... right?
Indeed, while it does go into some really decent detail focusing on awareness of methods, it really shines in highlighting how one might go into business as an Auditor, themselves.
All in all, it is the modern confidence game. You've got thieves and thief-takers. You've got an amazing variety of people out there that simply don't take enough precautions and then you've got others that aren't paying close enough attention to the RIGHT kind of precautions.
Can you imagine having a multi-million dollar security system, teams of devoted security analysts, a fort-knox door, good key cards, and an excellent magnetic lock... all foiled by waving a t-shirt? Or because you helped a secretary out by warning her of her bad-mood boss... or by being an all-right guy helping you out of a jam?
But these kinds of things happen all the time. We've all heard of fishing. We know not to open untrusted pdf files. We know that we need to keep our software updated and relatively better protected from old exploits. RIGHT? Well, apparently not. Social creatures do as social creatures do. People who help you out of jams or mirror your expressions or appear out of nowhere with official-sounding titles and excellent business cards are always... TRUSTED. Someone with a CFO title demands that you do something or lose your job. What do you do?
The thing is, most businesses set themselves up for this kind of chicanery. If you instill respect and/or fear in your employees, don't be surprised when someone from the outside exploits the natural human reactions that come with being mistreated and/or indoctrinated. Being free to ask questions and verify credentials should be encouraged... even when an angry CFO keeps threatening an employee. (Real or not real, the terms of engagement ought to be the same.)
Alas. There's a lot more like this in the book and it's all pretty fascinating. It helps to be a genuine people person if you get into this line of work, but there are lots of different kinds of techniques. The point is to have a well-rounded toolbox and display confidence. Because you're a white-hat... right?
January 21, 2018
3-3.5 stars.
Book contains plenty of useful information, but I didn't like it at all ;/
Why?
1. Narrator in Audible version was far too monotonous & made even the most interesting cases sound dull.
2. Book is too repetitive, while in the same time it lacked clear structure -> this deepens the feeling of repetition
3. Author does a lot of 'cheap' NLP on the reader -> to easy to look through & too annoying ("next, you'll read about the best & most fascinating techniques of influence and manipulation that will blow your mind!!!" - sort-of-style)
4. Author ain't just inspired by classics, he explicitly quotes techniques & even full cases (!) - e.g. from Mittnick's "Art of Deception". Well, he doesn't hide it (quite the contrary), but it also means that if you've read Cialdini, Mittnick & some NLP stuff, you won't find anything really new (or refreshing) here.
So, if you haven't read anything on SE until now, it's a good starter - easy ready, comprehensive enough, very practical. Sometimes confusing (author can't decide whether it's supposed to serve white-hack SEs or individuals who should raise their awareness), but still useful. If you've already read something OR you want to start with more comprehensive psychological approach, start with Cialdini ("Influence" should go first).
Book contains plenty of useful information, but I didn't like it at all ;/
Why?
1. Narrator in Audible version was far too monotonous & made even the most interesting cases sound dull.
2. Book is too repetitive, while in the same time it lacked clear structure -> this deepens the feeling of repetition
3. Author does a lot of 'cheap' NLP on the reader -> to easy to look through & too annoying ("next, you'll read about the best & most fascinating techniques of influence and manipulation that will blow your mind!!!" - sort-of-style)
4. Author ain't just inspired by classics, he explicitly quotes techniques & even full cases (!) - e.g. from Mittnick's "Art of Deception". Well, he doesn't hide it (quite the contrary), but it also means that if you've read Cialdini, Mittnick & some NLP stuff, you won't find anything really new (or refreshing) here.
So, if you haven't read anything on SE until now, it's a good starter - easy ready, comprehensive enough, very practical. Sometimes confusing (author can't decide whether it's supposed to serve white-hack SEs or individuals who should raise their awareness), but still useful. If you've already read something OR you want to start with more comprehensive psychological approach, start with Cialdini ("Influence" should go first).
April 15, 2015
I first became aware of the concept of Social Engineering when I read
and I was blown away! It was very exciting – that guy has GUTS!
I wanted to read more about the technique, not necessarily with the goal of learning how to social-engineer people in mind, but rather to try and recognize the signs so I can detect if ever I am being social-engineered!
This book is quite thorough and there is no denying the material is interesting, but I found it too long. There was too much “telling me about what I’m about to read” which I found completely redundant and annoying. Don’t tell me about what you are going to write, just write it and let me read it!!
Aside from that complaint, the book had me hooked.
and I was blown away! It was very exciting – that guy has GUTS! I wanted to read more about the technique, not necessarily with the goal of learning how to social-engineer people in mind, but rather to try and recognize the signs so I can detect if ever I am being social-engineered!
This book is quite thorough and there is no denying the material is interesting, but I found it too long. There was too much “telling me about what I’m about to read” which I found completely redundant and annoying. Don’t tell me about what you are going to write, just write it and let me read it!!
Aside from that complaint, the book had me hooked.
July 25, 2021
This is one of the few books that deals with the human element in security (mainly IT security here), known as Social Engineering (SE, for short). It begins with a short example-driven overview of the technical aspects of hacking humans (Open Source Intelligence, OSINT), but it is clear that this is not where Hadnagy's heart lies. Rather, he likes to talk/write about the aspects of SE that involve a direct interaction with humans, and about 3/4 of the book are devoted to these.
One should note that the subtitle "Science of Human Hacking" is not really appropriate, as the practice of human hacking is not science. Some scientific results are quoted in this book, mainly from psychology, but they serve to give names, categories and structure to the techniques and concepts that social engineers have been using before anyway. None of the social engineering techniques is actually developed through the application of science or by a scientific process (it would be perfectly fine to call SE an art, as in the first edition of this book).
Also, you will not learn how to be a social engineer from this book. Pulling off the kind of deceptions and manipulations necessary for this work requires some very particular personality traits, brazenness or chutzpa if you like, and very strong nerves. Maybe some of this could be learned, but not from reading a book. Nevertheless, the information in this book is valuable for anyone wishing to understand SE better, and can be useful, say, for integrating SE into a Red Team exercise or to increase security awareness in the employees of a potential target.
The text proceeds by chapter-wise addressing certain manipulation techniques and exploitations of human behaviours and feelings. It is heavily based on anecdotes to illustrate its points. Not all of these examples fit the point they are supposed to make very well, though. In some places it feels like the Hadnagy simply wants to tell that particular story and then comes up with a forced reason why it should illustrate a certain point. Anyway, these anecdotes are entertaining and at least teach you something, even if it is not always what they are meant to teach. Some reviewers wrote that this is an "American-style book", meaning it is verbose, meandering and boastful. That is true. The book is clearly aimed at an American audience, and I would really like to see some of Hadnagy's more charm-driven hacking approaches tried against people from a different culture, say Germans or Russians. As an aside, there is actually an interesting aspect to this, which is not addressed in this book but in an episode of Hadnagy's podcast (the one on "baking a human cake"). A guest on this episode explains that human hacking essentially works by manipulating some basic feelings, which is independent of one's culture, but the way to go about it can depend strongly on the cultural background of your target. This might have been a good addition to the book.
Another thing I found bothersome was that throughout the book, Hadnagy tries to frame SE as if the social engineer was doing something for the benefit of the target person ("make them feel better for having met you"). The idea is that you employ manipulation techniques that play on the positive feelings of your target person rather than their negative ones. Make no mistake! A social engineer is essentially a con-artist, even if he/she gets hired to do a penetration test that is ultimately for the benefit of the customer. But regardless of how you frame it, what you do is lying and manipulating people. Making a person feel better for having met you is not the same as actually making the person better. SE gets you what you want, not what your target person wants. And even if it happens in the bounds of a penetration test that helps a company improve security, the person who ultimately fell victim to the social engineer will not feel better about having been tricked, and will possibly suffer other consequences as well. The idea behind this mantra of doing good by SE is simply for social engineers to be more at peace with their work.
For a 3rd edition of this book, I would wish for the text to be more streamlined, less boastful and better structured, SE to be called an art and not a science, a take on cultural aspects of SE, and a bibliography with references for the quoted scientific works and for more in-depth exploration of some topics.
One should note that the subtitle "Science of Human Hacking" is not really appropriate, as the practice of human hacking is not science. Some scientific results are quoted in this book, mainly from psychology, but they serve to give names, categories and structure to the techniques and concepts that social engineers have been using before anyway. None of the social engineering techniques is actually developed through the application of science or by a scientific process (it would be perfectly fine to call SE an art, as in the first edition of this book).
Also, you will not learn how to be a social engineer from this book. Pulling off the kind of deceptions and manipulations necessary for this work requires some very particular personality traits, brazenness or chutzpa if you like, and very strong nerves. Maybe some of this could be learned, but not from reading a book. Nevertheless, the information in this book is valuable for anyone wishing to understand SE better, and can be useful, say, for integrating SE into a Red Team exercise or to increase security awareness in the employees of a potential target.
The text proceeds by chapter-wise addressing certain manipulation techniques and exploitations of human behaviours and feelings. It is heavily based on anecdotes to illustrate its points. Not all of these examples fit the point they are supposed to make very well, though. In some places it feels like the Hadnagy simply wants to tell that particular story and then comes up with a forced reason why it should illustrate a certain point. Anyway, these anecdotes are entertaining and at least teach you something, even if it is not always what they are meant to teach. Some reviewers wrote that this is an "American-style book", meaning it is verbose, meandering and boastful. That is true. The book is clearly aimed at an American audience, and I would really like to see some of Hadnagy's more charm-driven hacking approaches tried against people from a different culture, say Germans or Russians. As an aside, there is actually an interesting aspect to this, which is not addressed in this book but in an episode of Hadnagy's podcast (the one on "baking a human cake"). A guest on this episode explains that human hacking essentially works by manipulating some basic feelings, which is independent of one's culture, but the way to go about it can depend strongly on the cultural background of your target. This might have been a good addition to the book.
Another thing I found bothersome was that throughout the book, Hadnagy tries to frame SE as if the social engineer was doing something for the benefit of the target person ("make them feel better for having met you"). The idea is that you employ manipulation techniques that play on the positive feelings of your target person rather than their negative ones. Make no mistake! A social engineer is essentially a con-artist, even if he/she gets hired to do a penetration test that is ultimately for the benefit of the customer. But regardless of how you frame it, what you do is lying and manipulating people. Making a person feel better for having met you is not the same as actually making the person better. SE gets you what you want, not what your target person wants. And even if it happens in the bounds of a penetration test that helps a company improve security, the person who ultimately fell victim to the social engineer will not feel better about having been tricked, and will possibly suffer other consequences as well. The idea behind this mantra of doing good by SE is simply for social engineers to be more at peace with their work.
For a 3rd edition of this book, I would wish for the text to be more streamlined, less boastful and better structured, SE to be called an art and not a science, a take on cultural aspects of SE, and a bibliography with references for the quoted scientific works and for more in-depth exploration of some topics.
November 26, 2015
This books contains the basic principles of S.E. The very downside of it though, is that the information provided in each domain is too trivial. Once you hit a new chapter and have a glance at the title you would say wow it must be very interesting but as you proceed along the content you get disappointed since many things stays opaque.
There are introduced interesting topics that can be used in an SE process like elicitation, framing, persuasion techniques, NLP etc. but you cannot grasp the whole idea by reading the corresponding topic in the book and you must refer to a more strong book in that regard.
I would recommend this book a very basic introduction and guideline to those who are interested in SE.
There are introduced interesting topics that can be used in an SE process like elicitation, framing, persuasion techniques, NLP etc. but you cannot grasp the whole idea by reading the corresponding topic in the book and you must refer to a more strong book in that regard.
I would recommend this book a very basic introduction and guideline to those who are interested in SE.
May 7, 2011
A typical american-style book - too much repetition and redundancy of words.
Other than that, it is a nice systematic review of social engineering methods.
And while reading this book I realized why we shouldn't share every bit of information about ourselves in social networks (it's not like I didn't know it, but now I understand it). However, not sharing information on social networks also is information that can be used, so I conclude with same as the author: security through education. Need to be aware of this.
Other than that, it is a nice systematic review of social engineering methods.
And while reading this book I realized why we shouldn't share every bit of information about ourselves in social networks (it's not like I didn't know it, but now I understand it). However, not sharing information on social networks also is information that can be used, so I conclude with same as the author: security through education. Need to be aware of this.
February 3, 2013
An easy read.
The audience is not clear, but I do not believe it needs to be. The fact that the author repeatedly talks throughout about techniques you can use to social engineer, but then closes the book out with a chapter on "Prevention and Mitigation" highlighted, to me, that the book was designed more as a wake-up call to those, like the CEO he mentions in one of his case study, that believe themselves immune from the potentially negative effects of social engineering.
I find it interesting that the author talks at length about the use of cloned sites and the use of malicious code on websites as a tool for the social engineer, and then directs the reader to specific sites, and .pdf files throughout the book. I am not sure if I am imputing too much to the author's strategy in writing the book, but the willingness to look at those websites and find those .pdfs to be an interesting example of social engineering in and of itself.
In summ: the book was depressingly informative and thought provoking. I think that it does offer an effective wake-up call, but can also have the effect of making those prone to paranoia flip-out.
I also note the irony of writing a review of a social engineering book on a website which in turn is an avenue for social engineering.
The audience is not clear, but I do not believe it needs to be. The fact that the author repeatedly talks throughout about techniques you can use to social engineer, but then closes the book out with a chapter on "Prevention and Mitigation" highlighted, to me, that the book was designed more as a wake-up call to those, like the CEO he mentions in one of his case study, that believe themselves immune from the potentially negative effects of social engineering.
I find it interesting that the author talks at length about the use of cloned sites and the use of malicious code on websites as a tool for the social engineer, and then directs the reader to specific sites, and .pdf files throughout the book. I am not sure if I am imputing too much to the author's strategy in writing the book, but the willingness to look at those websites and find those .pdfs to be an interesting example of social engineering in and of itself.
In summ: the book was depressingly informative and thought provoking. I think that it does offer an effective wake-up call, but can also have the effect of making those prone to paranoia flip-out.
I also note the irony of writing a review of a social engineering book on a website which in turn is an avenue for social engineering.
November 9, 2016
Começa bem legal, com um monte de relatos sobre hacking social e como pessoas são manipuladas dessa forma. Com uma série de outras dicas. Mas o livro fica muito repetitivo, mais longo do que o necessário e investe muito em explicações de como a mente funciona e Programação Neurolinguística (PNL). Você vai estar melhor com o hacking social lendo o Kevin Mitnick, como a mente pode ser manipulada com o Dan Ariely e o Daniel Kahneman. Agora, sobre PNL, tenho séria descrença, mas ainda preciso ler especificamente sobre.
September 22, 2023
[Audiobook] The best info in here are the anecdotes about the various malware/social engineering attacks. The author is knowledgeable though chatty and verbose. There was even a section where he described the physical descriptions of emotions, “If you see the corners of their mouth turn down, they are showing sadness.” He seems to be writing it for someone looking to start a penetration testing business. It’s the first book I’ve read about this space so I don’t know where to rank it.
February 2, 2022
I picked this up after listening to a podcast episode on social engineering. I think there are several critiques I'll have to read to understand where/how the book could have been better, but as the topic is still relatively fresh for me, the flaws flew right over my head.
What piqued my interest about this was its personal relevance: I've been scammed a couple times, and each time, I knew something was not right - but not what exactly was happening.
The downside to learning more is that you know what's happening as it's happening... which can make you feel extra foolish later. I recently had a man approach me at a dark gas station wearing a yellow vest. He walked up holding some cards in front of him and I thought he was the gas attendant and there was a problem. My gut told me the situation was off even as I rolled down my window. Even after I realized he was not a gas attendant, I still went along with what he wanted while knowing the whole situation could have turned into a nightmare that got me robbed, abducted or killed.
It is embarrassing to share that, but when reflecting on it later, I could see that he skillfully triggered my instinct to be nice to a friendly person (and buried way down deep under that, perhaps a bit of ego: "Fine, I'll help you...*sigh*" moral superiority). Lucky for me, all he wanted was some discounted gas, but the reality of the situation hit home as it was happening, as I walked away, and in the car as I drove away.... I felt stupid for going against my instincts, and mad, and thought over all the things I should have done (like...drive off without rolling down my window, for one...). My eventual conclusion was: "That was lucky...what's my takeaway?"
We all use social engineering - it's human nature. We learn from infancy how to get a response from parents and caregivers or siblings. In professional fields, we are trained to use it for particular purposes - customer service, sales, de-escalation techniques... Physicians, emergency services and police are trained in elements of social engineering (perhaps it has a different label in the training) to do their work. And scammers/con artists and criminals develop their "career" around these skills.
There are other areas we are manipulated through social engineering... marketing, the media, MLM schemes, by religious leaders, politicians, cult leaders... at the movies, through music and tv shows. All use social engineering skills that cause audiences (or targets) to respond and react without thinking. Fear, empathy, anger... conflicting warning signs that go against social conditioning (think of a nice old man with a small dog... He has a small dog...what bad guy has a small dog? He seems nice...he's "old" - he's vulnerable, not a predator...). These are all things that can be used against us.
I think it is especially relevant now, in light of the unrest that has come from conflicting and compelling messages around major issues of our current times (I don't have to list them, I'm sure... ). So it is valuable to us to be aware of how our strings are pulled. Even if we still "fall" for something, that awareness can help prevent a full-gravity-crash.
What I found I really liked about reading this particular book is that he teaches a positive use of SE skills and this ties in to excellent customer service. He has a motto to (paraphrase) leave people better for having met you. There are some great tips on communication and what not to do with your clients when teaching security awareness. I think this approach is useful to anyone in the IT field. It is not uncommon for techs to make jokes about "the user" and the stupidity of people who are not tech-savvy (case in point). But while it's easy to become frustrated and run down and we have to manage that in any customer service arena, when we become scornful, shame people for making mistakes, or think we are above them, we also become ripe to fall from the moral high ground and show that gravity affects us all.
I probably said "relevant" way too often in this review, but that was my key takeaway: this is a relevant topic for so many reasons. An awareness of Social Engineering builds critical thinking, helps with crime prevention, builds better social skills, and gives us a better understanding of how our fellow humans work.
Because there are some critiques I have yet to read that will likely make good points on how this book could be better, I think my recommendation is the usual "self-help" book recommendation: take away key points that seem like they will work for you, discard the rest. I liked it and will look into his other books.
What piqued my interest about this was its personal relevance: I've been scammed a couple times, and each time, I knew something was not right - but not what exactly was happening.
The downside to learning more is that you know what's happening as it's happening... which can make you feel extra foolish later. I recently had a man approach me at a dark gas station wearing a yellow vest. He walked up holding some cards in front of him and I thought he was the gas attendant and there was a problem. My gut told me the situation was off even as I rolled down my window. Even after I realized he was not a gas attendant, I still went along with what he wanted while knowing the whole situation could have turned into a nightmare that got me robbed, abducted or killed.
It is embarrassing to share that, but when reflecting on it later, I could see that he skillfully triggered my instinct to be nice to a friendly person (and buried way down deep under that, perhaps a bit of ego: "Fine, I'll help you...*sigh*" moral superiority). Lucky for me, all he wanted was some discounted gas, but the reality of the situation hit home as it was happening, as I walked away, and in the car as I drove away.... I felt stupid for going against my instincts, and mad, and thought over all the things I should have done (like...drive off without rolling down my window, for one...). My eventual conclusion was: "That was lucky...what's my takeaway?"
We all use social engineering - it's human nature. We learn from infancy how to get a response from parents and caregivers or siblings. In professional fields, we are trained to use it for particular purposes - customer service, sales, de-escalation techniques... Physicians, emergency services and police are trained in elements of social engineering (perhaps it has a different label in the training) to do their work. And scammers/con artists and criminals develop their "career" around these skills.
There are other areas we are manipulated through social engineering... marketing, the media, MLM schemes, by religious leaders, politicians, cult leaders... at the movies, through music and tv shows. All use social engineering skills that cause audiences (or targets) to respond and react without thinking. Fear, empathy, anger... conflicting warning signs that go against social conditioning (think of a nice old man with a small dog... He has a small dog...what bad guy has a small dog? He seems nice...he's "old" - he's vulnerable, not a predator...). These are all things that can be used against us.
I think it is especially relevant now, in light of the unrest that has come from conflicting and compelling messages around major issues of our current times (I don't have to list them, I'm sure... ). So it is valuable to us to be aware of how our strings are pulled. Even if we still "fall" for something, that awareness can help prevent a full-gravity-crash.
What I found I really liked about reading this particular book is that he teaches a positive use of SE skills and this ties in to excellent customer service. He has a motto to (paraphrase) leave people better for having met you. There are some great tips on communication and what not to do with your clients when teaching security awareness. I think this approach is useful to anyone in the IT field. It is not uncommon for techs to make jokes about "the user" and the stupidity of people who are not tech-savvy (case in point). But while it's easy to become frustrated and run down and we have to manage that in any customer service arena, when we become scornful, shame people for making mistakes, or think we are above them, we also become ripe to fall from the moral high ground and show that gravity affects us all.
I probably said "relevant" way too often in this review, but that was my key takeaway: this is a relevant topic for so many reasons. An awareness of Social Engineering builds critical thinking, helps with crime prevention, builds better social skills, and gives us a better understanding of how our fellow humans work.
Because there are some critiques I have yet to read that will likely make good points on how this book could be better, I think my recommendation is the usual "self-help" book recommendation: take away key points that seem like they will work for you, discard the rest. I liked it and will look into his other books.
October 27, 2023
I discontinued my reading at the 18% mark due to the informal and unserious tone of the text. I would recommend referring to a scholarly textbook on social engineering for a more rigorous examination of the subject matter.
August 31, 2018
There is a story about Harry Houdini, that he once failed to escape from a jail cell, even though the door was unlocked. The reason he stayed trapped is that he only knew how to get out of locked doors. In the world of technology, there are indeed many locked doors, and social engineers know how to open them.
In the domain of social engineering, Christopher Hadnagy is one of the best. I’ve reviewed other books of his here, namely Social Engineering: The Art of Human Hacking, Unmasking the Social Engineer: The Human Element of Security, and Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails. In Social Engineering: The Science of Human Hacking, Hadnagy continues his exploration into the world of social engineering.
In this book as the title implies, Hadnagy move the topics from social engineering as to art, to that of a science. The goal of a social engineer is not that far from being a con man. Where con stems from the word confidence. Be it a Three-card Monte scammer at Times Square, or a social engineer dressed-up a termite inspector; their goal is the same, to win your confidence.
Hadnagy quotes extensively from Dr. Paul Ekman, an American psychologist who specializes in the study of emotions and their relation to facial and body expressions. By mastering these expressions, the social engineer can make their attacks much more successful.
Besides Ekman, the book references the work of other psychologists including Dr. Ellen Langer, professor of psychology at Harvard University whose expertise is in the illusion of control and decision-making, neuroeconomist Dr. Paui Zak, whose work in neuroeconomist, which is the study of decision making, and more. By building on these sciences, the social engineer can be devastating effective in their attacks.
As good as the science is, it is not perfect. And as good a social engineer Hadnagy is, he fails at times. What is unique about the book is that he does not shy away from sharing those mistakes with the reader. While there are plenty of success stories in the book, he also includes disaster stories where he failed miserably. In the movies the social engineer never errs. But are in that case does not imitate life.
Becoming a highly effective social engineer is something that takes time to master. For those looking to master the topic, Christopher Hadnagy is a great person to learn from and Social Engineering: The Science of Human Hacking is a great resource to take you there.
In the domain of social engineering, Christopher Hadnagy is one of the best. I’ve reviewed other books of his here, namely Social Engineering: The Art of Human Hacking, Unmasking the Social Engineer: The Human Element of Security, and Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails. In Social Engineering: The Science of Human Hacking, Hadnagy continues his exploration into the world of social engineering.
In this book as the title implies, Hadnagy move the topics from social engineering as to art, to that of a science. The goal of a social engineer is not that far from being a con man. Where con stems from the word confidence. Be it a Three-card Monte scammer at Times Square, or a social engineer dressed-up a termite inspector; their goal is the same, to win your confidence.
Hadnagy quotes extensively from Dr. Paul Ekman, an American psychologist who specializes in the study of emotions and their relation to facial and body expressions. By mastering these expressions, the social engineer can make their attacks much more successful.
Besides Ekman, the book references the work of other psychologists including Dr. Ellen Langer, professor of psychology at Harvard University whose expertise is in the illusion of control and decision-making, neuroeconomist Dr. Paui Zak, whose work in neuroeconomist, which is the study of decision making, and more. By building on these sciences, the social engineer can be devastating effective in their attacks.
As good as the science is, it is not perfect. And as good a social engineer Hadnagy is, he fails at times. What is unique about the book is that he does not shy away from sharing those mistakes with the reader. While there are plenty of success stories in the book, he also includes disaster stories where he failed miserably. In the movies the social engineer never errs. But are in that case does not imitate life.
Becoming a highly effective social engineer is something that takes time to master. For those looking to master the topic, Christopher Hadnagy is a great person to learn from and Social Engineering: The Science of Human Hacking is a great resource to take you there.
November 5, 2015
A well done overview with added depth in key areas - overall, an excellent resource for any IT professional and will provide utility for a penetration tester looking to strengthen the person-to-person attack vector.
This book is probably best served as paper, versus audio - or at least supplemented with the actual book. This is partly due to the many lists and references and partly due to the off-putting narration. It wasn't bad, but "good" isn't quite the right word either.
This book and further study (and practice) in the areas outlined are a means to becoming a more effective Penetration tester.
To the accusers that Hadnagy is presenting tools for manipulation, and criticizing him for that... you are missing the point. Attackers will use whatever means; ethical or not, to infiltrate a company's infrastructure. NLP, framing, microexpressions - all of the tools and techniques covered in this book. And they will use others only partly acknowledged in this book, such as blackmail and other means of social leverage. Understanding that "manipulating" humans is common in this field is vital to defense against them.
It is ironic that most people are manipulated on a daily basis by advertisers and governments, yet can't come to terms with the methods in the context of information security. This isn't conspiracy theory - it is business.
Anyway - great book for understanding the challenges of IT security, particularly for the understanding of human vulnerabilities in order to deliver network infiltration devices and software.
This book is probably best served as paper, versus audio - or at least supplemented with the actual book. This is partly due to the many lists and references and partly due to the off-putting narration. It wasn't bad, but "good" isn't quite the right word either.
This book and further study (and practice) in the areas outlined are a means to becoming a more effective Penetration tester.
To the accusers that Hadnagy is presenting tools for manipulation, and criticizing him for that... you are missing the point. Attackers will use whatever means; ethical or not, to infiltrate a company's infrastructure. NLP, framing, microexpressions - all of the tools and techniques covered in this book. And they will use others only partly acknowledged in this book, such as blackmail and other means of social leverage. Understanding that "manipulating" humans is common in this field is vital to defense against them.
It is ironic that most people are manipulated on a daily basis by advertisers and governments, yet can't come to terms with the methods in the context of information security. This isn't conspiracy theory - it is business.
Anyway - great book for understanding the challenges of IT security, particularly for the understanding of human vulnerabilities in order to deliver network infiltration devices and software.
June 19, 2018
This is a pretty good into to SE, and some nice anecdotes are thrown in along the way. If you've already been studying the topic, a lot of it is redundant but I can see it being a nice thing to have one's employees read in order to take SE seriously as a security issue. He touches on microexpressions and Neurolinguistic Programming (NLP) in deceptive conversations, but these are very surface-level discussions. Here are a few resources I've found on various subjects that are more deep-dives:
Body Language
What Every BODY is Saying - Navarro [Good intro]
The Definitive Book of Body Language - Pease [A visual glossary]
Body Language Success [Analyzing body language and microexpressions in news and celebrity video clips]
Persuasion
Never Split the Difference - Voss [Negotiating]
Get Anyone to Do Anything - Lieberman
The Science of Influence - Hogan
How to Talk to Anyone - Lownders [Rapport, charisma]
Neuolinguistic Programming
NLP Workbook - O'Connor
Pitch Anything - Klaff
Physical Tools
How to Open Locks with Improvised Tools - Konkel
Social Engineering
The Art of Deception - Mitnick [SE scripts and anecdotes]
Body Language
What Every BODY is Saying - Navarro [Good intro]
The Definitive Book of Body Language - Pease [A visual glossary]
Body Language Success [Analyzing body language and microexpressions in news and celebrity video clips]
Persuasion
Never Split the Difference - Voss [Negotiating]
Get Anyone to Do Anything - Lieberman
The Science of Influence - Hogan
How to Talk to Anyone - Lownders [Rapport, charisma]
Neuolinguistic Programming
NLP Workbook - O'Connor
Pitch Anything - Klaff
Physical Tools
How to Open Locks with Improvised Tools - Konkel
Social Engineering
The Art of Deception - Mitnick [SE scripts and anecdotes]
August 3, 2017
I picked up the book with the intent of learning more about Social Engineering and how I could defend against bad actors. It sounded like the author knew his subject and was sharing.
But the author needs a better editor. The focus of the book wanders, so that on the same page the tone is for a person like me and then a couple paragraphs later, someone who wants to be a social engineering auditor. I'd be fine either way, but the constant flopping around made for difficult reading. (The biggest omission is in the beginning the text states there is an appendix, but there isn't)
The stories are the best part, though there isn't a solid narative to support them. Tidbits spring up out of nowhere, then are not connected to the next page. I think a lot could have been discussed around is numerous educational stories. That would have been much better.
In the end, I learned about the author's website and the surface of social engineering. This could be seen as a primer, but it doesn't have the cohesiveness. (I'm not knocking the fact it is 6 years old, for me, and a lot of the information could be out of date).
But the author needs a better editor. The focus of the book wanders, so that on the same page the tone is for a person like me and then a couple paragraphs later, someone who wants to be a social engineering auditor. I'd be fine either way, but the constant flopping around made for difficult reading. (The biggest omission is in the beginning the text states there is an appendix, but there isn't)
The stories are the best part, though there isn't a solid narative to support them. Tidbits spring up out of nowhere, then are not connected to the next page. I think a lot could have been discussed around is numerous educational stories. That would have been much better.
In the end, I learned about the author's website and the surface of social engineering. This could be seen as a primer, but it doesn't have the cohesiveness. (I'm not knocking the fact it is 6 years old, for me, and a lot of the information could be out of date).
October 10, 2017
This book is far from perfect, but it is the best book I’ve found on how-to social engineering as an overall field vs either a bunch of case studies or narrow guides to specific techniques. The biggest problem was using the same set of examples to illustrate multiple ostensibly distinct techniques — admittedly a lot of the distinctions were arbitrary to begin with — and the structure of the book wasn’t as clear as it could be. However, this book (and the author’s other resources on the Internet) are great resources for interested individuals, non-SE security people, or administrators.
November 19, 2017
Decent book if this is one's first interaction with the topic. If not, the repetitive, meandering and occasionally off-topic commentary coupled with a hefty amount of outdated information, plus the long internet links thrown in together with the text, instead of in an appendix, will make it a difficult read at times.
With these shortcomings aside, I did appreciate the topics on information gathering, microexpressions, the description of Kali Linux's (still called Backtrack when the book was written) tools that are oriented towards social engineering, and some of the case studies.
With these shortcomings aside, I did appreciate the topics on information gathering, microexpressions, the description of Kali Linux's (still called Backtrack when the book was written) tools that are oriented towards social engineering, and some of the case studies.
March 4, 2019
3/4 I already knew and didn’t really enjoy it. Many of the stuff were unnecessary, like comments which were not so relevant to the point that author was making or that social engineer needs to be motivated, not afraid to fail and so on... well duh, that’s obvious and is applied to ANY REAL WORLD PROFESSION.
There were parts which were indeed useful, like trick questions and real examples how to get what you want. Also the tools that engineer can use were very helpful. However, that only covered minor part of the book.
This book is for beginners who have literally no clue about security.
There were parts which were indeed useful, like trick questions and real examples how to get what you want. Also the tools that engineer can use were very helpful. However, that only covered minor part of the book.
This book is for beginners who have literally no clue about security.
January 13, 2021
Social Engineering ist seit Jahren auf dem Vormarsch und Christopher Hadnagy einer der großen Experten auf diesem Gebiet. Dementsprechend viele spannende Geschichten aus der Praxis kann er erzählen. Das Thema betrifft die meisten Büroangestellten, dafür ist das Buch leider zu lang und fachspezifisch. Gerade der Anfang des Buchs, bei dem er sich Zugang zu einer Firma verschafft, sowie das Ende mit Empfehlungen für eine gute Umsetzung von Gegenmaßnahmen haben mir sehr gut gefallen. In der Mitte hat mich das Buch leider ein wenig verloren.
Read
February 11, 2022all reviews in one place:
night mode reading ;
skaitom nakties rezimu
About the Book: What information you have on your social media profiles? Are there pictures of your home there, your family? Is the name there – real? So if I called you to ask about your bank details, knowing your name, and your bank, how would you know I’m not in it for your life savings if I, seemingly, asked nothing of value?… When’s the last time you did one of those “tag a friend” things that ask you for five facts, your favorite color, food, drink? Do you use the password you use in that profile – somewhere else too? When’s the last time you updated it? And is your security question – the easiest one to remember?…
My Opinion: A genuinely brilliant book that is also very concerning. Us the humans are easy to manipulate. A drop of empathy here, a bit of solidarity there, an instilled respect or fear of authorities, and we don’t question things. Think you can read people, and have a great gut feeling? Read it. The only issue I had with it was the pronouns used. An example is given where the abstract situation contains a person. We are led into it to “meet” this person. and then suddenly that person obtains a gender. So now that you see this person, look her in the eyes. I was okay with them being a person, don’t make me turn the person into someone more specific mid-sentence, please.
night mode reading ;
skaitom nakties rezimu
About the Book: What information you have on your social media profiles? Are there pictures of your home there, your family? Is the name there – real? So if I called you to ask about your bank details, knowing your name, and your bank, how would you know I’m not in it for your life savings if I, seemingly, asked nothing of value?… When’s the last time you did one of those “tag a friend” things that ask you for five facts, your favorite color, food, drink? Do you use the password you use in that profile – somewhere else too? When’s the last time you updated it? And is your security question – the easiest one to remember?…
My Opinion: A genuinely brilliant book that is also very concerning. Us the humans are easy to manipulate. A drop of empathy here, a bit of solidarity there, an instilled respect or fear of authorities, and we don’t question things. Think you can read people, and have a great gut feeling? Read it. The only issue I had with it was the pronouns used. An example is given where the abstract situation contains a person. We are led into it to “meet” this person. and then suddenly that person obtains a gender. So now that you see this person, look her in the eyes. I was okay with them being a person, don’t make me turn the person into someone more specific mid-sentence, please.
January 25, 2021
I agree with school of thought that states "Human is the weakest link in cyber security chain." In most cases it's much easier to just ask for password nicely and get it than to break open OS, then account, then database, then bank etc. Or why ask password, if you can just ask for money or documents themselves?
So logically defense should start with awareness and training, and not just of IT personnel, but everyone - since in 21st Century we all have digital presence.
This a good overview of methods and attack vectors - and exactly that, "overview", because to become social engineer one should add some years of practice to the book itself.
It also made me consider what I would consider social engineering, because, in a way, some of the elements are relevant to any communication - rapport, empathy, careful listening etc.
So logically defense should start with awareness and training, and not just of IT personnel, but everyone - since in 21st Century we all have digital presence.
This a good overview of methods and attack vectors - and exactly that, "overview", because to become social engineer one should add some years of practice to the book itself.
It also made me consider what I would consider social engineering, because, in a way, some of the elements are relevant to any communication - rapport, empathy, careful listening etc.
July 5, 2025
This was an excellent book, with great advice to protect ourselves in an ever changing cybersecurity world. I am very familiar with some of these topics, however, I felt that the author added to my tools of knowledge to enhance my own skills. The information is laid out easy to understand and absorb, with scenarios we can all relate to. I plan to directly apply some of these techniques in my career, to better protect myself and my organization. Highly recommend for anyone looking to learn more about this topic!
March 17, 2018
Arm yourself with knowledge.
This book looked to me like it has broke human relations down into fine pieces and made it easy to understand. The book bases its arguments on reasearch the author's team and other psychologists have conducted as well as public experiments and events. The one thing this book was, to me, lacking was examples from history.
This book looked to me like it has broke human relations down into fine pieces and made it easy to understand. The book bases its arguments on reasearch the author's team and other psychologists have conducted as well as public experiments and events. The one thing this book was, to me, lacking was examples from history.
November 8, 2021
People are so easily manipulated.
I believe it's good to be aware of it so it won't happen so easily to you.
I believe it's good to be aware of it so it won't happen so easily to you.
June 21, 2023
i love it
January 24, 2025
I was not very content tbh. Something was off. However, you do learn some valuable things.
November 5, 2018
I found that this book is vary interesting. After reading this book I watched the Television show that the author made about the same thing. Wile reading this book I learned about social engineering and how to use and manipulate people using the tactics used in the book. The book also is a good thing to learn about to protect your self from the people trying to hurt or scam me using the tactics in the book.
This book shows how to make people do what you want to do, wile also making them think its their idea and to make them think that it will also benefit them, but actually is putting them at a disadvantage on them. Giving me or the attacker the advantage. The book also shows how to infiltrate corporations to get information. From reading this book It has showed me the light in the dark and now when I grow up I want to use use this info in a job in the future. This book has sparked a interest in me to fine more about social engineering as a hobby and as a job. I will only use this book information to do good and not for evil entente.
I be leave everyone should read this book. It shows how to protect your self from people who want to harm you by showing how to prevent it. To keep your information, and possibly company safe from harms way.
"If you know the enemy and know yourself you need
not fear the results of a hundred battles.
—Sun Tzu (Page 25)"
"War is ninety percent information.
—Napoleon Bonaparte (Page 47)"
This book shows how to make people do what you want to do, wile also making them think its their idea and to make them think that it will also benefit them, but actually is putting them at a disadvantage on them. Giving me or the attacker the advantage. The book also shows how to infiltrate corporations to get information. From reading this book It has showed me the light in the dark and now when I grow up I want to use use this info in a job in the future. This book has sparked a interest in me to fine more about social engineering as a hobby and as a job. I will only use this book information to do good and not for evil entente.
I be leave everyone should read this book. It shows how to protect your self from people who want to harm you by showing how to prevent it. To keep your information, and possibly company safe from harms way.
"If you know the enemy and know yourself you need
not fear the results of a hundred battles.
—Sun Tzu (Page 25)"
"War is ninety percent information.
—Napoleon Bonaparte (Page 47)"
September 26, 2021
The only interesting part of this book was the stories from SE engagements, and even these became boring.
I don't like the overly enthusiastic style, the random jokes, the "useless fact" sections. It's like I'm listening to a hybrid of a bad stand-up routine and a sales pitch. I also genuinely dislike the formatting and the presentation, e.g. a bunch of random hyperlinks on a paper page.
But I mostly don't like the content. I want this book to be either a collection of stories from engagements with lessons learned, or I want a training manual. This feels like a book that could have been a blog post that could have been a series of tweets.
I didn't keep detailed notes on everything I disliked, but here's some stuff of the top of my head:
1) Academic research. I don't need to have an overview of a barely-related study that may or may not have been replicated. I don't get the obsession with trying to appear "scientific" and citing off studies that don't really add to the point.
2) DISC. I guess any framework is useful when you're totally lost but this just feels like a horoscope, or like MBTI. Again, it could be useful because you start thinking, but I dislike the implication that it describes people or that it has any predictive power.
3) Recycled pop psychology. It's just a bunch of stuff I've read before, e.g. from Cialdini. But it's not what makes or breaks a social engineer! Like yeah, psychology is important, but I want the subject-matter expertise, not pop-psych I and a million other people have already read.
Overall, it all feels so very cartoonish. The style of presentation, the people, their reactions. I don't know how to say it better but it feels like it has no real depth. I'm sorry because I was really looking forward to reading this book.
2 stars for SE engagement stories.
I don't like the overly enthusiastic style, the random jokes, the "useless fact" sections. It's like I'm listening to a hybrid of a bad stand-up routine and a sales pitch. I also genuinely dislike the formatting and the presentation, e.g. a bunch of random hyperlinks on a paper page.
But I mostly don't like the content. I want this book to be either a collection of stories from engagements with lessons learned, or I want a training manual. This feels like a book that could have been a blog post that could have been a series of tweets.
I didn't keep detailed notes on everything I disliked, but here's some stuff of the top of my head:
1) Academic research. I don't need to have an overview of a barely-related study that may or may not have been replicated. I don't get the obsession with trying to appear "scientific" and citing off studies that don't really add to the point.
2) DISC. I guess any framework is useful when you're totally lost but this just feels like a horoscope, or like MBTI. Again, it could be useful because you start thinking, but I dislike the implication that it describes people or that it has any predictive power.
3) Recycled pop psychology. It's just a bunch of stuff I've read before, e.g. from Cialdini. But it's not what makes or breaks a social engineer! Like yeah, psychology is important, but I want the subject-matter expertise, not pop-psych I and a million other people have already read.
Overall, it all feels so very cartoonish. The style of presentation, the people, their reactions. I don't know how to say it better but it feels like it has no real depth. I'm sorry because I was really looking forward to reading this book.
2 stars for SE engagement stories.
June 26, 2022
Easy read, interesting topic, how to tell what people are feeling based on their body language I use in my life now.
Displaying 1 - 30 of 288 reviews