If you think you can’t be tricked, you’re just the person I’d like to meet.
R. Paul Wilson
What is social engineering ?
Well, given the plethora of news about scammers and people being easily fooled by them, the public opinion about this subject is anything but positive. However,make no mistake, it surely isn’t just that…
Actually, social engineering is the art, or better yet, science of skillfully maneuvering a person to take an action that may or may not be in the “target’s” best interest. Thus, besides crimes, you can also notice it in: business marketing, the way children get their parents to give in to their demands, the way doctors, lawyers, or psychologists obtain information from their clients. Obviously, you can also find it in law enforcement, and in dating — it is truly used in every human interaction, from babies to politicians …
Types of social engineers
- Hackers & Penetration testers: as modern software gets more difficult to break into, hackers are turning to social engineering skills more than ever.
- Spies: simply put, it is a lifestyle for them. They mostly use it to build credibility and to “fool” victims into believing they are someone or something they are not.
- Identity thieves: they use information such as a person’s name, bank account numbers, address, birth date, and social security number without the owner’s knowledge.
- Disgruntled employees: often enter into an adversarial relationship with their employer. They typically hide their level of displeasure to not put their employment at risk, yet they resort to theft, vandalism or other crimes as revenge (moles).
- Scammers: usually driven by greed or the desire to “make a buck”. They master the ability of reading people in order to target a vulnerable victim.
- Executive recruiters: are very adept at not only reading people but also understanding what motivates people, in order to please both the job seeker and the job poster.
- Salespeople: use their skills to find out what people’s needs are and then see whether they can satisfy them.
- Governments: use it to control the messages they release as well as the people they govern (they utilize techniques like: social proof, authority and scarcity). This is not always negative, as some of their messages are for the good of the people, and using certain elements of social engineering can make the message more appealing and more widely accepted. However, when politicians want to avoid talking about something, they resort to using Wooden Language (this is a perfect example that I found while visiting The Romanian Kitsch Museum in Bucharest).
- Doctors, psychologists, and lawyers: must use elicitation and proper interview and interrogation tactics, as well as many if not all of the psychological principles of social engineering to manipulate their clients into the direction they want them to take.
Given the information above, you’ve probably realized that there’s a high probability to be a target of such trickery.
How do I stay safe? Great question.
Well, what I can say for sure, is that you are safer if you know and understand the techniques used for a successful social engineering attack. This is why, in the next section, I’m going to explain decisive skills like: information gathering, elicitation, pretexting, microexpressions, Neurolinguistic Programming, interview & interrogation, building rapport, The Human Buffer Overflow, influence tactics (reciprocation, obligation, concession, scarcity, authority, commitment, liking, social proof), framing, and, the last but not least, manipulation.
With enough time and enough effort anyone can be social engineered. Those words are true, as scary as they are. That doesn’t mean there is no hope; it means your job is to make malicious social engineering so difficult and time consuming that most hackers will give up.
As usual, this information is for education purposes only. A lot of social engineers face prison time as well. So, have fun, but respect the legal and ethical constraints. Otherwise, make sure that you’re hiding better than everyone else can hide, in the 21st century.
The most important phase of the attack. Usually takes from days to months, depending on the target. For example, this is what the Russian government had been doing for at least 8 years in Ukraine, using cyberattacks and spies, before starting an invasion on 24th of February 2022.
Mindset: no piece of information is irrelevant; even the slightest detail can lead to a successful breach.
Example: Mati Aharoni (professional pentester) was tasked with gaining access to a company that had an almost nonexistent Web footprint. After some internet searching, he found a high-ranking company official who used his corporate email on a forum about stamp collecting and who expressed an interest in stamps from the 1950s. Mati created a website like
stampcollections.com, where he put 1950s stamp photos found on Google, and embedded a malicious frame that exploited a vulnerability in the popular web browser at the time. So, accessing the link would give the attacker control over the victim’s computer. Then, he crafted an email for this company official. In the email, it’s stated that he’s another user of the same forum, who noticed the interest in old stamps, and that his grandfather, who ‘passed away’, left a stamp collection that can be seen on Mati’s stampcollections.com website. Before sending the email, for maximum impact, he called the target on the phone. This way, Mati built trust by discussing on a friendly tone about his stamp offer, while also expressing some feelings of sadness for the recent death in his family (triggering compassion). Thus, the target was very eager to see this collection. As soon as the man received the email, he clicked the link and the company’s perimeter was compromised. The tiny piece of information that led to this successful attack: a corporate email on a random website.
The problem: using social media, people can easily share every aspect of their lives with anyone they choose, making potentially damaging information (for their personal & business security) more readily available than ever before.
Example: Max Fosh infiltrated into The International Security Convention (the irony). He used a badge found on an Instagram post from the event (edited a little bit in Photoshop, then printed) -> video: https://youtu.be/qM3imMiERdU.
Also, many employees talk about their job title in their social media outlets. This can help a social engineer to profile how many people may be in a department and how the departments are structured.
Other sources & techniques: Apple/Google Maps (for an idea about the target’s buildings, ways in & out), Google Dorks, WhoIs, NMAP, Maltego, forums, overhearing conversations, flirting with the target, public reports, or simply the trash (you’d be surprised how much sensible information is literally dumped).
Attackers look for the links between the information extracted from all sources, to create a whole profile. This profile includes contact numbers, biographies, email naming conventions, special words or phrases that can help in password profiling, family members, physical locations, purchases, leases, contracts, favorite foods/teams/music, the service companies used, etc. Everything is processed in order to find vulnerabilities and come up with the best attack strategy.
In training materials, the National Security Agency of the United States government defines elicitation as “the subtle extraction of information during an apparently normal and innocent conversation.” Generally speaking, being able to use elicitation means you can fashion questions that draw people out and stimulate them to take a path of a behavior you want.
This method works so well because the conversation can occur anywhere the target feels comfortable (their routine places, for example). Other reasons are that:
– most people have the desire to be polite, especially to strangers
– professionals want to appear well informed and intelligent
– if you are praised, you will often talk more and divulge more
– most people would not lie for the sake of lying
– most people respond kindly to people who appear concerned about them.
Goal: obtain information then utilize that information to motivate a target to the path you want him to take (only through casual conversation). Therefore the attacker must be ‘natural‘, well informed about the subject he’s talking about, and not greedy with the questions, to avoid raising any red flag.
Preloading can be a critical part of elicitation, and denotes just what it says—preload targets with ideas on how you want them to react to certain information. It is often used in marketing messages (e.g. movie trailers soundtrack).
A simplistic example: a friend walks up and says, “I have to tell you a really funny story.” What happens to you? You might even start smiling before the story starts and your anticipation is to hear something funny, so you look and wait for opportunities to laugh. He preloaded you and you anticipated the humor. Another one: interrogators would say “Now think carefully before you answer the next question…”. This kind of statement preloads the target’s mind with the idea that he must be truthful with his next statement.
Basically, it’s all about being able to plant ideas or thoughts in a way that is not obvious or overbearing, as a first step, before starting the actual attack. Because you ‘preloaded’ the target, when the time arises to present an absurd idea, it will most probably be accepted.
A successful elicitor:
- offers a non-judgmental ear for people to talk about their problems
- appeals to someone’s ego (e.g., when you praise someone, they’ll usually express their humbleness by talking about how the situation actually is => valuable information)
- expresses a mutual interest
- makes a deliberate false statement (we have the desire to inform others, appear knowledgeable, and be intolerant to misstatements => valuable info when you’re being corrected by the others)
- offers information in a conversation, because it almost compels the target to reply with equally useful information
- uses the effects of alcohol, if possible, as it loosens the victim’s lips. This is an unfortunate but true fact.
- uses more open-ended questions (those that cannot be answered with yes or no)
- uses assumptive questions (to determine whether or not a target possesses the information you’re after).
🎭Pretexting: How to Become Anyone
Pretexting is defined as the background story, dress, grooming, personality, and attitude that make up the character you will be for the social engineering audit (you create a new identity). Chris Nickerson: it is not about living a lie (…). You are, in every fiber of your being, the person you are portraying. The way he walks, the way he talks, body language—you become that person.
What is a good pretext based on? First of all, the quality of the information gathered beforehand. Then, the practice of dialects/expressions, the simplicity (the simpler the pretext the better the chance of success), confidence (helps a lot in convincing the target you are who you say you are; usually achieved by involving personal interests in the pretext), and the finale: providing a logical conclusion or follow through for the target.
Example: a popular malicious pretext right now is the fake ‘fund raiser’, who takes advantage of the current Ukrainian crisis. These individuals behave like they care, presenting the atrocities of war (simple pretext that triggers people’s emotions), and demand money for helping Ukrainians (the logical conclusion). The same happened right after 9/11 , 2001.
🧠Modes of thinking & the senses
A social engineer has to understand the modes of thinking. Why? Well, if you can first figure out the target’s dominant mode of thinking (and then use it yourself in subtle ways), you can unlock the doors of the target’s mind and help him actually feel at ease when telling you even intimate details. So, how can you figure out someone’s dominant mode of thinking?
The world is brought to our brain by our senses: sight, hearing, touch, smell, taste (traditional classification). The modes of thinking are associated with only 3 of them. Therefore, we have the:
- visual thinker (majority): usually remembers what something looked like (colors, textures, brightness / darkness). He can clearly picture a past event and even build a picture for a future event. This individual usually makes a decision based on what is visually appealing to him regardless of what is really “better” for him. Often uses words like: “that looks good to me”, “I get the picture now”. Also, visuals need to look at the person speaking to communicate properly.
- auditory thinker: remembers the sounds of an event in detail (e.g., the alarm was too loud, the woman whispered too low, the scary bark of the dog). Of course, he learns better from what he hears, as in this case the sounds themselves help recall memories. May use phrases such as: “loud and clear”, “something tells me”, “that sounds ok to me”. Whole encounters can go from great to a disaster with one wrong word spoken to an auditory thinker.
kinesthetic thinker: remembers how an event made him feel—the warmth of the room, the beautiful breeze on his skin, how the movie made him jump out of his seat with fear. Often kinesthetic thinkers feel things with their hands to get the sense of the objects. May use phrases such as: “I can grasp the idea”, “I’ll get in touch with you”, “I just wanted to touch base”, “how does it feel?”. They don’t really react to sights and sounds, thus, social engineers have to get in touch with their feelings to communicate with them efficiently.
This is the type of people that must touch everything in the grocery store when they shop, whether they need it or not. By touching the objects, they make a connection. This is what helps them clearly remember the things later.
Asking questions that contain some of the key dominant words, observing a target’s reactions, and listening can reveal what dominant sense he or she uses.
Let’s take the example of an excellent salesguy, Tony, who can figure out someone’s dominant sense in 60 seconds. When he first engages the target, he has a very shiny silver-and-gold pen in his hand. He gestures a lot and notices whether the person follows the pen with her eyes; if she does slightly, Tony will continually make the gestures bigger to see whether her eyes follow. If that doesn’t seem to work in the first few seconds, he will click the pen open and closed. It isn’t a loud noise, but loud enough to disrupt a thought and draw someone’s attention if she’d be an auditory. If he thinks that is working, he will click it with every important thought, causing the target to have a psychological reaction to the sound and what is being said. If that doesn’t seem to work, he will reach over the table and tap her wrist or forearm, or if he is close enough, touch her shoulder. He doesn’t touch excessively, but enough to see whether she will shy away or seems overly happy or disturbed by the touch. At this point, he’s most likely guessed the correct sense and starts to move the conversation in that direction, to make the target more comfortable.
Why exactly does Tony do all of this stuff? Think about it: if someone makes you feel “warm and fuzzy”, or seems to understand what you are saying, or where you are coming from, you easily open up to, trust, and let that person in your circle.
Microexpressions are facial expressions which are not easily controllable and occur in reaction to emotions. Many times they last for as short as one-twenty-fifth of a second. Because these expressions are involuntary muscular movements due to an emotional response, they are nearly impossible to control. Social engineers use them to notice deception and figure out how the target is really feeling, in order to act accordingly. Another crucial reason is stated by Dr. Paul Ekman: If producing the facial expression can cause the emotion, that must mean that our facial movements can affect the emotions we feel, and maybe even the emotions of those around us. Basically, social engineers practice producing the facial expressions voluntarily, as it makes it easier to achieve a certain emotional state.
Let’s take a look at the microexpressions linked with some basic or biologically universal emotions:
- Anger (one of the easiest to spot): the lips become narrow and tense. The eyebrows slant downward and are pushed together, then the most noticeable characteristic comes into play: the glare.
- Disgust: often characterized by the upper lip being raised to expose the teeth, and a wrinkling of the nose. May also result in both cheeks being raised when the nose is wrinkled up, as if to try to block the passage of the bad smell or thought into one’s personal space.
- Contempt: very strong emotion that is often confused with disgust. Contempt is only experienced about people or the actions of people, but not about tastes, smells, or touches (Dr. Ekman). Contempt is distinguished by wrinkling the nose and raising the lip, but only on one side of the face, whereas disgust is the raising of the whole lip and the wrinkling of the whole nose.
- Fear: often confused with surprise because the 2 emotions cause similar muscular reactions in the face. The eyes are open wide, the eyebrows are crunched together inward. The lips are pulled together and out towards the ears. Fear can be a big motivator to do many things that you (or your target) would not normally consider doing.
- Surprise: the eyebrows are raised (eyes open wide), the jaw is unhinged and opened slightly.
- Sadness: overwhelming and strong emotion. It can also be very subtle. Mouth is open only slightly, the corners of the lips are down and the cheeks are raised a little. The eyes look down and the eyelids droop. Because we can feel it ourselves when seeing other people expressing this emotion, social engineers use sadness in their advantage a lot.
- Happiness. The true and the fake smile are an important aspect of human expressions to know how to read, and as a social engineer to know how to reproduce. When a person smiles for real, de Boulogne indicates, two muscles are triggered, the zygomaticus major and the orbicularis oculi. He determined that the orbicularis oculi (muscle around the eyes) cannot be triggered voluntarily and that is what separates a real from a fake smile. Therefore, even if recent research indicates some can train themselves to trigger that muscle, more often than not a fake smile is all about the eyes. A real smile is broad with narrow eyes, raised cheeks, and pulled-up lower eyelids (it usually involves the whole face, from the eyes to the mouth).
Showing genuine emotions is known to be a difficult task. One of the tricks actors use to be able to successfully show proper emotion is to remember and focus on a time when they truly felt the emotion they need to portray. Learning to correctly exhibit the subtle hints of microexpressions can cause the neurons in your target’s brain to mirror the emotional state they feel you are displaying, making your target more willing to comply with your request.
On the other hand, using this knowledge, there are 4 things that can help you detect lies / deceit in a target:
- contradictions: watching the person’s microexpressions while you question him about a contradiction is always helpful.
- hesitation: if you ask a question and the answer should have come quickly from the person, but he hesitates beforehand, it can be an indication that he was using the time to fabricate an answer or to decide whether he wants to reveal some facts.
- changes in behavior: during a discussion the target may change his behavior every time a certain topic is brought up. Maybe you notice an expression change or a shift in the way he sits, or a marked hesitation. All of these actions can indicate deceit.
- hand gestures: many professionals state that when someone is being untruthful he will touch or rub his face often. Some psychological connection exists between rubbing the face and generating a fabrication. Taking note of a change in the size, frequency, or duration of hand gestures during different topics in the conversation is important.
Why exactly do social engineers want to detect deceit? If their pretext is someone with authority (manager or department supervisor), and they catch someone lying, they can use that in their advantage. By “forgiving” the person, they are now owed a favor in return.
🗣️Neurolinguistic Programming (NLP)
NLP was developed in the 1970s by Richard Bandler and John Grinder with the guidance of Gregory Bateson. Without any regulating body, the field grew as everybody wanted to learn to control others, lie without getting caught, or solve all their psychological problems.
The new/modern approach of NLP states that to make a change, the unconscious mind of the target must be involved, the new behavior must satisfy their original positive intention, and the change must occur internally, at the state of mind, rather than at the behavioral level. This new code suggests how NLP can create serious and drastic changes to a person’s thinking.
Example: increasing your sales by getting someone to start talking about their dreams. Once you have them talking about certain goals or aspirations, you can position your product or service as answering one of the needs to reach those goals. By positively building on your product as fitting a need they have, you give your potential buyer’s brain a way to connect your product with positive sales.
For a social engineer, NLP comes down to using voice, language, and choice of words to guide people down the path he wants.
You can ‘inject’ commands into people’s mind without their knowledge (yes, I know how that sounds), and the way you say things is where the injection occurs; it’s a moment framed within regular conversation. Sometimes how you say something is more important than what you say. Therefore, using the tones of your voice to emphasize certain words in a sentence can cause a person’s unconscious mind to focus on those words.
For the next few paragraphs, the pink, bold font denotes the words spoken with a lower (deep) voice tone. Good social engineers jump between tones very subtly. It’s an ability that is refined with hours of practice.
“Remember how clean your room looked last Christmas?” The embedded command is “clean your room”, which includes a time shift to a happier time. This is an example of a pleasant, painless injection.
“Buy now, you can see the benefits!” This one starts with the voice low, then up to a normal tone, then back down for benefits.
If you pay close attention to the way some politicians speak or to the voices in commercials, you’ll most likely notice this technique. NLP is a powerful topic, and, much like microexpressions, this section only scratched the surface.
🤷Interview & Interrogation
The main difference between an interview and interrogation is that an interview is in an atmosphere where the target is comfortable both physically and psychologically. In an interrogation the intention is to put some pressure on the target by creating discomfort, with the goal of gaining a confession or some knowledge the target possesses. Interrogation principles are used widely by successful social engineers. It’s a skill they’ll spend a considerable amount of time obtaining.
When starting an interview or interrogation, areas observed for changes in the subject are: body posture (upright, slumped, leaning away), skin color (pale, red, white), head position (upright, tilted, forward/back), eyes (direction, openness), hands/feet (movement, position, color), mouth/lips (position, color, turned up/down), voice (pitch, rate, changes), words (short, long, number of syllables, dysfunctions, pauses). Changes can indicate a question or line of questioning that needs more attention. Professionals don’t watch for only one sign, they watch for groups of signs.
Examples: defensive posture (the torso is pointing away and the eyes are averting from looking at you), usually appears after asking a question which the target will not answer with the truth. When you feel threatened or scared, your body’s natural reaction is to pull the elbows in towards the rib cage. An increase in movement or “fidgeting” during an interrogation can show an increase in stress levels, signifying that the interrogation is having the desired effect. Blurting out answers quickly is believed to be a sign of practicing the answer. An open palm might indicate sincerity.
Social engineers have to determine what is “natural” in a target (i.e. the baseline) very fast. Being very observant is the key to success with this skill. A method of figuring out the baseline involves asking questions that cause the suspect to access different parts of his brain. The interrogator asks first nonthreatening questions that require simple memory and questions that require creative thinking. Then looks for outward manifestation of his brain activating the memory center, such as microexpressions or body language cues. This way, he knows what to expect when asking the real questions.
Theme development in police interrogations is when the interrogator develops a story to postulate why the suspect may have committed a crime. “So he insulted you and you got so mad, you grabbed the pipe and began hitting his windshield with it.” While the officer is telling the story, he or his partner is watching the body language and microexpressions of the suspect to see if there are any clues that would constitute agreement.
The Department of Defense has different approaches that professional interrogators use, and social engineers have a lot to learn from them.
- Direct approach: The confidence, attitude and manner of the interrogator rules out that the suspect is innocent at all. Without threatening, the interrogator disarms the suspect by telling him anyone else would have done the same thing. Social engineers use this if their pretext is a person who has power over the target. They assume the target “owes” the response they seek.
- Indirect approach: The suspect is allowed to tell his side of the story in detail and the interrogator looks for omissions, discrepancies, and distortions. The interrogator’s job is to let the suspect know that the best course of action is to tell the truth.
- Sympathetic approach: The interrogator drops his voice and talks in a lower, quieter tone that gives the impression he is an understanding person. He sits close to the suspect and maybe puts his hand on the suspect’s shoulder or pats him on the arm. Physical contact at the right time is very effective.
- Emotional approach: It plays on the morals or emotions of the suspect. Questions such as, “What will your wife or kids think about this?” are used. The thoughts that are aroused emotionally upset him and make him nervous. As these emotions manifest themselves, the interrogator can capitalize on them.
- Logical approach: This non-emotional approach presents strong evidence of guilt. The interrogator should sit erectly and be business-like, displaying confidence.
- Indifferent approach: The interrogator acts as if he does not need the confession because the case is solved. At that point the interrogator may try manipulating the suspect into giving his side of the story. Social engineers use this when they’re caught in an area or situation they should not be in, by acting indifferent instead of afraid that they’ve been caught. It can cause the person who caught them to not be alarmed as much and afford them an opportunity to dispel any worries.
- Face-saving approach: The interrogator should rationalize the offense, giving the suspect a way out and an excuse to confess and save face.
Egoistical approach: It’s all about pride. For it to work you need a suspect who is very proud of an accomplishment. Bragging on good looks, intelligence, or the way the crime was performed may stroke his ego enough that he wants to confess to show that, indeed, he was that smart.
Playing up someone’s accomplishments gets them to spill their deepest secrets. In the case of a U.S. nuclear engineer visiting China, social engineers loaded the man with compliments, and he spilled the beans and divulged information he shouldn’t have.
- Exaggeration approach: If an interrogator overexaggerates the case facts, the suspect may admit to what was real. Social engineers use this approach by overexaggerating the task they are there to perform. By overexaggerating the reason for being there you can give the target a reason for providing you lesser access. Example: “I know Mr. Smith wanted me to fix his computer personally because he lost a lot of data, but if you don’t feel comfortable with that, I can potentially fix his problem from another computer in the office.”
- Also, a suspect rarely confesses his transgressions all at once. Getting him to make minor admissions, such as he was on the site, owned the weapon in question, or owned a similar car, can move him toward admitting more and more, eventually leading to a complete confession.
Gesturing is often used to get better answers in these situations. There are techniques like anchoring (linking statements of a type with a certain gesture, e.g. positive with right hand movement, negative with left hand movement), or mirroring where you try to match your gestures to the personality of the target. Mirroring not only involves mimicking a target’s body language but also using gestures that make it easy for a person to listen to you. Seeing gestures a target is familiar with can be comforting to him or her.
Finally, if you want to know how far some people can go for the sake of “interrogation”, take a look at C.I.A.‘s Project MK-Ultra. You won’t be disappointed 😉 .
🫂Building Instant Rapport
Basically, it’s the ability to make friends with someone in a matter of minutes, and it is a vital skill for social engineers. Wikipedia defines rapport as being ‘in sync’ with, or being ‘on the same wavelength’ as the person with whom you are talking. So, how does a social engineer build rapport?
- he likes people and enjoys interacting with them. People can see through fake smiles and fake interest, and they need to feel you are genuinely concerned to build that trust relationship.
- he takes care with his appearance: clothing, body odor, cleanliness, movements, facial expressions. He adapts all these factors to the target (using information that was gathered about their preferences). Also, “if a person is not comfortable with himself, others will not be comfortable with him either.”
- he’s a good listener. He realizes a major difference exists between hearing and listening. It’s commonly believed that people retain much less than 50% of what they hear.
He pays attention, does not fiddle with the phone or other gadget, does not interrupt, and tries hard not to think ahead and plan his next response. If you are planning your next response, you will not be focused, and you may miss something important, or give the target the impression you don’t really care.
He doesn’t forget to smile and provide proof that he’s listening, by nodding (once in a while) and rephrasing some of the ideas of the target.
He doesn’t always let his personal beliefs and experiences filter the message coming his way. If he does that, he may not truly “hear” what the speaker is saying.
- he keeps the conversation off himself. We all love to talk about ourselves – it is human nature. So, he lets the target talk about herself until she gets tired of it (you’d amazed at how much information they release); he’ll be deemed an “amazing friend”, “a “perfect husband”, or whatever title he’s seeking.
- he tries to identify and understand the underlying emotions, then uses reflection skills to make the person feel as if he’s really in tune with him. Nothing builds rapport more than when people feel like you “get them.”
- he’s curious and he has a strong general knowledge. Knowledge is power, right? It makes you interesting and gives you something to base a conversation on. Also, when you become curious about others’ lifestyles, cultures, and languages you begin to understand what makes people ‘tick’.
- he’s open minded enough to look into another’s thoughts on a topic, even if those thoughts differ from his. This keeps you from being rigid and unbending in your personal judgments. You may not personally agree with certain topics, beliefs, or actions but if you can remain nonjudgmental, then you can approach a person by trying to understand why he is, acts, or portrays a certain way.
- he finds ways to meet any of the 4 fundamental psychological needs for humans (stated by Dr. William Glasser):
If you can create an environment to provide those needs for people, you can create bonds that are unbreakable. You just have to look at how successful social media platforms have become, and how hard it is to let them go. It’s because they are environments that mainly satisfy needs like belonging/connecting and fun.
Using these rapport-building techniques as well as matching energy levels, facial expressions, and the like, he can build strong rapport on a subliminal level.
Let’s take a police interrogation example that proves this point about the power of rapport to make people comply with requests. The officers had arrested a man who was a peeping tom. He had a fetish where he loved to invade the privacy of women who wore pink cowboy boots. The agent, instead of judging him for the freak he is, used phrases like, “I like the red ones myself,” and “I saw this girl the other day wearing short shorts and high cowboy boots, wow!” After just a short time he began to relax. Why? He was among like-minded people. He felt connected, part of the crowd. Their comments put him at ease and he began to spill his guts about his “habits.”
⚠️The Human Buffer Overflow
Buffer overflow is a well known vulnerability in the world of software security. Simply put, a buffer is a space (usually of fixed size) given for something to happen or to hold data.
If the program does not properly check the ‘limits’ of a buffer, a hacker can overload it with data until the program crashes, or, a part of that data fills a memory zone next to that buffer. If that adjacent memory zone happens to be a place where the program looks for instructions to execute, then it can execute instructions given by the hacker. Oof.
Well, it looks like this can also be applied to the human mind. If a certain dataset does not fit the space we have for it, what happens? Unlike a computer, your brain doesn’t crash, but it does open up a momentary gap that allows for a command to be injected so the brain can be told what to do with the extra data.
The simplest example of this is having color names written using another color. We’ve all been through this: YELLOW BLUE ORANGE BLACK RED GREEN PURPLE YELLOW GREY GREEN. As fast as you can, try to read the color of the word, not what the word spells.
After a couple of fast reads and struggles (which means a lot of data to process at once) you’ll read the word and not the color. The data ‘overflow’ made the command injection possible, as our mind is not good at concentrating on 2 things at the same time.
Social engineers understand how we make decisions in life, in order to perform such buffer overflows. People make most of their decisions subconsciously, including how to drive to work, get coffee, brush their teeth, and what clothes to wear without really thinking about it. The goal is to bypass the “firewall” (the conscious mind) and gain access directly to the “root of the system” (the subconscious). This is done with Embedded Commands, which are usually short (3 or 4 words), hidden in normal sentences, and accompanied by facial/body language.
Examples: In marketing / commercials, some information is presented first (studies, reviews, functionalities etc.). This information is usually intriguing and stimulates the imagination of the target, thus, the conscious mind stops to process it. This is quickly followed by words like: “Buy now!”, “Act now!”, “Follow me!” (the commands, targeting the subconscious).
When a social engineer applies this method directly (i.e. live, during dialog), while the conscious mind is connecting the dots, so to speak, the unconscious mind has little option but to comply if an embedded command exists.
An example (from personal experience) is the scammer from big cities (I found this one in Rome, he was from Africa) who builds rapport with random tourists and gives them bracelets (apparently for free). But, when the tourist tries to leave, this “friendly guy” becomes serious, and starts telling emotional stories about how his family struggles to live, demanding some money “to help them”. Because the tourist was given the bracelet, he’ll most likely feel that he needs to give something in return (there also a fear of ‘bad vibes’). So, instead of giving the bracelet back (which, btw, the scammer refuses to take back), the tourist takes his money out (the worst mistake you can make in this context).
Up to this point, there’s no buffer overflow, but now, when this scammer sees the (not so modest) amount of cash you have, he decides to go for this dirty technique. If the tourist tries to hand him a small bill (only 5€ let’s say), he quickly takes his money out, and starts to talk a lot of words in a very broken English, from which only the word ‘change‘ can be understood. While holding his money, he continuously repeats these words, faster and faster (this is the data that overflows your conscious mind – you start thinking what the hell is he actually saying), and among them, the only word you can somehow discern is still ‘change‘ (the command to be injected). So, guess what: you’ll take out a much bigger bill and you’ll hand it to him, thinking that he only wants to change the money (changing money is a well known, familiar & legit procedure to our subconscious)… He takes it, and gives you only a much smaller bill in return (that is, if you’re lucky). And that’s it. He’ll continue with the same broken English, while getting away from there, leaving the tourist still processing the situation.
Believe it or not, they make enough money to live a decent life (for some time) with this stupid trick, in big cities (Paris, Rome, Barcelona, Lisbon a.s.o.). However, there’s people who play with these scammers, to harass them back, like this guy. Sometimes, catching them becomes fun :)) .
😉Influence: the power of persuasion
This is the process of getting someone else to want to do, react, think, or believe in the way you want them to. True influence is elegant and smooth, and most of the time undetectable to those being influenced. After reading this section, you’ll start to get irritated at the shoddy attempts of marketing people and, if you are like me, you will begin to rant and rave at terrible commercials and billboards (they are fuckin’ everywhere).
Let’s take a look at some influence tactics, shall we?
It’s the simple principle of “you do something for me, I do something for you”. Simple example: I hold the door open for you first, and most likely you’ll hold the next door open for me. This rule is important because often the returned favor is done unconsciously, and it is seen as part of the moral codes.
Politicians are influenced in much the same way. It is no secret that many times politicians or lobbyists are more favorable to people who helped their political campaign than those who did not.
Social engineers give something away, and that thing must have value – to the recipient. The more value the gift has and the more unexpected it is, the greater the sense of indebtedness.
An example is, of course, negotiation. The seller starts with a big price, the buyer with a much smaller offer. Gradually, each of them gives up a part of the possible earning, one by one, until they reach a deal (reciprocation/concession: if the seller dropped the price this much for me, I can give him a little more).
Children can use this trick when demanding money from the parents. If they need 5€, but they start by asking for 30, then 20, it is more likely they’ll end up with 5 or even 10.
People often find objects and opportunities more attractive if they are rare, scarce, or hard to obtain. This is why you will see ads filled with “Last Day”, “Limited Time Only”, “Only 3-Day Sale”, “The first X users will get Y discount” and “Going Out of Business Forever” messages that entice people to get a share of the soon-to-be-never-seen-again product. In economy, the rarer the resource, the higher the perceived value the object retains (e.g., gold). Social events can often appear to be more exclusive if scarcity is introduced.
Some dating advice for men is based on this concept as well. One might act like he’s very busy on a regular basis, and free time is hard to come by. For this reason (especially if he’s built a good reputation), this man can be seen as of high value. In lots of cases, women feel much more attracted to this kind of man, also because he does not give them attention or validation, like the majority of men do (by approaching & flirting with them). So, in order to get her validation from this man as well, an attractive woman will most likely do the 1st step in the game of seduction. From personal experience, I can tell you that this is some pretty good advice, but it requires a lot of self control, self love, and self confidence.
For a social engineer, using scarcity mixed with other principles can also make the attack even deadlier. Either way, scarcity creates a desire and that desire can lead someone to making a decision he might regret later.
People are more willing to follow the directions or recommendations of someone they view as an authority. Therefore, social engineers may impersonate persons with:
– legal authority: law enforcement, security guards, lawyers;
– organizational authority: CIO or acting as sent or authorized by the CFO;
– social authority: refers to ‘natural-born leaders’ of any social group. In Western countries, there are 3 authority symbols : titles, clothes, automobiles. Using the right combination of these and an assertive attitude when approaching the target, a social engineer can easily intimidate him/her.
Example: in the BOR Recorder investigation, an expensive car (w/ the clothing) gives the ‘respected‘ status to the undercover journalist, whose pretext is a politician who wants to do business with the church.
Commitment & Consistency
People value consistency in others, and they also want to appear consistent in their own behavior. If a social engineer can get a target to commit to something small (an act or a simple “yes”), usually escalating the commitment is not too hard. Robert Cialdini states: “(…) once we make a decision, we will experience pressure from others and ourselves to behave consistently with that decision. You can be pressured into making either good or bad decisions depending on your past actions”.
Simple example – a phone conversation often used by solicitors goes something like this:
“Hello, how are you today?” You answer, “I am doing great.” Now, the exploit: “That is good to hear, because some people who are not doing so great can use your help.”
You can’t really go back on what you said now, because you are still doing great and committed to it.
Being aware that it is okay to say “no” can save you from committing to something that could be disastrous. Yet sometimes we convince ourselves that saying “no” is some form of cardinal sin that needs many prayers to be forgiven.
Other than making themselves liked at the psychological level, social engineers take into consideration their physical attractiveness as well. Humans tend to automatically “like” those who we find attractive. As vain as that sounds, it is the truth. Some serious psychological principles back up this idea.
The “What Is Beautiful Is Good” study proved that people tend to link beauty with other successful qualities and it alters their opinions and ability to trust someone. This effect is often used in marketing. Beautiful people are given products to drink, eat, and wear, and other people will automatically assume these things are good.
A good social engineer knows the target (how does he dress, what does he consider bad and good) so he/she can successfully look the way the target would expect. The social engineer will project a confident and positive attitude, will look for things to compliment people on, and will wear clothing, hairstyles, jewelry, makeup that won’t shock, surprise, or disgust anyone.
Smart compliments tend to reinforce a target’s self image, making him feel as if you have a greater-than-normal understanding of him.
Consensus / Social Proof
Social proof is a psychological phenomenon that occurs in social situations when people are unable to determine the appropriate mode of behavior.
Dr. Robert Cialdini states in one of his books: “Social proof—people will do things that they see other people are doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were seeing. At one point this experiment is aborted, as so many people were looking up that they stopped traffic.”
“One means we use to determine what is correct is to find out what other people think is correct…We view a behavior as more correct in a given situation to the degree that we see others performing it.”
Social proof is not just influenced by large groups, but also by high-profile individuals. For instance, a single celebrity becoming associated with a product will make others want to be associated with the celebrity’s positive traits, and they will then use the same product.
A social engineer uses this principle to stimulate a person’s compliance with a request by informing him or her that many other individuals, perhaps some who are role models, took the action or behavior you are trying to get this person to do. He uses social proof under 2 conditions: uncertainty (when people are unsure and the situation is ambiguous, they are more likely to observe the behavior of others and accept that as being correct) and similarity (people are more inclined to follow the lead of others who are similar to themselves).
🏞️Altering Reality: Framing
Framing is your own personal experiences and the experiences of others that you allow into your conscious mind to alter the way you make decisions. Basically, anything that can alter people’s perceptions can be called framing.
You can see simple examples of this when inspecting grocery store products. On many of them it’s written that they contain 25% of some good stuff instead of 75% of the bad stuff.
Simply presenting the facts in a different way can make something that would normally be considered bad,seem good. Hence, framing has long been used in politics.
Our minds are designed to not like “clutter” or chaos. When presented with frames that are cluttered (e.g. images with optical illusions), our brains will try to make order out of them. Your mind will insist on finding familiar patterns in things. We do it in clouds, space, and inanimate objects. Humans also tend to see faces in these things. Example – just take a look at texts like this: O lny srmat poelpe can raed tihs. The fact that you easily read it has to do with the brain trying to make order out of chaos, by default.
Many times companies will use subtle measures of framing to plant an idea. They know that logic convinces someone an action is good to take, but emotion is what makes the action happen.
E.g. in logos: in the FedEx logo you can also see an arrow (frame between ‘E’ and ‘x’); in the Amazon logo, the arrow can be seen as a smile, which connects ‘a’ to ‘z’ (the frame is that Amazon has everything, and it makes you happy).
In an expensive clothing store—when you walk in, everything is hung neatly, pressed, and perfect. The items are evenly spaced and in little amount. The perception can be that the clothing is worth the exorbitant price.
Social engineers know that a frame is a conceptual structure that our minds use in thinking. So, their goal is either to create a new frame, align with a person’s frame, or bring the target into their frame. However, people tend to overlook frames or proposed frames if a link does not exist to a core belief or a value of their belief system.
E.g.: Vladimir Putin‘s regime frame about Ukraine. It’s strongly connected to events of WW2 when Russians fought & defeated the Nazis (in their attempt to conquer some of Russia), who were seen as the worst people on the planet (there were reasons for that ofc). Since then, this win is a crucial event for Russia (even transformed in propaganda) and is intensively thought as one of the most important history lessons in Russian schools. Now, because defeating Nazis turned into a national value/core belief there, the frame that Ukraine has to be “eliberated” and “de-nazificated” is used by Putin, and, if you pay close attention, there still are a lot of Russians who believe him.
Because our minds work by picturing things, social engineers use words which are descriptive and robust (“imagine this and that“). They deliver stories that cause the target to picture the frame they want, while involving him emotionally. After planting the idea, they may repeatedly cause the target to think about the frame, as this reinforces it tremendously.
You can learn a lot from looking at how media utilizes this skill. By using omissions, or leaving out details of a story or the whole story itself, the media can lead people to a conclusion that seems like their own, but really is the media’s. This method is effective because it bends the truth but not so much that it becomes false, so it remains believable.
😈Manipulation: Controlling Your Target
The aim of manipulation is to overcome the critical thinking and free will of the target. The social engineer doesn’t want to alert the target he is being manipulated.
Some of the following methods may be very controversial and downright horrible, but they are used each day by scammers, identity thieves, and the like. One of the goals can be to create anxiety, stress, and undue social pressure. When a target feels that way he is more likely to take an action that you want him to take.
Simple but innocent example: diverting the target’s attention to something other than the problem at hand can give you enough time to finish your job (until he realizes what is actually happening). For instance, if you are caught by a security guard, instead of getting nervous, you could simply look at him with confidence and say: “Do you know what I am doing here? Did you hear that some USB keys have been lost with very important data on them? It is imperative we find them before everyone comes in tomorrow. Do you want to check the bathrooms?”
Manipulation is used in 6 ways that hold true whether the topic is brainwashing or something less insidious. You shouldn’t fancy the details, but I know you want them. Here you are.
- Increasing the suggestibility (i.e. the desire to cooperate) of the target. It can involve using NLP skills (discussed previously) or other visual cues. A social engineer can make sure the whole setup is geared towards his target – the phrases used, the word pictures painted, the clothing colors chosen to wear. Knowing his likes, dislikes, kids’ names, favorite teams, and favorite foods, and then using this to create an emotional environment will bring great results. At its most extreme, sleep or food deprivation increases suggestibility the fastest.
Gaining control over the target’s environment. Can involve everything from controlling the type and quantity of information to which a target has access, to much subtler things like gaining access to a target’s social media websites. Being able to use social networks to find out what triggers they have is a powerful skill.
Good social engineers locate the target’s social circles, whether online or in the real world, and spend time planning how to get in and control that environment. How? Well, they again take time to build relationships in there, and gather information before the final blow is administered.
Creating doubt/ forcing the target to reevaluate. This one is very negative because it’s used to make someone doubt what he/she has been told (most probably for years) to be true. It’s basically destabilizing and undermining his/her belief system.
A manipulator makes his victim question the rules they follow, their job, or any other belief, in order to affect her ability to make rational decisions. Cults use this tactic to prey upon those looking for guidance through life. Many times, people who feel lost or confused are convinced that their whole belief system needs to be reevaluated. When the cults have control they can be so credible that the victims can be thoroughly convinced that their family and friends do not know what is best (e.g., in recent years we’ve seen people leaving civilized countries to join ISIS).
Social engineers usually apply this concept by presenting well-thought-out questions that can cause the target to reevaluate his stand on a topic and cause him to falter.
Creating a sense of powerlessness. Very dark, but effective tactic.
To make a target feel a lack of confidence in her convictions, a social engineer presents “facts” he “received” from someone with authority, known by the victim. On the other hand, if his pretext is someone with power, he can act angry by the lack of response or the inability of the target to give quick answers. In this context, the social engineer also threatens his victim, causing her to doubt her position and feel loss of power. If the victim cannot take time to think about how to handle a problem, she must take a decision in a way she knows she shouldn’t.
Creating strong emotional responses in the target. That includes everything from doubt to guilt to humiliation and more. If the feelings are intense enough, they can cause the target to alter their whole belief system.
Social engineers usually create an emotional response based on fear, loss, or punishment. In that context, a target might possibly do anything to “regain favor”.
Heavy intimidation. Of course, fear of physical pain or other dire circumstances can be used to make a target crack under pressure. Social engineers won’t go this route unless they are using corporate espionage as a tactic. They’ll use perceived authority to build strong fear and feelings of potential loss, by suggesting that failure to comply can lead to being laid off or other adverse consequences.
Looking busy, upset, and on a mission can intimidate many. Talking with very authoritative expressions can also intimidate people.
An experienced social engineer does not allow his emotions to get involved, and always assumes that the target will act the way he wants (by answering the way he wants, by granting all his requests). He knows that assuming what he wants will occur is a strong point, because it affects his mental outlook. The belief that you’ll get what you came for will create a new body language and facial expressions that will feed your pretext perfectly.
But, how about using positive manipulation? The difference is that the target doesn’t need therapy when you are done 🙂 . This is useful in educating children, in convincing people to stop smoking or in making someone take up a good habit.
Let’s finish with some critical points about why all this madness usually works.
- people are designed to be trusting, to have levels of compassion, empathy, and a desire to help others
- most of us are not aware or do not realize the scale of the danger. Only when you know how the “criminal” thinks, and only when you are ready to look that evil in the eye and embrace it, can you truly protect yourself.
- you can throw money into intrusion detection systems, firewalls, antivirus programs, and other solutions to maintain perimeter security. With social engineering no software systems exist that you can attach to your employees or yourself to remain secure.
- companies tend to fear change. That’s why many of them fall behind with software updates and even mindset updates.
- when information is perceived as having no or little value, then little effort is placed on protecting it. You must realize the value of the data that you have and be aware of a tactic a social engineer might use to reduce the value of this information in your eyes.
In the end, I’ll leave you with one of the most ‘fun’ Social Engineering presentations out there.
Publications used for this article:
Social Engineering: The Art of Human Hacking – Christopher Hadnagy