As we review social engineering techniques in this section, there are 6 key principles that we need to keep in mind, because they heavily influence the efficacy of social engineering threats. These principles are:
- Reciprocity
- Commitment and Consistency
- Social Proof
- Authority
- Likability
- Scarcity and Urgency
Let’s take a closer look at each of them.
Reciprocity
Whenever you do someone else a favor, the person receiving the favor often feels a need to give something back in return, that is, to reciprocate. This can be used in social engineering attacks to make a victim more likely to cooperate and give the attacker what they want.
Perhaps you know that employees like to hang out at a local bar, so you “happen to run into them” and buy them free drinks. A day or two later, the receptionist recognizes you, remembers that you bought them free drinks, and decides to cut corners and let you in.
Commitment and Consistency
If an attacker is able to get someone to commit, either verbally or in writing, that person is far more likely to honor the commitment, even if circumstances change after the fact.
So an attacker may try to force some kind of commitment early on, even well before the actual attack.
Social Proof
You may have seen videos of crowds in which, once one or two people start doing something, a much larger group joins in. This happens because when people see others doing something, they are more likely to want to do it as well.
This effect drives commercial products, anything that ends up going viral, and, in our case, social engineering attacks.
Authority
Authority is another powerful driver. If someone who is perceived to have a lot of authority asks someone else to do something, even something they would otherwise never do, they are far more likely to comply.
If an attacker wants results, they may try to create a sense of authority in order to influence someone’s actions. For example, they may try to say that they know a higher-up at your organization and that if you don’t let them in, that executive will hear about it and it won’t reflect well on your performance.
Or, you may receive a call or a knock on the door with someone pretending to be a federal officer, asking you to take an action or to let them in.
You’ve probably received letters in the mail before that look very official and that seem to be from a government agency, but in very fine print, they explain that they’re not a government agency and are soliciting your business. This is another example of trying to use authority to influence action.
Likability
The old saying that you can catch more flies with honey than with vinegar holds true here. If you are likable, you are far more likely to persuade people to do things for you.
This may be an approach that an attacker starts with, and if it’s not working, they might move on to one of the other principles.
Scarcity and Urgency
Scarcity is a tactic often used in marketing because it is incredibly powerful at generating results. It plays on people’s fear of losing out on something that appears to be available only in limited quantity.
Even if they don’t really need something, they are more likely to purchase it if there is a perceived scarcity.
Beyond marketing, social engineers can use this same pressure to influence a target’s actions.
So keep these principles in mind as we go through this section on social engineering techniques used by adversaries, and of course, as you take the exam!