Social engineers are such savvy information swindlers because they understand the psychology of influence.
According to behavioral psychologist Robert Cialdini, there are seven principal ways people influence others. Understanding these principles can help you better educate your employees on the common social engineering tactics bad actors build on them.
Reciprocity
Social engineers understand that it’s human nature to give back when we receive. Most of us feel obligated to repay someone for a favor, gift, invite, or kind gesture, which is why bad actors often bait their target with a little offer.
Let’s say your employees get an email saying they’ll receive a $10 Amazon gift card for anonymously filling out a survey from the IT department asking how well they’re handling digital security. Unfortunately, it actually comes from a spoofed sender masquerading as a trusted source. Yet, because it looks like an email from your own IT team and your employees will receive a reward (you scratch IT’s back by filling this out, IT will scratch yours by giving you a gift card), your employees may be inclined to give pertinent details about your security to a hacker. Employees who fill out the survey may even receive a legitimate gift card, to avoid arousing suspicion: a small price for the cybercriminals to pay for a wealth of information aiding in a mass-scale hack.
Social engineers use reciprocation not as a kind gesture, but as a compliance tactic for getting private data.
Scarcity
We want what we can’t have, especially when we perceive it as rare or hard to come by. That’s why those emails we receive saying, “Order now! Only 10 left” often make us impulse-buy a product we don’t really need.
Social engineers often capitalize on scarcity to influence targets, creating a clear divide between “you can have this now” and “you can never have it again.” This may be a bad actor emailing an employee a special offer for a new tool your team could really use. The cybercriminal found a public forum thread where a staff member asked what the best SEO plugin was, and the clever hacker created a fake pretense that they were a rep with the company, offering a free trial of the plugin (good only until the end of the day) if the employee was interested in downloading the Chrome extension. The fake webpage serves malware bundled with the real extension, so your employee never even realizes that they were infected.
Bad actors use scarcity to create a sense of urgency, so you are less inclined to think before taking an action or sharing information.
Authority
Your employees are taught to respect the leadership team and to understand their place on the corporate ladder. While some work environments blur these lines more than others, the reality is that teams often have a structural hierarchy, wherein authority figures manage lower-tiered staff.
Cybercriminals often pose as managers or members of the C-suite to trick lower-level employees into conceding to a request. The infamous “wire transfer” social engineering exploits are a prime example of authority at play. A social engineer may know a manager is out-of-office and create a spoofed email address to ask a staff member to route money from one location to another, since the boss is very busy or on vacation. Because an authority figure demanded the action, some employees may do it without thinking, fearing reprimand from management for hesitating.
Social engineers imitate a person of importance quite often, using a false sense of authority and urgency to get their way.
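Both the spoofed IT-survey email in the reciprocity section and the wire-transfer pretext above share two mechanical ingredients: a sender who appears to be internal (or at least trusted) but is not, and pressure to act quickly. The heuristic below is an added example, not part of the original article; it scores a message on those two ingredients and flags it for out-of-band verification (a phone call to the real person) when impersonation signals and pressure occur together. The organization domain, the impersonation roster and the sample messages are all constructed for illustration.

```python
"""Heuristic triage of inbound mail for impersonation combined with pressure to act."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed organization settings (hypothetical): the real mail domain and the
# display names an attacker is most likely to borrow.
INTERNAL_DOMAIN = "example.com"
IMPERSONATION_TARGETS = {"dana rivera", "it department", "it support"}

URGENCY_RE = re.compile(
    r"\b(urgent|asap|immediately|right away|before (the )?end of (the )?day|today only)\b", re.I)
PAYMENT_RE = re.compile(
    r"\b(wire|transfer|invoice|gift card|bank details|routing number|password|login)\b", re.I)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_lookalike(domain: str, trusted: str = INTERNAL_DOMAIN, threshold: float = 0.8) -> bool:
    """True for domains close to, but not equal to, the trusted one (examp1e.com, example-it.com)."""
    if not domain or domain == trusted:
        return False
    return SequenceMatcher(None, domain, trusted).ratio() >= threshold


def score_message(headers: dict, body: str) -> list:
    """Collect human-readable reasons a message looks like an impersonation pretext."""
    reasons = []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(from_addr)
    # Trusted name on an address that does not belong to the organization.
    if display_name.strip().lower() in IMPERSONATION_TARGETS and from_domain != INTERNAL_DOMAIN:
        reasons.append("trusted display name with external sender domain")
    if is_lookalike(from_domain):
        reasons.append(f"lookalike sender domain: {from_domain}")
    # Replies silently redirected elsewhere are a classic spoofing tell.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY_RE.search(body):
        reasons.append("urgency language")
    if PAYMENT_RE.search(body):
        reasons.append("payment or credential request")
    return reasons


def needs_verification(reasons: list) -> bool:
    """Flag only when an impersonation signal co-occurs with urgency or a payment/credential ask."""
    impersonation = any(r.startswith(("trusted display", "lookalike", "Reply-To")) for r in reasons)
    pressure = any(r in ("urgency language", "payment or credential request") for r in reasons)
    return impersonation and pressure


# Constructed sample messages (not real mail): a wire-transfer pretext, a fake IT survey, a benign note.
SAMPLES = {
    "wire_request": (
        {"From": "Dana Rivera <dana.rivera@example-it.com>", "Reply-To": "ceo.office@mail-relay.net"},
        "I'm travelling and can't talk. Please wire $48,000 to the attached account today only, it's urgent."),
    "it_survey": (
        {"From": "IT Department <survey@examp1e.com>"},
        "Fill in our 2-minute security survey and get a $10 gift card. We'll need your login to confirm."),
    "benign": (
        {"From": "Dana Rivera <dana.rivera@example.com>"},
        "Reminder: the quarterly all-hands is Thursday at 10am."),
}


def triage(samples=SAMPLES) -> dict:
    """Return {name: (reasons, needs_verification)} for each sample message."""
    result = {}
    for name, (headers, body) in samples.items():
        reasons = score_message(headers, body)
        result[name] = (reasons, needs_verification(reasons))
    return result


if __name__ == "__main__":
    for name, (reasons, flag) in triage().items():
        print(f"{name}: {'VERIFY OUT-OF-BAND' if flag else 'ok'} {reasons}")
```

The point of the combined rule in `needs_verification` is to keep the alert rate usable: urgency alone is common in legitimate mail, and a lookalike domain alone may be a partner's real domain, but the two together are exactly the authority-plus-urgency shape the article describes and are worth a phone call before any money or credentials move.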
Liking
We’re more willing to help someone we find likable than someone who exhibits characteristics or traits we dislike. Face it, we’re attracted to people who are charming. According to Kevin Mitnick in his book The Art of Deception, the main tools a social engineer needs are, “sounding friendly, using some corporate lingo, and… throwing in a little verbal eyelash-batting.”
A prime example of the liking principle in action would be a charismatic voice phisher. The social engineer rings you up, claiming to be an authoritative source (let’s say a vendor) and cracks a few jokes, maybe even compliments you or your company on something. Just from a two-minute chat with this stranger, you like the guy. He’s got spunk. But he’s also got his finger on the trigger, waiting to use his charm to his advantage.
Social engineers are often so successful at their cons because they work very hard to get you to like them, knowing you’ll be more willing to cooperate with their requests if you find them appealing.
Commitment & Consistency
People want to see themselves as consistent with their word. Social engineers often leverage this need for self-preservation by building a slow, steady rapport with a target and requesting small commitments to achieve their strategic goals.
A cybercriminal may email you a friendly correspondence, pretending to be a happy customer who wants to thank you for how incredible your product is. A few weeks go by, and the bad actor commits to their ruse, emailing you again asking if you’d be interested in some lifestyle photos of your product set up in his office to share on social media. You concede and he sends over what he promised to establish trust. You thank him, and he asks you to promise to keep him in mind for influencer marketing help in the future. You loved the content, and you agree without hesitation. So the next time he emails you a few images, you eagerly open the attachment, only to download malware.
Social engineers commit to long-term, slow-nurture engagements for a big payoff in the end. They may also lock you into upholding your word on a small promise, knowing you’ll want to preserve your self-image by keeping it, and that they can use your need for verbal consistency to manipulate you in the future.
Consensus & Social Proof
Cybercriminals know that people rely on the actions and opinions of others to determine their own. That’s because we innately trust that if others are doing or saying one thing, it must be a safe or wise choice. Unfortunately, that’s not always the case, which is why moms ask, “if all your friends jumped off a bridge, would you?”
Social engineers create crafty pretenses using “proof” from what others have done to convince you to do the same. For instance, a cybercriminal might call and ask an employee for sensitive information, like a daily changing code, and when they resist answering, they’ll say something like, “I don’t understand, Linda shared this with me last week.”
Social engineers often couple this strategy with the “authority” tactic when their pretext begins to backfire, threatening to pull a manager into the conversation if the lower-tiered employee keeps resisting the request.
Bad actors know that in moments of uncertainty, we tend to turn to lessons from others for guidance on next steps and will often bring up other employees or fictional sources to validate trust and manipulate you into complying with a sketchy request.
Unity
We all want to feel as if others can relate and empathize with us in times of need. Bad actors will use false pretenses to make themselves as relatable as possible, creating a sense of unity between them and their target to build trust before deceiving.
Social engineers use their OSINT research to gather inside knowledge of your organization, like staff names and clock-in times. A cybercriminal may know from previous rapport with an employee, for instance, that your staff hates having to use their fobs every time they want to enter the building. After tampering with the surveillance camera, the engineer tailgates one of your workers, pretending to be a new employee who forgot their fob. She banters about how annoying it is to always remember your fob, and introduces herself as the new receptionist for a neighboring department. The social engineer mentions the manager by name and has a relatable pretense for rushing to get to work on time, much like your almost-late employee is now. The real employee feels unified in their struggle and lets her through the door with a smile and a laugh, saying “don’t be late!” as he walks the other way, having granted a stranger full access to the building.
Malicious manipulators capitalize on shared struggles or experiences to make a relatable connection with their target for a quick “in.”