Last Updated on March, 2023 by Edison
If you’re an aspiring social engineer (SE), ethical hacker, business owner, or simply someone fascinated by the topic (like me), this article is for you.
It explains how social engineers and con men use psychology to steal money or damage a business.
Reticular Activating System
The reticular activating system (RAS) is a network in the brainstem involved in arousal, focused attention, and motivation. Keep in mind that the brain loves to save energy.
Once you have done a task many times, such as driving a car, pumping gas, or typing, you learn to do it without conscious effort. The brain relies on imprinted memories to complete these tasks without processing every detail.
So every day we run on autopilot, and we often miss important details about what is happening around us.
In one well-known study, pedestrians failed to notice dollar bills hanging from a tree branch directly over the path they were walking along.
What does it mean for social engineers?
Most employees you meet on a social engineering engagement are on autopilot. They are just doing their job.
If you do something that breaks their autopilot, the RAS kicks in and they start paying attention. They become curious and ask questions.
So how do you blend into their reality without tripping that switch?
When you’re creating a pretext, it’s not just playing a role. You need to become that person. Every detail of your character and environment matters:
- the clothing
- body language
- the way your character walks and talks
- Does it make sense to carry a magazine, a newspaper, or a briefcase?
Avoid a necklace, a cross, rings, or visible tattoos; anything that draws attention breaks the autopilot you want to preserve.
Next, when you are building rapport with a target, draw on details from your own life. Real memories carry real emotion, which makes you seem genuine.
For example, if the target has a daughter, don’t claim you also have a daughter if you don’t. If you have a niece, use that instead.
Elicitation
The FBI defines elicitation as “a technique used to discreetly gather information”. You steer the conversation so that the target volunteers information without ever being asked for it.
Many governments warn their employees about elicitation because intelligence services worldwide use it routinely.
Why does it work?
If we know something that doesn’t directly affect us, we are more willing to talk about it.
Jack Schafer, a former FBI agent and author of The Truth Detector, describes an exercise he gave his students.
He asked a student to go into a jewelry store, chat with the clerk, and gather the information he would need if he wanted to rob the place.
By having a simple conversation with the clerk, he could learn that:
- The cameras in the store don’t work.
- Mall security officers are incapable of doing their job properly.
- The clerk won’t be a problem for the shoplifter because he was instructed not to engage with them.
- The store won’t pursue a shoplifter unless the loss exceeds $1,200.
- There was $2,200 in the store at that moment, and the safe was broken.
Based on the clerk’s answers, he could walk out with an item worth $1,200 or less with little fear of being caught or even reported.
The clerk had no idea he was giving away sensitive information. And since none of it affected him directly, he didn’t care.
Of course, not everyone will reveal this much. Your job is to collect pieces of seemingly unimportant information until the big picture is complete.
Another reason elicitation works is that most people feel insecure. We may feel inferior to people we think are better than us.
That insecurity drives us to show others we are just as smart, or smarter. It’s why we correct people who state something incorrect.
In other words, correcting others feels good, so we keep doing it. You can exploit this tendency simply by stating something you know to be wrong.
Some ground rules before the specific techniques:
#1 Be confident. Nothing kills a conversation faster than visible discomfort.
#2 Educate yourself. Know the subject you are talking about. Mostly, though, you will ask well-thought-out questions that encourage the target to talk about their area of expertise. Make the conversation about them.
#3 Common openers are the weather, asking for advice on technology, general questions about kids or pets, and sports (if you notice signs they are a fan).
#4 When someone does you a small favor, they become more willing to do you another.
You can thank them for taking the time to meet you, for being early, or for coming on such short notice.
#5 Don’t be greedy. Your goal is to get information, but it shouldn’t be your only focus, or the target will lose interest.
Make the conversation a give-and-take, unless you are with someone who wants to dominate it. In that case, let them.
Once you have the answer, don’t keep digging; going deeper and deeper into one topic raises a red flag.
Appealing to their ego – Simple but effective, because many people take pride in their work.
They often tie their identity to their job, so they talk freely about their professional accomplishments.
You: “You must have an important job, X seems to think highly of you.”
Target: “That is so nice of you to say, but my job isn’t that important. All I do here is…”
Or: “I bet you were the key person in designing this product.”
Appealing to the ego works, but don’t overdo it, and don’t use it when you can’t sound sincere; flattery that rings false turns people off.
Presumptive Statements – You make a statement that may be right or wrong and wait for the response.
If your statement is correct, they will agree and usually add details.
If it is wrong, they will probably correct you and explain at length.
Criticize – You criticize their company, hoping they will leak information while defending it.
e.g. “How did your company get the contract? Everyone knows E Corp has better engineers for that work”.
Oblique Reference – You discuss a topic related to the main issue.
For example, you discuss the catering at a work party when what you really want to know is the kind of access outside vendors have to the facility.
Questions – You ask open-ended questions to get small pieces of information that complete the bigger picture.
Questions also create an illusion of authority: in a conversation, we perceive the person asking the questions as the one with more power.
Alcohol – An SE may buy the target drinks, because alcohol loosens tongues. Most authorized engagements rule this out; check your rules of engagement.
Elicitation Sandwich – People tend to remember the first and last things said in a conversation.
So where should the elicitation go? Exactly: in the middle.
After you have established rapport, start with small talk, steer the conversation to the elicitation topic, then return to the original topic.
Unhappy Employees
Most reports on security breaches point to human error as a leading cause.
Often the breach is unintentional, but sometimes it is not.
An employee might hold a grudge against the company while having no realistic option but to stay. Management might not even know.
An unhappy employee can be a great help to an attacker.
They could plant network backdoors, hand over legitimate access passes, or simply give business data to the attacker.
You can meet employees in smoking areas, local cafes, or even on the public transport they take.
Start a conversation and steer it toward work life in general; complaints tend to surface on their own.
Authority
You have probably heard of the Milgram experiment. A man in a lab coat at Yale University convinced ordinary volunteers to deliver what they believed were painful electric shocks to a stranger.
He had no real power to force anyone to follow his orders, only perceived authority.
Perceived authority is powerful enough to suppress our own judgment and our sense of personal responsibility.
Businesses expect employees to carry out tasks set by management. So if an employee believes the SE is part of management, they will comply with any reasonable request, hand over sensitive information, and raise no alarm.
You can also impersonate a security guard. It takes more than a fake uniform to pull this off, but once the role is accepted you can ask to see an employee’s badge as a routine security check.
Few people will challenge or question a security guard.
Remember that authority should run through every aspect of the impersonation. A good suit or uniform covers the looking part; the sounding part is harder.
One trick for creating the illusion of authority is to ask questions. As noted under elicitation, we perceive the person asking the questions as the one with more power.
Priming
Another technique that helps your pretext is priming: exposure to a word, a feeling, or an image that influences your behavior later on, without your being aware of it.
Researchers at the University of Nijmegen ran a well-known priming experiment:
They split volunteers into two groups, each of which would take a general-knowledge test.
The first group was primed with the stereotype of professors.
The second group was primed with the stereotype of football hooligans.
The first group scored significantly higher than the second.
In other words, merely thinking about a type of person makes you act a little like them, at least for a short time. One caveat: a large multi-lab registered replication published in 2018 failed to reproduce this professor-priming effect, so treat priming as a rehearsal aid for your pretext rather than a guaranteed performance boost.
Now priming is a powerful tool you can use to improve your pretext.
For example, let’s say you have to pretend to be an IT professional.
What is the perception people have about them? Or more accurately, what is the stereotype?
It’s a socially awkward person obsessed with technology who can fix anything computer-related, right?
That isn’t true of everyone, but what matters here is perception.
One way to prime the IT stereotype is to write down everything that comes to mind about how such a person behaves and looks.
The key is that priming works when you expect it to work. You don’t force it; you let the persona flow into your pretext. It helps on an unconscious level.
So when you are out there pretending to be someone else, you instinctively know how to behave, and you don’t spend mental energy worrying about how you look.
Working at the Company
If you can get a job at the target company, everything becomes easier.
Social engineers often apply for a cleaning role, which has two advantages.
First, it requires no specific qualifications.
Second, businesses rarely vet applicants for such roles thoroughly, because the job is seen as low-privilege.
The irony is that cleaners often have more access to the building than regular employees, including after hours.
It takes a great deal of time, but the payoff is high and the risk is low.
Reverse Social Engineering
This is a more complicated technique that needs a lot of planning and careful timing.
The social engineer offers help, and the help itself advances the attack.
The target asks the SE for something, when it is usually the other way around.
For example, the SE impersonates someone from the IT department and asks, “Are you experiencing any computer issues?” Someone almost always has a problem, and the SE can help solve it.
He or she might ask for the user’s credentials to log in remotely, or ask the user to visit a particular website “to test connectivity”; the website is malicious.
A more elaborate variant is Sabotage-and-Assist: the SE causes a problem and then presents himself as the person who can fix it.
Another is Introduce-Sabotage-Assist: you introduce yourself as a new member of IT and leave your phone number, saying they can call any time they have a problem.
You are not asking for anything, so no alarms go off. When the problem appears, the target calls the SE for help.
Targeting an Individual
If you want to target an individual instead of a group, look into the following:
- Recent holidays
- Close friends
- Family members
- The bank they use
- The car they drive
Here are some scenarios that are used as a basis for attacks.
If your target went to a particular school, you can send an email like this:
We’re organizing an XYZ high school reunion party for the class of 1990 and hope you can join us.
We’ve set up an account on http://www.fakeschoolreunion.com where you can RSVP.
Also, we uploaded pictures of everyone back then.
Sorry if you find them embarrassing.
Hope to hear from you soon.
Another email might carry a malicious PDF tailored to where they shop regularly:
XY is offering 50% off all products! Please print off the attached voucher and bring it to the store.
Pick-up lines
As we have seen in many cases, a social engineer can hijack accounts, steal identities, or infiltrate corporate offices. They use pick-up lines, opening messages designed to get the target talking.
Here are the most common ones:
“I’m stuck in X and I lost my wallet. Can you wire me some money?”
The SE has probably taken over a friend’s Facebook account and is messaging you as that friend. The story is usually a lost wallet or a robbery.
Be careful and make sure you are actually talking to your friend or family member. Ask them to send a picture of where they are, or ask a specific question only they would know the answer to.
“Click this link”
As in the examples above, the social engineer pushes the target to click a link. They might pose as a friend, a colleague, or a company you are a customer of.
They include logos and look-alike domains such as facebookk.com or paypall.com.
Simona Halep’s Instagram account was hacked.
The attackers posted several messages, such as:
“Hey, can anybody help me? I’m stuck in Switzerland and my bank account is not working here. I need $500, I am willing to pay $1,500 by the weekend”.
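Look-alike domains such as facebookk.com and paypall.com are the one part of these pick-up lines that a mechanical check can catch. The Python below is an added example, not code from the original article: it flags a link’s domain as a look-alike of a known brand when the label left of the TLD is within a small edit distance of the brand name, when it matches after undoing common character swaps (0 for o, 1 for l), or when the brand name is buried in a subdomain such as paypal.com.secure-login.example. The brand list, the homoglyph table and the sample URLs are constructed for the example. It does not consult a public-suffix list, so it treats the last two labels of a host as the registrable domain.

```python
"""Flag look-alike (typosquatted) domains in links.

Added example; the brand list, homoglyph table and sample URLs below are
constructed for illustration and are not from the original article.
"""
from urllib.parse import urlparse

# Constructed list of legitimate brand domains (assumption for this example).
BRAND_DOMAINS = ("facebook.com", "paypal.com", "google.com")

# Common single-glyph swaps seen in phishing domains. Heuristic, not exhaustive.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased host from a URL or bare host; port and trailing dot dropped."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def normalize_homoglyphs(label: str) -> str:
    """Undo the common character swaps so paypa1 compares as paypal."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify(url: str, brands=BRAND_DOMAINS, max_distance: int = 2):
    """Return (verdict, brand) where verdict is 'legit', 'lookalike' or 'unrelated'.

    Simplification: the last two labels are treated as the registrable domain,
    so multi-part suffixes such as .co.uk are not handled.
    """
    host = hostname(url)
    labels = host.split(".")
    domain = ".".join(labels[-2:])
    if domain in brands:
        return "legit", domain
    name = labels[-2] if len(labels) >= 2 else host   # label left of the TLD
    for brand in brands:
        brand_name = brand.split(".")[0]
        # Brand name smuggled into a subdomain: paypal.com.secure-login.example
        if brand_name in labels[:-2]:
            return "lookalike", brand
        # Homoglyph swap (paypa1), typo (paypall) or wrong TLD (paypal.net)
        if (normalize_homoglyphs(name) == brand_name
                or levenshtein(name, brand_name) <= max_distance):
            return "lookalike", brand
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample links, as might be pulled out of a suspicious message.
    for link in ("https://www.facebook.com/login", "facebookk.com",
                 "http://paypall.com/verify", "paypa1.com",
                 "https://paypal.com.secure-login.example/", "example.com"):
        print(f"{link:45} -> {classify(link)}")
```

The edit-distance threshold of 2 is deliberately loose; for short brand names it will produce false positives, so in practice you would tune it per brand or pair it with a list of domains the organisation actually owns.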
Amygdala Hijacking
The amygdala is a brain area that plays an important role in processing fear and other emotions.
When we feel threatened, the signal reaches the amygdala before the slower reasoning parts of the brain get a say; the amygdala triggers fear and we act.
This quick response to threat has been crucial for our survival. When our ancestors saw a 200-kilogram tiger, they didn’t think “what a magnificent creature”, they ran as fast as they could.
This process is called amygdala hijacking.
Adrenaline and blood pressure rise, we lose the ability to communicate effectively, and autopilot takes over.
The best part: you can use this process to your advantage.
If you can trigger a strong emotional response in the target, such as fear or empathy, you dramatically reduce their ability to think logically.
Here are two examples of amygdala hijacking.
First is by using fear.
A lot of theft happens at gym lockers. A social engineer might break the lock and take the wallet.
The wallet is missing, but the victim might assume it’s in the car.
As they are walking out, you ring their phone and say something like, “This is X Bank. We have reason to believe someone is trying to empty your account. Has your card been stolen recently?”
The victim is now in panic mode and looking for a solution.
Then you say, “We are here to help you. But to access the account I’m going to need to verify your social security number.”
And then: “Okay, we can shut down the card too. What is your PIN?”
It sounds obvious in retrospect, but in panic mode you might not give it a second thought.
The other way to trigger an amygdala hijack is empathy.
If you can find a story that triggers an empathetic response, the target is far more likely to comply with your request.
A perfect example is the widely shared video in which journalist Kevin Roose went to DEF CON and challenged a team of hackers to hack him.
Consider the part where Jessica Clark, a social engineer, calls his phone provider with the goal of getting his email address.
After spoofing his number, she plays a recording of a baby crying in the background. She is apologetic and kind. She explains that they have been trying to get a loan, that she messed up the paperwork, and she makes a reasonable request.
What customer support agent would suspect that she is not really his wife?
In a short time she triggers empathy and a sense of urgency. And most importantly, she leaves no room for doubt that she is his wife.
Another example of using empathy to get the job done is from the book, Unmasking the Social Engineer.
Christopher Hadnagy tells a story from an SE engagement.
The goal was to get malicious software onto the company’s network via a USB key.
They wanted to test the corporate policy forbidding employees from plugging foreign devices into any company machine.
He wore a business suit and carried a folder with a few “resumes.” After parking the car, he spilled coffee all over the folder.
Then he walked into the building looking dejected.
He went to the front desk, and the secretary asked, “Oh, no, honey. What happened?”
Chris quickly scanned the pictures on her desk and saw a small child with a cat.
“I’ve been out of work for a while, and I finally got an interview here today. I was driving here all nervous, and a cat ran out in front of me.
I love cats, and I didn’t want to hit it, so I swerved, and my coffee fell out of its holder onto my seat and drenched my resumes.
Fortunately, I missed the cat, but I killed my resumes.”
“Oh, that’s terrible. What can I do to help?”
“I have my resume on this USB key. Could you print me just one copy, please?”
And that was it. The job was done.
Further Reading
We recommend reading the following:
- Social Engineering Penetration Testing by Gavin Watson, Andrew Mason, and Richard Ackroyd
- The Ellipsis Manual: Analysis and Engineering of Human Behavior by Chase Hughes
- CSO’s Ultimate Guide to Social Engineering