This is the ultimate guide to social engineering.
Here you’ll learn:
- How to profile people through communication styles
- Why we suck at detecting lies and deception?
- The golden rules of building rapport
- Elicitation Techniques
- Principles of Influence
- The best tools to collect information
And much more…
So, let’s get into it.
Truth Default Theory
When we communicate with other people, we tend to presuppose they are honest.
In social situations we don’t think like scientists… slowly gathering evidence, analyzing it, before reaching a conclusion.
We do the opposite. We start by believing.
You can have doubts about someone and still believe him.
But we stop believing only when our doubts rise to the point where we can no longer explain them away.
The upside is that even when we’ll fall prey to deception… what we gain in terms of efficient communication is far more valuable than the cost of being deceived occasionally.
How good are people at distinguishing truths from lies?
Slightly better than chance.
We think that the better we know someone, the more we can understand when they’re lying.
And we also think that they wouldn’t lie to us.
Being close to someone will make us truth biased.
What about their nonverbal behavior?
People look at a group of behaviors when they’re trying to distinguish truths from lies.
If you seem anxious and uncertain, then you’re more likely to be doubted, even if you are telling the truth.
If you appear friendly, confident, and engaged, you’re more likely to be believed, even if you are lying.
Another interesting argument is that there is a disconnection between beliefs of what liars do and what people actually do to catch liars.
In a study, when they asked people, “How can you tell when people are lying?” They emphasize nonverbal behavior.
When asked, “Think of a time when you found out you were lied to. How did you discover the lie?”
Their answer shifted to verbal signals like confessions and content inconsistency with knowledge.
Timothy Levine, the co-other of Truth Default Theory, in the book, Duped wrote:
People are more likely to attribute deceit to speakers who avoid eye contact, shift posture more often, take longer to respond, talk faster, make more speech errors, have more pauses and hesitations, have less plausible content, contradict themselves, are less conversationally involved, convey uncertainty in their voices, are less friendly and cooperative, and act nervous.
Keep these in mind when pretexting.
Powerful techniques to build rapport
1. The friendship formula
Proximity – People who share physical space are more likely to become attracted to each other, even if no words are exchanged.
Frequency & Duration – The more time you spend with that person, the more you can influence him/her.
Intensity is how strongly you can satisfy someone else’s psychological and/or physical needs through verbal and nonverbal behaviors.
Proximity + Frequency + Duration + Intensity = Friendship
2. Artificial time constraints
Have you ever been sitting in a bar, or a library when a stranger tried to start a conversation with you? Did you feel awkward?
This discomfort comes from you not knowing when or if the conversation will end.
The first step in developing rapport is letting the other person know there is an end in sight and is close.
You can do that by mentioning time or having the body language that shows you are leaving.
e.g. “Hi, I was about to leave in a second, and I am very sorry to bother you, but I was hoping you could help me…”
3. Accommodating non-verbal’s
Give a genuine smile; slightly tilt your head and lower the chin a little.
Also, if you stand toe-to-toe with a stranger, it might intimidate them. Instead, keep your body and legs slightly in angle.
4. Speak at a slower rate
Speak slowly so people can understand what you are saying and appear more credible.
And try not to use word fillers such as “um”, “uh”, “like” …
5. Sympathy or assistance
Making a simple request, it’s a great way to develop a quick rapport.
If you’re talking to a stranger, the requests need to be very “light”.
In general, you can ask for advice on a particular topic.
6. Ego suspension
It is the most effective technique to build rapport. But it’s also very hard to make it work.
Let’s define ego suspension…
Is letting go of your ego- the need to be first, to be correct, or to be perceived as smart.
Ego suspension requires you to consider someone else’s thoughts, statements, and opinions whether you agree with them.
A great way to suspend your ego and keep your emotions under control is by reminding yourself the ultimate goal.
Let’s say that your target says something that hurts your ego.
You can fall to the trap and respond negatively to him – an action that might break rapport.
Or, you can remind yourself that your goal is to build rapport and elicit information so it doesn’t really matter what he says about you or something you care about.
7. Be nonjudgmental
The problem with judging people is that we make assumptions about why they behave in a certain way.
And almost always our assumptions are wrong.
What’s even worst… we just stop from trying to figure out the real reason behind their actions.
Consequently, we will probably make them feel hurt and damage the relationship with that person.
We need to resist the urge to correct if we think they’re wrong and the need to be perceived as smart.
We need to show respect and a complete understanding of their ideas and choices in life.
8. Quid pro quo
Giving a little information to make the person feel comfortable sharing their info.
You give a little information about yourself to further the conversation.
There are two types of situations where you might use it:
- The other person is very introverted.
- They suddenly realize how much they have been speaking and feel awkward.
9. Be aware of unconscious communication
Albert Mehrabian, a researcher in the 1950s, found that the total impact of what we say is:
- 7% verbal (words only)
- 38% vocal (tone of voice)
- 55% nonverbal
This doesn’t mean that words don’t matter, but that we are also communicating with tonality and body language.
– We can give different meanings to the same word by just using our tone of voice.
– You can guess how someone is feeling by looking at their body language.
So, you need to use the elements in a congruent way.
If you say something but your tonality and body language give a different message, then people will get a gut feeling to not trust you.
Align the 3 elements and you will influence people in an emotional and logical level.
Elicitation: How to Get Information from Anyone
Elicitation is constructing the conversation in such a way that makes him give information without you asking for it.
Many governments warn their employees about elicitation because it is commonly used by spies all over the world.
FBI defines elicitation as “A technique used to discreetly gather information”.
Why does it work?
– If we know something that doesn’t directly affect us, we are more willing to talk about it.
Jack Schaffer, ex-FBI agent and author of Truth Detector gives an example about an exercise with his students.
He asked his student to go into a jewelry store, have a conversation with the clerk, and get the needed information as if he wanted to rob the place.
By having a simple conversation with the clerk, he could learn that:
- cameras in the store don’t work
- Mall security officers are incapable of doing their job properly
- The clerk won’t be a problem for the shoplifter because he was instructed to not engage with them.
- The store won’t bother shoplifting unless the loss is greater than $1200
- There are $2200 in the store right now and the safe is broken
Based on the information the clerk gave him, he could steal an item that costs $1200 or less and walk away without fear of getting caught or even reported.
The clerk wasn’t aware of the sensitive information he was giving, and since it didn’t affect him directly; he didn’t care.
Of course, not everyone will reveal so much information.
But your job is to collect pieces of seemingly unimportant information that will help you complete the big picture.
– Most people feel insecure. We might feel inferior to people who we think are better than us.
So, this insecurity drives us to show others we’re just as smart or smarter than them.
That’s why we correct others when they give incorrect information.
In other words, we feel good when we correct others and we keep doing it.
You can exploit this tendency simply by presenting incorrect information.
4 Tips to master the art of communication
#1 Be confident. Nothing kills the conversation more than being uncomfortable.
#2 Educate yourself. You need to have knowledge of the subject you’re talking about.
But mostly, you’ll ask well-thought questions to encourage him to talk more about his area of expertise.
Make the conversation about them.
#3 Common conversation openers are the weather; asking for advice on technology; general questions about kids; their pets; sports (if you notice signs he is a fan).
In addition, remember an important rule:
When someone does a small favor to you, it makes them more willing to do you another favor.
Example: Thank them for taking the time to meet you, for being early, or for arriving on such brief notice.
#4 Don’t be greedy. Your goal is to get information. Yet, that shouldn’t be your sole focus because the target will lose interest.
Make the conversation a give and take, unless you are with a person who wants to dominate the conversation.
Here, let him dominate.
But if you got the answer, don’t go deeper and deeper into the conversation, because it can raise a red flag.
Appealing to their ego
This technique is simple but effective because most people take pride in what they do.
They often link their identity with their work. That’s why they’ll talk freely about their professional accomplishments.
You: “You must have an important job, X seems to think highly of you”.
Target: “That is so nice of you to say, but my job isn’t that important. All I do here is…”
Or, I bet you were the key person in designing this product.
Appealing to their ego is simple and effective, but don’t overdo it or when you’re not sincere because it can turn people off.
You make a statement that might be right or wrong and wait for them to respond.
If your statement is correct, he will agree and provide additional information.
If your statement is wrong, he will probably provide the correct answer and give a detailed explanation.
You criticize their company in the hopes he will give information during the defense.
e.g. “How did your company get the contract? Everyone knows BCorp has better engineers for that work”.
You discuss a topic that is related to the main topic.
For example, you discuss the catering at a work party when in fact you want to know the type of access outside vendors have to the facility.
You ask open-ended questions to get small bits of information that will complete the bigger picture.
It can also create the illusion of authority. In conversations, we perceive the one asking questions to have more power.
The SE might offer alcohol to their targets because drunk people talk more than they have to.
People tend to recall the first and last thing in a conversation.
So, where should you put the elicitation?
Exactly. In the middle.
After you have established rapport… start with small talk… deviate the focus of the conversation to the elicitation topic… then go back to the first topic.
Dr. Robert Cialdini in his best-selling book, Influence reveals the six aspects of influence:
Reciprocity – Is when you create a feeling of indebtedness by being the first to give something away.
Reciprocity is the expectation that when someone treats you well, you respond in the same way.
It’s often used by companies offering a free sample. And people are more prone to buy their product.
But the level of your request you make is determined by the perceived value of the gift to the receiver.
Scarcity – When people think a product or information is hard to get, it becomes scarce and therefore more valuable.
Authority – It’s our inner desire to obey and follow instructions.
Consistency – If you can make the target follow simple instructions, they will be consistent.
Liking – We like people who like us back. If a target feels liked, in return, he will give us the information we need.
Social proof – If everyone else is doing it, then it must be good.
Attackers who have advanced skills in social engineering use pretexting to persuade their targets to do certain actions to gain access to an organization and exploit its structural flaws.
The attacker creates a credible story, leaving little or no room for doubt for his target.
A social engineer can also impersonate people in jobs they never have done themselves.
It’s like you are an actor and today, for example, your job is to act like a firefighter or a pest control serviceman.
Building the persona
You should use pieces of your real life and the knowledge you already have.
Don’t think of too many details. You don’t have to build an entire life for your pretext.
Keep in mind the big 4 questions:
– Who are you?
– What do you want?
– Are you a threat?
– How long will this take?
Roles for Social engineers
There are plenty of roles to choose from, but these are the most common ones.
There are two reasons to consider this role.
First, it gives you a good excuse for doing technical things such as inspecting PCs or carrying surveys that require you to record logins and passwords.
Second, as a new employee, most people won’t recognize you. They might also offer to help you.
This is like your “real life” role so it will be easier for you to carry off.
You can ask many questions about the security of that company. And the main advantage is that people won’t suspect a security consultant to be an attacker.
We all heard the phrase “Customer is king”. And the companies will do anything to satisfy a customer.
You can gather information about existing customers, and you can adopt that role to help the attack.
Your goal is to find as much information about your target as you can. Even the slightest detail can lead to a successful social engineering breach.
Corporate or personal websites can provide lots of information. You can understand:
What they do
What they sell
Biographies of the founders or board of directors
Special words or phrases that can help in password profiling
Other useful websites
Social Media sites (Facebook, LinkedIn, Twitter) contain a wealth of information about millions of people.
Another good tool is Analyzewords.
It can analyze a person’s Twitter account based on the language used.
You shouldn’t expect to know the real personality of that individual. The reason is that most people communicate differently online than in person.
But, many attacks occur based on the “online” personality.
All My Tweets – It provides a clean display of all the tweets in a post.
DomainIQ –It gives hosting information about any site.
You can use TinEye to do an image search.
Remove bg – It helps in removing undesired effects from an image. This can lead to better results when doing an image search in attempts to identify a person or an object.
It’s one of the most sophisticated algorithms on the planet. And there are many Google search tricks that will help you collect more information about the target.
Here’s a list with google operators:
intext: Returns a chosen word or phrase.
Site: Locates files from a particular site.
inurl: This operator restricts the search results to pages that contain a specific word in the link.
For example, inurl:Citrix/MetaframeXP will show you different organizations that are using Citrix Metaframe set up for their remote access.
If our target is a website with “.org” “.edu” we use:
site: edu|org + inurl:”faculty_login.asp | .php”
filetype: Followed by a file extension (PDF, DOC, XLS) returns specific files.
e.g. confidential business plan filetype:pdf
cache: Find a copy of the page that Google indexed even if the pages are no longer available. You can also use archive.org, also known as the way back machine.
info: It will present information that Google has about a webpage
intitle: operator looks for documents where the specified word is in the page title.
e.g. If you want to find an MS Word document with the marketing plan phrase, you can use the query
intitle:”marketing plan” filetype:doc.
You can enter a full street address, city, zip code, or a state and it automatically gives you street maps.
You can do this in different methods. One is just to try to stake out the area, try to sneak in and dig through the trash.
In the USA it’s legal while in most of the Europian countries, it’s illegal.
So make sure to understand the laws as it relates to your social engineering engagement.
The other is through impersonation method, where the SE dresses as if they work for the waste removal company.
And this gives you the pretext to get into the dumpster in a secured area.
It is considered as the most common SE technique which attackers use today.
Phishing scams goals are getting personal information, including names, social security numbers, and addresses of targets.
They might send an e-mail which appears to be from someone you know or a company.
They incorporate fear, or a sense of urgency to manipulate targets to act fast.
In addition, they use links or link shorteners to redirect targets to malicious websites through URLs that may appear legit.
A scammer might also clone a website to look more legitimate. And they might trick you into entering login credentials.
Why phishing works?
Good phishers have a good understanding of decision-making processes.
Greed: This is the first and also the most base. Most people don’t think straight when “offered” large sums of money.
It’s like believing you have a real shot winning the lottery.
Lack of education: There are lots of people who do not understand that a bad person might try to steal their identity or money through e-mail.
Gullibility: Many people fully trust others, especially strangers. And this can put them in an unsafe position.
The Amazon scam is very common. It doesn’t use your name and by looking at the URL you can see it’s not legitimate.
The PayPal phishing
Prevent Social engineering
– Suspect everything that seems to be out of the ordinary. Especially calls from people who tell you there is a serious security problem in the company and you need to give them log-in credentials.
– Think before you click.
As I explained above, email phishing is very common. So make sure to check the e-mail address of the sender and look at where the link will lead you.
– Become digitally quiet.
– Become unpredictable: Don’t fall into patterns of doing the same things every day.
– Physical security
Make sure that the dumpster is in a gated area.
Set up authorization or identity checking at entries to a building. All entrances, not just the front door.
– Raise awareness. Everyone in the organization should know the techniques of social engineering.
– Delete metadata from your images you posted online.
Many photographs contain metadata such as
- The coordinates of the location where the photo was taken
- The model of the camera
- It also contains the date and time someone took the photo
Follow the experts
If you are seriously considering a career in social engineering, then I recommend following these experts.
They have many years of experience and you can learn a lot from them.
He is a security consultant and the author of 4 books in social engineering.
He is the founder and creator of the Social Engineering Village (SEVillage) at DEF CON and DerbyCon, and the creator of the popular Social Engineering Capture The Flag (SECTF).
Hadnagy has over 16 years of experience in the security fields.
He also interviews different security experts on his Podcast. They release new episodes on the second Monday of each month.
Is an American computer security consultant, author of 4 best-selling books, and a hacker.
He was one of the FBI’s most wanted because he hacked into 40 major corporations just for the challenge.
Now, he is the CEO of Mitnick Security Consulting.
They work with Fortune 500 companies and governments to test their security strengths, weakness, and potential loopholes.
He spent 18 years as a government computer crime investigator. He is the author of many books on OSINT and security.
Michael was also one of the technical advisors for the first season of “Mr. Robot”.
Is a computer security expert, author, and co-author of 13 books.
It is known for his background in google hacking, a process by which they can identify vulnerable servers on the internet through constructed Google searches.
He has 20 years of experience in all aspects of penetration testing. He has been engaged in projects and delivered specialist training on four continents.
Talking to Strangers by Malcolm Gladwell
It’s Not All About Me by Robin Dreeke
What to Read Next?