The Principles Behind Social Engineering: A number of principles, or elements, allow social engineering attacks to be effective. Most of these are based on our nature to be helpful, to trust others in general, and to believe that there is a hierarchy of leadership that should be followed. For the exam, be familiar with the following reasons for its effectiveness:
Authority: If it is possible to convince the person you are attempting to trick that you are in a position of authority, they may be less likely to question your request.
That position of authority could be upper management, tech support, HR, or law enforcement.
Intimidation: Although authority can be a source of intimidation, it is possible for intimidation to occur in its absence as well. This can be done with threats, with shouting, or even with guilt.
Consensus/Social Proof: Putting the person being tricked at ease by putting the focus on them (listening intently to what they are saying, validating their thoughts, charming them) is the key to this element.
The name comes from a desire that we all have to be told that we are right, attractive, intelligent, and so forth, and we tend to be fond of those who confirm this for us.
By being so incredibly nice, the social engineer convinces the other party that there is no way their intentions could possibly be harmful.
NOTE: Discussion at home with a spouse, or casual conversations with associates where we are bragging or trying to impress others, can lead to sharing more information than we should.
Scarcity: Convincing the person who is being tricked that there is a limited supply of something can often be effective if carefully done.
For example, convincing them that there are only one hundred vacation requests that will be honored for the entire year and that they need to go to a fictitious website now and fill out their information (including username and password, of course) if they want to take a vacation anytime during the current year, can dupe some susceptible employees.
NOTE: More than one principle can be used in any given attack; it is not uncommon, for example, to see both scarcity and urgency used together.
Urgency: The secret of successfully using the urgency element is for the social engineer to convince the individual they are attempting to trick that time is of the essence.
If they don’t do something right away, money will be lost, a nonexistent intruder will get away, the company will suffer irreparable harm, or a plethora of other negative possibilities may occur.
Familiarity/Liking: Mental guards are often lowered, many times subconsciously, when we are dealing with other individuals that we like. The "like" part can be gained by someone having, or pretending to have, the same interests as we do, being engaged in the same activities, or otherwise working to gain positive attention.
Trust: One of the easiest ways to gain trust is through reciprocation. When someone does something for you, there is often a feeling that you owe that person something.
For example, to gain your trust someone may help you out of a troublesome situation or buy you lunch.