You’re influenced by social engineering tactics every day, often without realizing it.
From an information security perspective, Wikipedia defines social engineering as the psychological manipulation of people into performing actions or divulging confidential information. That’s accurate, but it’s only part of the story. Social engineering isn’t limited to cybersecurity; it’s something we all encounter daily.
Most of the time, it’s not even malicious. At its core, social engineering is about building and using influence to persuade others to act in a way that benefits you. In other words, it’s about guiding decisions.
In this new series on the psychology behind phishing attacks, we’ll explore why social engineering works, how it’s used (and misused), and how to spot it. In this first article, we’re diving into how decisions are made and the common ways people are influenced — starting with the basics so you can recognize these tactics when they appear in increasingly clever attacks.
Decisions, Decisions
When you break it down, we make a phenomenal number of decisions each day and we think about surprisingly few of them, let alone analyze them. In the 1980s, a behavioral psychologist by the name of Robert Cialdini proposed a concept called the Theory of Influence in his book Influence: The Psychology of Persuasion. His theory says that influence over others is created in seven major ways.
These principles of persuasion illustrate how we take shortcuts in our decision-making. There's a cool video that illustrates these principles in more depth[2]. Making decisions is hard, and we don't have the time, energy, or patience to fully examine each decision before we act on it. So we take shortcuts, particularly when it comes to relating to others. Social engineering takes advantage of those shortcuts. Let's go over each one briefly.
Reciprocity
People don't like to feel indebted to others. When we're the recipient of a favor, we tend to try to repay it. The candy with your check at a restaurant has been shown to increase tips. Companies offer up free content on their blogs in hopes of catching your interest and, hopefully, your business one day. My favorite example is one Cialdini calls out in his book, Influence: The Psychology of Persuasion.
In 1985, Mexico City was hit by a massive earthquake, causing billions of dollars in damage and over 5,000 deaths. Foreign aid poured in from across the world to help Mexico, but one country stands out for a particularly unexpected donation. In 1985, Ethiopia was not in a position to be helping anyone. They were suffering from famine and drought. The total aid sent to Ethiopia in 1985 was around $1 billion. Yet the Ethiopian Red Cross donated $5,000 in aid to Mexico because, 50 years prior, Mexico had come to Ethiopia's aid when Italy invaded. Mind. Blown.
Scarcity
People are more likely to want things that they believe are in limited supply, are exclusive, or that are not always available. This is the entire premise behind the McRib, the special limited time discounts on products you didn't know you wanted, or the clearance sale that car dealerships seem to always have because they're overstocked (apparently inventory management of automobiles is really tricky).
Authority
People don't like being uncertain. We naturally look for and follow authority figures. The problem is that we have a broad definition of what constitutes an authority figure. Uniforms are one example: if we see someone in a white coat at a hospital, we tend to give their medical opinion more weight.
Liking
We listen to people who we like. This principle is why you used to see the attractive young woman sitting on top of a sports car in ads, why compliments can improve the odds of getting a favor, and why certain fast-food chains have mouthy X feeds.
Commitment
People naturally strive for consistency in their behavior, which makes small commitments powerful.
Psychologist Robert Cialdini shares a compelling example: researchers called a random group of people and asked if they’d be willing to donate three hours to volunteer for the American Cancer Society. Most said yes—after all, few want to seem unwilling to help a good cause.
Later, when those same people were contacted again with an actual request to volunteer, the organization saw a 700% increase in participation compared to their usual outreach.
That initial “yes” created a sense of commitment, making it much more likely they’d follow through when asked again.
Consensus
People tend to do what they believe everyone around them is doing, particularly when they are unsure of what to do in the first place. If you walk into a crowded room and everyone is staring at the ceiling, what's the first thing you're going to do?
Unity
We gravitate toward people who we identify as being similar to us. This is where nationalism, the family bond, and the Women's March all originate from. It's also why we like it when we share an interest with somebody; it's something we have in common.
In practice, these principles are often used in combination, which is something we'll see as we apply them to real world examples of social engineering tactics.
Our Greatest Strengths, Our Greatest Weaknesses
In his paper Psychological Based Social Engineering, Charles Lively outlines a framework of attack vectors that social engineering commonly leverages: Careless, Comfort Zone, Helpful, and Fear. What Lively is hinting at, and where we're going to spend our next four articles, is that there are fundamental facets of human behavior which attackers exploit using the influence techniques we've already covered. They are more than just attack vectors or bad behavior; they are part of who we are as people, and each has played a role in shaping today's society. I've adapted Lively's grouping into what I call the Four Natures.
- Simple Nature: Humans tend to filter out information they perceive as unimportant.
- Assistive Nature: Humans tend to want to be helpful.
- Familiar Nature: Humans prefer familiar circumstances and let their guard down in them.
- Emotional Nature: Humans tend to allow emotions to influence or overpower decision making.