Social Engineering Principles


Social engineering principles are the common methods that social engineers use to increase the effectiveness of their attacks.

The Security+ exam specifically asks about these so it’s important to understand them.

Social Engineering Principles Question

For example, can you answer this question?

Homer received an email advertising the newest version of a popular smartphone, which is not available elsewhere. It includes a malicious link. Which of the following principles is the email author using?

A. Authority

B. Intimidation

C. Scarcity

D. Trust

Answer below.



It’s important for any user to understand social engineering and its tactics. Additionally, by understanding the underlying principles, it becomes easier to avoid being tricked by them. The following sections introduce these principles.

  • Authority
  • Intimidation
  • Consensus / Social Proof
  • Scarcity
  • Urgency
  • Familiarity/Liking
  • Trust

Authority is One of the Social Engineering Principles

Many people have grown up to respect authority and are more likely to comply when a person of authority says to do so.

As an example, volunteers participating in the Milgram experiment continued to send shocks to unseen subjects even though they could hear them scream in pain, simply because a man in a lab coat told them to continue. They weren’t actually sending shocks and the screams were fake, but everything seemed real to the volunteers. Psychologists have repeated these experiments and have seen similar results.

Using authority is most effective with impersonation, whaling, and vishing attacks:

  • Some social engineers impersonate others to get people to do something. For example, many have called users on the phone claiming they work for Microsoft. The Police Virus attempts to impersonate a law enforcement agency. Some social engineers attempt to impersonate a person of authority, such as an executive within a company, or a technician.
  • Executives respect authorities such as legal entities. In a well-known whaling attack, many executives were tricked into opening infected PDF files that looked like official subpoenas.


Intimidation is One of the Social Engineering Principles

In some cases, the attacker attempts to intimidate the victim into taking action. Intimidation might be through bullying tactics, and it is often combined with impersonating someone else. Using intimidation is most effective with impersonation and vishing attacks.

For example, a social engineer might call an executive’s receptionist with this request:

“Mr. Simpson is about to give a huge presentation to potential customers, but his files are corrupt. He told me to call you and get you to send the files to me immediately so that I can get him set up for his talk.”

If the receptionist declines, the social engineer can use intimidation tactics by saying something like:

“Look, if you want to be responsible for this million-dollar sale falling through, that’s fine. I’ll tell him you don’t want to help.”

Note that this tactic can use multiple principles at the same time. In this example, the attacker is combining intimidation with urgency. The receptionist doesn’t have much time to respond.

Consensus/Social Proof are Social Engineering Principles

People are often more willing to like something that other people like.

Some attackers take advantage of this by creating web sites with fake testimonials that promote a product. For example, criminals have set up some web sites with dozens of testimonials listing all the benefits of their fake antivirus software (rogueware). If users search the Internet before downloading the rogueware, they will come across these web sites, and might believe that other real people are vouching for the product.

Using consensus/social proof is most effective with Trojans and hoaxes.

Victims are more likely to install a Trojan if everyone seems to indicate it’s safe. Similarly, if a person suspects a virus notice is just a hoax, but everyone seems to be saying it’s real, the victim is more likely to be tricked.

Scarcity is One of the Social Engineering Principles

People are often encouraged to take action when they think there is a limited quantity.

As an example of scarcity, think of Apple iPhones. When Apple first releases a new version, it typically sells out quickly.

A phishing email can take advantage of this and encourage users to click a link for exclusive access to a new product. If the users click, they’ll end up at a malicious web site.

Scarcity is often effective with phishing and Trojan attacks. People make quick decisions without thinking them through.


Social Engineering Principles Answer

Homer received an email advertising the newest version of a popular smartphone, which is not available elsewhere. It includes a malicious link. Which of the following principles is the email author using?

A. Authority

B. Intimidation

C. Scarcity

D. Trust

Answer: C. The attacker is using scarcity to entice the user to click the link. A user might realize that clicking on links from unknown sources is risky, but the temptation of getting the new smartphone might cause the user to ignore the risk.

Continue to part 2 of Social Engineering Principles.



Copyright © 2015 Get Certified Get Ahead. All Rights Reserved.