Social engineering principles are the common methods that social engineers use to increase the effectiveness of their attacks.
The Security+ exam specifically asks about these so it’s important to understand them.
Social Engineering Principles Question
For example, can you answer this question?
Homer received an email advertising the newest version of a popular smartphone, which is not available elsewhere. It includes a malicious link. Which of the following principles is the email author using?
A. Authority
B. Intimidation
C. Scarcity
D. Trust
Answer below.
It’s important for any user to understand social engineering and its tactics. Additionally, by understanding the underlying principles, it becomes easier to avoid being tricked by them. The following sections introduce these principles.
- Authority
- Intimidation
- Consensus / Social Proof
- Scarcity
- Urgency
- Familiarity/Liking
- Trust
Authority is One of the Social Engineering Principles
Many people have grown up to respect authority and are more likely to comply when a person of authority says to do so.
As an example, volunteers participating in the Milgram experiment continued to send shocks to unseen subjects even though they could hear them scream in pain, simply because a man in a lab coat told them to continue. They weren’t actually sending shocks and the screams were fake, but everything seemed real to the volunteers. Psychologists have repeated these experiments and have seen similar results.
Using authority is most effective with impersonation, whaling, and vishing attacks:
- Some social engineers impersonate others to get people to do something. For example, many have called users on the phone claiming they work for Microsoft. The Police Virus attempts to impersonate a law enforcement agency. Some social engineers attempt to impersonate a person of authority, such as an executive within a company, or a technician.
- Executives respect authorities such as legal entities. In a well-known whaling attack, many executives were tricked into opening infected PDF files that looked like official subpoenas.
Intimidation is One of the Social Engineering Principles
In some cases, the attacker attempts to intimidate the victim into taking action. Intimidation might be through bullying tactics, and it is often combined with impersonating someone else. Using intimidation is most effective with impersonation and vishing attacks.
For example, a social engineer might call an executive’s receptionist with this request:
“Mr. Simpson is about to give a huge presentation to potential customers, but his files are corrupt. He told me to call you and get you to send the files to me immediately so that I can get him set up for his talk.”
If the receptionist declines, the social engineer can use intimidation tactics by saying something like:
“Look, if you want to be responsible for this million-dollar sale falling through, that’s fine. I’ll tell him you don’t want to help.”
Note that this tactic can use multiple principles at the same time. In this example, the attacker is combining intimidation with urgency. The receptionist doesn’t have much time to respond.
Consensus/Social Proof are Social Engineering Principles
People are often more willing to like something that other people like.
Some attackers take advantage of this by creating web sites with fake testimonials that promote a product. For example, criminals have set up some web sites with dozens of testimonials listing all the benefits of their fake antivirus software (rogueware). If users search the Internet before downloading the rogueware, they will come across these web sites, and might believe that other real people are vouching for the product.
Using consensus/social proof is most effective with Trojans and hoaxes.
Victims are more likely to install a Trojan if everyone seems to indicate it’s safe. Similarly, if a person suspects a virus notice is just a hoax, but everyone seems to be saying it’s real, the victim is more likely to be tricked.
Scarcity is One of the Social Engineering Principles
People are often encouraged to take action when they think there is a limited quantity.
As an example of scarcity, think of Apple iPhones. When Apple first releases the new version, they typically sell out quickly.
A phishing email can take advantage of this and encourage users to click a link for exclusive access to a new product. If the users click, they’ll end up at a malicious web site.
Scarcity is often effective with phishing and Trojan attacks. People make quick decisions without thinking them through.
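The principles above are easier to recognize when you see how their language shows up in a message. The following is an added example, not code from the article or its author: a small Python heuristic that counts phrase patterns for each principle (authority, intimidation, consensus, scarcity, urgency, familiarity, trust) in a piece of text and ranks the principles it detects. The pattern lists, the threshold, and the sample messages (modeled on the smartphone email, the receptionist call, the Microsoft support call, and the rogueware testimonials described above) are all constructed for illustration; they are a teaching aid for spotting social engineering cues, not a vetted phishing classifier.

```python
import re
from collections import Counter

# Constructed phrase patterns for each principle named in the article.
# These are illustrative heuristics, not a production detection ruleset.
PRINCIPLE_PATTERNS = {
    "authority": [
        r"\b(ceo|executive|director|legal department|law enforcement|police|subpoena|court)\b",
        r"\b(microsoft|it department|help ?desk)\b",
        r"\bon behalf of\b",
    ],
    "intimidation": [
        r"\byou will be (responsible|held liable)\b",
        r"\b(legal action|suspended|terminated|arrested|fined)\b",
        r"\bif you (don't|do not|refuse)\b",
    ],
    "consensus": [
        r"\b(everyone|thousands of users|all of your colleagues)\b",
        r"\b(testimonials?|5-star|rated|recommended by)\b",
    ],
    "scarcity": [
        r"\b(not available (anywhere )?else|exclusive|limited (quantity|supply|stock|edition)|only \d+ left)\b",
        r"\bwhile supplies last\b",
    ],
    "urgency": [
        r"\b(immediately|right away|(with)?in \d+ (minutes|hours)|expires? (today|soon)|act now|asap)\b",
        r"\bdeadline\b",
    ],
    "familiarity": [
        r"\b(we met at|your friend|as we discussed|remember me)\b",
    ],
    "trust": [
        r"\b(verified|secure|official|trusted partner|your bank)\b",
    ],
}


def score_principles(text: str) -> dict[str, int]:
    """Count pattern hits per principle for one message (case-insensitive).

    Every principle is present in the result, with 0 when nothing matched,
    so callers can rely on a fixed set of keys.
    """
    counts: Counter = Counter()
    for principle, patterns in PRINCIPLE_PATTERNS.items():
        for pattern in patterns:
            # findall returns tuples when the pattern has groups; len() still
            # gives the number of non-overlapping matches.
            counts[principle] += len(re.findall(pattern, text, flags=re.IGNORECASE))
    return dict(counts)


def dominant_principles(text: str, threshold: int = 1) -> list[str]:
    """Principles whose hit count meets the threshold, highest count first.

    Ties are broken alphabetically so the output is deterministic.
    """
    scores = score_principles(text)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [principle for principle, hits in ranked if hits >= threshold]


def is_suspicious(text: str, min_hits: int = 2) -> bool:
    """Flag a message when the total number of principle cues reaches min_hits."""
    return sum(score_principles(text).values()) >= min_hits


# Constructed sample messages, modeled on the scenarios in the article.
HOMER_EMAIL = (
    "Get the newest SmartPhone X today! This exclusive offer is not available "
    "anywhere else. Click here: http://example.invalid/offer"
)
RECEPTIONIST_CALL = (
    "Mr. Simpson's presentation starts in 20 minutes and his files are corrupt. "
    "Send them to me immediately. If you don't, you will be responsible for this "
    "million-dollar sale falling through."
)
MICROSOFT_CALL = (
    "This is the Microsoft help desk. We detected a virus on your computer and "
    "need you to install our official remote support tool."
)
ROGUEWARE_PAGE = (
    "Thousands of users trust SuperAV. Read the testimonials: everyone says it "
    "is the best antivirus ever."
)

if __name__ == "__main__":
    for label, message in [
        ("Homer's email", HOMER_EMAIL),
        ("Receptionist call", RECEPTIONIST_CALL),
        ("Microsoft call", MICROSOFT_CALL),
        ("Rogueware page", ROGUEWARE_PAGE),
    ]:
        print(f"{label}: {dominant_principles(message)} suspicious={is_suspicious(message)}")
```

Running the script prints the ranked principles for each sample; the receptionist call comes out as intimidation plus urgency, matching the article's point that one pretext can combine several principles. A keyword scorer like this is only a training aid: attackers can avoid trigger phrases, so it complements, rather than replaces, user awareness and technical controls such as link rewriting and sender authentication.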
Social Engineering Principles Answer
Homer received an email advertising the newest version of a popular smartphone, which is not available elsewhere. It includes a malicious link. Which of the following principles is the email author using?
A. Authority
B. Intimidation
C. Scarcity
D. Trust
Answer: C. The attacker is using scarcity to entice the user to click the link. A user might realize that clicking on links from unknown sources is risky, but the temptation of getting the new smartphone might cause the user to ignore the risk.