Social engineering is the exploitation of psychological heuristics (that is, mental shortcuts innately used by the human brain to process and analyze information more efficiently) in order to obtain access to secure and confidential information. The psychological processes abused by social engineering have been empirically demonstrated time and again over the past century, as they are fundamentally wired into human behavior. Such techniques are often used to gain access to technical systems, but they can just as readily be employed deceptively in personal relationships to acquire critical knowledge held by the victim. In organizational settings, these techniques are particularly dangerous in light of findings that many employees do not consider themselves as playing a role in information security, which leaves them susceptible to outside influence attacks.
Advanced manipulation tactics, such as those used in social engineering, rely heavily on the ability to influence others. Robert Cialdini, author of The Psychology of Persuasion, discusses seven fundamental principles of influence.
The Unity Principle: The more that we identify ourselves in others, the more susceptible we are to being influenced by them. A study from researchers at Yale found that we are more willing to work cooperatively and favor those who share more identity traits with us. Social engineers utilize this principle by first researching their target victim in order to identify interests and hobbies that they can use as “common ground” in order to build rapport and trust.
Authority: The principle of authority, perhaps most famously demonstrated by the experiments of Stanley Milgram in 1963, is the human tendency to follow instructions provided by those in a position of authority. In the experiments, volunteers were told that they were to assist researchers in a learning experiment. The volunteers were instructed by the lead researcher (an authority figure) to quiz another individual (termed “the learner”, who, unbeknownst to the volunteer, was an actor employed by the researchers, known as a confederate) with an assortment of predetermined questions. Whenever the learner answered incorrectly, the volunteer was instructed to administer an increasingly severe electric shock. Over time, as the shocks grew more intense, the volunteers would often express discomfort and wish to discontinue, but prompting from the authority figure resulted in compliance the majority of the time. At times, the learner would scream loudly in pain, yet orders from the lead researcher would convince the volunteers to continue. In the context of social engineering, this principle is typically exploited by falsifying the identity of an authority figure: faking an ID badge or uniform, creating a false email, or simply acting as if one is an important individual.
Principle of Reciprocity: This principle is based on our tendency to do things for those who do things for us. As a social species, humans evolved to favor traits conducive to cooperation and teamwork, therefore favorably selecting for more reciprocal individuals. This principle is illustrated, for instance, by free samples, the “friend and foe” questioning tactic, and international politics. It’s important to note that the initial favor does not need to be asked for in order for the principle to apply, nor does the initial action need to be positive; negative reciprocity occurs when an action negatively affects an individual, and that individual seeks to react in a way that negatively affects the perceived perpetrator to an equal or greater degree. Therefore, while this can obviously be used by social engineers by doing something for the victim (in order to influence them to return the favor by divulging sensitive information), it can also be used by convincing the victim that an ally of theirs has betrayed them.
Principle of Consistency/Commitment: This principle abuses a psychological phenomenon known as cognitive dissonance. Cognitive dissonance occurs when our thoughts and behaviors are inconsistent with each other, presenting an incongruent self-image; this psychological discomfort typically leads to a change in attitudes or behavior. It is used in manipulation by getting the victim to commit to an action, either verbally or in writing. (This is seen in online advertising when a pop-up prompts the user to sign up for a mailing list and presents the options “Yes” and “I’ll sign up later”.) The phenomenon holds true even when the initial motivator is removed. This principle was used against American POWs in the Korean War: by simply nudging the POWs to admit that America was not a perfect country, the Chinese were then able to expand on these statements to obtain lengthy written statements from the Americans detailing the shortcomings of the United States.
Principle of Social Proof: Social proof is a type of conformity; simply put, we are influenced to do and like the things that we see others doing and liking. In Solomon Asch’s 1935 conformity experiment, volunteers were put in a group with 4 confederates and shown pictures of 4 lines of different lengths labeled A, B, C, and D. The experimenter then asked each member of the group which line was closest in length to Line A. The confederates each agreed on an answer that was clearly incorrect. After hearing the others agree on the incorrect answer, the volunteers were far more likely to agree that the incorrect line was closest in length. Social engineers may use this to present an otherwise disagreeable activity as preferable; by “proving” that the activity is accepted by the social group, they make the victim more likely to engage in it themselves.
Principle of Liking: As previously discussed, this principle refers to the phenomenon wherein people are more influenced by the people that they like. This is very commonplace nowadays in “viral marketing” and often explains the pervasiveness of multi-level marketing, which relies on pyramid marketing where people sell an organization's products to friends and family (who can in turn choose to sell them to the people in their lives). Social engineers often present themselves as charming, attractive, and confident in order to make themselves more likable.
Principle of Scarcity: The principle of scarcity dictates that the perception of limited access generates increased desire. This principle can apply to merchandise, membership in a group, or even to an individual. Marketers may use this principle by creating the illusion that they or their product are more in demand than they actually are.
These principles are often combined strategically to obtain access to sensitive information. While social engineers are often thought of as functioning as lone entities, these tactics are also commonly used (intentionally or not) by extremist organizations.
The Principles of Unity and Liking are perhaps best exemplified by Hezbollah in Lebanon. Since the conclusion of the Lebanese Civil War, Hezbollah has been increasingly involved in the political landscape of the country. Were it merely a proxy for Iran, Hezbollah’s efforts could easily be handicapped in the region (as seen with the Iranian proxy group in Yemen, the Houthis). However, Hezbollah has worked hard to establish itself as a legitimate resistance organization that fights for the people of Lebanon. Through its efforts in the 2006 Lebanon War, it obtained support from over 85% of the country, including 80% of Christians, Druze, and Sunnis. By promoting an image of being “for the people”, Hezbollah has established itself as a state group, allowing it more influence over the region.
The Principle of Authority is most easily observable in the indoctrination processes utilized by various extremist organizations. The Taliban in Pakistan are infamous for their use of child soldiers. From a young age, children are taught violent ideologies and undergo significant combat training. This is enabled by the fact that few (if any) relationships exist that have a greater disparity in authority than the relationship between a child and adult. Adults are naturally seen as authority figures by children, regardless of circumstance. Therefore, when an adult encourages the child to practice shooting an automatic weapon, to steal, or to detonate explosives, the request is met with little resistance.
The Principle of Reciprocity is demonstrated in some recent events surrounding Operation Barkhane in the Sahel Region of Northern Africa. Operation Barkhane consists of French counterterrorism forces that combat extremists in Burkina Faso, Chad, Mauritania, Mali, and Niger. As discussed in a recent CTG report, French forces have been the target of a number of fake news articles that paint them as a foreign aggressor attacking civilians and government officials. These stories seek to engender negative reciprocity in the civilian populace: by convincing citizens of the region that the French forces are acting in a way that damages their countries, they make it more likely that individuals or groups will seek equally negative actions against the members of Operation Barkhane.
Terrorist groups often use the Principle of Commitment to keep members invested, especially in the early phases of radicalization. In particular, groups may abuse a tactic referred to as the “foot-in-the-door technique”. This technique involves receiving a small concession from the target, such as getting them to do a small task, or admit that some aspect of a radical ideology is understandable. At this point, another, slightly larger task is asked of the victim. Tasks continue to grow in this way until the target is completing tasks that would have been outright refused if they were asked from the start. A terrorist handbook titled A Course in the Art of Recruitment instructs recruiters to address the suspicions of targets by saying, “Know my beloved brother that one suspicion only is enough to move people off the road, particularly in the beginning.” (Of note, this handbook also heavily endorses the use of giving gifts to the potential recruits, which is another example of the Principle of Reciprocity).
The Principle of Social Proof is a fundamental aspect of online recruitment for many extremist groups. For example, when recruiting new members, the Islamic State will typically invite the recruits to an online group page or group chat. This page usually has a few recruits invited at any given time, but the large majority of the group consists of fake profiles. IS members can then post messages from these profiles that support their cause. In early recruitment, this social proof (seeing others who adamantly endorse the values of the extremist ideology) can be paramount in whether the recruitment process succeeds or fails.
The Principle of Scarcity is exploited far more often by terrorist groups when influencing members to commit attacks. While a successful radicalization will result in compliance with violent action, scarcity can be used to fine-tune the targets or to further persuade a member to undergo a particularly difficult act (such as a suicide bombing). This can be seen in the Mumbai Terror Attacks of 2008; the handlers of the attackers told them that the lives of Jewish people were worth “50 times the lives of non-Jews”, thereby influencing the attackers to attack a Jewish Center. By attaching a value such as this to a particular target, the inherent scarcity of the target makes it far more worthwhile to the attackers.
It is of monumental importance that organizations train their staff in the proper countermeasures against social engineering. Discussed above is the usage of various tactics by extremist organizations, but social engineers do not need such affiliations to pose a threat, and therefore it’s critical that countermeasure training be a part of any security protocol. A number of strategies can be employed to increase security, but all can be summarized by three distinct practices. The first practice involves developing a habit of scrutiny among employees. For example, if an employee receives a call from the IT department, they should first verify the phone number being used before divulging any sensitive information. Social engineers are known to load malware onto USB drives, then label the drive “Bonuses” (or something equally enticing) before leaving it where employees may see it. Taking the same scrutinizing approach to a scenario such as this can increase the information security of any organization. Once employees have been educated and trained in countermeasures, the second strategy is referred to as “Event Tests”, wherein the security network is tested unannounced at random intervals. This may involve higher-level staff utilizing the same tactics employed by social engineers (pretexting, tailgating, spear phishing, watering hole attacks, etc.) in order to test the responses of their employees. Finally, the results of such event tests must be reviewed and analyzed in order to determine weaknesses in the current system and where security may be improved.
CTG works to detail security threats in various reports published each week. In doing so, CTG hopes to educate others in order to better prepare them for such hazards. Further, the Behavior/Leadership Team often looks at the various ways in which human psychology can be exploited or manipulated for nefarious purposes. CTG’s Cyber Team is dedicated to finding threats online and any exploits that can be used in the digital medium. Through thorough research, analysis, and education, CTG seeks to continue detecting, deterring, and defeating various threats around the globe.
Post-Secondary Education Network Security: Results of Addressing the End User Challenge, NSU Works, March 2014, https://nsuworks.nova.edu/gscis_facarticles/529/
Influence: The Psychology of Persuasion, Cialdini, R. B., Harper Collins (New York), 2007
Identity and Self-Other Differentiation in Work and Giving Behaviors: Experimental Evidence, Yale, August 2006, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=927433
Behavioral Study of Obedience, Journal of Abnormal and Social Psychology, 1963, https://doi.org/10.1037/h0040525
Effects of a Favor and Liking on Compliance, Science Direct, November 1971, https://www.sciencedirect.com/science/article/abs/pii/0022103171900254?via%3Dihub
The Pressure to Appear Consistent: American POWs in Korea, The Game of Few, April 2016, https://www.thegameoffew.com/blog/consistency-in-korea
Lebanon’s Halloween Government, Foreign Policy, January 2020, https://foreignpolicy.com/2020/01/22/lebanons-halloween-government/
Poll Finds Support for Hizbullah's Retaliation, Beirut Center, July 2006, https://web.archive.org/web/20060830210321/http://www.beirutcenter.info/default.asp?contentid=692&MenuID=46
Israeli Strikes May Boost Hizbullah Base, Christian Science Monitor, July 2006, https://www.csmonitor.com/2006/0728/p06s01-wome.html
Indoctrinating Children, Combating Terrorism Center, June 2010, https://ctc.usma.edu/indoctrinating-children-the-making-of-pakistans-suicide-bombers/
A Jihadist’s Course in the Art of Recruitment, Combating Terrorism Center, February 2009, https://ctc.usma.edu/a-jihadists-course-in-the-art-of-recruitment/
What Online Radicalisation Can Teach You About Security, Red Goat Cyber Security, February 2019, https://red-goat.com/social-engineering/radicalisation-and-se/
And Then They Came for the Jews, Samoa Observer, April 2012, https://web.archive.org/web/20120510111633/http://www.samoaobserver.ws/index.php?view=article&id=15442%3Aand-then&option=com_content&Itemid=57