The Art of Social Engineering
By: Cesar Bravo, Desilda Toska

Overview of this book

Social engineering is one of the most prevalent methods used by attackers to steal data and resources from individuals, companies, and even government entities. This book serves as a comprehensive guide to understanding social engineering attacks and how to protect against them. The Art of Social Engineering starts by giving you an overview of the current cyber threat landscape, explaining the psychological techniques involved in social engineering attacks, and then takes you through examples to demonstrate how to identify those attacks. You’ll learn the most intriguing psychological principles exploited by attackers, including influence, manipulation, rapport, persuasion, and empathy, and gain insights into how attackers leverage technology to enhance their attacks using fake logins, email impersonation, fake updates, and executing attacks through social media. This book will equip you with the skills to develop your own defensive strategy, including awareness campaigns, phishing campaigns, cybersecurity training, and a variety of tools and techniques. By the end of this social engineering book, you’ll be proficient in identifying cyberattacks and safeguarding against the ever-growing threat of social engineering with your defensive arsenal.
Table of Contents (17 chapters)

  • 1 – Part 1: Understanding Social Engineering
  • 6 – Part 2: Enhanced Social Engineering Attacks
  • 11 – Part 3: Protecting against Social Engineering Attacks

Examining the six principles of persuasion

As mentioned, social engineering is an art: one that improves with time, but one that can also be learned by applying several tactics.

Those tactics were highlighted by Robert Cialdini (a behavioral psychologist) in his book The Psychology of Persuasion, in which he groups them into six key principles, as shown in the following figure:

Figure 1.5 – Key principles of influence

Now, let’s review each of those principles:

  • Reciprocity: There is a strong sense of obligation to pay back when we receive something from others. Therefore, an attacker may use this technique by giving you something or doing you a favor, so that your brain feels compelled to do something for them later.
Figure 1.6 – Example of using reciprocity to influence a victim

  • Commitment and consistency: If you commit to something, it is likely that you will honor that commitment, even if the original commitment or incentive changes slightly. That is exactly what the attacker wants. First, the attacker will make you commit to something reasonable and then change it slightly at the last minute to something you may have doubts about; because of the previous commitment, you are likely to accept and proceed. The following figure shows an example of how an attacker can use this to gain physical access:
Figure 1.7 – Example of using commitment to influence a victim

  • Social proof: This principle is based on the fact that people’s behavior is influenced by what others do in a given place (the culture of that place). For example, in companies with a mature cybersecurity culture, tailgating is seen as unacceptable behavior. However, the same action (tailgating) can be seen as simply being polite in companies with less cybersecurity awareness, as illustrated in Figure 1.8:
Figure 1.8 – Example of using social proof to influence the victim

  • Authority: People are more likely to follow an order when it is given by a person with authority (or at least someone pretending to have it). Impersonating a cybersecurity expert, influencer, or any other credible or known person is a typical case of using authority to influence the victim into executing a questionable action. As seen in Figure 1.9, the attacker calls the victim, impersonating someone from the IT or security department. Then, the attacker asks the victim to read back a code that was supposedly sent to them. What the victim does not know is that the code they are giving to the attacker is actually a password reset code that will give the attacker full access to the account:
Figure 1.9 – Example of using authority to influence the victim

  • Liking: People are more willing to trust others they like, and an attacker may use that principle to influence a victim. Liking is not limited to physical attraction; in fact, there are many other methods that attackers may use to gain your trust, as follows:
    • By sharing some characteristics in common (such as saying we live or grew up in the same city or have similar ancestors)
    • By sharing the same passion (for example, the same series, the same idols, the same favorite music group, etc.)
    • By following the same team or groups (in sports, politics, etc.)

    The following figure shows an example of how an attacker can use compliments to make the victim like them and thereby gain their trust:

Figure 1.10 – Example of using liking to influence the victim

  • Scarcity: This tactic is commonly used in marketing to influence you to purchase something (which, most of the time, is something you don’t need). It is incredibly powerful, which is why it is present in almost all social engineering attacks. Here, the attacker pressures the victim by making them believe that they will lose a big opportunity if they do not act on it right now!
Figure 1.11 – Example of using scarcity to influence the victim

Now, there are other key tactics and techniques used in social engineering attacks that are not included in that list, such as developing rapport, empathy, and pretexting, so let’s review them in detail.
