Social Engineering - Christopher Hadnagy [106]
Sales literature about your products or company
These things do not build indebtedness. The recipient must deem the “gift” valuable. Another source of “gifts” that can build true indebtedness is information. Giving away a valuable, beneficial, or useful piece of information can literally be of more interest than a physical gift to some.
Ask for What You Want
On one occasion as I was entering a building, I saw a man who looked very much to be the “boss” get out of his car parked in the spot marked “For CFO Only,” and he was on his cell phone. He was not a happy guy, and I overheard him telling someone that he was upset because he had to go inside and let some people go. I assumed from his tone that he was on with his wife or girlfriend and he didn’t like the job he was about to do.
I walked past him and went to the front desk and as I walked up I saw that the girl behind the desk was playing Minesweeper. As I approached the counter she gave me the standard, “How can I help you?” She had a look on her face that said she was bored and not in the mood. I said, “Look, I am here for a meeting, but your boss is about to walk in and he is in a bad mood…” I then trailed off and just stood there with a folder in my hand. A few seconds later the boss stormed in the front door and I said loudly, “Thank you so much for your assistance.”
She looked over and said to me, “Excuse me, sir,” then said to her boss, “Good morning, Mr. Smith, I have your messages,” and then handed him a small pile of paper as he walked by.
When he disappeared to his office she thanked me profusely. I had just saved her and she knew it. The information I gave her was invaluable, and my next words would be imperative: “I need your help. I wanted to see the HR manager just for a brief meeting. Can you get me into her office real quick?”
She walked me back to the manager’s office and introduced me as “her friend” that stopped in. Within minutes my plan was launched, and all thanks to reciprocity.
As a social engineer, look for little opportunities to give out information that will make you valuable to the recipient and, more importantly, make the recipient indebted to you.
Be aware of your surroundings and what little things you can do to make your targets indebted to you. Remember it doesn’t have to be something amazing, just something that they value. A good point to keep in mind is to not “stalk” the target. Standing and staring at him or her waiting for an opportunity to do or say something can be off-putting. These principles should be natural.
Naturalness means you start practicing these principles in everyday life. Hold doors for people, be very polite, and look for opportunities to do good things for others. These actions will become second nature and you will have fewer struggles doing them in an audit.
Reciprocity is a powerful influence tactic, and the next two principles discussed are closely tied into it.
Obligation
Obligation has to do with actions one feels he needs to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. In the context of social engineering, obligation is closely related to reciprocation but is not limited to it. Obligation can be as simple as holding an outer door for someone, which will usually make him hold the inner door for you. It can be escalated to someone giving you private info because you create in them a sense of obligation to you. Obligation is a common attack vector used when targeting customer service people.
You can also use obligation in small doses by utilizing smart complimenting. For example, compliment the person, then follow it up with a request. This technique is very easy to do wrong if you are new or inexperienced and can come across so fake that it alerts the target’s inner sense and has the wrong effect. But if done properly, it can lead to obtaining even little pieces of valuable information.
An example of complimenting in the wrong way would be something like, “Wow, you have beautiful eyes, can I get into your server room?” Sounds stupid, huh? Be sure to