Social Engineering - Christopher Hadnagy [107]
A small conversation like this, on the other hand, can be a proper way to compliment:
As you approach the receptionist’s desk you see some pictures of a couple of little children at Disney World and after you introduce yourself you say, “Are those your kids? They sure are cute.” Regardless if they are the receptionist’s kids or her nephews, she will most likely enjoy your compliment. Then you follow up with, “I have a couple of my own. They keep us young, huh?”
“Yes, my two kids. And I am not sure about young,” she chuckles, “but they do tire me out.”
“I haven’t taken mine to Disney yet,” I say. “Did you find they enjoyed it at that age?”
“Oh yeah, they loved every second of it,” says the receptionist. “As long as my daughter is with her Daddy, she is having fun.”
“Ah, yeah, I have my little princess too,” I reply. “Well, I could stand here and talk about my kids all day, but I am wondering if you can help me out. I called in and spoke to someone last week about a new HR software package and I said I would drop off this information packet, but I lost the paper I wrote her name on. I am terribly embarrassed.”
“Oh, that’s probably Mrs. Smith,” offers the receptionist. “She handles all of that.”
“You are a life saver. I owe you one. Thank you.”
These types of compliments go a long way to opening the target up to be more agreeable to influence.
The golden rule—treat others as you would wish to be treated—is a key principle in creating obligation. Treating people kindly and giving them something they may need, even if it is as small as a compliment, can create a sense of obligation to you.
Psychologist Steve Bressert makes this point in his article “Persuasion and How To Influence Others,” in which he states, “according to the American Disabled Veterans organization, mailing out a simple appeal for donations produces an 18% success rate. Enclosing a small gift, such as personalized address labels, nearly doubles the success rate to 35%. ‘Since you sent me some useful address labels, I’ll send you a small donation in return.’”
If you want to prove to yourself the power of this principle try this simple exercise. Even something as small as a question can create obligation. The next time someone asks you a question, say nothing. Just stay silent or ignore it and move on in the conversation. Notice how awkward that is; something as simple as a question creates a sense of obligation to answer. Simply asking the target a question can lead to amazing results.
If your first action creates a feeling that there is an expected follow-up, then fulfilling that expectation can lead to strong feelings of obligation. When the person with whom you are interacting expects a result, fulfilling it can create a strong sense of commitment in him or her to do the same for you.
This method can be used, for example, by sending the CFO of a company a piece of technology, maybe an iPod loaded with malicious software. When he gets the gift he is obligated to plug it in. One successful attack vector I saw in play was where the social engineer sent a small relevant gift to the CFO or CEO with a card that said, “Please accept a small gift from our company. All we ask is that you browse our products at www.products.com and download our PDF catalog here at www.products.com/catalog.pdf. I will call you next week.”
This method was successful every time.
Concession
A concession, or the act of conceding, is defined as “an acknowledgment or admission,” or “the act of yielding.” Concessions are used often within the social engineering context as a play on the reciprocation instinct of humans. Humans seem to have a built-in function that makes them want to “do unto others as they do unto” you. A social engineer can use the “something for something” idea or the “I’ll scratch your back if you scratch mine” principle.
There are basic principles to concessions and how to use them properly:
Label your concessions: Make it known when and what you are