Social Engineering - Christopher Hadnagy [15]
Identity thieves: Identity theft is the use of information such as a person’s name, bank account numbers, address, birth date, and social security number without the owner’s knowledge. This crime can range from putting on a uniform to impersonating someone to much more elaborate scams. Identity thieves employ many aspects of social engineering and as time passes they seem more emboldened and indifferent to the suffering they cause.
Disgruntled employees: After an employee has become disgruntled, they often enter into an adversarial relationship with their employer. This can often be a one-sided situation, because the employee will typically try to hide their level of displeasure to not put their employment at risk. Yet the more disgruntled they become, the easier it becomes to justify acts of theft, vandalism, or other crimes.
Scam artist: Scams or cons appeal to greed or other principles that attract people’s beliefs and desires to “make a buck.” Scam artists or con men master the ability to read people and pick out little cues that make a person a good “mark.” They also are skillful at creating situations that present as unbeatable opportunities to a mark.
Executive recruiters: Recruiters also must master many aspects of social engineering. Having to master elicitation as well as many of the psychological principles of social engineering, they become very adept at not only reading people but also understanding what motivates people. Many times a recruiter must take into consideration and please not only the job seeker but also the job poster.
Salespeople: Similar to recruiters, salespeople must master many people skills. Many sales gurus say that a good salesperson does not manipulate people but uses their skills to find out what people’s needs are and then sees whether they can fill it. The art of sales takes many skills such as information gathering, elicitation, influence, psychological principles, as well as many other people skills.
Governments: Not often looked at as social engineers, governments utilize social engineering to control the messages they release as well as the people they govern. Many governments utilize social proof, authority, and scarcity to make sure their subjects are in control. This type of social engineering is not always negative, because some of the messages governments relay are for the good of the people and using certain elements of social engineering can make the message more appealing and more widely accepted.
Doctors, psychologists, and lawyers: Although the people in these careers might not seem like they fit into the same category as many of these other social engineers, this group employs the same methods used by the other groups in this list. They must use elicitation and proper interview and interrogation tactics as well as many if not all of the psychological principles of social engineering to manipulate their “targets” (clients) into the direction they want them to take.
Regardless of the field, it seems that you can find social engineering or an aspect of it. This is why I hold firmly to the belief that social engineering is a science. Set equations exist that enable a person to “add up” elements of social engineering to lead to the goal. In the example of a con man, think of the equation like this: pretext + manipulation + attachment to greed = target being social engineered.
In every situation, knowing what elements will work is the hard part, but then learning how to utilize those elements is where the skill comes in. This was the basis for thought behind developing the social engineering framework. This framework has revolutionized the way social engineering is dissected, as discussed in the next section.
The Social Engineering Framework and How to Use It
Through experience and research I have tried to outline the elements that make up a social engineer. Each of these elements defines a part of the equation that equals a whole social engineer.