Social Engineering - Christopher Hadnagy [58]
She then calls over another gentleman who stares at the screen and says, “I have no clue what the heck that stuff is.” He then looks around, sees my smiling face, and says, “Is this you?”
I walk over to the table with him as he is emptying my RFID scanner and my large case of lock picks and he says, “Why do you have all of these items and what are they?”
I had nothing planned but decided at the last second to try this move: I pulled out a business card and said, “I am a security professional who specializes in testing networks, buildings, and people for security holes. These are the tools of my business.” I said this as I handed him a business card and he looked at it for about five seconds and then said, “Oh, excellent. Thanks for the explanation.”
He neatly put all my items back in, zipped the bag up, and let me go. Usually I go through the bomb screening, the little dust machine, and then a patdown, but this time all I got was a thank you and a quick release. I began to analyze what I did differently than normal. The only difference was that I had given him a business card. Granted, my business card is not the $9.99 special from an online card printer, but I was amazed that what seemed to have happened was that a business card added a sense of license to my claims.
My next four flights I purposely packed every “hacking” device into my bags I could find and then kept a business card in my pocket. Each time my bag was examined and I was asked about the contents, I flipped out the card. Each time I was apologized to, had my items packed in neatly, and let go.
Imagine my experience was a pretext. Little details can add so much weight to what I am saying that I can appear valid, trustworthy, and solid with nothing more than a card that tells people that everything I say is true. Don’t underestimate the power of a business card. One word of caution: getting a weak and pathetic-looking business card can actually cause the opposite effect. A business card that was “free” with an advertisement on the back will not add weight to a professional pretext. Yet there is no reason to spend $300 on a business card to use once. Many online business card printers can print a small amount of very nice cards for less than $100.
Another reason to take this chapter very seriously is that oftentimes pretexting is the very first step used by professional identity thieves. Because identity theft is taking a front-row seat in the crime industry of late, knowing what it is and how to identify it is important for consumers, businesses, and security professionals. If you are a security auditor you must help your clients become aware of these threats and test them for possible weaknesses.
Summary
In addition to extensively covering pretexting and providing real-world examples of pretexting in action, this chapter also continually brushed up against the psychological principles that affect different aspects of pretexting. The logical next stop on the framework covers just that—the mental skills that professional social engineers use that make them seem like mind control masters and that give each social engineer a huge leg up in success.
Chapter 5
Mind Tricks: Psychological Principles Used in Social Engineering
It all depends on how we look at things, and not on how they are themselves.
—Carl Gustav Jung
In Hollywood movies and television shows con men and law enforcement are portrayed with almost mystical talents. They have the ability to get away with anything; they seem to be able to just look into the eyes of a person and tell if they are lying or telling the truth. It is not uncommon to see situations like this: the cop looks into the eyes of his suspect and can automatically tell whether he is lying or telling the truth, or with just the power of suggestion the con man’s targets are