Social Engineering: The Art of Human Hacking (2011)

Chapter 6. Influence: The Power of Persuasion

If you would persuade, you must appeal to interest rather than intellect.

—Benjamin Franklin

The epigraph sums up this entire chapter. You might be wondering why I didn’t include this within Chapter 5’s discussion of psychological principles of social engineering. Psychology is a science and a set of rules exists in it that, if followed, will yield a result. Social engineering psychology is scientific and calculated.

Influence and persuasion are much like art that is backed up by science. Persuasion and influence involve emotions and beliefs. As discussed in some of the earlier chapters, you have to know how and what people are thinking.

Influence and the art of persuasion is the process of getting someone else to want to do, react, think, or believe in the way you want them to.

If you need to, reread the preceding sentence. It is probably one of the most powerful sentences in this whole book. It means that using the principles discussed herein, you will be able to move someone to think, act, and maybe even believe the way you want him to because he wants to.Social engineers use the art of persuasion every day and, unfortunately, malicious scammers and social engineers use it, too.

Some people have devoted their life to researching, studying, and perfecting the art of influence. Those such as Dr. Ellen Langer, Robert Cialdini, and Kevin Hogan have contributed a very large repository of knowledge in this field. Mix this knowledge with the research and teachings of NLP (neurolinguistic programming) masters such as Bandler, Grinder, and more recently Jamie Smart, and what you have is a recipe to become a true artist.

True influence is elegant and smooth and most of the time undetectable to those being influenced. When you learn the methods you will start to notice them in commercials, on billboards, and when used by salespeople. You will start to get irritated at the shoddy attempts of marketing people and if you are like me, you will begin to rant and rave at terrible commercials and billboards while driving (which does not make my wife very happy).

Before getting into how social engineers will use in influence and persuasion, the chapter begins with a short tour of some of the key elements of persuasion and influence that I have compiled and used. This chapter will discuss things like reciprocation, manipulation, and the power of setting goals, just to name a few of these key elements.

Influence and persuasion can be broken down into five important aspects, as discussed in the following sections.

The Five Fundamentals of Influence and Persuasion

The five fundamentals of persuasion are crucial in obtaining any type of successful influence upon a target:

· Setting clear goals

· Building rapport

· Being observant of your surroundings

· Being flexible

· Getting in touch with yourself

The whole goal of social engineering is to influence the target to take an action that may or may not be in their best interest. Yet they will not only take the action, but want to take the action and maybe even thank you for it at the end. This type of influence is powerful and can make a social engineer who possesses these skills legendary.

World-renowned NLP trainer Jamie Smart once said, “The map is not the territory.” I love that quote because it blends perfectly with these five fundamentals. None of them are the whole sum on their own, but individually they are like points on a map that show you the whole territory of what you want to accomplish. The following section delves deep into the first fundamental: why setting clear goals is very important.

Have a Clear Goal in Mind

Not only should you have a clear goal in mind, you should even go so far as to write it down. Ask yourself, “What do I want out of this engagement or interaction?”

As I discussed in Chapter 5, especially in relation to NLP, a human’s internal systems are affected by his thoughts and goals. If you focus on something, you may be more likely to become it or get it. This doesn’t mean that if you focus on the thought of getting one million dollars, you will get it. In fact, it is unlikely. However, if you had a goal of making one million dollars and focused on the steps needed to make that money, your goals, education, and actions would increase the likelihood of you achieving that goal. The same is true with persuasion. What is your goal? Is it to change someone’s beliefs? To get him to take an action? Suppose a dear friend is doing something terribly unhealthy and you want to try and persuade her to stop. What is the goal? Maybe the end goal is to persuade her to stop, but maybe little goals exist along the way. Outlining all of these goals can make the path to influencing that person clearer.

After setting the goal, you must ask yourself, “How will I know when I have gotten it?” I once listened to a training program offered by Jamie Smart, one of the world leaders on NLP, and he asked each person in the classroom these two questions:

· What do you want?

· How will you know when you have it?

At this point, I paused the CD for the first question and answered for myself out loud what I wanted from this course. Then I pressed Play again and when he asked that second question, “How will you know you have gotten it?” I paused the CD again and was lost. It was clear to me that I didn’t have a roadmap. I knew what I wanted out of that course, but I didn’t know how to gauge when I had gotten it.

Knowing what you want out of your engagements is an important aspect of influence and persuasion tactics. When you approach a target knowing what your goals are and what the indicators are that you are getting what you want, then you can clearly identify the path you need to take. Clearly defined goals can make or break the success of the influence tactics used by a social engineer as well as make the next step much easier to master.

Rapport, Rapport, Rapport

Chapter 5 has a whole section on rapport building. Read it, study it, and perfect your rapport-building skills.

Developing rapport means that you get the attention of the person you are targeting and his unconscious mind, and you build trust within that unconscious portion. Mastering the skill of building rapport can change the way you deal with people, and when it comes to social engineering, it can change your whole methodology.

To build rapport, start where the person you want to influence is mentally—try to understand their frame of mind. Are they suspicious? Are they upset, sad, or worried? Whatever emotional state you perceive them to be in, start from there. Do not focus on your goals as much as focusing on understanding the person. This is a very vital point. This means a social engineer must understand his target enough that they can imagine where they are consciously. What are the target’s thoughts and state of mind?

For example, imagine you want to influence your dear friend to want to quit smoking or doing drugs or something else. Notice you don’t want to convince her to quit, but convince her to want to quit. Your goal cannot be about you, right? It must focus on the target. You can’t start your conversation with what her addiction is doing to you and how much you hate the smell, and so on. The argument has to be what is in it for her. You cannot start the conversation with a verbal attack about what the person has done to you with their habit, but you need to understand where that person’s frame of mind is, accept it, and come into alignment with it.

Social engineering is much the same: you can’t start where you are mentally. This is going to be struggle for many people. Do you know why she smokes? Do you understand the psychological, physical, or mental reasons why? Until you can really get into her shoes, you cannot build a strong rapport and your efforts at influence will fail.

In addition, you cannot always base the idea of building rapport on logic. I once was in the hospital with a dear friend who was dying from throat cancer. He had smoked for more than 40 years and one day he found out he had cancer. It spread fast, bringing him to the hospital to live out his last days. His children would come to visit and every now and then they would leave the room. I thought they were overcome with emotion. One time after they excused themselves I went out to comfort them and they were outside the hospital smoking! I was dumbfounded. I don’t smoke and have no desire to, and although I can understand how strong an addiction can be, I couldn’t understand how after seeing the pain their father was in, how they could raise a cigarette to their lips.

Logic would not win in this case. Telling my friend’s children why smoking is bad and how it will kill them would do no good—this information was useless because it was combative and only made me feel good in saying it, but did not align with their present frame of mind. Until you understand the person you cannot successfully build a good enough rapport to influence him or her.

Getting someone to want to do something is a blend of emotion and logic, as well as understanding and humility in many cases. Once I walked into an office I was going to do some work for and I had heard a funny comment outside, so when I walked in the main lobby I was chuckling. The woman behind the desk must have just done something embarrassing because when she saw me she immediately got angry and yelled at me, “It’s not very funny and you are a jerk.”

Now I didn’t know this woman and to tell you the truth I had a goal in mind that this interaction was not going to help. In addition, I felt insulted that she assumed I was laughing at her, and wanted to lash back at her. But instead, I saw she was upset. I got close to the counter so as not to embarrass her anymore, I looked her in the eye, and with sincerity said, “I am so sorry if you thought I was laughing at you. I was in the parking lot and some of your workmates were telling a story about a party over the weekend and I thought it was very funny.”

She looked at me and I could tell she was now even more embarrassed, so to save face for her, I loudly said, “Ma’am, I am sorry for laughing and embarrassing you.” This allowed her to save face to those around us. She understood that I “took one for the team” and she responded with extreme kindness. A minute later she apologized and it worked to my benefit as I was given all the data I asked for, data I normally would have had to work very hard to get.

A teacher I had once used to tell me to “kill them with kindness.” That is a pretty powerful statement. Being kind to people is a quick way to build rapport and to establish yourself in the five fundamentals of persuasion and influence.

One method to influence people using kindness and rapport is to ask questions and give choices that lead them to a path you want. For example, once I was influenced to take a job I really didn’t want as part of a team effort. The team leader was very charismatic and friendly and had the “charm factor” that allowed him to speak to anyone. He approached me and said, “Chris, I wanted to talk to you separately from the team. I need a right hand for a small project. But the person needs to be a go-getter, self motivated. I think this is you, but I don’t want to assume; what do you think?”

I was excited and flattered by the compliments and the potential to be “important,” so I responded, “I am a very self-motivated person. Whatever you need, tell me.”

The team leader continued, “Well, I am a big believer in leading by example. And I think you have that leadership quality. The problem is, some on the team do not, and they need a strong person to show them how it is done.”

Before the end of the conversation, what he wanted appeared as if it was my idea, which made it impossible to back out of. Powerful indeed, and all started with the power of persuasion.

Be in Tune with Yourself and Your Surroundings

Being aware of yourself and your surroundings, or sensory acuity, is the ability to notice the signs in the person you are targeting and yourself that will tell you that you are moving in the right direction or not.

Many of the principles discussed in the previous chapter apply to persuasion. Reading body language and facial signs can tell you much about your influence on the person.

To really master the dual art of influence and persuasion, you have to become a master watcher and master listener. Chris Westbury, a cognitive neuropsychologist at the University of Alberta, Canada, estimates that human brains process information at 20 million billion calculations per second. Those calculations are represented by facial expressions, microexpressions, gestures, posture, voice tones, eye blinks, breathing rate, speech patterns, nonverbal utterances, and many more types of distinguishing patterns. Mastering influence means to be aware of those subtle things in yourself and others.

I found, for myself, the ability to be observant proved to be easier for me after receiving some training from Dr. Ekman in microexpressions. I found afterward that not only did I become much more aware of what was going on with those around me, but also myself. When I felt a certain expression on my face, I was able to analyze it and see how it might be portrayed to others. This recognition of myself and my surroundings was one of the most enlightening experiences of my life.

NLP experts promote minimizing your internal dialog when trying to influence others. If you approach the target thinking about the next stage of the attack, the end goal, or comebacks for potential conversation stoppers, that internal dialog can cause you to miss a lot of what is going on around you. Being observant takes a lot of work but the payoff is well worth it.

Don’t Act Insane—Be Flexible

What do I mean by not acting insane and being flexible? One definition of insanity that’s been floating around for years is “doing the same thing over and over and expecting different results.” Being willing and able to flex is one of the keys to persuasion.

You can think of this flexibility in terms of physical things. If you were tasked to persuade or bend something, would you rather it be a branch from a willow tree or a steel rod? Most people would say the willow branch because it is flexible, easier to bend, and makes the task accomplishable. Trying to persuade others while being unyielding and inflexible doesn’t work, and neither does persuasion if you are not flexible.

Many times, an audit will not go as planned. A good social engineer will be able to roll with the punches and adjust their goals and methods as needed. This does not go against the idea of planning ahead; instead, it bespeaks the point of not being so rigid that when things do not go as planned you can move and adapt so the goal is not lost.

The way a person would view an insane person is the way a target would view the inflexible social engineer. The social engineer would look unreasonable and you would most likely never reach endgame.

Get in Touch with Yourself

By getting in touch with yourself, I am not suggesting some Zen meditation avenue, just that you understand your emotions. Emotions control practically everything you do, as well as everything your target does. Knowing your emotions and being in touch with yourself can help you lay the groundwork for being an effective social engineer.

Going back to the earlier example of you and your smoking friend—approaching your friend if you have a deep-seated hatred for those who smoke affects your approach. It can make you act, express, say, or do something that will close the door to persuasion. You may never compromise on certain things, and being aware of those things and your emotions about them can help you to develop a clear path toward influencing a target.

These five fundamentals are key to understanding influence and persuasion. Being able to create an environment where a target wants to do what you are requesting is the goal of persuasion, and these five fundamentals will help you create that environment. The next section examines how social engineers use these fundamentals.

Influence Tactics

As mentioned, social engineers must practice the skill of persuasion until it becomes part of their everyday habits. This doesn’t mean that they must influence everyone in everything they do, but being able to turn this skill on and off at will is a powerful trait of a good social engineer.

Influence and persuasion have many aspects you can use and many that fit easily into an audit. Other aspects might not fit too easily, but hold a very powerful position in the world of influence. The following sections cover eight different techniques of influence that are used often by media, politicians, government, con men, scammers, and of course, social engineers.

Each section provides an analysis of each technique to see how it is used in other areas of influence besides social engineering, as well as takes a closer look at how it can apply to a social engineer.

Reciprocation

Reciprocity is the inherent expectation that when others treat you well you respond in kind. A simple example is when you are walking into a building—if someone holds a door open for you, he expects you to say thank you and then make sure that next door stays open for him as he comes in.

The rule of reciprocity is important because often the returned favor is done unconsciously. Knowing this means that you now have a step up on how you can use it as a social engineer. Before getting into that, though, here are a few examples where reciprocity is often used:

· Pharmaceutical companies will spend $10,000–$15,000 per doctor (yes, per doctor) on “gifts” that might include dinners, books, computers, hats, clothing, or other items that have the drug company’s logo on it. When the time comes to choose a drug to support and buy, to whom do you think the doctors are more likely to go?

· Politicians are influenced in much the same way. It is no secret that many times politicians or lobbyists are more favorable to people who helped their political campaign than those who did not.

· Reciprocity is often used in business, especially when it comes to matters of contracts. Maybe the sales guy will pay for a meal, then later on ask for a concession in the contract. The client is compelled to give this concession.

· A fellow employee filled in for you one week when you needed a day off. Now she asks you to return the favor, but you have plans. In this situation, people will reschedule and honor the request.

All of these are examples of reciprocity. Sociologist Alvin Gouldner wrote a paper called, “The Norm of Reciprocity” (http://media.pfeiffer.edu/lridener/courses/normrecp.html) in which he states:

Specifically, I suggest that a norm of reciprocity, in its universal form, makes two interrelated, minimal demands: (1) people should help those who have helped them, and (2) people should not injure those who have helped them. Generically, the norm of reciprocity may be conceived of as a dimension to be found in all value systems and, in particular as one among a number of “Principal Components” universally present in moral codes.

Basically, his research led him to see that reciprocity works despite cultural backgrounds. Reciprocity, used under the right circumstances, is all but impossible to resist.

Think of reciprocity as the process shown in Figure 6-1.

Figure 6-1: The cycle of reciprocity.

The following sections expand on some key points of the preceding idea.

Give Something Away

The thing you give away can’t be some simple piece of junk. The thing given must have value—to the recipient. Giving away a beautiful hardcover novel written in a language the recipient does not read or collect is useless.

The item can be a service, a physical item, some valuable information, assistance, or anything else that the receiver will deem as a value (even something as simple as holding the door or picking up something dropped). Some sales organizations promote this method but then fall short by offering something that has no value. Imagine you are at a trade show and at each table is a giveaway. If you walk up to a table and notice a pile of cheap-looking pens you might just walk by. The next table has an interesting puzzle-like game. You are intrigued so you pick it up; after you spend a few minutes playing with it a salesperson approaches and says, “You want a hint?” After showing you a small hint he asks whether you have a minute so he can show you a service you might really love.

How can you say no? You get an intriguing game and a free hint, and now all he wants is a minute of your time? It’s a perfect setup.

Create Indebted Feelings

The more value the gift has to the recipient and the more unexpected it is, the greater the sense of indebtedness.

Not allowing the gift to be used in an obvious manipulation tactic is important. Don’t say or act like, “I gave you this great gift now you owe me.” Even thinking it can take away any feelings of indebtedness. The “gift” should be totally free and of great value to the recipient.

The Humane Society of the United States, for instance, gives away personalized mailing labels as a free gift. No strings are attached and many people use them for holiday cards or personal letters. They are attractive and good quality. You sign up for them, and many months later you will get a call asking for a donation to support your local Humane Society. The recipient’s sense of obligation is usually too great to not contribute even a little.

By way of another example, Fortune Magazine offers college professors free issues of its magazine to try out in their classes with no strings attached at all.

Many examples of reciprocity like these exist. On the flip side, many companies fail at reciprocity by thinking things like the following are good gifts:

· Sharp-looking and colorful corporate brochures

· Useless and junky toys

· Sales literature about your products or company

These things do not build indebtedness. The recipient must deem the “gift” valuable. Another source of “gifts” that can build true indebtedness is information. Giving away a valuable, beneficial, or useful piece of information can literally be of more interest than a physical gift to some.

Ask for What You Want

On one occasion as I was entering a building, I saw a man who looked very much to be the “boss” get out of his car parked in the spot marked “For CFO Only,” and he was on his cell phone. He was not a happy guy, and I overheard him telling someone that he was upset because he had to go inside and let some people go. I assumed from his tone that he was on with his wife or girlfriend and he didn’t like the job he was about to do.

I walked past him and went to the front desk and as I walked up I saw that the girl behind the desk was playing Minesweeper. As I approached the counter she gave me the standard, “How can I help you?” She had a look on her face that said she was bored and not in the mood. I said, “Look, I am here for a meeting, but your boss is about to walk in and he is in a bad mood…” I then trailed off and just stood there with a folder in my hand. A few seconds later the boss stormed in the front door and I said loudly, “Thank you so much for your assistance.”

She looked over and said to me, “Excuse me, sir,” then said to her boss, “Good morning, Mr. Smith, I have your messages,” and then handed him a small pile of paper as he walked by.

When he disappeared to his office she thanked me profusely. I just saved her and she knew it. The information I gave her was invaluable, and my next words would be imperative: “I need your help. I wanted to see the HR manager just for a brief meeting. Can you get me into her office real quick?”

She walked me back to the manager’s office and introduced me as “her friend” that stopped in. Within minutes my plan was launched, and all thanks to reciprocity.

As a social engineer, look for little opportunities to give out information that will make you valuable to the recipient and more importantly, make the recipient indebted to you.

Be aware of your surroundings and what little things you can do to make your targets indebted to you. Remember it doesn’t have to be something amazing, just something that they value. A good point to keep in mind is to not “stalk” the target. Standing and staring at him or her waiting for an opportunity to do or say something can be off-putting. These principles should be natural.

Naturalness means you start doing these principles in everyday life. Hold doors for people, be very polite, and look for opportunities to do good things for others. These actions will become second nature and you will have fewer struggles doing them in an audit.

Reciprocity is a powerful influence tactic, and the next two principles discussed are closely tied into it.

Obligation

Obligation has to do with actions one feels he needs to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. In the context of social engineering, obligation is closely related to reciprocation but is not limited to it. Obligation can be as simple as holding an outer door for someone, which will usually make him hold the inner door for you. It can be escalated to someone giving you private info because you create in them a sense of obligation to you. Obligation is a common attack vector used when targeting customer service people.

You can also use obligation in small doses by utilizing smart complimenting. For example, compliment the person, then follow it up with a request. This technique is very easy to do wrong if you are new or inexperienced and can come across so fake that it alerts the target’s inner sense and has the wrong effect. But if done properly, it can lead to obtaining even little pieces of valuable information.

An example of complimenting in the wrong way would be something like, “Wow, you have beautiful eyes, can I get into your server room?” Sounds stupid, huh? Be sure to say your method out loud to see how it sounds. If it sounds like a cheap pickup line then it has to go.

A small conversation like this, on the other hand, can be a proper way to compliment:

As you approach the receptionist’s desk you see some pictures of a couple of little children at Disney World and after you introduce yourself you say, “Are those your kids? They sure are cute.” Regardless if they are the receptionist’s kids or her nephews, she will most likely enjoy your compliment. Then you follow up with, “I have a couple of my own. They keep us young, huh?”

“Yes, my two kids. And I am not sure about young,” she chuckles, “but they do tire me out.”

“I haven’t taken mine to Disney yet,” I say. “Did you find they enjoyed it at that age?”

“Oh yeah, they loved every second of it,” says the receptionist. “As long as my daughter is with her Daddy, she is having fun.”

“Ah, yeah, I have my little princess too,” I reply. “Well, I could stand here and talk about my kids all day, but I am wondering if you can help me out. I called in and spoke to someone last week about a new HR software package and I said I would drop off this information packet, but I lost the paper I wrote her name on. I am terribly embarrassed.”

“Oh, that’s probably Mrs. Smith,” offers the receptionist. “She handles all of that.”

“You are a life saver. I owe you one. Thank you.”

These types of compliments go a long way to opening the target up to be more agreeable to influence.

The golden rule—treat others as you would wish to be treated—is a key principle in creating obligation. Treating people kindly and giving them something they may need, even if it is as small as a compliment, can create a sense of obligation to you.

Psychologist Steve Bressert makes this point in his article “Persuasion and How To Influence Others,” in which he states, “according to the American Disabled Veterans organization, mailing out a simple appeal for donations produces an 18% success rate. Enclosing a small gift, such as personalized address labels, nearly doubles the success rate to 35%. ‘Since you sent me some useful address labels, I’ll send you a small donation in return.’”

If you want to prove to yourself the power of this principle try this simple exercise. Even something as small as a question can create obligation. The next time someone asks you a question, say nothing. Just stay silent or ignore it and move on in the conversation. Notice how awkward that is; something as simple as a question creates a sense of obligation to answer. Simply asking the target a question can lead to amazing results.

If your first action creates a feeling that there is an expected follow-up, then fulfilling that expectation can lead to strong feelings of obligation. When the person with whom you are interacting expects a result, fulfilling it can create a strong sense of commitment in him or her to do the same for you.

This method can be used, for example, by sending the CFO of a company a piece of technology, maybe an iPod loaded with malicious software. When he gets the gift he is obligated to plug it in. One successful attack vector I saw in play was where the social engineer sent a small relevant gift to the CFO or CEO with a card that said, “Please accept a small gift from our company. All we ask is that you browse our products at www.products.com and download our PDF catalog here at www.products.com/catalog.pdf. I will call you next week.”

This method was successful every time.

Concession

A concession, or the act of conceding, is defined as “an acknowledgment or admission,” or “the act of yielding.” Concessions are used often within the social engineering context as a play on the reciprocation instinct of humans. Humans seem to have a built-in function that makes them want to “do unto others as they do unto” you. A social engineer can use the “something for something” idea or the “I’ll scratch your back if you scratch mine” principle.

There are basic principles to concessions and how to use them properly:

· Label your concessions: Make it known when and what you are conceding, which makes it difficult for your mark to ignore the urge to reciprocate. This will take balance because you don’t want to blow a trumpet, so to speak, while you announce a concession, but a simple statement like, “OK, I’ll give you this one,” or “I will meet you halfway,” show you are willing to concede.

· Demand and define reciprocity: You can start by planting the seeds of reciprocation and this increases your chances of getting something in return. An easy way to start planting these seeds is through nonverbal communication showing that you are flexible, and also by being a good listener. These little things can make a big difference when building feelings of reciprocation in your target.

· Make contingent concessions: You can use “risk-free” concessions when trust is low or when you need to signal that you are ready to make other concessions. What I mean by this is a concession that does not come with a “now you can do something for me” attitude. By giving in to something the target wants or needs with no counter demand, you can build a very strong bond with the target.

· Make concessions in installments: The idea of reciprocity is deeply ingrained in our minds. Most people feel that if someone does them a favor then they are socially contracted to eventually return that favor. Similarly, if someone makes a concession, say in a negotiation or bargaining agreement, then one instinctively feels obligated to “budge” a little bit, too. Since this is a fact, you do not have to feel that all your concessions must be at one time. You can make “installments” with your concessions, where you give in a little here and a little there over time to keep your target reciprocating.

Concessions are used daily by salespeople, negotiators, and social engineers. A successful social engineer can use and abuse this instinctual tendency by not only resisting the manipulations being placed on them by others but also by trying to take over the situation completely. Concession and reciprocation skills play well with many of the other social engineering techniques discussed within the pages of this book.

An example of how many people fall for concessions can be illustrated with telemarketers who call for donations. They use a strategy for gaining concessions after someone is first given the opportunity to turn down a large request. The same requester counteroffers with a smaller request that you are more likely to accept than the large request.

Large request: “Can you donate $200 to our charity?”

Response: “No, I cannot.”

Smaller request: “Oh, I’m sorry sir, and I understand. Can you donate only $20?”

People who are not aware of this technique might feel like the burden is taken off of them and realize they can part with a mere $20 rather than the initial asking price of $200.

Another great example appeared in an article (http://ezinearticles.com/?How-to-Negotiate-the-Salary-Using-the-Power-of-the-Norm-of-Reciprocity&id=2449465) written by David Hill:

The power of this norm can be felt in most bargaining situations. Assume a buyer and a seller are haggling over the price of a car. The seller starts out with a bid at $24,000. The buyer finds this offer unacceptable and makes a counter bid at $15,000. Now, the seller lowers his bid to $20,000, i.e., he makes a concession. In this case, the buyer will most often feel inclined to increase his bid, maybe to $17,000. The reason why the buyer will feel this inclination is because of the presence of the norm of reciprocity. This norm now demands that the buyer responds to the seller’s concession with another concession.

As with most of the principles discussed so far, the concession must be valuable to the receiver. You can’t concede something that is valuable only to you or you lose the power you gain with a good concession.

As a social engineer, not giving a concession that will cause you to lose face, rapport, or your position is also imperative. A delicate balance must exist between the concession and your standing with the target, and finding it is half the work. Find it, though, and concessions can be a very serious tool in your hands.

Scarcity

People often find objects and opportunities more attractive if they are rare, scarce, or hard to obtain. This is why you will see newspapers and radio ads filled with “Last Day,” “Limited Time Only,” “Only 3-Day Sale,” and “Going Out of Business Forever” messages that entice people to come from all over to get a share of the soon-to-be-never-seen-again product.

The use of scarcity in the sales context is best known with the catch phrase “Act now! Supplies are limited!” Other techniques are the common “The first X callers get a free widget,” or having an intentional short supply of a popular product. In recent times, this practice was most popularly alleged with the Nintendo Wii. Jason Dobson, a writer for Gamasutra, said, “But I think [Nintendo] intentionally dried up supply because they made their numbers for the year. The new year starts April 1, and I think we’re going to see supply flowing” (www.gamasutra.com/php-bin/news_index.php?story=13297).

Where I live, a car dealership ran an ad on a Thursday stating it had to get rid of X number of cars due to new stock arriving. The prices were so low and some of the cars—wait for it—were no longer being produced, and that weekend was the last weekend ever that you could come in for a piece of auto-selling history.

The sales went through the roof that weekend, so the sale was over right? Nope, that ad ran every Thursday for more than three months. I often wondered how people just didn’t catch on to it, but the dealership sold a lot of cars using this method.

Social events can often appear to be more exclusive if scarcity is introduced. The perceived social benefit of attending these events often goes up in these circumstances. In advertising, this point is driven home with ads for music events that point out how the last concert was quickly sold out.

Many popular restaurants have been known to close off sections of the restaurant to appear busier than they really are. The perception that they are extremely popular can often trigger a heightened desire to eat at that establishment. To see an ad that actually mentions the use of scarcity in promoting an event, go to www.social-engineer.org/wiki/archives/Scarcity/Scarcity-Advertisment.html.

This ad played on four major components of scarcity:

· The launch is limited access.

· The application is not public and only limited.

· Promoters are handpicked and limited.

· The e-book is free to those lucky enough to be chosen to come.

All of these points use scarcity by making the would-be partygoers feel that getting into this event is so difficult that only the elite, the few, and the proud can even have a remote chance of stepping foot onto that hallowed ground.

The basics of economics are made up of the allocation of resources that have alternative uses. This allocation is driven by the scarcity of the objects that are being allocated. The rarer the resource, the higher the perceived value the object retains. This rarity is why gold is worth more than salt, which is worth more than clay.

Also, within daily interactions scarcity is often used. Scarcity can be introduced into social situations in an attempt to make something one has go up in value. For instance, one might act like he is very busy on a regular basis, and free time is hard to come by. This action may excuse him from not spending time with someone he may have an obligation to spend time with, and at the same time make time that is spent seem that much more valuable.

You can manipulate attention through the use of scarcity as well. Think of how many people complain about salesmen bothering them in a store when there is no scarcity of salespeople’s attention, yet they are just as upset when they are ignored by salespeople when their attention is scarce. On the whole, people are driven to desire that which is hard to obtain, because it is viewed as having more value. This holds true for attention as well.

Scarcity is often used in social engineering contexts to create a feeling of urgency in a decision-making context. This urgency can often lead to manipulation of the decision-making process, allowing the social engineer to control the information provided to the victim. This is done commonly by using a mixture of authority and scarcity principles. For example, saying something like, “The CFO, Mr. Smith, called me before he left for the long weekend and told me to come down and fix his email problem. He said he was sick and tired of the crashes and wanted it fixed before Monday.” This creates urgency alongside scarcity in that the CFO is not available to speak to and time is the scarce item.

Using scarcity mixed with other principles can also make the attack even deadlier. Either way, scarcity creates a desire and that desire can lead someone to making a decision he might regret later.

This was proven to me recently when a truck pulled into my driveway with a freezer in the back. This decently dressed young man approached my wife and explained that he is a meat salesman. He delivers meat to customers and was just about to head back to the office and saw her working in the yard. He began talking about meat prices and how expensive things are in the store. My wife is a very price-conscious shopper, so this built rapport. Plus he had a very pleasant southern accent and called her “ma’am” and was very respectful.

After a few minutes of talking, she blurts out the question that usually stops salesmen dead, “How much do you want?”

Without missing too much of a beat he says, “Listen, I have been selling these all day for $400 per box, but this is my last box. I would love to just go back to the office with an empty freezer and give you some high-quality meat in the meantime.”

Oh no, the last box! He told her before he only comes through once every two months. The desire has been raised, but my wife is no dummy. She knew she was being manipulated. She excused herself and came to get me.

He went through his spiel and laid on the scarcity thick. Of course, this type of an account can be a lesson on how to not fall for this tactic. The problem is that emotion gets involved. He sees that I have a grill outside that looks used, so he knows I love to cook outside and he plays on that. He then talks about the quality of meat and quickly makes comparisons to restaurant quality and what is in his boxes.

Many people could easily fall for the emotional aspect of his sales pitch. “What if it is his last one?” “He is right, this is much cheaper than eating out.” “He comes to me…I don’t even have to drive to the store.”

Instead, I whipped out a calculator and asked him for the amount for the two last boxes, divided by the weight and then asked my wife how much she normally pays per pound for a Delmonico or ribeye in the store. When her price came in lower by $3.00 per pound I simply just shut up. Now his emotions get involved. He scrambles to save face. He lowers his price by $150 off the bat. I again do the math and he is still $.50 more per pound.

He tries to talk about quality, convenience, and all those aspects that make it worth the $.50 more. I shift my posture and position to be away from him and to show disinterest. Without saying anything, he trails off at the end of a weak spiel and offers me another $50 off. I tell him, “Sorry, I just don’t think it’s worth it.”

He then does the classic mistake that shows how his claims of scarcity were false—he caves in more. “How much do you want to pay for these boxes?”

“I probably could do $100.”

“If you can give me $125 we can call it a deal.”

Now mind you a little bit ago he was at $400 per box and they were the last two in this area for two to three months. This should have been a bidding war for that value, but instead, I sent him packing with his two boxes of meat and no cash.

The lesson in this story for social engineers is that for scarcity to work it either has to be real, or you have to stick to your guns to give the appearance of reality.

People will perceive the value higher when something is really in need. A malicious example of this is how the petrol companies raised the prices of fuel after Hurricane Katrina. The claim was that fuel was in shortage due to the destruction, which caused terrible price increases. Of course, if this were true then the fuel would be worth a lot more than it is; instead it was an example of the claim of scarcity used to make money. Yet at the same time, when BP’s error caused millions of gallons of oil to be lost in the Gulf of Mexico, ruining the ecosystem, instead of fuel prices skyrocketing due to lack of supply, they dropped. How? Well I won’t get into that here, but it proves the point that for scarcity to work, it has to be believable, and this where the oil companies fail and where social engineers can fail, too.

From a social engineer’s standpoint, the more limited or difficult it is obtain an opportunity the more value it will have to people. If information is deemed as private, restricted, and hard to come by, and you are willing to share it with someone, you have just gained a lot of value in their eyes.

A social engineer can leverage scarcity with information by using a statement like, “I am not supposed to be saying this but…” or “I am not sure if you heard this news, but I overheard…” Statements like these spoken in hushed tones imply that this information is scarce.

Authority

People are more willing to follow the directions or recommendations of someone they view as an authority. Finding a person who has enough assertiveness to question authority directly, especially when that authority holds direct power over him or is face-to-face with him is uncommon.

Children, for example, are taught to obey adults such as teachers, counselors, priests, and nannies because they have authority over them. Often, questioning authority is deemed as disrespectful and abject obedience is what is rewarded. These principles carry over into adult life because we are taught to respect authority figures and not question rules or orders given to us by those whom we deem authorities.

Unfortunately, it is this principle leads many children into the hands of abusers and molesters. Of course, not this principle solely, but those who prey on children realize how children are taught about authority and often seek out those who appear to be more compliant. Similarly, malicious social engineers use this principle to manipulate their targets to take some action or inaction that can lead to a breach.

Understanding how authority is used from a social engineering aspect is important. German sociologist and political economist, Max Weber, defined authority into categories that I have adapted to fit more closely into the realm of social engineering.

Legal Authority

Legal authority is based upon government and law. This generally applies to law enforcement officers or others who enforce the laws of the land, area, or facility you are presently in.

As a social engineer, pretexts that involve law enforcement or other government officials are usually illegal. However, security guards, bank security, or other types of enforcement authority figures can be well represented and are often used by social engineers.

In one episode of the BBC television program The Real Hustle, Paul Wilson and his cohorts dressed up like the guards who collect the money. When someone shows up in the uniforms that look similar to the real ones and acts as a normal person in that authoritative position would act, targets have little reason to doubt the imposter is who he “says” he is. Acting as an authority figure is a major ploy used by social engineers to gain access to a company.

Another ploy that can be effective is posing as a lawyer who is seeking certain information. Playing a role that is generally feared or respected by the masses can be one way a legal authority ploy is used.

Organizational Authority

Organizational authority is quite simply any authority defined by means of an organization. Typically, this refers to a supervisory hierarchy. Someone within a position of power in an organization has more power and access to more information than someone at the bottom of the hierarchy.

In a social engineering audit, a consultant may impersonate the CIO or someone else with clearly defined organizational authority. The consultant may then be able to obtain passwords or other information from the help desk or any other employee who may perceive that the impersonated person has authority over him or her.

In a paper entitled “The ‘Social Engineering’ of the Internet Fraud” Jonathan J. Rusch of the U.S. Department of Justice writes, “People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present” (www.isoc.org/inet99/proceedings/3g/3g_2.htm).

This ploy is used in other ways, by not acting as if you are the CFO, but instead sent or authorized by the CFO. The authority the name and title wields may be enough to grant that power to the attacker in the eyes of the target.

Rusch cites an experiment performed by Robert B. Cialdini and recorded in his book Influence (1993), which showed 95 percent of nurses within 22 stations from three different hospitals were willing to administer patients a dangerous dose of medication based upon a phone call from a researcher purporting to be a physician the nurses had never met.

This experiment clearly shows that based upon orders and the perceived notion of authority, people might take certain actions despite their better judgment. This type of authority can and is often used to exploit companies into giving away valuable data.

Social Authority

Social authority refers to the “natural-born leaders” of any social group. A social group could consist of co-workers, college friends, or any other gathering of people.

In Influence, Cialdini writes, “When reacting to authority in an automatic fashion there is a tendency to often do so in response to the mere symbols of authority rather than to its substance.”

For social authority to occur, an extraordinary amount of time or structure may not be needed to define an authoritative figure. In any setting, a quick flash of social proof, where people are influenced by a group of people taking the same action, may help provide a person social authority.

Social authority can be used to an advantage in social engineering by asking or pressuring the target for information. If the target refuses and is therefore not liked by the leader of the group, the target may fall out of favor with the entire group. Complying with the leader’s social authority is perceived to be advantageous.

Social authority is successfully used when either directly stated or implied that a previous person or group reacted the way that the attacker is asking. “Yesterday the CFO sent me down to take care of this problem and Joe let me through and he checked all my credentials, did he put them on file?” A simple statement like that utilizes a few forms of authority.

If you comply with authorities mindlessly, you may respond to symbols of authority rather than to reality. Three authority symbols are particularly effective in Western countries—you may reward people with any one of these (and no other evidence of authority) for their compliance:

· Titles

· Clothes

· Automobiles

In an interview I conducted with Dr. Ellen Langer, Harvard psychologist and researcher of persuasion and influence (www.social-engineer.org/episode-007-using-persuasion-on-the-mindless-masses), she talked extensively about mindlessness. She stated that people often do much of their work in a state where there is not much thought; in other words, they are in autopilot. In those positions, the abuse of the authority role is very dangerous. Perceived authority can make someone on autopilot react without limits.

Using the right clothes, body language, and even having a fake business card printed has worked for many social engineers in presenting an authority stance and keeping their targets in autopilot.

Other forms of authority may come into play for a social engineer than the ones outlined here, but these are the most commonly used. Authority is a powerful force when it comes to influencing others, and with a little bit of reasoning and information gathering a social engineer can effectively use an authority pretext to his or her advantage.

Commitment and Consistency

People value consistency in others, and they also want to appear consistent in their own behavior. Generally people probably want their words, attitudes, and deeds to be consistent and congruent. Consistency reduces the need to reprocess information and offers shortcuts through complex decisions.

Gut feelings—those moments where you sense that an action is good or bad, or right or wrong, based on past experience—are often indicators that a decision being made might be against previously committed feelings and beliefs. These signals often indicate that you feel pushed to agree to something that you don’t want.

Gut feelings can also occur when it comes to making commitments. Gut feelings may indicate that you are uncertain of whether your commitment was a mistake. You can ask yourself, “Knowing what I now know, if I could do that again, would I make the same commitment?”

Before looking at how a social engineer can use consistency to gain someone’s commitment, take a look at three examples that might help hit this point home.

· Marketing: Companies often spend extraordinary amounts of money to gain market share. There is no real return, but they fight to remain in that share that they believe to be profitable. Coca-Cola and Pepsi are great examples of using marketing throughout the decades in the fight to remain visible, yet often a commercial will not sway a person to switch from Pepsi to Coke. Because the two companies have been “committed” to the war against each other it seems that when one of them comes out with a new product or marketing idea, the other is not too far behind.

· Auctions: The increased popularity of online auction houses such as eBay has this principle more visible. People feel a level of commitment to something they place a bid on and if someone outbids them it is as if they are compelled to bid again. At times they will even increase the bid way past their comfort zone because they feel committed. One classic example of this is when Robert Campeau bought Bloomingdales. He paid $600 million dollars more than it was worth. Max Bazerman, author of Negotiating Rationally quoted a journalist from the Wall Street Journalas saying, “We are not dealing with price anymore, but with egos….”

· Carnivals, game houses, and so on: Anytime gambling or game houses are involved a greater risk exists of commitment and consistency being used to persuade people. One columnist, Ryan Healy, an online marketing consultant, wrote a story about when he took his daughter to a circus (www.ryanhealy.com/commitment-and-consistency/). He spent $44 on the tickets, $5 to park his car, then 40 minutes of drive time to get there. He was committed to being at the circus. His daughter wanted cotton candy so he committed to a yes by giving her $5. How could cotton candy cost more than that? When the vendor came by and said the bag was $12, how could he back out on his commitment now? He couldn’t, and therefore ended up spending the $12 on a single cotton candy.

Consistency in this pretense is defined as what is expected based on previous experience or expectations. That experience or expectation can motivate a target to take an action that can cause a breach. For example, when the tech support guy comes it is expected he will go to the server room. That request is consistent with the previous experience and expectation. When access to the server room is requested, it is more likely to be fulfilled because it is consistent with what is expected.

Commitment and consistency can be strong influence factors upon most people to take actions, give information, or divulge secrets.

A social engineer can make commitment and consistency some of the most powerful tools in his or her arsenal. If a social engineer can get a target to commit to something small, usually escalating the commitment is not too hard.

In his book Influence, Robert Cialdini writes:

The key to using the principles of Commitment and Consistency to manipulate people is held within the initial commitment. That is—after making a commitment, taking a stand or position, people are more willing to agree to requests that are consistent with their prior commitment. Many compliance professionals will try to induce others to take an initial position that is consistent with a behavior they will later request.

The social engineer hoping to employ the technique of commitment and consistency usually tries to get the target to divulge a small piece of information toward the overall intended goal. By getting the subject to remain consistent with things he or she has already said, the attacker may get the subject to reveal even more information.

On the other hand, the attacker must remain consistent with what he is asking. The attacker should start off small and escalate the information gathering.

To use an unrealistic example, an attacker should never start off asking for the nuclear launch codes. This request will be denied, and the attacker will be left few options but to backpedal the request. However, starting off small and escalating the value of the information requested with each new piece of gathered information will seem like a more natural progression and will not appear so obvious to the victim.

Going slowly and progressively can be hard as social engineers are often impatient and want to get the “password” right now. Playing it cool and remaining patient can make this avenue rewarding. Clearly defining, maybe even writing out, a path that you can use on each audit can help you go into the audit with clearly defined goals and a path to accomplish them.

I created a chart you can see in Figure 6-2 that shows how a social engineer may be able to visualize this path to obtain information using commitment and consistency.

Getting a target to verbally commit to a certain action can force the target into a certain path of action. Cialdini states, “The commitment and consistency rule states that once we make a decision, we will experience pressure from others and ourselves to behave consistently with that decision. You can be pressured into making either good or bad decisions depending on your past actions.”

Maybe you have felt this if you ever verbally told your wife or spouse that you wanted to lose weight. That verbal “commitment” leads to a lot of pressure to hold up to your end of the “bargain.”

Sometimes, ending up disagreeing with yourself can be hard and almost impossible. Everyone has, at one point or another muttered the phrase, “I’m sorry, I changed my mind,” at least once in our lives. When we do, we hang our head in shame, our voice tones drop, and we sound sad. Why? We have just broken a commitment we made and we feel guilty for doing it.

Figure 6-2: Clearly defining your goals can help you to obtain an information commitment.

Even small, seemingly insignificant commitments can lead to exploitation. For example, a phone conversation often used by solicitors goes something like this:

“Hello, how are you today?”

You answer, “I am doing great.”

Now, prepare for the exploit: “That is good to hear, because some people who are not doing so great can use your help.”

You can’t go back on what you said now, because you are still doing great and committed to it.

This is not to say that you need to be so paranoid that you cannot even answer simple questions without the fear of exploitation, but being aware that one commitment does not mean you must commit to everything that follows is vital. I once worked with a guy who could literally get anyone to do the worst jobs and make them think it was their idea. Ensuring their commitment was one method he used.

If you committed to a path of agreeing with him on certain things, which was almost impossible not to do, because he got you to say “yes” upfront, then you had to continue to say “yes.” Those yeses lead down one path, and that path was right to where he wanted, agreeing to the job he needed to get done.

Being aware that it is okay to say “no” can save you from committing to something that could be disastrous. Yet sometimes we convince ourselves that saying “no” is some form of cardinal sin that needs many prayers to be forgiven.

In the earlier example of the frozen meat salesman, my wife is a very self-aware person. Knowing she might be manipulated by a “seemingly good deal” she came inside to get me because I am a “jerk.”

One of the best examples I have heard that really shows the power of commitment is a social experiment done by Dr. Thomas Moriarty in 1972. He sent an assistant to the beach as a “victim” with a portable radio. The victim sat in his chair listening to his radio for about 10 minutes, then he got up to go purchase a drink.

While he was gone, another assistant, the “criminal” who no one knew was working with him, came by to “steal” the radio. Only 4 out of 20 people—that’s only 20%—stopped the thief from taking the radio.

The researchers then upped the ante in the next round. Before the “victim” would leave to buy the drink he would ask one of the neighboring sunbathers to watch his radio for him. What do you think the change was?

Now a staggering 19 out of 20 stopped the thief, some even resorting to violence. Why the staggering difference? Commitment and consistency. The researcher obtained commitment from the neighboring sunbathers and that caused them to have to act consistently with that commitment. In my opinion, these are amazing statistics that show the power of this influence method.

A social engineer can effectively use this method of influence to get a target to commit to even a small act or small “yes” and use that commitment to escalate it into a larger set of actions.

Liking

People like people who like them. As tongue twisting as that phrase is, it is a very true statement. Understanding the full depth of that statement gets you much closer to mastering persuasion.

When I say understand the depth, I really mean that because that sentence has much more to it than meets the eye.

This statement isn’t saying that people who like you will respond well. Salespeople are often taught that people buy from people they like. That is true, but not the point. It also isn’t saying that people must like you—it is saying you must like people and then they will like you in return.

This task is not as easy as it sounds because liking someone cannot be faked. As discussed in Chapter 5, smiles and happiness are very hard to fake. You must go into the circumstance genuinely caring for the person who you are trying to influence. Caring for people and their feelings is not a standard practice of the malicious social engineer; therefore, they often rely on charm. Charm can work on a short-term basis, but in the long term, liking people is a practiced and learned skill.

Liking is used in marketing extensively. In 1990 Jonathan Frenzen and Harry Davis published a study entitled, “Purchasing Behavior in Embedded Markets” (www.jstor.org/pss/2626820) that examined why Tupperware parties are so successful. All of their research led to this principle of liking.

The researchers concluded that most people bought because they wanted the hostess to be happy, to help a friend, and to be liked. How embarrassing to go to a party like this and not buy anything! That fear of not being liked is what will drive most people to purchase at these parties and it has little to do with wanting more Tupperware.

Other surveys and studies have compared the trust that people have in receiving “tips or advice” from those they consider friends to the trust they have in complete strangers or worse, people they don’t like. A friend can give bad advice and one may be more prone to follow it than good advice from a person one doesn’t like.

From a social engineering aspect the concept of liking is a powerful tool. Not only do you have to be likeable and win their trust, but you also have to genuinely be interested in people. This concept goes back to the discussion of pretexting in Chapter 4. When you pretext, you are not merely acting out an idea or belief—you must become the person you are pretexting; that role is what your life is about. If you can do that then the step of liking can become easier. Your pretext will be truly interested in helping, liking, or assisting that person.

One last aspect of liking that is important for you as a social engineer is physical attractiveness. Humans tend to automatically “like” those who we find attractive. As vain as that sounds, it is the truth. Some serious psychological principles back up this idea.

What is beautiful is good. In 1972 Berscheid, Walster, and Dion performed a study entitled just that, “What Is Beautiful Is Good,” which unleashed some very profound findings. Participants were asked to rate photos of three individuals ranging from low, medium, and high attractiveness. Based on the photos alone they were to rate the people for personality traits, overall happiness, and career success.

They then compiled the ratings and averaged them and found that people who were deemed attractive were more socially desirable, had better occupations, were happier, and more successful. The study proved that people tend to link beauty with other successful qualities and it alters their opinions and ability to trust someone.

This study is an example of a phenomenon called the halo effect, where one particular trait influences or extends to the other qualities of the person. It has been proven to bias a person’s decisions with a tendency to focus on the good traits of the other person. I have archived a copy of this amazing study at www.social-engineer.org/wiki/archives/BlogPosts/BeautifulGood.pdf.

In other words, if someone views you as beautiful, then that good trait extends to other judgments that person makes about you. This halo effect is often used in marketing. Beautiful people are given products to drink, eat, and wear, and other people will automatically assume these things are good, possibly thinking, “Well it must be good if this beautiful person is using it.”

Recently I saw an ad on television that really hit this point home—the ad makes fun of marketing efforts but does it very intelligently. An attractive young female comes on the screen wearing beautiful clothing and says, “Hi, I am a believably attractive 18–24 year old female.”

Using an attractive female who is not overly attractive, but believably real, someone we normal people can look up to is marketing genius. We can’t really tell her age but her beauty can place her somewhere between the ages of 18–24.

“You can relate to me because I am racially ambiguous.”

Again, this is another marketing genius tip. She is not black, white, or Native American—we can’t tell, but she may be a mix, which may be attractive to many races and is non-offensive to most.

“I am in this commercial because market research shows girls like you love girls like me.”

Her beauty and self-assuredness makes us like her; she is well dressed, well spoken, and we want to know her.

The camera then pans to different shots of her doing things like kickboxing, cheerleading, and playing with flowers. By showing viewers she can do all these things while being as beautiful as she is, we perceive her as strong and powerful, and all the things she’s doing as good.

“Now I am going to tell you to buy something…”

She then goes on to sell tampons. This commercial is genius, because the advertiser actually outlines, uses, and educates the consumer on the methods used to make you want to buy. But despite all that, within this commercial lies this principle of liking and the halo effect.

Knowing all this about the importance of liking, what can you do? I have a hard enough time becoming an attractive male, let alone an attractive female. Because endless runs to my local plastic surgeon are out, is there anything a social engineer can do to capitalize on this principle?

Know your target. Know what is and isn’t acceptable to him or her. How does he dress, and what does he consider bad and good? Too much jewelry, makeup, or other aspect of dress can turn off a target. Suppose you are auditing a doctor’s office and your pretext is a drug sales representative. You know that most sales reps wear suits; have perfect hair; and look, smell, and act confident, a trait of many attractive people, so walking in with spiked hair and facial piercings would draw more attention to yourself than your goal.

You must know your target so you can successfully look the way the target would expect. Wear clothing, hairstyles, jewelry, and makeup that will not shock, surprise, or disgust the target. Putting her mind at ease can go a long way toward creating an atmosphere where she will like you, which will build trust and lead to success.

A social engineer can look for things to compliment a target on. When engaging a target, and when appropriate, starting the conversation with a simple complimentary question (such as “Those are nice shoes; where did you buy them?”) is useful. People like positive reinforcement. When one receives compliments from another, he tends to stay engaged in order to receive more positive reinforcement. These compliments tend to reinforce a target’s self image, making him feel as if you have a greater-than-normal understanding of him.

The University of Minnesota issued a paper (www.cehd.umn.edu/ceed/publications/tipsheets/preschoolbehaviortipsheets/posrein.pdf) about reinforcement which states that too much positive reinforcement can have a negative effect. They call it satiation, which means that when reinforcement is given too much it begins to lose its effectiveness. To combat this effect, you can use positive reinforcement backed up by a question. This method reinforces positive behavior or attitudes but also makes people happy as they are asked about themselves.

Four steps can help you get people to like you:

1. Project a confident and positive attitude.

2. Establish rapport.

3. Synchronize, or get in tune with the target and surroundings using the methods mentioned earlier.

4. Effectively communicate.

In his book How to Make People Like You in 90 Seconds, Nicholas Boothman says that people decide whether they like someone in the first two seconds of meeting him or her. After an impression is made changing it can be hard. He promotes coming into an interaction with a good attitude. Having the ability to speak up and communicate effectively in many different situations can make you more likeable. What you project onto others is what they will feel. Your facial expressions, body language, dress, and so on must all project a good, positive attitude.

Boothman says some key things in his book about being likeable, including to ask lots of questions, actively listen, and be interested in what people are saying. Doing these things will help people like you.

A social engineer may need to practice it, but being likeable will go a long way toward succeeding in your audits.

Consensus or Social Proof

Social proof is a psychological phenomenon that occurs in social situations when people are unable to determine the appropriate mode of behavior. You can easily assume a behavior is appropriate if you see others acting or talking a certain way. Social influence in general can lead to conformity of large groups of individuals in either correct or mistaken choices. This behavior is common when people enter into unfamiliar situations and don’t have a frame of reference on how to deal with the situation; they mirror their behavior off of others whom they assume are more familiar and therefore better informed.

In his book, Influence: The Psychology of Persuasion, Dr. Robert Cialdini states, “Social proof—people will do things that they see other people are doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were seeing. At one point this experiment is aborted, as so many people were looking up that they stopped traffic.”

I will outline some excellent examples of social proof that will help you to see how powerful it is and if you have ever fallen for it.

Social proof is used heavily in marketing. Social proof is utilized in sales when high sales numbers are released, demonstrating to potential customers that the product is popular. Another example is when companies release shirts with logos or slogans printed on them, where the wearer then gives an implicit endorsement.

Social proof is not just influenced by large groups, but also by high-profile individuals. For instance, a single celebrity becoming associated with product will make others want to be associated with the celebrity’s positive traits, and they will then use the same product.

Many examples exist of celebrity endorsements, here are a just a few:

· A major supplier of berets was able to get Samuel L. Jackson to endorse their product, The Kangol hat.

· Right through 2010 Maria Sharapova was paid millions in USD per year to endorse Canon products.

· Catherine Zeta Jones endorses T-Mobile Products in their TV commercials and print ads to the tune of $20 million in USD.

· In 2009, Tiger Woods was paid over $100 million in USD for his off-course product endorsements like AT&T, Gatorade, Gillette, Nike Golf and TAG HEUER to name a few.

· Michael Jordan still earns $45 million in USD per year for his Nike endorsements.

There are even some more unusual celebrity endorsements like:

· Ozzy Osbourne endorsing I Can't Believe It's Not Butter

· Mikhail Gorbachev endorsing Louis Vuitton

· Ben Stiller endorsing the alcoholic drink Chu High to Japanese Viewers

Why do companies spend so much just to have a celebrity endorse their products? It is exactly how social proof works. When consumers see famous people they admire and adore wearing, using or even speaking about those products, it is as if they are being told directly by that person how amazing that product is. Many will view it as solid proof that these products are worth every penny.

In its marketing efforts the company said its hats were some of the hottest on the market and the proof was that Mr. Jackson can be seen wearing them.

Advertisers often say things like, “largest selling” or “hottest product” to convince their audience that they have the backing of many of our peers in these claims.

In addition, the Media-Studies.ca website posted an article on influencing its targets using social proof (www.media-studies.ca/articles/influence_ch4.htm):

Experiments have found that the use of canned laughter causes an audience to laugh longer and more often when humorous material is presented and to rate the material as funnier. In addition, some evidence indicates that canned laughter is most effective for poor jokes.” The question is: why does it work, especially when the laugh track is often so obviously fake? To answer this question, Cialdini posits the principle of social proof: “One means we use to determine what is correct is to find out what other people think is correct…We view a behavior as more correct in a given situation to the degree that we see others performing it.”

As with the other “weapons of influence,” social proof is a shortcut that usually works well for us: if we conform to the behavior we see around us, we are less likely to make a social faux pas. The fact that canned laughter provokes an automatic response in audiences suggests that auditory cues are powerful stimuli because they influence us at a level of consciousness that is difficult to critique.

Other examples are how bartenders or other establishments will “salt the tip jar,” by placing a few bills in the jar. As a patron approaches to purchase food the implication is, “Many before you have tipped me, why don’t you?” And it works, too!

One of the most profound bits of research in this field that really stands out was done by Dr. K. D. Craig in 1978. Dr. Craig devoted his life to the study of pain and its effect on people. In 1978 he published a paper entitled “Social Modeling Influences on Sensory Decision Theory and Psychophysiological Indexes of Pain” (www.ncbi.nlm.nih.gov/pubmed/690805?dopt=Abstract), in which he did an experiment that he described as:

Subjects exposed to social models dissimulating tolerance or intolerance generally exhibit matching behavior in their verbal ratings of painful stimulation. It has been unclear, however, whether these changes reflect voluntary alteration of evidence or genuine changes in distress.

This study used alternative measures and controlled for methodological limitations of earlier studies by examining non-palmar skin potential in addition to palmar skin conductance and heart rate indexes of psycho-physiological response to electric shock, and by evaluating verbal expressions of pain with sensory decision theory methodology.

Several indexes of non-palmar skin potential and heart rate reactivity exhibited lower reactivity in the tolerant group. Tolerant modeling was also associated with decreases in subjective stress. The results were consistent with the position that changes in pain indexes associated with exposure to a tolerant model represented variations in fundamental characteristics of painful experiences as opposed to suppression of information.

To boil this down, what he basically did was shock people and ask them to rate their pain level. Then using similar but varying shocks did the same test in the presence of a person who was “tolerant” to the pain; it was as if a magical cloak was over the subject, because they were now more tolerant to pain.

This experiment points to the fact that part of the motivation to show, exhibit, or feel pain is related to how others around you act. The people in the study weren’t just acting like it hurt less: Their skin reactions and heart rate actually exhibited less pain reaction when a tolerant model was in place.

For a humorous example of the power of social proof, check out a video from the old television show Candid Camera at www.social-engineer.org/framework/Influence_Tactics:_Consensus_or_Social_Proof.

This video shows subjects being influenced to face different directions in an elevator, even at one point facing toward the back because everyone else is doing it. There were four to five participants in the elevator acting as patrons. At set intervals, the participants would all turn to the left, to the right, or face backwards. After a few seconds, a hidden camera would catch the unsuspecting subject complying and facing the same direction, removing a hat, or taking some other action.

Using social proof as a social engineer can be a deadly tool. This principle can be used to stimulate a person’s compliance with a request by informing him or her that many other individuals, perhaps some who are role models, took the action or behavior you are trying to get this person to do. Social proof can provide a shortcut for determining how to behave. But at the same time it can make targets vulnerable to the manipulations of others who seek to exploit such influence.

Social proof is most influential under two conditions:

· Uncertainty: When people are unsure and the situation is ambiguous they are more likely to observe the behavior of others and to accept that behavior as correct.

· Similarity: People are more inclined to follow the lead of others who are similar to themselves.

These conditions are where a social engineer can use social proof. Stating or even implying that many people before this target have taken a particular action can increase your chances of success.

In one social engineering situation where I was stopped by a leery security guard, I simply acted confused as to why I was stopped and said, “Yesterday, Jim let me in after checking all my credentials. I just figured I was still on record.”

The present security guard, hearing that Jim approved me, allowed me to pass without question. Social proof won’t always work so easily, but it is a very powerful force.

The principles outlined in this section are some of the deadliest influence tactics used today. These tactics can literally give a social engineer powers to motivate people, move them, and cause them to react in ways that will put them in the social engineer’s control.

Remember that influence and the art of persuasion is the process of getting someone else to want to do, react, think, or believe in the way you want them to. Creating this motivation within a target is a powerful force; it is a social engineer’s superpower. The principles outlined in this chapter can make that superpower a reality, but not without consequence and lots of work.

What do I mean by that? I have often found that after I practice a certain skill and become proficient at it, “turning it off” is very hard. This trait may sound attractive, but being cautious when it comes to who you are influencing, especially as a social engineer, is a good idea. To ingrain these skills into your personality, use them for helping others. For example, when you start to practice reading microexpressions and even using them to manipulate a target, the initial response might be to think you have some mystical power that allows you to almost read minds. This is where caution is wise. Practice the skill and work toward perfecting it, but don’t assume you know it all.

If you can influence someone to stop smoking, to start working out, or to be healthier, then you will learn to tap into these skills at will to benefit others, and using them in your social engineering practice is not a farfetched idea.

Many of these skills require you to actually be interested in people, care about them, and empathize with them. If these are not natural abilities for you, then you must work hard to obtain those skills. I urge you to take that time, because the skills in the preceding section can lead you to being a grand master social engineer.

Imagine you could alter what you think to the extent that gaining these skills could be easier. Imagine now, too, if you could alter the thinking of your targets so what they experience is exactly what you want them to experience. Literally altering the reality of those you interact with, including yourself, is the next topic, and it will just blow you away.

Altering Reality: Framing

Framing has been defined as information and experiences in life that alter the way one reacts to the decisions one must make. From a non–social engineer point of view, framing is your own personal experiences and the experiences of others that you allow into your conscious mind to alter the way you make decisions.

Grocery stores use framing by putting “75% lean” on a package of ground meat as opposed to “25% fat.” These terms mean the same thing (both have 25% fat content) but one sounds healthier and is more appealing to the buyer, and that is why stores use 75% lean as opposed to labeling the actual fat content.

The preceding example is simple, but it is also one that helps to show the power of framing. Simply presenting the facts in a different way can make something seem good that would normally be considered bad.

The following sections look at a few areas where framing is often used so you can see how powerful it is.

Politics

Framing has long been used in politics. Simply the way campaigns or messages are worded can make a huge difference in the way the public perceives a message.

Consider, for example, George Lakoff, a professional cognitive linguist. In an interesting observation on framing in politics, he states the difference in how people perceive the use of the phrases “Counterterrorism as law enforcement” versus “Counterterrorism as war.” When the 9/11 attacks occurred, Colin Powell argued that they should be treated as crimes. When the public demanded more action and stricter policies, then President Bush announced the “War on Terror” campaign.

Another example is the Social Security program in the United States. The name implies that this program can be relied upon to provide security for the future.

Yet another example is the difference in the terms bailout versus economic stimulus. Bailout met with lots of opposition because it can paint a word picture of bailing water out of a sinking boat. But economic stimulus paints the mental picture of helping the economy by stimulating the economy. Both programs did almost the same thing, but simple wording made the latter term more acceptable.

Judith Butler, Berkeley professor and author of the critically acclaimed book Frames of War, wrote about how framing is used especially in western cultures when it comes to political agendas and war. In her book she explores the media’s portrayal of state violence:

This portrayal has saturated our understanding of human life, and has led to the exploitation and abandonment of whole peoples, who are cast as existential threats rather than as living populations in need of protection. These people are framed as already lost, to imprisonment, unemployment, and starvation, and can easily be dismissed. In the twisted logic that rationalizes their deaths, the loss of such populations is deemed necessary to protect the lives of “the living.”

These are just a few examples where framing is used in politics.

Using Framing in Everyday Life

The term frame of reference is defined as a set of ideas, conditions, or assumptions that determine how something will be approached, perceived, or understood. This definition can be helpful in understanding how framing is used.

Anything that can alter people’s perceptions or the way they make decisions can be called framing. A friend tells you that last week she went to town and took a certain route that was backed up for 10 miles due to some construction. You might then take a longer route to avoid the potential delay, even though the news your friend shared is more than one week old.

Our minds are designed to not like “clutter” or chaos. When presented with things that are cluttered our brains will try to make order out of them. One interesting example of this is found in Figure 6-3.

Figure 6-3: Can you alter your reality frame to change what you see?

In your present frame, what is the background and what is the foreground? Your minds will insist on finding familiar patterns in things. We do it in clouds, space, and inanimate objects. Humans also tend to see faces in these things.

In Figure 6-4 can you alter your frame and change what is the image and what is the background? Try by focusing on the opposite of what you noticed first.

Another very interesting example of how human brains find order in chaos can be illustrated in an e-mail that circulated over the last few years that looked like this:

O lny srmat poelpe can raed tihs.

I cdnuolt blveiee taht I cluod aulaclty uesdnatnrd waht I was rdanieg. The phaonmneal pweor of the hmuan mnid, aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoatnt tihng is taht the frist and lsat ltteer be in the rghit pclae. The rset can be a taotl mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Amzanig huh? yaeh and I awlyas tghuhot slpeling was ipmorantt! if you can raed tihs psas it on !!

I am not sure whether this is actually Cambridge research, but the interesting part in that forwarded e-mail is how many of us who use English as our main language or are very proficient in reading English are probably able to read that paragraph without much effort, because our brains are very efficient at making order out of chaos.

Many times the framing is more subliminal. Companies use this in marketing in hopes that the subliminal messages will alter the target’s perception of their product. Many times companies will use subtle measures of framing to plant an idea.

For example, Figure 6-4 shows something you probably have seen many times.

Figure 6-4: Can you spot the frame?

After I show you this, you will never see the FedEx logo the same way again—there is an arrow in the FedEx logo. In an interview with the creator of the logo, he said he embedded the arrow in the logo to plant an idea about FedEx’s services. It is there to communicate movement, speed, and the dynamic nature of the company.

Did you find it yet? Look at Figure 6-5 where I outlined and circled the arrow.

Figure 6-5: The arrow indicates quality service that is always moving.

FedEx is not the only company that utilizes framing. For decades companies have been embedding messages into logos in an effort to frame the thinking of the viewer to remember, think, and view their company in the way they want. The next few figures show more examples.

Did you ever notice Amazon’s logo for its embedded framing message (see Figure 6-6)?

Figure 6-6: Do you see the smiling happy customer?

Amazon has two framed messages in its logo. One is the happiness you will feel as a customer, represented by the smile in the image, but the smile is also an arrow. That arrow points from A to Z, indicating the Amazon has everything from both points and in between.

Another great example is the Tostitos logo. This is a very social logo, as you can see in Figure 6-7.

Figure 6-7: Does this logo make you want to share a chip with someone?

The two T’s in the middle are people sharing a chip over a bowl of salsa. In 2004, Tostitos issued a press release that said, “Tostitos plays a role as a ‘social snack,’ helping to create connections between friends and families, whether it’s at a party, during the ‘big game,’ or at simple everyday get-togethers. The new logo brings to life this idea of making connections.”

These examples are just a small subset of how framing is used in marketing. Framing is not all about images; mostly it is about the value that the target perceives. The perception that the target has of an item can increase or decrease its value. Take an expensive clothing store—when you walk in everything is hung neatly, pressed, and perfect. The perception can be that the clothing is worth the exorbitant amount of the price tag. Yet, if you were to take one of the ties, shirts, or other pieces of clothing off the rack; bring it to a discount store; and throw it into a large bin full of other clothes marked, “Discount 75% off” your perception of the value of that item of clothing would go way down.

Marketing gurus play off this phenomenon in an effort to frame the public’s perception of value. Many companies have been successful at framing to such an extent that people actually have coined phrases to create a whole genre of words to describe products.

For example, everyone has probably said, “Will you make a Xerox of that?” even if the machine is not a Xerox but another brand. Xerox is the brand name, not the type of machine.

A more recent example is no matter what search engine you use, people often say, “Did you Google it?” because Google has become synonymous with searching on the Web. And people say, “Hand me a Kleenex please,” when really they want a tissue.

Others that you might not even be aware were brand names (unless you are of the generation in which they were introduced) include:

· Aspirin is a trademarked product of Bayer.

· Thermos is a product name of Thermos GmbH Company.

· Band-Aid is a trademark of Johnson & Johnson.

· Frisbee was a trademark of Wham-O.

All of those names became so popular that people’s frame of reference eventually encompassed any product similar to it. I never take aspirin—I usually use another brand—but I will always ask for “two aspirin,” be given the brand I use, and be happy.

Volumes of information exist about framing, but boiling down this information to some main principles you can use as a social engineer is necessary. The preceding information set a very detailed stage for what framing is and how it is used in different areas of life. Before moving to the social engineering arena, take a look at the different types of framing alignments.

Four Types of Frame Alignment

Two researchers, David Snow from the University of Arizona and Robert Benford from the University of Nebraska, wrote a paper entitled, “Clarifying the Relationship Between Framing and Ideology in the Study of Social Movements” (www.social-engineer.org/resources/book/SNOW_BED.pdf).

Snow and Benford argue that when individual frames become linked in congruency and complementariness, that frame alignment occurs, producing frame resonance, which is key to the process of a group transitioning from one frame to another. Snow and Benford then outline four conditions that affect framing efforts:

· “The robustness, completeness, and thoroughness of the framing effort”: Snow and Benford identified three core framing tasks, and the degree to which these tasks are attended to will determine how much each participant gets involved.

The three steps are:

1. Diagnose the frame for problems.

2. Analyze it for solutions.

3. If successful, a call to action.

The more effort put into the frame the better chance the person has to call those he is framing into action.

·“The relationship between the proposed frame and the larger belief system”: People tend to discount frames or proposed frames if a link does not exist to a core belief or a value of their belief system.

Trying to convince a person who holds a belief that eating meat is cruelty to animals to go to the steak place down the road that has a great special will certainly fail. The frame must fall with the core of a person’s beliefs to be successful (unless your goal is to use a frame to change his or her core beliefs); it is imperative to success.

A large-scale framing change attempt was made through the controversial anti-smoking commercials where volunteers pile up body bags in front of a tobacco industry building’s front door. The body bags represent how many people die every minute, hour, or day from smoking. The hope is to alter the frame of those who support smoking to think about the death toll for those who smoke.

·“Relevance of the frame to the realities of the participants”: The frame must be relevant to the person (target). It must be creditable and testable as it relates to the target’s experience.

You can’t expect to use a marketing frame that will encourage people to take a luxury cruise in a land where people cannot afford food for the day. No matter how good you are at using framing in marketing, it just would fail. For the frame to align, it must not just be relevant but must also be provable in order to hold value, even if that proof is just in the mind of the target.

For example, in 2007 a very popular and trusted news source, Insight Magazine (which is owned by the same company as The Washington Times) reported that then-presidential candidate Obama had attended an all-Muslim school that was known for teaching a very radical and fundamental form of Islam. When this news report was released many believed it right away—why? It fit into the frame of their reality, it seemed credible, and it came from a “trusted” source.

CNN, another reputable source for news, sent out investigators, discovered that story was false, and reported its findings.

This is a good example of altering people’s frames on a matter using a very trusted source for “truth”—news media. People who wanted to believe that Obama was a radical Muslim ran with that story, and the news went wild. When research revealed the story to be false, many people’s thinking was altered again.

·“Cycles of protest; the point at which the frame emerges on the timeline of the current era and existing preoccupations with social change”: What is happening in the world can affect a social frame. Think back a few years ago; if the idea of full body X-ray scans were proposed to companies in the U.S. or other Western cultures, the idea would have been thrown to the wind.

Activists for privacy would have fought against the idea and won, simply by using the idea of someone being able to see your private areas and potentially saving that picture to mock or sexually harass you. This argument would have outweighed the sales efforts of the creators of the machines. Yet, after the attacks in America on September 11 and the subsequent rise of terrorist activity, those machines are being installed at airports around the globe despite the cries by activists, even arguing with the power of child pornography laws on their side.

Why? The social frame of how to remain safe has been altered, allowing a new breed of decision to enter.

Snow and Benford propose that when proper frames are constructed as described in these four points, large-scale changes in society such as those necessary for social movement can be achieved through frame alignment. Their studies focus on society as a whole, but these same principles are effective when dealing on a smaller scale or even one-to-one.

The preceding discussion is just the process to frame alignment; actually four different types of alignment can occur after these four conditions are met. Although many of these aspects are geared towards framing groups as a whole, the following sections discuss these four framing alignments on a personal level that will show how you can use them on a smaller scale both as a social engineer and/or just as a person wanting to align frames with others. Imagine trying to align your goal of entry to a building with the frame of the security guard designed to stop you. Bringing his frame into alignment with your pretext can ensure success.

One thing to remember about frames is that they are never constructed from scratch. Frames are always drawn on already-existing cultural codes that involve the core of a person’s beliefs and experiences. Knowing this will affect how you use framing.

Frame Bridging

The Cathie Marsh Centre for Census and Survey Information defines frame bridging as the linkage of two or more ideologically congruent but structurally unconnected frames regarding a particular topic.

Bridging is not about tricking people into believing your frame as much as your understanding their frame so deeply that you find the connecting link. You then use that connecting link to bring a target into your frame.

The situation could be that you want to gain access to an area, building, or piece of information. Your frame is that you want that to happen. The frame of the person you are approaching is not necessarily to stop you; he may not even know what you are going to attempt. If you were to approach the situation in that frame you may alert him to a problem and thereby shut down your chances.

By understanding the target’s job, role, and mental outlook you can understand his frame of mind and maybe find a link that will make his transition into your frame much easier.

What is your pretext? How would the person you are about to approach treat a person in your pretext? A good social engineer must understand this to be successful. The “gatekeeper” will treat a sales guy differently from the soda delivery guy. Understanding the frame of the target means knowing how he will treat you—not you as a social engineer, but you as the pretext.

A more personal example may be to think of how you want others to view you— maybe as cool, “together,” intelligent, or confident. A professor wants to appear smart. A manager wants to appear in control. An athlete wants to appear calm and strong. A comedian wants the audience to view her as funny. All of these are frames that a person wants others to be in alignment with.

In the comedian’s case, what if there is a heckler—a person who doesn’t see her as cool, funny, intelligent, or confident? Because of the heckler’s frame they are angry, not happy, put off, or just not interested? If the comedian persists in his frame he may convert some people around him, but until he delves deep and try to understand where someone is coming from he will not be able to align their two frames and bring that person into his frame. The comedian who can handle a heckler is able to put aside her fears about her frame and use the heckler to her advantage.

The frame bridging alignment technique can be one of the most powerful used by a social engineer, but involves some preparation to make sure you get it right.

A social engineer can utilize this particular form of frame alignment by helping a target bridge the gap of what they see and what they need to believe through a proper pretext. Again, recall the example of trying to gain access to the building as a tech support rep. Your dress, tools, and language must match the frame that the target expects of a support rep. If they do, the bridge is created and alignment occurs.

Frame Amplification

Frame amplification, according to Snow, refers to “the clarification and invigoration of an interpretive frame that bears on a particular issue, problem, or set of events.” In other words, you will amplify, or focus on, the values or beliefs of the target. By focusing on those values you can find an area that will align your two frames, or at least drive the target to think there is alignment.

This form of alignment has been labeled as the most basic of the four because it is more of a maintenance method. It involves the accenting, augmenting, or punctuating of an event as being more important than others, which allows for this event to be linked with other events with greater ease.

An example of frame amplification can be revealed if we do further research into the earlier example about the full-body X-ray scanners. The scanners are being sold now as deterrents for terrorists. The frame that they are being sold under is how the recent terrorist activity caused a need for products like these, and here they are to fulfill that need. Yet research into these devices shows they were being built, marketed, and rejected long before the attacks of 9/11 and other recent attacks.

Using the events of 9/11 combined with the fear of flying many people have due to those attacks enables the scanner companies to link their frame with the frame of fear many people have, and thereby gain support for implementing these devices in airports around the globe.

One of the other strengths of frame amplification is that it can be successfully used to blur the frame and cause people with a certain belief to distance themselves from that belief. For example, many who believed in privacy and the freedom to choose how to be screened have been brought into a different frame by the x-ray scanner manufacturers focusing on certain aspects of other screening methods being unsafe or incomplete, and to prove their point they bring out stories like “the underwear bomber.” Such tactics amplify their frame that the new x-ray scanners are better and safer, using widely held beliefs regarding the lack of security of other methods.

A social engineer can utilize this alignment technique in a few different ways. For instance, a social engineer may want to convince a security guard to give him access to an onsite dumpster area. The pretext of working for a waste disposal contractor is good and it very well may work alone, but it would work even better if you presented the idea that there is damage to one of the dumpsters, which represents a security liability for the company. Amplifying that frame can bring you to an alignment with the security guard that the best solution is allowing you onsite to check it out.

Frame Extension

“Frame extensions are a movement’s effort to incorporate participants by extending the boundaries of the proposed frame to encompass the views, interests, and, more importantly, the sentiments of a group.” In other words, by extending your frame’s boundaries to encompass other subjects or interests of your target, you can bring them into alignment.

For example, the possibility exists that groups who support environmental or “green” initiatives will extend their frame to antinuclear movements, stating they are under the umbrella of a being concerned about the environmental risks.

However, a risk with using frame extensions is they can weaken the stance on the original frame and a certain level of appeal can be lost. This can be done by including too many frame extensions into a certain frame, eventually diluting the main frame and causing interest to be lost.

Even on a personal level, simple is best. When using this frame alignment tactic, keep it simple and easy to follow. Don’t make the connecting web so convoluted you lose the interest of the target.

A social engineer may utilize this frame alignment technique through the elicitation skills discussed in Chapter 3. When a social engineer approaches a target, she can gather information about the target or their company by not acting interested in that but utilizing chit-chat at a party, or with a pretext as a reporter. This will give the social engineer the “right” to ask for information that they would normally have to work very hard to get.

Frame Transformation

“Frame transformation is a process required when the proposed frames may not resonate with, and on occasion may even appear antithetical to, conventional lifestyles or rituals and extant interpretive frames.” In other words, a social engineer offers new arguments that point to why their frame is better in an effort to transform the thoughts or beliefs of a target from where they are to where the social engineer wants them to be.

When a frame transformation occurs, new values and new understandings are required to keep people involved and keep their support. This type of transformation was done on a large social level in the 1970s where the conservative movement was reframed or transformed into a more progressive environmentalist movement.

On a smaller, more personal scale, frame transformations occur every day through religious conversion, in which a person’s frame or whole belief system is altered, changed, and transformed to be aligned with a new frame of thought, that of the new religion.

Transforming someone’s frame is not easy; it is one of the most complicated alignment tactics to put into practice because it can take:

· Time: Changing someone’s whole belief structure is not a quick process and can take the usage of other alignment techniques and lots of time to make it work.

· Effort: Knowing where the target is coming from and where you want him to be are just the initial steps. What will be his objections and mental blocks? Finding out these things will take some work.

· Education: Knowledge is power. You must help the target understand the new frame you want him to “convert” to.

· Logic: The education must be logical and not all emotion. The target must be able to reason and rationalize the action he is about to take. The only way he can do that is with logic.

· Deep emotional ties: Knowledge is what prepares a person for action, logic convinces him the action is good to take, but emotion is what makes the action happen. If you are emotional about your “cause” the target will feel that emotion. Just make sure the emotion you are expressing and feeling matches the pretext. If your pretext is a guidance counselor and you come in like a cheerleader you will offset the target’s ability to align.

Being able to align others to your frame and align yourself with theirs can give people incentive to do the things you ask. Although using any of the four framing methods is powerful, a social engineer who is successful in frame transformation has endless power.

Read on to find out how to apply these framing techniques as a social engineer.

Using Framing as a Social Engineer

Throughout this section I mentioned many ways a social engineer might use framing as a technique. Some of these methods are so powerful that perfecting them can turn you into a master influencer.

To truly use framing as a social engineer you must understand four things about framing. These four things will help you to understand clearly how framing works and how to use it as a social engineer.

Remember what a frame is. A frame is a conceptual structure that our minds use in thinking. This is a vital piece of information because your goal is either to create a new frame, align with a person’s frame, or bring the target into your frame.

One of those three goals needs to be outlined with the following four rules in order to master framing as a social engineer.

Rule 1: Everything You Say Will Evoke a Frame

People’s minds work by picturing things. This natural fact cannot be altered, but you can use it to your advantage.

If I start to talk to you about your boss, your mind will picture him. If I paint a picture with words about how he was outside on the cell phone and he was angry, your mind will start to picture his angry face, body language, and words. You will not be able to control this and that mental frame will cause emotions and reactions.

Painting a picture with words is a powerful way to use framing. By choosing your words carefully you can cause a target’s mind to picture things you want him to picture and start moving him to a frame you want.

Have you ever heard someone who you thought was a great storyteller? Why? What made her great? She was able to paint a mental picture, make you see things in your mind, which intrigues you and gets you involved. This skill is very important for a social engineer. It doesn’t mean you talk as if you are telling a great story all the time, but you want to keep in mind the words you choose because those words hold the power to paint pictures in the minds of the targets.

Here is a simple example: I can tell you that I had spaghetti for dinner last night. If you are not a foodie or not Italian, maybe the last time you had spaghetti it wasn’t that pleasurable. Your mental frame is not that strong and you might be turned off.

What if I told you that last night my wife made a sauce of vine-ripened tomatoes and basil she grew in the garden? It also had chunks of fresh garlic and oregano in it, as well as a hint of red wine flavors. She served it over a plate of perfectly cooked spaghetti noodles and with homemade garlic bread.

Whether or not you are a pasta fan, you are picturing a restaurant-quality dish. This is how you should plan your words with your targets. They should be descriptive, robust, and full of pictures. Yet the caution is not to be overly theatrical as a social engineer. Your goal should be to build a picture with your words, not to draw attention to yourself or your delivery.

Rule 2: Words That Are Defined Within a Frame Evoke the Mental Frame

You don’t have to use the exact words to make a person picture the frame you want. For example, what do you think of when you read the following sentence?

“I saw the insect struggle to get free from the web, but he could not. Moments later he was wrapped up in a cocoon and saved for dinner.”

Notice, I didn’t have to mention a spider to make you think of a spider. If I want to frame you into thinking about a spider, I can do it without having to mention the word spider. This powerful rule of influence and framing gives a social engineer the ability to control the target’s thoughts using indirect speech.

Toastmasters, the international organization focused on people’s speaking abilities, teaches its members to move people with their speech by getting their audience’s emotions involved. Delivering a story that causes the target to picture the frame you want while involving them emotionally will solidify your standing in leading that conversation.

Again, using this method of framing will take planning. A powerful aspect to this frame rule is that while a target’s brain is processing the information you are feeding it and generating the mental pictures you are painting, there is a time when you can plant thoughts or ideas. Unlike where I painted a direct picture of a beautiful pasta dish, this rule allows the target the freedom to picture something else.

I could have ended my earlier spaghetti dinner story with, “My wife then served it on a plate of perfectly cooked pasta. What kind of pasta? I am not telling you, you have to picture it,” and when your brain starts to picture it then I can say, “As I twirled it on my fork, the sauce was so thick and perfect it clung to each noodle.”

This description paints the mental picture of spaghetti. What other pasta do you twirl? (I know there are others, but you get the point.)

Rule 3: Negating the Frame

If I tell you to not picture a spider in a web, your brain has to picture the spider first to tell yourself to not picture it.

This technique of negating the frame is powerful. Telling a target to be careful, watch out, or be cautious about something automatically puts them in the frame you may want. This technique is often used by professional social engineers. In one interview I did with a panel of social engineers, everyone agreed that this technique works great.

During one audit, I dropped a few USB keys that were laden with malicious code that I wanted someone in the company to run without thinking. I approached one of the employees who I had gained the trust of and said, “John, I heard a memo was issued to be on the lookout for a few USB keys that have been dropped. They are looking for them now.”

It just so happens that you are in there as a janitor and you dropped the USB keys laden with malicious files, and now by telling people to look out for them, you are in essence planting the seed for them to do your bidding. This kind of a phrase negates the worry they may feel when finding a rogue USB key and cause them to plug it in to see whose it is.

Rule 4: Causing the Target to Think About the Frame Reinforces That Frame

Every time the brain focuses or thinks about something it is reinforced. The more you can make the target think about or picture the frame you want him in, the easier it will be to reinforce and move him to that frame.

Look back at Chapter 2 on communication modeling and analyze how the messages a social engineer will develop can have amazing effects on your targets.

I was once traveling in India. I don’t remember the exact incident in the news, but all I know is that President George W. Bush had lost favor with people in Europe. I was flipping through the news stations and saw how people in certain European countries where hanging dolls that looked like George W. Bush in the streets. After wrapping American flags around the dolls they were lighting them on fire.

It was a shocking scene and while I was on the phone with my wife that evening I said, “Wow that news story on what’s happening in Europe is crazy, huh?”

She hadn’t heard anything about it. Why? News media and news stations are masters when it comes to framing and manipulation.

A social engineer can learn a lot from looking at how media utilizes this skill. By using omissions, or leaving out details of a story or the whole story itself, the media can lead people to a conclusion that seems like their own, but really is the media’s.

Social engineers can do that, too. By omitting certain details and only “leaking” details that they want leaked, they can create the frame that they want the target to think or feel.

Labeling is another tactic used by the media. When they want to frame something positive they may say things like, “the strong defense of…” or “our healthy economy.” These phrases paint mental pictures of stability and health that can help draw positive conclusions. The same rules can apply for negative frames, too. Labels such as, “Islamic terrorists” or “conspiracy theories” paint a very negative picture.

You can utilize these skills to label things with descriptive words that will bring a target into the frame you want. Once, approaching a guard booth that I wanted to gain access to, I walked right through as if I belonged. I was instantly stopped abruptly. I looked at the guard in shock and apologetically I used a phrase like, “Oh, yesterday that extremely helpful security guard, Tom, checked out all my creds and let me pass. That is why I assumed I was still on the list.”

Labeling the previous guard as “extremely helpful” automatically puts the present guard in a frame I want. If he wants to receive such a prestigious label, he better be as “extremely helpful” as Tom was.

Framing is effective because it bends the truth but not so much that it becomes false, so it remains believable. A social engineer can create a desired impression without departing too far from the appearance of objectivity.

I read a white paper called “Status Quo Framing Increases Support for Torture,” written by Christian Crandall, Scott Eidelman, Linda Skitka, and Scott Morgan, all researchers from different universities. In the white paper they supplied a very interesting data set that intrigued me on this topic. In the U.S. it seems many people are against the use of torture in wartime as a tactic for gaining intelligence information. The purpose of this study was to see whether the researchers could get a subset of people to agree that torture is less disagreeable by framing the message differently.

They took a sample group of roughly 486 people and asked them to read two paragraphs.

The first one read:

The use of stress by U.S. forces when questioning suspects in the Middle East is in the news. This kind of stress interview is new; according to some reports, it is the first time it has been widely used by the U.S. military. American forces have used many different methods, including strapping detainees to a board and dunking them underwater, stuffing detainees face-first into a sleeping bag, and long periods of hanging detainees by ropes in painful positions. Detainees are also kept awake and alone for days at a time.

This paragraph paints the thought that these are new techniques being employed by the U.S. Government to obtain data.

The second paragraph read:

The use of stress by U.S. forces when questioning suspects in the Middle East is in the news. This kind of stress interview is not new; according to some reports, it has been used for more than 40 years by the U.S. military. American forces have used many different methods, including strapping detainees to a board and dunking them underwater, stuffing detainees face-first into a sleeping bag, and long periods of hanging detainees by ropes in painful positions. Detainees are also kept awake and alone for days at a time.

The status quo version of the paragraph was identical, except that the second sentence in the paragraph was replaced with “This kind of stress interview is not new; according to some reports, it has been used for more than 40 years by the U.S. military.”

What were the results in just changing one frame—a frame that these are brand-new methods or that these are tried-and-tested methods that have been used for decades?

The paper describes the researchers’ measures. Seven items formed the basic set of dependent variables. These items corresponded to a seven-point “button” scale, with the point labels of very much disagree, moderately disagree, slightly disagree, uncertain, slightly agree, moderately agree, and very much agree. All items were reverse scored so that higher scores reflected greater agreement with each item.

The conclusion? “The status quo manipulation had an effect on overall evaluation of torture—when described as a long-standing rather than new practice, torture was evaluated more positively; [m]aking torture appear to be the status quo for interrogations increased individual support and justifications for using it as a tactic.”

By changing just one little part of the frame the researchers were able to bring a sizeable group of people into alignment and make them agree (for the most part) that torture can be an acceptable policy.

That paper’s remarks continued, “They can apply across many, many domains, and can affect judgment, decision making, aesthetics, and policy preferences,” concluding with, “relatively modest changes in the way ethical choices and value dilemmas are presented, framed, or put in context can have profound effect on political choice and policy.”

This experiment proves how powerful framing is because it can change even core beliefs, judgments, and decisions that people may have had for years. As a social engineer that is not even the goal most of the time. You are not trying to convert people; you’re just trying to get them to take an action that with a little thought they would reason is not that good to take.

Applying the four framing rules and doing a lot of planning can make framing a devastating force to be reckoned with, which is why, unfortunately, malicious social engineers use this technique every day. In the U.S. and “westernized cultures,” especially, people are trained to accept being framed, to accept being told what to think and how to think it.

If I told you 15 years ago that almost every program on television would be about watching real people do real things, you might have laughed at me. Why? Because watching shows like that sounded boring and silly. Yet in 2006, the Los Angeles Times stated that the number of reality TV programs jumped up 128% (http://articles.latimes.com/2010/mar/31/business/la-fi-ct-onlocation31-2010mar31), and it hasn’t slowed down much since then, and it’s because watching them is what’s new and hip, and we are told that watching them is good and fun, and everyone does it. These shows are an example of how one thing can be made to look good that most people would have considered silly just a few years earlier.

Framing is definitely an art form that when mixed with the science of communication and influence can become a formidable force on a personal level in the hands of a skilled social engineer, through presenting information in a way that can make aligning with the social engineer “easy” for the target, can make him take action that will not leave him feeling guilty, and alter his perception of reality.

Framing and influence are key parts of social engineering, although another skill is often associated with the “dark corners” of social engineering. The book’s introduction mentioned peering into these corners; the following section presents the information that will alter the way you look at influence.

Manipulation: Controlling Your Target

Manipulation is considered by many to be a very dark topic, a topic that creates a sense of fear because of the way it is often portrayed.

Taking a look at a few definitions found on the Internet may help to explain:

· “exerting shrewd or devious influence especially for one’s own advantage”

· “influence or control shrewdly or deviously”

· “control (others or oneself) or influence skillfully, usually to one’s advantage”

You can clearly see why many social engineers drool over this topic. Can you imagine being able to use your skills to control or influence someone to your advantage?

From something as dark as brainwashing to the subtle hints of a salesperson, manipulation tactics are something every social engineer should study and perfect. The aim of manipulation is to overcome the critical thinking and free will of their target. When the target loses his ability to make a decision based on informed processes, they can be fed the ideas, values, attitudes, or reasonings of the one manipulating them.

Manipulation is used in six ways that hold true whether the topic is brainwashing or something less insidious. I will quickly go through each one before we get into this very deep section.

· Increasing the suggestibility of your target. At its most extreme, sleep or food deprivation increases a target’s suggestibility. On the lighter side, subtle hints that build in intensity over time to make your target more suggestible.

· Gaining control over the target’s environment. This technique can involve everything from controlling the type and quantity of information to which a target has access to much subtler things like gaining access to a target’s social media websites. In a social engineering context, having access to social media allows you to view your target’s communications as well as exert control over the information he receives.

· Creating doubt. Destabilizing and undermining your target’s belief system can go a long way toward manipulating your target to take an action you want. From a social engineering viewpoint, this must be done subtly. You can’t just barge in and start degrading your target; instead, questioning the rules they follow, their job, or their beliefs can affect the target’s ability to make rational decisions.

· Creating a sense of powerlessness. This truly malicious technique is used in wartime interrogations to make a target feel a lack of confidence in their convictions. A social engineer can utilize this tactic by taking away the target’s agency by presenting the “facts” you received from someone with authority, thus creating a powerless feeling.

· Creating strong emotional responses in the target. Strong emotional responses include everything from doubt to guilt to humiliation and more. If the feelings are intense enough, they can cause the target to alter their whole belief system. A social engineer must be careful not to create damaging negative emotions, but using tactics that create an emotional response based on fear of loss or punishment can prove beneficial to your SE goal.

· Heavy intimidation. Fear of physical pain or other dire circumstances can be used to make a target crack under pressure. Again, most social engineers will not go this route unless they are using corporate espionage as a tactic, but in normal social engineering, this tactic utilizes perceived authority to build strong fear and feelings of potential loss.

Most times, however, manipulation is not so extreme. On its very basic level, imagine you’re in a crowded room and someone calls out your name. What is your reaction? Usually it is to turn around or respond with a “Yes?” You have been manipulated, but not necessarily in a bad way.

On a psychological level, being manipulated is even more profound. Notice what happens to make that preceding interaction happen: Your brain hears your name, and you automatically formulate an answer (“Yes?”). The connection between that answer and your vocal response is very short. Even if you made no vocal response or if the name-calling is not targeted to you personally, if a question is asked your mind will formulate an answer.

Just being in close proximity of two people conversing and overhearing a question will cause your mind to formulate an answer. The answer can be an image or sound in your mind. If a target overhears two people talking about what someone looks like his mind will form a mental picture. If you hear two people telling a joke about a chicken crossing the road, you may picture the chicken, the road, or the whole scene.

This type of manipulation is just the beginning of what you can do. Another manipulation tactic is that of conditioning.

People can be conditioned to connect certain sounds or actions with feelings and emotions. If every time something positive is mentioned a person hears a pen click, after a short time the target can be conditioned to associate a positive feeling with this sound.

One of the most classic examples of conditioning was Ivan Pavlov and what we call Pavlov’s dog, which was discussed in Chapter 5. The question then becomes whether you can use this type of conditioning on people. Although making targets salivate is not on most social engineers’ priority list (although it would be humorous), are there ways to condition a target to react to certain sets of input the way you want them to react?

To find the answer, read the following sections, which provide a few examples of manipulation in business and marketing to set a foundation for discussion and an analysis of how to use manipulation on a personal level.

To Recall or Not To Recall

In May 2010 The Washington Post reported an interesting story (www.washingtonpost.com/wp-dyn/content/article/2010/05/27/AR2010052705484.html). The maker of children’s Tylenol, Motrin, Benadryl, and Zyrtec, among other liquid over-the-counter medicines, discovered a defective batch of Motrin and didn’t want to perform a recall due to the costs of such an action. What was the company’s answer?

It used manipulation. The company hired a slew of contractors to go from store to store and buy back all the Motrin in the store, which would then be destroyed. Unfortunately, its plans were foiled when a contractor dropped a paper in one store that outlined the plot, which was then reported to the Federal Drug Administration (FDA).

On a side note, the FDA did make that company recall 136 million bottles in just one out of four recalls. Unfortunately, it was too late because 775 cases were reported of children and infants who had adverse reactions to this tainted batch, with 37 ending in death. The reports are not conclusive whether the deaths were a result of the bad Motrin or a reaction to the Motrin. That is not the focus here.

This is a very dark example of manipulation, or at least attempted manipulation. To protect this company’s image it was willing to forgo the proper procedures and the safety of children all over the world. It attempted to manipulate the system and in the process people lost their lives. The documentation that was dropped in the store discussed how the contractors were under orders to buy the product back and not mention “recall” at any point in time.

When the company was caught it deployed many interesting manipulation tactics. It deflected the situation by saying the reason for the action was its experts didn’t think a significant risk existed to children.

It followed this statement by a formal apology and the firing of six top executives. Then the real manipulation came in. While being questioned, the company stated that they were not trying to do a “phantom recall,” as it was being called. The company was testing the alleged damaged batch by having the contractors buy it back to be tested. If it was found faulty the company would have taken the proper procedures. This company attempted to use a manipulation technique called diversion, to divert attention from what they were really doing to make it seem better than it was. In addition, it used a cover-up technique to manipulate the thinking of those who disagreed with their actions by issuing statements that the company was trying to do testing to determine if there was need for a recall.

This type of manipulation is worth discussing because a diversion tactic can work on a much smaller scale in a personal setting, too. If you are caught in an area or place you should not be, then having a good cover story that is believable can go a long way toward manipulating the target to allow you safe passage. Diverting the target’s attention to something other than the problem at hand can give you enough time to redirect his or her concern. For example, if you are caught by a security guard, instead of getting nervous, you could simply look at him and say, “Do you know what I am doing here? Did you hear that some USB keys have been lost with very important data on them? It is imperative we find them before everyone comes in tomorrow. Do you want to check the bathrooms?”

Many of you probably never heard about the Motrin recall story, showing that the company did a good job of manipulating (so far) the media and justice system to keep the limelight off of it. Regardless, this situation outlines how diversion and cover-up can be used in manipulation.

Anxiety Cured at Last

In 1998 SmithKline Beecham, one the largest pharmaceutical companies in the world, launched an ad campaign designed to “educate” the masses about something it called “social anxiety disorder.” It planted 50 press stories and surveys with questions like, “Do you have social anxiety disorder?” These quizzes and surveys were geared to “educate” people on this disorder and how to tell whether they suffer from it.

Later that year it changed its marketing campaign copy in medical journals from “Paxil means peace…in depression, panic disorder, and OCD” to “Show them they can…the first and only approved treatment for social anxiety disorder.” This change cost the company about $1 million to make.

In 1999, a $30 million campaign was launched on print and television announcing that SmithKline Beecham found the cure for social anxiety disorder, and its name is Paxil. Using the data from the surveys and quizzes the company bought spots in some of the “hottest” television shows at that time and spouted statistics that 10 million Americans suffer from SAD (social anxiety disorder), and now there is hope.

By 2000, Paxil sales accounted for half of the increase in the entire market: The company “became number one in the U.S. selective serotonin reuptake inhibitor market for new retail prescriptions in 2000.’’ In 2001 it won FDA approval to market Paxil for both generalized anxiety disorder and posttraumatic stress disorder.

The 9/11 attacks resulted in a dramatic increase in prescriptions for all antidepressants and anxiety drugs. During this time Paxil’s advertising positioned it as an answer to the uncontrollable feelings of fear and helplessness that many people felt in the aftermath of the attacks.

I am not saying that these drugs do not work, or that the company’s motive is malicious, but I find this case particularly interesting in that the manipulation of the market started with education and ended with a massive increase in sales, while creating new disorders along the way.

This type of case-building manipulation is often used in marketing, but is also used in politics and even on a personal level, presenting a problem that is terrible, but then presenting “facts” that you have derived as proof of why what you say is true. On one episode of The Real Hustle, Paul Wilson set up a scenario where he had to extract a famous star they were using in a scam to steal some CDs from a store. The store clerk detained the star and waited for the cops to arrive. Paul walked in, identified himself as a cop, flashed his wallet with nothing more than a picture of his kids in it, and was able to “arrest” the star, take the CDs and the money in the cash register as evidence, and leave unquestioned. This story is an excellent example of this type of case-building manipulation. Paul had a problem (the thieving star) and presented himself as the solution (the cop) to the problem. Whatever the scenario, build the case for what a good person you are before presenting your request, and that case makes the request more palatable to the person you’re trying to manipulate.

You Can’t Make Me Buy That!

Kmart. I felt like just leaving this section at that, but I think I should explain more. Kmart developed an idea it called the planogram, which is a diagram that shows retailers how to display their products based on colors, sizes, and other criteria to manipulate their customers to want to buy and spend the most.

Planograms are designed to create optimal visual and commercial product placement.

The use of these planograms is a form of manipulation because researchers have studied how people shop, think, and buy. Understanding these things helped them develop mechanisms to control the visual input to increase shoppers’ desire to buy.

Software, as well as whole companies, are devoted to planning and executing these planograms for the maximum effect on keeping shoppers shopping.

Three different layouts are used to manipulate shoppers:

· Horizontal product placement: To increase a customer’s concentration on a certain article, a multiple horizontal placement side by side of one product is applied. Some retailers found that a minimum placement range between 15 and 30 cm of a single product is necessary to achieve an increase in customer attentiveness (see Figure 6-8).

· Vertical product placement: A different method used is the vertical product placement. Here one product is placed on more than one shelf level to achieve 15–30 cm placement space (see Figure 6-9).

Figure 6-8: Placing the same or similar items in a horizontal row, as shown in this computer generated planogram, increases customer focus.

Figure 6-9: Products are grouped together to drawn the eye to items they want to sell.

· Block placement: Products that have something in common are placed in a block (brands). This can be done side by side, on top of each other, centered, or using magnetized hangers (see Figure 6-10).

Figure 6-10:Another example of a few different types of planograms being used at once.

Planograms are not the only method of manipulating shoppers. One test done involved a shopping mall running specifically designed music loops. The result was that those shoppers stayed in the mall an average of 18% longer than when the music was not running.

In the Journal of Business Research, Jean-Charles Chebat and Richard Michon published a study they performed in a Canadian shopping mall (www.ryerson.ca/~rmichon/Publications/Ambient%20odors.pdf). The researchers pumped specially designed aromas into the air that were supposed to trigger happiness and the desire to buy. The result there was that an average of $50 more per shopper was spent in that week-long study.

Your trips to the shopping malls and grocery stores will never be the same now. However, you can learn a lot from these methods and experiments. Knowing how people group things in their brains can affect how you organize your shelves to manipulate the feelings, emotions, and thoughts of your targets.

On the topic of colors, they are a major way to manipulate the emotions of a target. Many of the same principles apply to colors as they do to product placement. The colors you choose to wear or use can affect the target. A lot of research has been done on colors and their effects. The following is a short list of some ways a particular color could affect the thinking or emotions of another person:

· White: White is often associated with purity, light, and cleanliness. It gives feelings of safety and neutrality as well as goodness and faith. This is why white is often used in weddings or as the color of surrender.

· Black: Black often denotes power, elegance, mystery, and strength. It is used to denote authority, depth, and stability. Black gives the feeling of calmness and tranquility. Because it contrasts with other colors, it can also be used to enhance other colors.

· Red: Red is associated with excitement and joy. It is a color filled with celebration, action, and energy. It can denote good health, speed, passion, desire, and love. Red can stimulate emotions as well as increase heart rate, respiration, and blood pressure.

Red can trigger strong emotions—use caution when using red. Even though it can denote power and impulsiveness, it can denote force, intimidation, and conquest, even violence and revenge. Be careful how you use red.

·Orange: Orange gives warmth, enthusiasm, attraction, determination, strength, and endurance. It can stimulate a person to feel invigorated and even stimulate his or her appetite.

Orange is another color to be cautious with. Although using orange has many good benefits, like making the viewer feel warm and attracted to you or your product, too much or the wrong combination can create feelings of insecurity, ignorance, and sluggishness.

·Gold: Gold is usually associated with illumination, wisdom, wealth, and prestige.

·Yellow: Yellow is associated with energy and optimism, joy and cheerfulness, loyalty and freshness. It can cause a person to feel focused and attentive.

Yellow also has an impact on a person’s memory (why are so many sticky notes yellow?). Used in small amounts, it can trigger positive emotions, but too much can cause a target to lose focus or feel criticized.

·Green: Green is often associated with nature, harmony, life, fertility, ambition, protection, and peace. It can produce a very calming effect, making someone feel safe.

Green is another power color but can also make one feel greedy, guilty, jealousy, and disordered if used in the wrong setting or used too much.

·Blue: Blue is associated with the color of the sky and ocean. It can be linked to intelligence, intuition, truth, tranquility, health, power, and knowledge. It is very calming and cooling and has been known to slow down the metabolism.

Blue is the easiest color for the eyes to focus on. It can have many positive effects, but be careful not to make the target feel cold or depressed.

·Purple: Purple is associated with royalty, nobility, luxury, creativity, and mystery.

·Brown: Brown is associated with earth, reliability, approachability, convention, and order. It can create emotions of being rooted or connected, or having a sense of order.

How can you use all this information? I am not suggesting that with a simple blue outfit you can make someone feel calm enough to hand you her password. Yet you can use this information to plan your attack vectors, ensuring you have the best opportunity to succeed, which includes how you look and how you are dressed.

A social engineer would want to analyze the target they will be calling on and make sure the colors they choose to wear augment their ability to manipulate the target and not turn them off. For example, knowing that green may elicit feelings of greed or ambition can help a social engineer decide not to wear green to a meeting with a charity where it might conjure feelings and emotions contrary to the charity’s mission. Wearing something blue to a lawyer’s office, on the other hand, can have a calming effect, allowing the lawyer to open up more. Careful planning and sensible use of these tactics can help ensure the success of your social engineering audits.

Conditioning Targets to Respond Positively

Conditioning is used in everything from normal conversation to marketing to malicious manipulation. Just like Pavlov’s dog, people have been conditioned to respond to certain items. Human nature is often used to manipulate the majority of people to take actions the manipulators want.

When the majority of people think of babies they will smile, we will find talking animals “cute,” and we might even be manipulated to sing a jingle for a popular product in our head.

These tactics are so covert that many times we don’t even know they are working. Many times I find myself wondering what a scantily clad, bikini-wearing woman has to do with beer.

One example of how conditioning is used is Michelin Tires (see Figure 6-11). For years this company has used babies in its ads. Why? “Because so much is riding on your tires.” But these ads have more to them. You see a baby, you smile, and you are happy. That emotion triggers a positive response, and that response conditions you to be agreeable to what is told to you next. When you see the baby you smile; when you see it enough you are conditioned to think of warm, happy feelings when you see Michelin tires.

Figure 6-11: Aren’t babies cute?

Seeing the baby next to the tire makes you equate positive happy feelings with that brand. This is an example of classic manipulation.

Another advertisement (see Figure 6-12) that might have had many people wondering from Budweiser—remember those popular frogs belching out “Bud” “weis” and “er”? What do frogs have to do with beer? Along those same lines, think of the more recent Clydesdale horse and his gang of animal friends. These ads are catchy, even funny the first time, but not really explaining why you want to buy their beer.

Figure 6-12: Frogs selling lager.

This form of manipulation, conditioning, is subtle. You laugh at that commercial, and then later on you pull into your local beer distributor, see a cardboard cutout of the frogs or horse, and smile to yourself, which creates that positive feeling that makes you feel agreeable to buying the product.

These conditioning tactics are used often in the world of sales and marketing firms with the goal of manipulating the consumer to buy their products over the competition. Social engineers aren’t really selling a product, but they do want their targets to “buy” the lines they are selling, the pretext they are putting out there, and the actions they want the target to take. But why use manipulation? What are the incentives to utilizing this powerful form of control? The next section covers that very topic.

Manipulation Incentives

What are the incentives to manipulate someone? This question gets to the root of the methods, thinking, and tactics used in any manipulation. Not all manipulation is negative, but is related to the incentives behind it. But each incentive can be positive or negative.

What is an incentive? An incentive can be labeled as anything that motivates you to take an action. It can be money, love, success, or anything—even negative emotions like hatred, jealousy, and envy.

The main reasons why people chose to manipulate others can be broken down into three categories: financial, social, and ideological incentives. The following sections look at each of these incentives and how they apply to manipulation.

Financial Incentives

Financial incentives tend to be the most common, as in the cases mentioned earlier related to increasing sales. Many scams have a financial incentive behind their tactics.

How many people play the lottery every day with the hopes of getting that winning ticket? They may spend hundreds of dollars over time, and winning a $20 payoff makes them happy and keeps them coming back for more.

A non-malicious example of financial incentive is coupons. If you buy this particular product at this particular store you will get X dollars or cents off. If you are a thrifty shopper or want to try that product you will go to that store.

Many commercials that promote furthering your education, career, or skill set use financial incentives by painting a picture that your income will increase after their course or education.

The malicious attacker’s incentive for using manipulation is his own financial gain and therefore his motivation and his technique will reflect that. For example, if the malicious social engineer’s goal is to get his target to part with some of his hard-earned money, the social engineer will utilize pretexts that will be “allowed” to ask for money—pretexts like charity organizations are suitable in this scenario because asking for donations or financial information is not out of the ordinary.

Ideological Incentives

Ideological incentives are the most difficult to describe. Each person’s ideals are different and those ideals can affect the incentive. If your dream in life is to run a restaurant then that is your passion. You will work longer hours and put in more effort than any of your employees. You will also work for less money, because it is your dream or your motivation; for everyone else it is just a job.

Dreams and beliefs can be so ingrained in a person that separating them from the person can be almost impossible. When you hear the phrase, “I have a dream,” did you think of Martin Luther King? Some people’s dreams and goals are who they are, not what they think about.

People tend to be drawn to those with similar dreams and goals, which is why the phrase, “Birds of a feather flock together” applies so well in this discussion. But it is also why so many people can be manipulated.

Look at Christian televangelists, for example. People who have a faith and desire to believe in God flock together. Like-minded people can strengthen each other’s faith and desire to do the right thing, but a televangelist can use that ideology to convince people that God’s desire is for that particular church to prosper, therefore also lining the televangelist’ pockets with cash.

The televangelist gives a few motivating sermons and sheds some tears and suddenly people are sending in the checks. These televangelists use the tools of both financial and social ideals (see the following section, “Social Incentives”) to convert their listeners to their ideals so those people part with their hard-earned cash. What is interesting is that if you ask a follower how he feels about the preacher being way richer than he is, he believes it is God’s will. His ideal set has been changed or manipulated.

Ideological incentives can also be used for the good by educating people about morals, and even resorting to using fear as the incentive can have great effects on people. Ideological incentives are often taught to children through stories and fables that have meanings behind them. The Brothers Grimm are an excellent example of this type of incentive. Stories that often end in the bad characters suffering physical harm or even death and the good characters, persevering through all forms of hardship, getting a massive reward at the end builds on fear that being bad leads to death or some terrible punishment.

Ideological incentives are used in marketing, too, through placing ads where “like-minded” ideals often “meet.” For example, diaper companies market in family magazines, animal shelters market at zoos, athletic gear companies market at sporting events, and so on. This type of incentive gives a greater chance that the goods or services being advertised will be bought by those who share the same ideals.

Ideological incentives are used to bring one’s ideals in alignment with those of a like mind. Often, once people are sympathetic to a cause is when the manipulation tactics start. Again, not all manipulation is bad, but it has to be used in the proper way.

Social Incentives

Social incentives are probably the most widely used and the most complex set of incentives out there, especially when it comes to social engineering.

Humans are social by nature; it is what we do in normal daily life. Social incentives also encompass all the other types of incentives. The right relationship can enhance your financial needs and can also adjust, align, or augment your ideals. It could be argued that social incentives are stronger than the other two types of incentives.

The power that peer pressure holds over many people is easy to see. For young and old alike, the draw of conformity is powerful. Many times, that which is acceptable is directly linked to a social incentive. One’s outlook on life and self can be greatly affected by his or her social surroundings. In essence peer pressure can exist even in the absence of direct peers.

Am I good looking? Well, that depends. If I am in the United States where a supermodel is a size zero and the guys have muscles in places I didn’t know muscles existed, probably not. If I am in ancient Rome where maybe being larger meant I was rich and powerful, then I am. Your whole inner self is framed by your social view of the world.

In 1975, the U.S. Air Force ran a study entitled “Identification and Analysis of Social Incentives in Air Force Technical Training” to try to see the power of social incentives on creating leaders during its training drills. It ran four different scenarios with a group and analyzed what effects they had on the students.

The end results were that a certain social incentive, usually involving praise or positive reinforcement from peers or authority figures, created a strong bond between the students and instructors:

The major conclusion of this entire research effort is that the management of social incentives is a particularly difficult art. While social incentives can be identified and scaled with considerable ease, manipulation and management of the same incentives requires considerably greater effort. The scaling data show high attractiveness value for various social incentives. The results of the field experiment show the positive influence of the acquaintanceship and psychological contract exercise on attitudes toward fellow trainees. Both of these findings underline the importance of social factors.

In other words, increasing or decreasing the attractiveness of the social incentive is not too difficult once you know what motivates a person. This phenomenon is particularly evident in groups of teenagers. When they find out what bothers someone, it is often used as a weapon to force compliance. The larger the group that provides the pressure, the greater the chance the target will comply.

This is a powerful statement. I wonder how that research would have gone if the researchers had been able to use the plethora of social media sites that exist today. Peer pressure is a strong influence and everyone wants to fit in and be part of the crowd.

Social incentives work. In 2007 a group of researchers (Oriana Bandiera, Iwan Barankay, and Imran Rasul) wrote a research paper entitled, “Social Incentives: The Causes and Consequences of Social Networks in the Workplace” (www.social-engineer.org/wiki/archives/Manipulation/Manipulation-Social-Incentivespdf.pdf).

The report is an interesting study along the lines of the Air Force study, but set in 2007. Basically the researchers analyzed how those who have “friends” at work handle their jobs when they work in groups with their friends. Their conclusion:

Our findings indicate there are social incentives—the presence of friends affects worker productivity, despite there being no externalities of worker effort onto their co-workers due to the production technology or compensation scheme in place. Due to social incentives, workers conform to a common norm when working together. The level of the norm is such that the presence of friends increases the productivity of workers who are less able than their friends and decreases the productivity of workers who are more able than their friends.

Social incentives are a quantitatively important determinant of a worker’s performance. As workers are paid piece rates based on individual productivity, the strength of social incentives is such that (i) workers who are more able than their friends are willing to forgo 10% of their earnings to conform to the norm; (ii) workers who have at least one friend who is more able than themselves are willing to increase productivity by 10% to meet the norm. Overall, the distribution of worker ability is such that the latter effect dominates so the net effect of social incentives on firm performance is positive.

The presence of friends meant that a person would actually work harder or less hard depending on their normal work level. Peer pressure with the absence of the actual pressure can affect people’s work. The pressure is perceived by what is standard. Why? Maybe if a person could work faster or better, she probably didn’t want to appear to be a know-it-all or brown-noser, as these people can be called. Maybe if he is normally more of a slacker, he didn’t want to appear lazy so he pushed up the pace a little. In either case their work ethic was affected by having friends.

A good point for management is to always put the hardest workers and natural leaders over the group. But there is so much to learn in this research.

This method is how social engineers use “tail-gating.” Being in a large crowd of people coming back from break or lunch and looking like one of the employees minimizes the chance that the security guard will stop you while you walk through the front doors.

It is also how whole groups of people can be manipulated into thinking a certain action or attitude is acceptable. You can see this in the entertainment industry as each year the standard of what is acceptable or moral seems to get lowered, yet this drop in standards is sold as “freedom.”

These three incentives are not the only types that are used. They can branch off into other aspects beyond the scope of this book, but the question still arises of how you can use them as a social engineer.

Manipulation in Social Engineering

Manipulation is less about making others think like you do and making them feel comfortable, and more about coercing them to do what you want.

Coercion is not a friendly word. It means “to force to act or think in a certain manner” or “to dominate, restrain, or control by force.”

Manipulation and coercion use psychological force to alter the ideology, beliefs, attitudes, and behaviors of the target. The key to using them is to make the steps so small they are almost invisible. The social engineer doesn’t want to alert the target he is being manipulated. Some of the following methods may be very controversial and downright horrible, but they are used each day by scammers, identity thieves, and the like. One of the goals of manipulation can be to create anxiety, stress, and undue social pressure. When a target feels that way he is more likely to take an action the social engineer is manipulating them to take.

With that in mind, you can see why manipulation is often thought of in a negative light, but it is used in social engineering and therefore must be discussed.

Increasing a Target’s Suggestibility

Increasing a target’s suggestibility can involve using the neurolinguistic programming (NLP) skills discussed in Chapter 5 or other visual cues. Earlier you read about conditioning people with the use of pen clicks or other noises or gestures that can elicit an emotion even when words are not spoken.

I once saw this in action when I was with a person who was manipulating a target. He used a pen click to indicate a positive thought. He would say something positive and then smile and click his pen. Literally, I saw the person begin to smile after about four or five times of hearing the pen click. He then brought up a very depressing subject and clicked his pen, and then the target smiled and felt instantly embarrassed. That embarrassment was the open door he needed to manipulate the target to do what he wanted.

Creating a situation where the other person feels susceptible to suggestion can be through repetition of ideas or other means that will soften the target to the ideas you are trying to present.

A social engineer can make sure the whole setup is geared towards this manipulation—the phrases used, the word pictures painted, the clothing colors chosen to wear. All of it can make the target more susceptible.

William Sargant, a controversial psychiatrist and author of the book Battle for the Mind, talks about the methods by which people are manipulated. According to Sargant, various types of beliefs can be implanted in people after the target has been disturbed by fear, anger, or excitement. These feelings cause heightened suggestibility and impaired judgment.

A social engineer can use this device to their advantage by offering the target a suggestion that causes fear or excitement and then offering a solution that turns into a suggestion.

For example, in the hit BBC TV show The Real Hustle, the cast ran a scam to show how this works when they set up a booth in a mall that allowed people to buy raffle tickets. People would buy a ticket for a chance to win three prizes worth much more than the ticket they just bought.

One woman bought the ticket, and, of course, she won the biggest prize. Her excitement was extreme because she had never won anything like this before. At this point, Paul Wilson gave the suggestion to manipulate her: At the height of excitement he told her she had to call a phone number and provide her bank info to claim her prize.

She did it without a second thought. The suggestion made sense, especially in the light of her excitement.

Knowing the target and his likes, dislikes, kids’ names, favorite teams, and favorite foods, and then using this to create an emotional environment will make creating a susceptible atmosphere so much easier.

Controlling the Target’s Environment

Controlling the target’s environment is often used in online social engineering, scams, and identity theft.

Becoming part of the same social networks and groups gives the attacker the chance to have “face time” to be able to manipulate targets into acting or thinking the way the attacker wants. Being able to use a target’s social networks to find out what triggers they have is also a powerful tool.

I used this method once when searching for an illegal scammer for a client who wanted to get the scammer’s contact details. I was able to gain an account on a forum he used to post his “achievements.” Using this tactic of getting into his environment, then befriending him, I was able to gain his trust, use his social networks to know what he was doing, and eventually get his contact info.

Any method used to control the environment of the target can be used in this manipulation technique. Controlling the environment can be as simple as approaching when you know you have the least chance of interruption, or allowing a target to see or not see something that will cause a reaction.

Of course, unless you plan on bringing your target to a dark closet, you can’t really control his whole environment, so controlling as much as you can will take planning and research. After you locate your target’s social circles, whether online or in the real world, you will need to spend time planning how you will get an in to control that environment. Once inside, what elements do you want to control? A good social engineer will not come in running for the “kill shot” but will take time to build a relationship and gather information before the final blow is administered.

Environment control is often used in police or war-time interrogations. The environment where the questioning will take place will have a certain atmosphere to make the target feel at ease, nervous, scared, anxious, or any other emotion the attacker (or lead officer) wants the target to feel.

Forcing the Target to Reevaluate

Undermining a target’s beliefs, awareness, or emotional control of a circumstance can have a very unsettling effect on him or her. This tactic is very negative because it is used to make a target doubt what he or she has been told to be true.

Cults use this tactic to prey upon those looking for guidance through life. Many times, people who feel lost or confused are convinced that their whole belief system needs to be reevaluated. When the cults have control they can be so convincing that the victims can be thoroughly convinced that their family and friends do not know what is best.

On a personal social engineering level you can make a person reevaluate the beliefs he has been taught about what is safe and what is not, or what is corporate policy and what is not.

Each day social engineers use similar tactics by presenting one well-thought-out question that can cause the target to reevaluate his stand on a topic and cause him to falter.

For example, in this economy, salespeople are hungry to make sales, and you could call the sales department of a company that happens to have a strict policy about downloading PDFs from the web without proper scans and precautions. Yet you can still place this call:

“Hi, I am with ABC Company and I want to place an order for your product that could be more than 10,000 pieces. My employer wants me to get three quotes to see whether we can do better. I have uploaded the quote package to our website; can I give you the URL? I am going to a meeting in two hours. Could you look over the package and get me a preliminary quote before then?”

Do think this tactic would work? Most likely the salesperson would download and execute that file with little to no thought. You have caused him to reevaluate the policy he has been taught.

Making the Target Feel Powerless

Making the target feel vulnerable or powerless is another very dark, but effective, tactic. It is often used in social engineering when the pretext is an angry executive or someone who should have power over the target. Angry by the lack of response or the inability of the target to give quick answers, the attacker berates or threatens the target, causing him to doubt his position and feel a loss of power.

Another more subtle way this is used is to undermine the belief system using social incentives. In one audit, I was stopped by a custodian while doing scans of the internal network. When she did the right thing for stopping me, I reacted with something like, “Did you know that each year this company deals with a constant battle against network breaches? I am trying to secure you, and you are trying to stop me from doing my job!”

My overpowering demeanor caused her to feel powerless and she backed down.

Giving a target the impression he has no time to think or there is serious urgency can also make him feel powerless. He cannot take the time to think about how to handle a problem and therefore must make a decision in a way he knows he shouldn’t.

This tactic was used after the recent earthquakes in Haiti. A website was launched that claimed to have information on loved ones who might have been lost. Because their claim was that no one was able to provide information on their loved ones but this group who set up the site, they could demand certain criteria be met to obtain this information. Many people, feeling hopeless and powerless, entered too much information and clicked things they knew they shouldn’t and in the end were damaged by it. The BBC issued a story about this and lists some tips to stay protected:http://news.bbc.co.uk/2/hi/business/8469885.stm.

Dishing Out Nonphysical Punishment

Closely linked to making the target feel powerless is making them feel guilt, humiliation, anxiety, or loss of privilege. These feelings can be so strong that a target might possibly do anything to “regain favor.”

Guilt over not giving what was expected can cause humiliation and doubt, which can cause the target to react the way the attacker wants.

I don’t suggest using humiliation in most social engineering settings, but I have seen it used on a target in a team effort to open the door, and on another social engineering team member to soften the face of the target, making them more pliable to suggestion.

The first attacker approached the target in a public setting trying to get information; he was playing the role of someone important.

In the middle of the conversation an underling, who happened to be female (and on the team), came up and asked a question that angered the first attacker. He reacted by saying, “You have to be the dumbest person I have ever met.” In a fit of anger he walked away. The female attacker looked dejected and hurt and was quickly comforted by the target, who fed into her act. The target’s empathy allowed him to be manipulated to give out way more information than he wanted.

Intimidating a Target

Intimidation is not a tactic that you might think of using in a traditional sense in social engineering. You are not going to tie up your target and go all “Jack Bauer” on him, but you can use intimidation in subtle ways.

Suggesting that failure to comply can lead to being laid off or other adverse consequences can intimidate the target to react a certain way. Governments often use this tactic to manipulate society to believe that the economic system is collapsing. This way they can control the emotions of those they govern.

You can use it in a social engineering audit even by having an intimidating appearance. Looking busy, upset, and on a mission can intimidate many. Talking with very authoritative expressions can also intimidate people.

In business, sending things by certified mail or courier connotes a level of intimidation. Making the person sign for a package whose contents are unknown can make some people intimidated. The goal with this manipulation tactic is to make the target feel uneasy and anxious, which can cause him to react in a way he will later regret, but by then it is too late.

These darker manipulation techniques are used successfully by social engineers and professional auditors. Manipulating a person to feel completely helpless causes him or her to feel that giving in to the attacker makes sense.

That really is where manipulation differs in a social engineering practice from other forms of influence. With negative manipulation the social engineer leaves and doesn’t care how the target feels later on. Even if a target realizes he has been hacked, it doesn’t matter because the damage is done and the company or person is already infiltrated.

Other aspects of social engineering manipulation are just as powerful but not so dark.

Using Positive Manipulation

Positive manipulation has the same goals in mind as negative manipulation—in the end the target is in alignment with your thoughts and desires. The differences are in how you get there. But in positive manipulation, the target doesn’t need therapy when you are done.

Over my years of research, I have compiled some tips about how parents interact with their children to get them to comply with the parents’ wishes. A few of its points on positive manipulation are useful for social engineers. The following sections cover some of these positive techniques.

Disconnect Your Emotion from Their Behavior

Keeping your emotions separate from your target’s behavior is important. As soon as you let your emotions get involved the target is manipulating you. You can feel emotion, of course, but be in control of what you feel and how you display what you are feeling.

You do not want to be the one out of control. You also want to control the negative emotions as much as possible so you can remain in control at all times.

Disconnecting your emotions can also put people at ease. This doesn’t mean being devoid of emotion; that is not comforting to people. But if someone is really upset, showing the proper level of concern is good, but if your display of emotion is too much you can offset the target and ruin the gig.

Keep your emotions in alignment with the pretext you are trying to achieve. If you do not allow your emotions to get involved you can remain in control at all times. A good social engineer is able to do this despite the actions or attitudes displayed by the target. If the target is upset, mad, belligerent, rude, or if any other negative emotion is displayed, a good social engineer remains calm, cool, and collected.

Look for the Positive to Mention

Whenever you can, find something to make a joke about or compliment, but without being creepy. You don’t want to walk up to the security guard and say, “So two nuns walk into a bar….” This method probably won’t go over too well. At the same time you can’t walk into the front office and say to the girl behind the counter, “Wow, you’re pretty.”

Finding something positive to mention puts everyone at ease, but it must be balanced, controlled, and in good taste. Using the example of approaching a security guard, after introducing yourself, complimenting the picture of her children by saying something like, “Wow, she is really cute; how old, four or five? I have a little girl at home, too,” can go a long way toward opening the door.

Assume, Assume, Assume

You have probably heard what they say about people who assume, but in this case, assume it all. Assume that the target will act the way you want, assume he will answer the way you want, and assume he will grant you all your requests.

Assume with the questions you ask and the statements you make.

“When I come back from the server room…”

This statement assumes you belong there and you are already granted access. In the security guard situation mentioned earlier, after the compliment maybe offer a follow-up: “When I get back from checking the servers, I will show you a picture of my daughter.”

Assuming that what you want will occur is a strong point, too, because it affects your mental outlook. You must have the mental outlook that you are getting what you came for; that belief system will create a new body language and facial expressions that will feed your pretext.

If you go in expecting failure you will fail or at best it will affect your body language and facial expressions. If you have the mental outlook that this deal is done, the same will occur. A word of caution, though—don’t take this step so far you become arrogant.

For example, going in thinking, “Of course I have this in the bag because I am amazing and the best,” can affect the way you come off and turn off the target quickly.

Try Different Opening Lines

Starting a conversation with the standard why/what/when is common but try a different approach and see what happens. The research group that runs a popular dating site (www.okcupid.com) compiled data that shows the value of starting out with non-traditional openers.

Remember the discussion about compliments? Well, the OkCupid guys found that starting off with too “big” of a compliment had the reverse effect than what one would think. Words like sexy, beautiful, and hot had terrible effects on people, whereas words like cool, awesome, andfascinating had a better effect.

In usual greetings these guys found that saying things like “hi,” “hey,” and “hello” left the target feeling blah and unmotivated, whereas “How’s it going?,” “What’s up?,” “howdy,” and “hola” were strong openers to use.

Of course, these stats are about dating, but the point to be learned is that people react better to nontraditional greetings.

Similarly, in a social engineering situation, vary your approach and you may notice an increase in the way the target reacts to the message.

Use Past Tense

When you want to address anything negative that you do not want the target to repeat, put it in past tense. This technique puts the negative attitudes and actions in the past in his mind, presenting him with the new and improved “clean slate” on which to do good things for you. For example:

“When you said I couldn’t get in to meet with Mr. Smith…”

as opposed to: “When you say I can’t get in to meet Mr. Smith….

Only verb tense changed, but the effect is very important. It gives the impression that the negative statement is so far in the past, let’s move on to something new and improved. It also makes the target feel that you feel it is in the past.

Seek and Destroy

Identify, map, and plan how you will handle any disruptive or negative attitudes and actions. Imagine if your pretext is to be a tech support guy who will gain access to the server room. In your previous calls you knew that every day at 10 am a large group goes out for a smoke break. You decide this is a good time as people are shuffling in and out. You go all prepared, but as you enter the building the receptionist has just received some bad news and is an emotional mess. You should have a plan for handling this disruption.

If you wait to think about how you will handle potential conversation stoppers, or disruptive influences, until the first time you hear them you will most likely fail to handle them. That presents an interesting thought then. You have to sit back and think like the target: what objections would he raise? When a person he does not know calls or approaches him, what might he say? What objections might he raise? What attitudes would he portray? Thinking through these things can help you to make a game plan for these potential problems.

Write down your thoughts and the target’s potential objections and then role play. Have your spouse or friend play the mean gatekeeper or security guard. Of course, he or she cannot imitate elements such as facial expressions and so on. But you can give him or her a small list of conversation stoppers to choose from to test your comeback.

Practice until you feel comfortable, but not scripted. Remember the comeback is not to be structured so stiffly that you cannot alter it at all.

Positive manipulation can have a very strong effect on the target. Not only does it not leave him feeling violated but if done properly he can feel accomplished and as if he did something good for the day.

Summary

Manipulation is a key component to social engineering as well as influence. This chapter covered areas of human behavior that spanned decades of research from some of the smartest minds on earth.

Common reactions to the thought of manipulating others might be:

· “I don’t want to manipulate people.”

· “It feels wrong to be learning this.”

These comments represent the way most people think when they hear the word manipulation. Hopefully, you’re now convinced that manipulation isn’t always a dark art and can be used for good.

The world of influence has been dissected, researched, and analyzed by some of today’s brightest psychologists and researchers. This research served as the basis of my own research to develop the information in this chapter. The section on framing, for instance, can truly change the way you interact with people, and the concept of reciprocation can shape your thinking as a social engineer and how you utilize influence. Influence is such an amazing topic, though, that volumes of books are devoted to that topic alone.

Understanding what triggers a person to motivate him to want to do a certain action and then having that action seem good to the target—that is the power of influence.

This chapter illuminated the science and psychology of what makes people tick, and clarified how influence is used by social engineers.

Remember, influence and the art of persuasion are the processes of getting someone else to want to do, react, think, or believe in the way you want them to.

The power in this statement transcends social engineering and manipulation. It is the key to altering any frame, the key to unlocking any door of manipulation, and the pathway to becoming a master at influence.

Social engineers also use many physical tools, some of which might look like they were taken out of a page of a James Bond movie, and they are discussed in the next chapter.