Someone once asked me to come up with some positive predictions I see unfolding in the social engineering world. This request got me thinking about the industry in a way that I never had before. It started me thinking about the impact each of us within the industry can have on it and, through that, on the world itself. To be fair, that sounds like a fairly zoomed-out, “you can have an effect on the world!” pep-talk-style sentence. But I think while living through a global pandemic, which continues to alter our social norms, we can all use a little positivity.

The Observation

Over the past few years, I have seen a rise in discussions surrounding social engineering and the tactics intrinsic to it. In the corporate world, awareness of social engineering and its potential malicious uses is spreading, even outside of your standard security departments. This is exciting to see because, along with that rise in awareness, more companies are seeing the benefits of training their employees using phishing, vishing, and impersonation.

These conversations extend beyond the corporate world, however. More and more online discussions have been popping up regarding human behavior and communication. I’ve seen threads on topics such as tips on how to recognize and respond to manipulative behavior, how to communicate through difficult conversations, and other similar posts. Under each, some incredible discussions have developed. These discussions range from people looking for advice or support as they deal with difficult family matters, to people giving examples of how they have seen tactics (such as the ones described in the post) leveraged in various malicious scams.

The Prediction

Whether the people starting these conversations realize it or not, they are bringing awareness to techniques that many social engineers leverage. This awareness is two-sided. First, it enables people to recognize the tactics. Second, it puts them in a position to leverage said tactics if they wish. My prediction is that this rise in awareness will have a positive effect on society as more individuals utilize these tactics themselves.

Now I know I have used the phrase “social engineering tactics” a few times without giving it a solid definition. Some of you may already have an idea of what these “tactics” are, some of you may not, and others have probably thought of many that I haven’t or won’t discuss in this newsletter. (If you’re one of the latter, please comment so we can talk about them!) For the purpose of our discussion, let’s look at a few tactics (there’s that word again) that can be used both at work and in day-to-day life.

The Tactics

There are eight influence tactics that are the base for the methods we will look at today. For an in-depth definition of these, and examples of their use, you can read more here. For now, let’s keep it simple and look at two techniques I use in my work on a day-to-day basis. We will define them and then talk about how and why they can contribute to a healthier society.

Quid Pro Quo

Quid pro quo is a Latin phrase meaning “something given or received for something else.” Basically, if you take the lead in providing a little information to your person of interest, many people will give a little back. This exchange can be like a conversation you have with a friend, where you have a back-and-forth exchange of information. This is the feel you want to strive for.

Quid pro quo can be extremely useful in a professional social engineering setting. I love to use it when I’m vishing. When done properly, the person I am talking to will provide the information I’m seeking without even realizing it’s what I was looking for. Notice what the key to this technique is, though. It’s making the conversation feel natural, like one you would have with a friend. Imagine if each of us tried to speak to the strangers we meet the same way we would speak to a good friend. Surely, we would exhibit more patience, understanding, and kindness than we initially may be inclined to.

Ask … How? When? Why?

As it says in our 10 steps to Instant Rapport, “Asking How, When, or Why means you are encouraging your target to provide more information instead of giving you a shorter Yes or No answer.” Open-ended questions allow your person of interest to provide you with more information. Be sure to let them express all they wish rather than filling each silence immediately. Sometimes, letting a pause linger that we may be inclined to fill can lead to us obtaining the information we seek.

Predicting the Future of Social Engineering

Again, let’s apply this to our positive social engineering awareness theory. Asking open-ended questions goes hand in hand with showing interest in the person we are talking to. Showing interest in someone and what they are saying is rarely going to impact your conversation or life in a negative way.

The Malicious Actor

Some of you may be wondering if the rise of knowledge and application of tactics such as the ones discussed is really a good thing. After all, there are plenty of people in the world who would use these tools maliciously. And you’re right, those people have, do, and will continue to exist. Those people, however, likely already lean towards malicious or manipulative behaviors in their everyday life. With that being the case, I don’t believe education on these tactics will have a negative impact. On the contrary, it will only help the general population identify manipulative tactics and have a better grasp on how to respond in a way that will protect themselves and those around them.

The Goal

With these things in mind, I challenge you to set a goal of using social engineering tactics in your conversations throughout the week. Look for ways to use quid pro quo and ask more open-ended questions. Pay active attention to how strangers react to your efforts, and how it positively impacts your relationships with those closest to you. These, along with other methods, can help take the focus off you and put it on the other person, which is where it truly belongs in a conversation. You don’t have to be a red team professional, human hacker, or FBI agent to do so. Don’t forget to let me know how it goes! Help spread the knowledge as we strive to continue increasing our understanding of human behavior.

Written by Shelby Dacko

Sources
https://www.social-engineer.org/framework/general-discussion/social-engineering-defined/
https://www.social-engineer.org/framework/general-discussion/categories-social-engineers/
https://www.fbi.gov/scams-and-safety/common-scams-and-crimes
https://www.social-engineer.org/framework/influencing-others/influence-tactics/
https://www.social-engineer.org/framework/attack-vectors/phishing-attacks-2/
https://www.social-engineer.org/framework/psychological-principles/instant-rapport/
