• United States



by Senior Editor

Mind Games: How Social Engineers Win Your Confidence

Jul 22, 20098 mins
Data and Information SecurityIT LeadershipSocial Engineering

Brian Brushwood, founder of Scam School, demonstrates the four simple psychological mechanisms underlying social engineering mind games.

Social engineering and mind games expert Brian Brushwood has not come by his knowledge in the traditional manner of school or business training. Brushwood is the host of the Internet video series Scam School, a show he describes as dedicated to social engineering in the bar and on the street.

In addition to his passion for teaching people about social engineering cons, Brushwood is also a touring magician who frequently performs on college campuses and has appeared on the Tonight Show. He first became interested in social engineering years ago as a means to enhance his performance and pull off secret moves successfully. Brushwood said his understanding and use of the term social engineering goes beyond the security industry perception.

“When I use the phrase, I am actually talking about an older version of it. Social engineering just basically means the application of social science to the solution of social problems,” he said. “In other words, it’s getting people to do what you want by using certain sociological principles.”

Also read 9 Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines

These days, Brushwood uses social engineering techniques so frequently he admits it is sometime hard to “turn it off.” Here Brushwood explains the four basic psychological tactics social engineers use to gain trust and get what they want, and how security pros can arm their staff against this type of deception.

1. Social engineers are confident and in control of the conversation

According to Brushwood, one of the first steps to pulling off something deceptive is to act confident. For example, someone trying to get into a secure building might forge a badge or pretend to be from a service company. The key to getting in without being challenged is to simply act like you belong there and that you have nothing to hide. Conveying confidence with body posture puts others at ease.

“People running concert security often aren’t even looking for badges,” said Brushwood. “They are looking for posture. They can always tell who is a fan trying to sneak back and catch a glimpse of the star and who is working the event because they seem like they belong there.” (See how this tactic played into another scammer’s attempt to get into the Super Bowl for a massive prank.)

Another way to gain the upper hand is to seem in charge through conversation, said Brushwood.

“The person who asks the questions controls the conversation,” he said. “When someone asks you a question, it immediately puts you on defense. You feel a social pressure to give a correct or appropriate response.”

Takeaway: Advise employees not to become too comfortable with allowing outsiders into the building. Visitors (and service providers) should have credentials checked thoroughly — even if they are familiar faces.

2. They give you something

Reciprocation is another fixed action pattern, said Brushwood.

“When people are given something, such as a favor or a gift, even if they actively dislike the person who did it, they feel the need to reciprocate,” said Brushwood, who referred to the Hare Krishnas as one of the more well-known employers of this tactic.

“They give out a flower or a copy of the Bhagavad Gita and say ‘This is a gift for you. Enjoy. Oh, by the way, would you like to make a donation?’ You may be thinking ‘I didn’t want this flower,’ but it’s still difficult to turn around and say ‘No, go away.'”

Brushwood himself uses this tactic during his many cross-country flights when he is hoping for a free upgrade or perhaps a free drink or two. With a few bags of M&Ms in hand, he boards each flight and hands them to flight attendants on his way in and tells him he wanted to give them something for their hard work.

“Even if they hate M&Ms, they are so moved by the thoughtfulness of the gesture,” he noted.

This tactic, like the confident attitude, would be useful for a social engineer trying to gain illegal entry into a secure facility or office building. (Read how another social engineer breached building security with a box of cookies in Anatomy of a Hack.) However, Brushwood noted that the time delay between giving the gift and asking for a favor is also important.

“If you give a gift and then immediately ask for a favor, the odds are that somebody might perceive it as a bribe. If they perceive as a bribe, they react uncomfortably.”

Instead, a skilled con artist might give something to a gatekeeping employee early in the day and then come back later, claiming to need access due to a mix up, such as an item left behind after a meeting.

“Chances are they will let you by as reciprocation for how you treated them earlier,” said Brushwood.

Takeaway: Advise employees to be skeptical of anyone who tries to give them something. Depending on how big the stakes are, an experienced criminal may even spend weeks laying the ground work to form a reciprocal relationship with staff that can result in access to sensitive or secure areas.

3. They use humor

People generally enjoy the company of those who have a good sense of humor. The social engineer knows this all too well and uses it to gain information, get past a gatekeeper, or even just to get out of trouble. Brushwood refers to it as the ‘liking’ fixed action pattern.

“People who we like, or think we like, we are much more likely to grant a favor to because we feel a familiarity to them,” he said.

Brushwood has used humor to get out of speeding tickets many times. His trick is to show a funny license picture and then even finds a way to hand the officer a Monopoly “Get out of Jail Free” card as part of his side-of-the-road shtick.

“Police deal all day with the boo-hoo stories,” he said. “But my approach is to be upbeat. To give them the impression that I am not worried and would rather hang out and make them laugh.”

Brushwood estimates he gets out of speeding tickets 80 to 90 percent of the time with this tactic.

Takeaway: In a breach or criminal scenario, the social engineer might try and chat with an employee to get information out of him. One good example is the fake IT call, where the caller asks for an employee’s password. It is much more likely that sensitive information will be volunteered if the conversation is fun, and puts the employee at ease.

4. They make a request and offer a reason

Brushwood was recently inspired by the results of a recent Harvard study, also included in Cialdini’s ‘Influence,’ which found people are likely to concede to a request if the word ‘because’ is used when asking. The study looked at groups of people waiting to use a copy machine in a library and how they responded when someone approached and asked to cut in line.

In the first group, the person would say: “Excuse me, I have five pages. May I use the Xerox machine because I’m in a rush?” In that group, 94 percent said yes and allowed the person to skip ahead in line. In another group, the line-cutter asked: “Excuse me, I have five pages. May I use the Xerox machine?” However, only 60 percent said yes to the person looking to cut. In a third group, the question was: “Excuse me, I have five pages. May I use the Xerox machine because I need to make copies?” Even though the reason was seemingly ridiculous, 93 percent still said yes to the line-cutter.

“Turns out magic word is because,” said Brushwood. “It didn’t matter what she said next. Just like if you see someone marching around like they own the place, it’s safe to assume they belong there. Likewise, if someone says ‘because’ people assume they have some legitimate reason.”

Brushwood points out that the fixed action pattern at work in this scenario is the simply the perception of a reason. Even if the reason given is nonsense, hearing the word ‘because’ prompts people to respond favorably.

Takeaway: It’s important to slow down and look and listen to what is happening and what is being said in a work environment. During a hectic day, it may seem easier to wave someone by, or give up information when it is requested. But awareness and presence of mind are paramount to prevent a criminal from taking advantage of you.