New social engineering poll reveals which scam works better

Which tactic works best for a scamming social engineer? Acting like an authority figure and requiring a victim to answer questions and give up sensitive information? Or acting like a nice, trustworthy person who strikes up a friendly conversation and just needs the victim to tell them a few things to help them out?

That was the question asked by the team behind the web site social-engineer.org. They have just released results of a several-months long poll that laid out two different scenarios of how a social engineer might try and elicit information from a victim.

[Social engineering: The basics]

The first showed how the principle of endearment and how it may be used by a malicious social engineer. The example given was a social engineer who attempts to get strangers to engage in very personal conversation with him with little effort. Dressed very casually he grabbed a prop that he felt would endear people to him, a small sign that had a funny slogan on it. As he walked around, looking like a tourist with his prop, he was able to engage people in conversation.

“The fact is we like to deal with people who are like us, but even more powerfully we like to deal with those who LIKE us,” said Christopher Hadnagy, founder of social-engineer.org and author of Social engineering: The art of human hacking. “Endearment makes a person feel liked and, in turn, like you. Endearment is used by getting on the same plane as the target, or giving them reasons to like you.”

The second story involved a social engineer employing the authority principle. The social engineer walks into the office with IT tools and a clip board he mumbles how busy he is today. Then looking at the secretary he barks an order, “I was sent to check your network connectivity and I have no time as I have to do this on 25 other nodes. I need you to log in to your network share with your password as I watch to confirm you can connect.”

[5 more dirty tricks: Social engineers’ latest pick-up lines]

“This works because people fear losing their jobs and there are no methods in place for an employee to port or reject without fear,” explained Hadnagy. “Other methods, like carrying a clipboard, looking busy or in control, all of these give off the air of authority and few people will question it.”

The two scenarios where presented with a third option that neither of them would work.

Endearment came out as the winner among respondents. It was chosen by more than half of the several thousand who took the poll, said Hadnagy.

“We would have guessed that most would have chosen authority, but, in fact, we agree that endearment works in more cases over authority,” said Hadnagy in a synopsis of the results. “A simple word or action that can make someone feel you care can go a long way into building rapport, trust and a relationship that will cause that person to want to give you the information you seek.”

When the results are broken down by gender, endearment still took first place among both men and women, but authority was much further behind with the males. Many more women said they thought authority was a powerful social-engineering technique than men.

Hadnagy says the poll results further enforce that humans are naturally trusting creatures. But it is that trusting attitude that has lead many to being hacked.

“We are not saying to not be trusting, but just to become a critical thinker,” said Hadnagy. “The requests that are being laid upon you, the questions being asked — do they make sense? Is it really needed to answer those questions to this individual? Critical thinking can go a long way. Secondly, get educated. Be aware of the attack vectors that are being used and learn how they are being facilitated. That can keep you aware.”

Social-engineer.org is now running a new poll that asks why more women are not involved with social engineering.