The seven principles of social engineering

A principle is a fundamental truth, doctrine or law. It serves as the foundation for a system of belief or behaviour.

More than two thousand years ago, the core principle of justice was defined by Aristotle who asserted that “equals should be treated equally and unequals should be treated unequally." 

A modern translation of this principle might read something like this:

You should treat individuals the same way unless they differ in ways that are relevant to their situation.

Like justice, social engineering, too, has its principles which have been followed since long before the days of Aristotle. For millennia people have used tricks to exploit others, influencing them to willingly give away something they possess. 

As time passes and technology evolves, these tricks change shape and color somewhat. But the fundamental principles behind them stay the same as they ever were.

There are seven core principles of social engineering:

As we covered in the previous article in this series, the psychology of social engineering leans heavily on human emotions.  

That has a lot to do with the fact that our emotions can provide us with an immediate response to stimuli. In that sense, emotions are the polar opposite to logical thinking which requires deliberate analysis and reasoning. 

It’s this immediacy that can make emotional responses more influential in guiding our behaviour - especially in situations that require quick decisions. This is well-studied by Kahneman, Tversky and others in dual process theory. 

Emotions are closely tied to our needs, desires, and values. They can serve as powerful motivators, pushing us towards - or pulling us away from - certain actions. The brain's emotional centres, like the amygdala, are deeply interconnected with other regions of the brain that govern survival instincts and basic functions. This connection may give emotions a more primal influence over our behaviour. For example, the fear of failure might drive someone to work harder, even though this fear might be completely irrational sometimes.

This power that emotions hold over us is a honey trap for modern-day social engineers. And if anything, the modern world has encouraged us to act even more emotionally and impulsively. In the space of a decade or two, our brains have evolved to the smartphone and social media, releasing dopamine when notifications tell us that others have liked our photos, have followed us, or have found us attractive. When one of these little boosts ping on our mobile devices, we often can’t resist the urge to reach for them at that very moment.

Almost any form of fear or anxiety can be exploited. Consider the scam emails or text messages that warn you about a compromised password, urging you to click on a specific link. Think about those that falsely notify you that your bank card has been blocked.

A common fear in our age of economic instability is being made redundant. And this has led people to think more about their long-term security and pension payments. In the UK, pension scams surged by 45% in 2021 alone. Scammers will often entice individuals to transfer their pensions with the promise of implausibly high returns on foreign or alternative investments. They might also recommend a transfer to a scheme that isn’t in the client's best interest simply so that they can collect a fee. Bad actors sometimes even target victims of previous pension scams, offering to recover their lost funds (for a fee, of course.)

Social engineers sometimes pretend to be an employee’s boss, deceiving them into buying gift cards or transferring money from the company account. The greater the employee's anxiety, the more likely they are to comply with even the most absurd requests from their bogus boss.

A related form of exploitation is the fake job offer scam. When people are fearful of losing their job, they may start exploring other opportunities as a safety net. Scammers capitalise on this by posting seemingly legitimate job listings that are actually fake. Then they reveal that you can only apply for the role if you pay a fee.

Fear and anxiety can cloud rational judgement. These emotions can cause individuals to comply with the scammer’s demands without stepping back for a second and questioning their legitimacy.

Lust is a potent human emotion that social engineers and scammers know they can exploit easily. 

It’s another example of an age-old exploitation principle that has gotten easier with the advent of technology like the smartphone. 

The methods of exploitation are varied. Fake dating apps that offer in-app purchases to boost your chances of finding a match are one example. Then there are more explicit phishing emails promising to share photos of a friend's girlfriend or a celebrity. 

While most internet users might like to think of themselves as being far too savvy to fall for scams like these, this actually misses the point. Attackers only need a few of us to take the bait to make their social engineering campaign worthwhile.

Everyone has something to hide. 

Shame is a very powerful emotion - one that attackers are constantly looking to exploit. Sextortion scams are a prime example of this. In these phishing attacks, individuals are typically coerced into paying a Bitcoin ransom under the threat of having sensitive, compromised videos of them exposed for the world to see. 

The scam may be sophisticated, involving actual stolen photos or somebody’s browser history. But it’s just as likely to be a mass mailing effort where the hope is that some vulnerable people might fall for it. Once the emotion of shame is activated, rational thinking often takes a backseat.

At least a hundred years before the internet arrived and the infamous Nigerian 419 email scam emerged, there was a very similar con called “Spanish Prisoner”. It exploited greed in just the same way the Nigerian email scam does. This acts as a useful reminder to us that while a lot of modern attacks feel very new, when you dig beneath the surface a little you begin to realize that it’s often only the delivery method that has changed over time.

Greed is a potent emotion characterised by an intense desire to acquire something - be it money or power. While the methods have evolved in the digital age (as highlighted above), the underlying principle remains the same. Scammers craft "once-in-a-lifetime” opportunities, creating a sense of urgency and a fear of missing out in the recipients which compels them to take action. 

Fraudsters promise a large sum of money in exchange for bank details, only to empty the victim's account. The scam often involves convincing the target that they’re entitled to money or winnings. The emotion of greed is thus triggered and a fee or personal details are requested to release the funds. As is often the case, emotion clouds rational judgement, making the social engineering attack successful.

Curiosity is another emotion that's easily exploited, with clickbait being its most benign form. Companies use sensational headlines to drive traffic to their blogs or websites, costing the user nothing more than their time. 

But more elaborate schemes can have serious consequences, as demonstrated by the RSA hack. A meticulously crafted email titled "2011 Recruitment Plan" piqued an RSA employee's curiosity enough to retrieve it from the junk folder and open it. This action unleashed a virus that paved the way for a complex attack on the company's information systems. In just a few seconds, the power of emotion effectively sidelined rational thinking and led to one of the most infamous hacks of recent times.

As social creatures, humans have evolved to place significant emphasis on emotions in shaping social interactions and relationships. Emotional bonds, such as empathy, love, and trust, often wield more influence over our behaviour than logical reasoning.

Over the course of human evolution, the concept of a social contract has also emerged. Initially, specialised roles like military service were established, followed by healthcare, law enforcement, and banking. Nowadays, even our private communications, personal photos, and digital assets are managed by external organisations rather than by ourselves.

This social contract is rooted in trust. We trust the police to maintain public order, we trust healthcare professionals to provide competent and ethical treatment, and we trust banks to safeguard our finances. 

Abusing this trust is a go-to principle of social engineering. And it’s made much easier for the attacker because so many of these social contracts are realized on our mobile devices. 

Here are some examples of scammers pretending to be in positions of authority and so benefitting from the trust people tend to have in them: 

Tax scams: 

Scammers have been known to impersonate tax authorities like HM Revenue & Customs (HMRC) in the UK. They contact victims through phone calls, SMS, or emails, demanding immediate payment for alleged unpaid taxes and threatening legal action.

Tech support scams

Here, scammers pretend to be from reputable tech companies and claim the victim's computer has a virus or some other kind of security issue. They may request remote access to the computer, which can lead to the theft of personal information or financial loss.

Law enforcement impersonation

Some scammers pretend to be police officers or other law enforcement officials. They then use this fake position of authority to extort money, claiming that the victim is under investigation or has outstanding fines to pay.

Banking Scams

Impersonation of banking officials is also common. Scammers may claim to be from a bank's fraud department and ask for sensitive information to gain access to bank accounts.

COVID-19 Related Scams

During the COVID-19 pandemic, there were reports of scams involving impersonation of health authorities or government officials. They offered false information like bogus, malicious links to book a vaccine, or solicited payments for vaccines and tests.

Trust is often more emotional than rational. We don't fully understand the intricacies of medical treatments or the complex systems banks use to secure our finances. We essentially take a leap of faith, because every time trust is embraced, there’s also an underlying fear of betrayal.

We interact with authorities and companies via a myriad of channels, including mobile apps, text messages, websites, emails, calls, notifications, physical mail, and even video calls. This multitude of mediums creates a complex landscape, and one that can be easily exploited by attackers.

In the modern world there’s an unwritten rule to many of the social contracts that we sign; we often trade freedoms for convenience. We use social networks to keep in touch with friends but acknowledge that in return our digital habits are used for advertising purposes. We book restaurants and travel arrangements online, store our photos in the cloud, and rely on GPS-enabled navigation systems to get around. And we know that by doing so we’re placing our trust in service providers to respect and protect our privacy.

The truth is that most people aren’t aware of how the technology behind communication mediums and services actually works. The tech is continually evolving, and it's often difficult for the masses to keep up. As Arthur C. Clarke famously said, “any sufficiently advanced technology is indistinguishable from magic.”

It's impossible to control or understand every aspect of our technological world. And the mystery is often by design - no bank or social network would allow you insight into how things work inside their systems. But it’s also unrealistic for most of us to abandon our digital lifestyle and live off-grid.

So, what’s the answer?

It’s up to all of us to be aware of these seven principles of social engineering and make sure we have empathy for other people living under their rule. That means if you’re a user of mobile apps, email, and SMS, make sure to take a second to step back and analyze the message you’ve just received - however contrary to the modern world that might feel. 

If you’re a software engineer, make sure you have empathy for those who will be using your application while you develop it. And make sure you do your bit when communicating with your users to make things clearer for them. That way they can distinguish your messages from the fake ones.