You encounter social engineering tactics every day, often without even noticing them.
From an information security perspective, Wikipedia defines social engineering as the psychological manipulation of people into performing actions or revealing confidential information. While that definition is accurate, it only captures part of the picture. Social engineering extends beyond cybersecurity and appears in many everyday interactions.
In many cases, it isn’t even malicious. At its core, social engineering is about influence. It's about using persuasion to encourage someone to take a particular action or make a certain decision.
In this blog, we’ll explore how people make decisions and the common techniques used to influence them. Understanding these fundamentals can help you recognize social engineering tactics when they appear in increasingly sophisticated attacks.
Decisions, Decisions
When you break it down, we make a phenomenal number of decisions each day, and we think about surprisingly few of them, let alone analyze them. In the 1980s, behavioral psychologist Robert Cialdini proposed a concept called the "Theory of Influence" in his book Influence: The Psychology of Persuasion. His theory says that influence over others is created in seven major ways.
These principles of persuasion illustrate how we take shortcuts in our decision-making. There's a cool video that illustrates these principles in more depth. Making decisions is hard, and we don't have the time, energy, or patience to fully examine each decision before we act on it. So, we make shortcuts for ourselves, particularly when it comes to relating to others. Social engineering takes advantage of those shortcuts. Let's go over each one briefly.
Reciprocity
People naturally dislike feeling indebted to others. When someone does us a favor, we often feel compelled to return it. The candy with your check at a restaurant has been shown to increase tips. Businesses leverage the same principle, offering free content on blogs or resources to spark interest and, hopefully, future business.
One of my favorite examples comes from Cialdini’s book. In 1985, a devastating earthquake struck Mexico City, causing billions in damages and claiming over 5,000 lives. Aid poured in from around the world, but one contribution stood out: Ethiopia, which was itself facing famine and drought at the time, donated $5,000 to help Mexico. Why? Because 50 years earlier, Mexico had assisted Ethiopia when Italy invaded. Generosity returned decades later, a powerful demonstration of the principle of reciprocity.
Scarcity
People are more likely to want things that they believe are in limited supply, are exclusive, or are not always available. This is the entire premise behind the McRib, the special limited-time discounts on products you didn't know you wanted, or the clearance sale that car dealerships always seem to have because they're overstocked.
Authority
People don't like being uncertain. We naturally look for and follow authority figures. The problem is that we have a broad definition of what constitutes an authority figure. Uniforms are one example: if we see someone in a white coat at a hospital, we tend to give their medical opinion more weight.
Liking
We listen to people we like. This principle is why you used to see the attractive young woman sitting on top of a sports car in ads, why compliments can improve the odds of getting a favor, and why certain fast-food chains have mouthy X feeds.
Commitment
People naturally strive for consistency in their behavior, which makes small commitments powerful.
Cialdini shares a compelling example: Researchers called a random group of people and asked if they’d be willing to donate three hours to volunteer for the American Cancer Society. Most said yes; after all, few want to seem unwilling to help a good cause.
Later, when those same people were contacted again with an actual request to volunteer, the organization saw a 700% increase in participation compared to their usual outreach.
That initial “yes” created a sense of commitment, making it much more likely they’d follow through when asked again.
Consensus
People tend to do what they believe everyone around them is doing, particularly when they are unsure of what to do in the first place. If you walk into a crowded room and everyone is staring at the ceiling, what's the first thing you're going to do?
Unity
We gravitate toward people we identify as being similar to us. This is where nationalism, the family bond, and the Women's March all originate. It's also why we like it when we share an interest with somebody; it's something we have in common.
In practice, these principles are often used in combination, which is something we'll see as we apply them to real-world examples of social engineering tactics.