Introduction[edit]

Social engineering as defined by wikipedia is, “the art of manipulating people into performing actions or divulging confidential information.” In a nutshell social engineering can be equated to “people hacking.” Where as hackers find flaws in computer systems, networks, and programs and exploit those flaws in an attempt to gain access to restricted files, information, or otherwise confidential information, social engineers find flaws in the human psyche and exploit those flaws for many of the same reasons a “typical” hacker would.

Tools Of The Trade[edit]

When it comes to social engineering there are typically only a handful of “tools” at the disposal of the social engineer. Among these tools are a basic understanding of human nature, cognitive biases, and psychological fallacies. The following lists name, and explain, many of the common cognitive biases. While it is not important to commit each and every one of them to memory, it is important to learn which of the following you typically observe in everyday life and commit them to memory as you'll notice that they will turn up more and more as you continue your social engineering career.

Decision-making and behavioral biases[edit]

Many of these biases are studied for how they affect belief formation, business decisions, and scientific research.

• Bandwagon effect — the tendency to do (or believe) things because many other people do (or believe) the same. Related to groupthink and herd behaviour.
• Base rate fallacy — ignoring available statistical data in favor of particulars.
• Bias blind spot — the tendency not to compensate for one's own cognitive biases.
• Choice-supportive bias — the tendency to remember one's choices as better than they actually were.
• Confirmation bias — the tendency to search for or interpret information in a way that confirms one's preconceptions.
• Congruence bias — the tendency to test hypotheses exclusively through direct testing, in contrast to tests of possible alternative hypotheses.
• Conservatism bias — the tendency to ignore the consequence of new evidence. (Related to base rate fallacy.)
• Contrast effect — the enhancement or diminishing of a weight or other measurement when compared with recently observed contrasting object.
• Déformation professionnelle — the tendency to look at things according to the conventions of one's own profession, forgetting any broader point of view.
• Denial — the tendency to disbelieve or discount an unpleasant fact.
• Distinction bias — the tendency to view two options as more dissimilar when evaluating them simultaneously than when evaluating them separately.
• Endowment effect — "the fact that people often demand much more to give up an object than they would be willing to pay to acquire it".
• Expectation bias — the tendency for experimenters to believe, certify, and publish data that agrees with their expectations for the outcome of an experiment, and to disbelieve, discard, or downgrade the corresponding weightings for data that appears to conflict with those expectations.
• Extreme aversion — the tendency to avoid extremes, being more likely to choose an option if it is the intermediate choice.
• Focusing effect — prediction bias occurring when people place too much importance on one aspect of an event; causes error in accurately predicting the utility of a future outcome.
• Framing — by using a too narrow approach or description of the situation or issue. Also framing effect — drawing different conclusions based on how data are presented.
• Hostility
• Hyperbolic discounting — the tendency for people to have a stronger preference for more immediate payoffs relative to

later payoffs, where the tendency increases the closer to the present both payoffs are.

• Illusion of control — the tendency for human beings to believe they can control or at least influence outcomes that they clearly cannot.
• Impact bias — the tendency for people to overestimate the length or the intensity of the impact of future feeling states.
• Information bias — the tendency to seek information even when it cannot affect action.
• Irrational escalation — the tendency to make irrational decisions based upon rational decisions in the past or to justify actions already taken.
• Loss aversion — "the disutility of giving up an object is greater than the utility associated with acquiring it". (see also

sunk cost effects and Endowment effect).

• Mere exposure effect — the tendency for people to express undue liking for things merely because they are familiar with

them.

• Moral credential effect — the tendency of a track record of non-prejudice to increase subsequent prejudice.
• Maternal/Paternal Instinct - the tendency to be more outraged if a child is portrayed as the victim of a misdemeanor or crime (Think about the recent British incidents of Baby P, Maddy and Shannon)
• Need for closure — the need to reach a verdict in important matters; to have an answer and to escape the feeling of doubt and uncertainty. The personal context (time or social pressure) might increase this bias.
• Neglect of probability — the tendency to completely disregard probability when making a decision under uncertainty.
• Not Invented Here — the tendency to ignore that a product or solution already exists, because its source is seen as an "enemy" or as "inferior".
• Omission bias — the tendency to judge harmful actions as worse, or less moral, than equally harmful omissions (inactions).
• Outcome bias — the tendency to judge a decision by its eventual outcome instead of based on the quality of the decision at the time it was made.
• Perceived self-radicalism - the tendency to jump on a bandwagon (see also bandwagon effect) because one thinks one is in a minority and therefore are 'cool', when actually it is already commonplace to be on the bandwagon (everyone hates the politically correct, everyone hates the faceless corporations, etc.)
• Planning fallacy — the tendency to underestimate task-completion times.
• Post-purchase rationalization — the tendency to persuade oneself through rational argument that a purchase was a good value.
• Pseudocertainty effect — the tendency to make risk-averse choices if the expected outcome is positive, but make risk- seeking choices to avoid negative outcomes.
• Reactance — the urge to do the opposite of what someone wants you to do out of a need to resist a perceived attempt to constrain your freedom of choice.
• Selective perception — the tendency for expectations to affect perception.
• Status quo bias — the tendency for people to like things to stay relatively the same (see also loss aversion, endowment effect, and system justification).
• Von Restorff effect — the tendency for an item that "stands out like a sore thumb" to be more likely to be remembered than other items.
• Wishful thinking — the formation of beliefs and the making of decisions according to what is pleasing to imagine instead of by appeal to evidence or rationality.
• Zero-risk bias — preference for reducing a small risk to zero over a greater reduction in a larger risk.

Biases in probability and belief[edit]

Many of these biases are often studied for how they affect business and economic decisions and how they affect experimental research.

• Ambiguity effect — the avoidance of options for which missing information makes the probability seem "unknown".
• Anchoring — the tendency to rely too heavily, or "anchor," on a past reference or on one trait or piece of information when making decisions.
• Attentional bias — neglect of relevant data when making judgments of a correlation or association.
• Authority bias — the tendency to value an ambiguous stimulus (e.g., an art performance) according to the opinion of someone who is seen as an authority on the topic.
• Availability heuristic — estimating what is more likely by what is more available in memory, which is biased toward vivid, unusual, or emotionally charged examples.
• Availability cascade — a self-reinforcing process in which a collective belief gains more and more plausibility through its increasing repetition in public discourse (or "repeat something long enough and it will become true").
• Clustering illusion — the tendency to see patterns where actually none exist.
• Capability bias — The tendency to believe that the closer average performance is to a target, the tighter the distribution of the data set.
• Conjunction fallacy — the tendency to assume that specific conditions are more probable than general ones.
• Gambler's fallacy — the tendency to assume that individual random events are influenced by previous random events. For example, "I've flipped heads with this coin five times consecutively, so the chance of tails coming out on the sixth flip is much greater than heads."
• Hawthorne effect — the tendency of people to perform or perceive differently when they know that they are being observed.
• Hindsight bias — sometimes called the "I-knew-it-all-along" effect, the inclination to see past events as being predictable.
• Illusory correlation — beliefs that inaccurately suppose a relationship between a certain type of action and an effect.
• Ludic fallacy — the analysis of chance related problems according to the belief that the unstructured randomness found in life resembles the structured randomness found in games. Ignoring the non-gaussian distribution of many real-world results.
• Neglect of prior base rates effect — the tendency to neglect known odds when reevaluating odds in light of weak evidence.
• Observer-expectancy effect — when a researcher expects a given result and therefore unconsciously manipulates an experiment or misinterprets data in order to find it (see also subject-expectancy effect).
• Optimism bias — the systematic tendency to be over-optimistic about the outcome of planned actions.
• Ostrich effect — ignoring an obvious (negative) situation.
• Overconfidence effect — excessive confidence in one's own answers to questions. For example, for certain types of question, answers that people rate as "99% certain" turn out to be wrong 40% of the time.
• Positive outcome bias — a tendency in prediction to overestimate the probability of good things happening to them (see also wishful thinking, optimism bias, and valence effect).
• Primacy effect — the tendency to weigh initial events more than subsequent events.
• Recency effect — the tendency to weigh recent events more than earlier events (see also peak-end rule).
• Disregard of regression toward the mean — the tendency to expect extreme performance to continue.
• Reminiscence bump — the effect that people tend to recall more personal events from adolescence and early adulthood than from other lifetime periods.
• Rosy retrospection — the tendency to rate past events more positively than they had actually rated them when the event occurred.
• Selection bias — a distortion of evidence or data that arises from the way that the data are collected.
• Stereotyping — expecting a member of a group to have certain characteristics without having actual information about that individual.
• Subadditivity effect — the tendency to judge probability of the whole to be less than the probabilities of the parts.
• Subjective validation — perception that something is true if a subject's belief demands it to be true. Also assigns perceived connections between coincidences.
• Telescoping effect — the effect that recent events appear to have occurred more remotely and remote events appear to have occurred more recently.
• Texas sharpshooter fallacy — the fallacy of selecting or adjusting a hypothesis after the data is collected, making it impossible to test the hypothesis fairly. Refers to the concept of firing shots at a barn door, drawing a circle around the best group, and declaring that to be the target.

Social biases[edit]

Most of these biases are labeled as attributional biases.

• Actor-observer bias — the tendency for explanations of other individuals' behaviors to overemphasize the influence of their personality and underemphasize the influence of their situation (see also fundamental attribution error). However, this is coupled with the opposite tendency for the self in that explanations for our own behaviors overemphasize the influence of our situation and underemphasize the influence of our own personality.
• Dunning-Kruger effect — "...when people are incompetent in the strategies they adopt to achieve success and satisfaction, they suffer a dual burden: Not only do they reach erroneous conclusions and make unfortunate choices, but their incompetence robs them of the ability to realize it. Instead, ...they are left with the mistaken impression that they are doing just fine."(see also Lake Wobegon effect, and overconfidence effect).
• Egocentric bias — occurs when people claim more responsibility for themselves for the results of a joint action than an outside observer would.
• Forer effect (aka Barnum Effect) — the tendency to give high accuracy ratings to descriptions of their personality that supposedly are tailored specifically for them, but are in fact vague and general enough to apply to a wide range of people. For example, horoscopes.
• False consensus effect — the tendency for people to overestimate the degree to which others agree with them.
• Fundamental attribution error — the tendency for people to over-emphasize personality-based explanations for behaviors observed in others while under-emphasizing the role and power of situational influences on the same behavior (see also actor-observer bias, group attribution error, positivity effect, and negativity effect).
• Halo effect — the tendency for a person's positive or negative traits to "spill over" from one area of their personality to another in others' perceptions of them (see also physical attractiveness stereotype).
• Herd instinct — Common tendency to adopt the opinions and follow the behaviors of the majority to feel safer and to avoid conflict.
• Illusion of asymmetric insight — people perceive their knowledge of their peers to surpass their peers' knowledge of them.
• Illusion of transparency — people overestimate others' ability to know them, and they also overestimate their ability to know others.
• Illusory superiority — perceiving oneself as having desirable qualities to a greater degree than other people. Also known as Superiority bias.
• Ingroup bias — the tendency for people to give preferential treatment to others they perceive to be members of their own groups.
• Just-world phenomenon — the tendency for people to believe that the world is "just" and therefore people "get what they deserve."
• Lake Wobegon effect — the phenomenon that a supermajority of people report themselves as above average in desirable qualities (see also worse-than-average effect and optimism bias).
• Money illusion - an irrational notion that the arbitrary values of currency, fiat or otherwise, have an actual immutable value.
• Notational bias — a form of cultural bias in which a notation induces the appearance of a nonexistent natural law.
• Outgroup homogeneity bias — individuals see members of their own group as being relatively more varied than members of other groups.
• Projection bias — the tendency to unconsciously assume that others share the same or similar thoughts, beliefs, values, or positions.
• Self-serving bias — the tendency to claim more responsibility for successes than failures. It may also manifest itself as a tendency for people to evaluate ambiguous information in a way beneficial to their interests (see also group-serving bias).
• Self-fulfilling prophecy — the tendency to engage in behaviors that elicit results which will (consciously or not) confirm our beliefs.
• System justification — the tendency to defend and bolster the status quo. Existing social, economic, and political arrangements tend to be preferred, and alternatives disparaged sometimes even at the expense of individual and collective self-interest. (See also status quo bias.)
• Trait ascription bias — the tendency for people to view themselves as relatively variable in terms of personality, behavior and mood while viewing others as much more predictable.
• Ultimate attribution error — Similar to the fundamental attribution error, in this error a person is likely to make an internal attribution to an entire group instead of the individuals within the group.
• Us vs Them - the tendency to hate another group, usually one much larger than that of the person's (everyone in Europe hates America, America hates China,etc)

Memory errors[edit]

• Consistency bias — incorrectly remembering one's past attitudes and behaviour as resembling present attitudes and behaviour.
• Cryptomnesia — a form of misattribution where a memory is mistaken for imagination.
• Egocentric bias — recalling the past in a self-serving manner, e.g. remembering one's exam grades as being better than they were, or remembering a caught fish as being bigger than it was
• False memory — confusion of imagination with memory, or the confusion of true memories with false memories.
• Hindsight bias — filtering memory of past events through present knowledge, so that those events look more predictable than they actually were; also known as the 'I-knew-it-all-along effect'.
• Self-serving bias — perceiving oneself responsible for desirable outcomes but not responsible for undesirable ones.
• Suggestibility — a form of misattribution where ideas suggested by a questioner are mistaken for memory. With that long and boring list now out of the way, you should realize something. If you realized that there are a lot of possible “holes” in the human psyche to exploit then you'd be right, and that is where the danger, as well as strength, of social engineering resides. In the following sections you will learn many techniques that I have accumulated over time which have proven themselves to be worth while, as well as some basic social engineering training exercises.

Techniques[edit]

• Be Polite: I cannot tell you how many people hung up on me when I first started social engineering because I acted like an asshole. Act like you own the place but be polite at the same time. Saying, “I would like to speak with your manager” and “BITCH GET ME YOUR FUCKING MANAGER” both mean the same thing at their core but which one would you personally like to respond to?
• Be Knowledgeable: Different professions and companies have different technical jargon. If you can learn this jargon through means of the internet, go for it. If not, try calling a few times and asking tech specific questions which may unlock little nuggets of wisdom for you. Maybe they call a motherboard a MoBo (this is a poor example but whatever), make note of these words.
• Be Firm: People naturally want to help people but that doesn't mean you make yourself a wet noodle.
• Being passive-aggressive while asking for help makes people actually want to help you more. If you ever saw the movie Hackers you can remember the scene when Zero Cool/Crash Override/Dade Murphy called up the television company and told the guard that if he didn't get the work done the corporate big heads would have him commit huri kuri. By asking for help while still “pushing” the guard to help him, Dade Murphy was able to hack into the television network.
• Learn Basic Psychology: I've put up a list of certain things people take to be true even though they shouldn't but you shouldn't stop there. Learn the kinds of people that someone is more likely to help, to avoid, to hate. Knowing these things will help you become any type of person you want. If you think one of the CEO's is an asshole and you try to impersonate them but act nice, your cover is blown.

Exercises[edit]

The following exercises make use of a phone or an internet connection, although if you are reading this now, chances are you have an internet connection. When mentioning exercises in the context of this write-up, I will call them “hacks” because essentially you are simply hacking the mind.

Exercise 1: The “AOL” Hack[edit]

This hack is an all time favorite of mine although I'm pretty biased with this opinion since it was the first hack I ever did. Essentially you call up AOL (or any company for that matter) Customer Service, tell them about a fictional problem you have, and try to keep them on the line fixing your “problem” as long as possible. For this hack make sure to have thought of your “problem” before calling AOL, this will build the foundation for the AOL 2.0 hack which you will read about later. For this hack you don't need to write down the names of any employees you come across just try to stay talking to someone (or on hold) for as long as possible. Below is an example conversation I had with AOL one day.

AOL: Hello this is AOL customer service, Michelle speaking, how can I help you?
Sintakz: Yes hello, this is George(fictional name) and I seem to be having problems browsing the interwide web (trying to sound pretty technologically challanged).
A: You mean the Internet?
S: Yes that thing.
A: Please wait while we transfer you to our internet troubleshooting department George.
S: Alright.
[Note: So far I know that in the most bottom of the AOL hierarchy is Michelle who answers the phone and redirects people to whichever department would better help the caller. Also I played the “stupid” guy because that way I can say stupid things and have the rep spend more and more time on the line with me.]
-some time later-
A: Hello, this is Gary
S: Hello Gary, my name is George and I seem to be having problems browsing the interwide web.
A: Interwide web? You mean the Internet?
S: Yeah, that thing.
A: Well what is the problem you seem to be having?
[Note: I had told myself to do something outrageous this time around]
S: Well no matter which website I type into the little box thingy(url bar) I always get sent to a bestiality site.
A: What do you mean by bestiality?
S: Like young women having sex with farm animals and dogs.
A: Oh my... sir I don't think I've ever encountered a problem like this, let me transfer you to the senior rep for our department.

Ok, I'll stop the example there. So far I've gotten two names from the company and had been on the line a total of 15 minutes, not too shabby. Notice one thing though, because I acted stupid I got a stupid rep. Had I told Michelle, “My client seems to be unable to resolve DNS's correctly and keeps redirecting me to bestiality sites.” I'd still get Gary because Michelle doesn't know any better. Once I got to Gary, if I told him, “I'm having DNS resolution problems” I would have still gotten to the “senior rep” BUT I would have one less lie to remember. This is because I have still not explicitly stated my problem and if I were doing this without a script written beforehand, it would give me less time to think of a lie. By playing stupid I had a lot more time to think of a lie. That bring us to our next exercise.

Exercise 2: The “AOL 2.0” Hack[edit]

This hack is exactly like the last except that you call without a prepared problem or script already at hand. Once the first person picks up you have to either think of a problem on the spot or work your way up the ladder while thinking of your problem. With this exercise make sure to write down the names of people you encounter and “where” in the company they stand. The example text from Exercise 1 would do here as well.

Exercise 3: The “Family Member” Hack[edit]

This is always a fun hack. Take that list of names from Exercise 2 and pick one of the higher ups. Call up AOL Customer Support and tell the first person who answers that you are the brother/sister/dad/mom/cousin/gay lover/girlfriend/boyfriend whatever of {Insert Name Here} in the {Insert Name Of Department Here} department. Hopefully the person who answered will transfer you. Here is where the fun comes, once your significant other in whatever department answers act as if you reached them through the normal means of “Please hold while we transfer you,” and act as if you have a problem (think about it ON THE SPOT) and see how long you can keep them on the line. The following hacks can be done essentially anywhere.

Exercise 4: The “Lost Contact” Hack[edit]

This one came to me one day while watching a woman search frantically for her contact lens. The premise is simply, play the lost, confused, sad person who just wants to find their contact lens and try to enlist people to help you. See how many people and/or how long you can get the people to help you look for your lost contact lens before you sigh and proclaim, “I'm sorry for wasting your time, we can't find it and I guess I'll just have to go back and buy a new pair.” This exercise can be done with any easily misplaced item in any area at all. Losing your shopping bag in the food court at the mall, forgetting your cellphone in a coffee shop, losing your mind, etc.

Exercise 5: The “Friendship” Hack[edit]

I've only done this a handful of times but it was fun to do none the less. Go to a moderately crowded area and at random choose a person (or group if you are up for the challenge) and try to establish a conversation with them. Here is the fun part, you have to make yourself seem as good a potential friend as possible. This tests all the random things you pick up everyday and all the research you should be doing on different types of people. Say you unknowingly pick a metal-head. Would you be able to hold your own while talking about favorite bands or how much old school metal and Nu Metal are? This hack will teach you to learn a little about everything as possible so that you can become any person at a moments notice. Of all the hacks, this is the most valuable hack to master which is why it is the last one you should attempt.

Conclusion[edit]

This is a beginners introduction to social engineering, and as such, things have been left out. After “wetting” your feet with these techniques and hacks you can create your own exercises and develop your own style of “people hacking”. This is in no way the only way to social engineer but I believe it is the best way to teach the basics although others may disagree. Knowing how to Social Engineer helps to teach you how not to fall for social engineering attempts. In the case of Dade Murphy and the Television Network security guard, there should have been some rule stating that certain information not be disclosed which would have put a big boulder in the path of Dade Murphy hacking the network. Now that you know the basics, it is time to delve deeper into the practice and learn as much as you can. See ya in space, cowboy.

External Links & PDF Mirror[edit]

• Sharebee
• Kevin Mitnick Art of Deception has examples and techniques