Social Engineering Principles

Posted by admin, 2023-12-23 01:32:09



Social engineering works so well because we are human. Social engineering attacks are built around predictable aspects of human nature and take advantage of them. Not every target succumbs to every attack, but most of us are vulnerable to one or more of the following common social engineering principles.

Authority

Authority is an effective technique because most people are likely to respond to authority with obedience. The trick is to convince the target that the attacker is someone with valid internal or external authority. Some attackers claim their authority verbally, and others assume authority by wearing a costume or uniform.

An example is an email whose sender address is spoofed to look like the CEO's, informing workers that they must visit a specific uniform resource locator (URL) or uniform resource identifier (URI) to fill out an important HR document. This works when the victims follow instructions that appear to come from a person of authority without verifying them; the check that defeats it is confirming any such request through a second channel, such as a phone call to a known number or the company's own HR portal, before acting.

Intimidation

Intimidation can be seen as a derivative of the authority principle. Intimidation uses authority, confidence, or even the threat of harm to motivate someone to follow orders or instructions. Often, intimidation exploits uncertainty in a situation where no clear directive for operation or response has been defined.

An example is expanding on the previous CEO and HR document email to include a statement that employees will face a penalty if they do not fill out the form promptly. The penalty could be the loss of casual Friday, exclusion from Taco Tuesday, a reduction in pay, or even termination.

Consensus

Consensus or social proof is the act of taking advantage of a person’s natural tendency to mimic what others are doing or are perceived as having done in the past. For example, bartenders often seed their tip jar with money to make it seem as if previous patrons were appreciative of the service. As a social engineering principle, the attacker attempts to convince the victim that a particular action or response is necessary to be consistent with social norms or previous occurrences.

An example is an attacker claiming that a worker who is currently out of the office promised a large discount on a purchase, and that the transaction must go through now, with you, the salesperson on duty, honoring it.

Scarcity

Scarcity is a technique used to convince someone that an object has a higher value because it is scarce: only a few were produced, the opportunity is limited, or most of the stock is already sold and only a few items remain.

An example is an attacker claiming that only two tickets remain for your favorite team's final game and that it would be a shame if someone else enjoyed the game instead of you. If you don't grab them now, the opportunity is lost. This principle is often paired with the principle of urgency.

Familiarity

Familiarity or liking as a social engineering principle attempts to exploit a person's natural trust in whatever is familiar. The attacker often tries to appear to have a common contact or relationship with the target, such as mutual friends or shared experiences, or uses a facade to take on the identity of another company or person. If the target believes a message is from a known entity, such as a friend or their bank, they are much more likely to trust its content and to act or respond.

An example is a vishing attack in which the attacker falsifies the caller ID so the call appears to come from the target's doctor's office.

Trust

Trust as a social engineering principle involves an attacker working to develop a relationship with a victim. This may take seconds or months, but eventually the attacker attempts to use the value of the relationship (the victim’s trust in the attacker) to convince the victim to reveal information or perform an action that violates company security.

An example is an attacker approaching you on the street as they appear to pick up a $100 bill from the ground. The attacker says that since the two of you were close by when the money was found, you should split it, and asks whether you have change. Because the attacker had you hold the bill while they looked around for whoever lost it, you may now trust this stranger enough to take cash out of your wallet and hand it over. Only later do you realize that the $100 was counterfeit and you have been robbed.

Urgency

Urgency often dovetails with scarcity: the pressure to act quickly grows as scarcity raises the risk of missing out. Urgency is used to extract a quick response from a target before they have time to consider the request carefully or refuse it.

An example is an attacker using an invoice scam delivered through business email compromise (BEC) to convince you to pay an invoice immediately, claiming that otherwise an essential business service will be cut off or the company will be reported to a collection agency.
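As an added example, not taken from the article or its source, the following Python script shows what the spoofed CEO email under Authority and the BEC invoice email under Urgency look like from the defender's side. It checks the From display name against a small directory of executives, compares the Reply-To domain with the sender domain, reads the Authentication-Results header stamped by the organisation's own mail gateway, and counts urgency and intimidation cues in the subject and body. The company domain, the executive directory, the cue lists, the gateway name and both sample messages are constructed assumptions for illustration.

```python
"""Flag messages that pair impersonation (authority) with pressure
(urgency/intimidation). Added example; all data below is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data: assumptions, not from the article.
COMPANY_DOMAIN = "example.com"
OUR_GATEWAY = "mx." + COMPANY_DOMAIN          # host that stamps Authentication-Results
EXECUTIVES = {"Pat Lee": "pat.lee@example.com"}  # display name -> real mailbox

# Word boundaries matter: a bare "now" would otherwise match inside "unknown".
URGENCY_CUES = re.compile(r"\b(immediately|right away|within the hour|today|asap|now)\b")
PRESSURE_CUES = re.compile(r"\b(penalt|terminat|collection agency|cut off|disciplin)")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: bytes) -> dict:
    """Return the indicators found in one RFC 5322 message and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    flags = []

    # Authority: the display name is an executive's, but the mailbox is not theirs.
    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected:
        flags.append("executive display name on a different mailbox")

    # Replies diverted to a third mailbox, a common BEC pattern.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("reply-to domain differs from sender domain")

    # Only trust an Authentication-Results header written by our own gateway;
    # an attacker can insert one of their own further up the path.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if auth.startswith(OUR_GATEWAY) and ("dmarc=fail" in auth or "spf=fail" in auth):
        flags.append("sender authentication failed")

    # Urgency and intimidation cues in subject plus plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    urgency = len(URGENCY_CUES.findall(text))
    pressure = len(PRESSURE_CUES.findall(text))
    if urgency:
        flags.append("urgency cues: %d" % urgency)
    if pressure:
        flags.append("intimidation cues: %d" % pressure)

    # Pressure alone is normal business traffic; impersonation plus pressure is not.
    identity_issue = any(f.startswith(("executive", "reply-to", "sender auth")) for f in flags)
    verdict = "suspicious" if identity_issue and (urgency or pressure) else "ok"
    return {"from": addr, "flags": flags, "verdict": verdict}


# Constructed sample: the CEO/HR-form email with an intimidation clause.
SPOOFED_MSG = b"""From: Pat Lee <pat.lee@example-mail.net>
To: staff@example.com
Reply-To: ceo.office@webmail-relay.test
Subject: Action required today: HR form
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-mail.net; dmarc=fail header.from=example-mail.net

All staff: you must fill out the HR form at the link below immediately.
Anyone who has not done so by end of day will face a penalty, up to termination.
"""

# Constructed sample: a genuine message from the same executive.
LEGIT_MSG = b"""From: Pat Lee <pat.lee@example.com>
To: staff@example.com
Subject: Quarterly staff survey
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com

The quarterly staff survey is open until the end of the month. Thanks, Pat
"""

if __name__ == "__main__":
    for sample in (SPOOFED_MSG, LEGIT_MSG):
        print(analyze(sample))
```

The verdict deliberately requires an identity problem in addition to pressure words: a real finance team sends plenty of genuinely urgent mail, and alerting on tone alone would bury the analyst. Which headers you trust also matters; the script only honors an Authentication-Results header prefixed with the organisation's own gateway name, since anything else could have been added by the sender.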




Originally published on the WeChat public account 网络安全等保测评: Social Engineering Principles
