situations.

Learning that social engineering isn’t always scary, dark, and evil can go
a long way toward uncovering how certain skills are used. After you
understand those skills, practice and become skilled or proficient in them;
discerning how they are being used against people then becomes much
easier.
You can find places to analyze these skills that are not in the dark corners
of the world. You can read books on psychology, persuasion, and sales,
then observe in the field to see how these skills are used.

The Importance of Gathering and Organizing Information


I cannot reiterate enough how important quality information gathering
truly is. The quality, professionalism, and the very success of every social
engineering engagement depend on the level of information gathering you
do. The Web is a boundless and endless resource of information.
Companies post their financial records, employees’ names and titles,
contact information, pictures of physical location, security policies, contracts,
vendors and suppliers’ names, people’s personal files, and so much more.
On a personal level, employees as well as everyday people post personal
pictures, their addresses, their purchases, leases, contracts, favorite foods,
teams, music, and so on.
Armed with all this overwhelming amount of information, a social engineer
can pick and choose what he wants to use and what kind of attack vector to
implement. As the engagement continues, the information gathered will give
the social engineer the ability to use story lines and pretexts that will have the
greatest effect on the target. Without information gathering, as reiterated
throughout the book, the engagement will most likely lead to failure.
For example, if a professional auditor is given three weeks for a job, he
should spend half of that time gathering information. However, professional
auditors often have a tendency to get excited and approach the target with the
old standby pretexts. Do not fall into this habit; spend a lot of time in
information gathering.
Almost as important as the information gathering itself is how you store
and catalogue the information, perhaps by using one of the methods
mentioned in Chapter 2 to store and organize it. Learning not just how to
collect information efficiently but how to store it can go a long way toward
making it efficient to use. Not simply dumping things into a massive
document but categorizing, cataloging, and labeling them will make the
information easy to use, especially if you are on a phone engagement.
Just remember that a social engineer is only as good as the information
he obtains. I personally have seen too many gigs go down the drain
because of bad information or lack of information. At the same time I have
seen people who might not be the smoothest speakers or the most
charming succeed in very difficult situations because of the information they
gathered.
Information is the crux of social engineering, and if you take anything away
from this book, let it be that.

Choose Your Words Carefully


Just like this section’s opening epigraph, this topic lends itself to the thought
that information has no value unless you put it into practice. You can have all
the information gathered and organized and catalogued, but you need to use
it efficiently. The first step in this is to organize what words you will use.
I discussed the skills of elicitation and preloading. These are two of the
most valuable skills, and I hope you practice using them. Use anchors,
keywords, and phrases to load the target with emotions and thoughts to
make him follow your lead. Preloading is a very powerful technique that
cannot be mastered in a short while, but practice will enable you to use this
skill. The great thing about preloading is that you can practice this skill at
home, at work, with your kids, your parents, your clients, really anywhere.
Don’t think that practicing this means you will always have to get people to
do things against their will. Preloading is used to motivate people’s minds to
be more open to a suggestion or idea. You don’t have to use it maliciously.
Kids do it all the time. For example, your daughter says, “Daddy, I love you…”
and adds a few seconds later, “Can I have that new doll?” This is an
example of preloading, putting a “target” into an agreeable emotional state.
Once you master that skill, or at least become proficient in using it, work
on the way you use elicitation. Remember that no one loves the feeling of
being interrogated. Elicitation should not mimic a police interrogation; it
should be a smooth, seamless conversation that is used to gather
intelligence on the target or topic you are seeking.
Learning the methods and process used to come up with questions that
can be used in normal conversation will enhance your skills not only as a
social engineer but also as a communicator. People enjoy it when they feel
others are interested in their lives and their work. Using this skill for good
can enhance your ability as a social engineer.
I have a good friend that gets people to tell her anything. It is uncanny.
Complete strangers will, at the end of a conversation, say things like, “I just
don’t know why I am telling you all these things...” She is not a social
engineer or even in security, but she is a great elicitor.
Mastering preloading and elicitation can enhance your ability to also plan
out what you will say. These skills can put your mind in the frame of seeking
and gathering information in a more intelligent and less intrusive way.

Have a Good Pretext


Remember that a good pretext is not a lie or a story. Instead you become
and live your pretext for a short time. Every fiber of your being—your thoughts,
actions, speech, and motivation—should reflect what the pretext would do. If
you can accomplish this then your pretext will be believable to the target.
The other thing to remember is that pretexting is used in everyday life, not
just in social engineering. Imagine this scenario: You just had an argument
with your mate. Now it is time for work. You don’t want everyone to know that
things at home aren’t that good today, so when you go to work and your
coworkers say, “Hey Jim, how’s it going?” your reply is, “Awesome.
Couldn’t be better.”
That is the opposite of the truth, but what do you do to make it
believable? Shoot someone a smile, or project confidence via your posture
or body language. Depending on how private you are and how much you
don’t want to share with your coworkers, you might even have a “cover story”
to prove how great life is.
This is just one scenario, but people use pretexting all the time.
Whenever you are trying to portray to people something different from
reality, the “cover story” you use to make it believable is a pretext. Of course,
most people aren’t really good at it and are easily detected, but noticing
these situations in your life and work will give you a good basis of pretexting
to analyze. Analyzing these scenarios can help you identify areas you want
to improve in your pretexts and help you master this very useful skill.

Practice Reading Expressions


I think I can talk for weeks about microexpressions. The topic just fascinates
me, and it intrigues me to think that people have built-in mechanisms for
displaying our deepest darkest feelings, and most of us will have no control
over it. How our emotions cause certain muscles to contract and display a
certain expression for milliseconds is just an amazing aspect of creation.
But learning how to notice them, read them, and use those very same
expressions to manipulate others is something that truly astounds me.
Practice how to recreate the microexpressions discussed in Chapter 5.
As you do, notice the emotions the microexpressions conjure up in you.
Practicing these expressions will also help you read them when others
express them.
As you practice, do not focus just on what it takes to read
microexpressions in others but on how to control your own
microexpressions and prevent someone from using their facial-reading
skills on you. Remember that reading others is a good skill, but having
control over your own microexpressions, body language, and vocal tones is
far better. This skill can enhance your security practice as well as your
personal relationships. After you master many of those skills, you will begin
to see how you can utilize one of the main concepts from Chapter 5, the human
buffer overflow (HBO). The human mind works much like software, just on a
higher level. But it can be fuzzed, examined, and overthrown like software.
Re-read that section to make sure you fully understand the principles
presented.

Manipulation and Influence


Manipulation and influence are two aspects of social interaction that have
some dramatic and powerful effects on the people you interact with. For that
reason, use the information in Chapter 6 with extreme care. Learning how to
persuade and manipulate people can literally make the difference between
success and failure in a social engineering endeavor. Every day, people try to
manipulate and persuade others to take actions. Some of these actions are
very bad and can cost money, personal freedom, and identities.
Use those situations as teaching tools. Analyze the methods that
marketers, psychologists, counselors, teachers, and even coworkers use to
try to manipulate you. Pick out points that you think you can learn from and
put them into your arsenal.
Remember that persuasion is not always negative: It doesn’t always have
to mean getting someone to do something they don’t want. Persuasion can
have very positive effects, and many times, positive persuasion is much
more difficult. If you can master those skills and use them to help people
stay secure, you will be more readily able to identify when someone is using
persuasion tactics in a negative sense.

Be Alert to Malicious Tactics


Being aware of what tactics attackers use will surely keep you from falling
victim to them. The professional auditors can use these tactics to educate
their customers on what to look for in a possible attack. Be alert to pick out
instances of how these are being used.
For example, one tactic the “bad guys” use is to strike during times of
trouble. When the planes hit the Twin Towers, the earthquakes hit Haiti, and
the tsunami hit Asia, the devastation upon the human population and their
lives, psyche, and emotions was insurmountable. Times of people’s
vulnerability and weakness are exactly when the bad guys strike.
Let me illustrate it this way: I once read an article that spoke about how
lions hunt in the wild. It said that a lion, when it wants to confuse and disjoint
a group of prey to choose a victim, will roar towards the ground—not toward
the prey or sky, but the ground. Why? It’s because the massive, fear-inspiring
roar will reverb off the ground and surround the prey. They become confused
by not knowing which direction the lion is coming from. Some will scatter left,
some will scatter right, but they will leave their young, old, infirm, and
immature herd members open.
The preceding is not too far off from how professional malicious social
engineers operate. They “roar” in such a way as to cause or add to the
confusion. They use websites that help find dead loved ones after a natural
disaster, or claim themselves to have lost family and friends in the carnage.
When the emotions of the “targets” are so involved they can’t see straight is
when an attack occurs.
The inexperienced and immature (technologically speaking) fall victim
first by giving out little bits of information until the attacker has enough to
build a profile. That profile helps launch further attacks, and those attacks get
more vicious and heartless.
Be alert to these instances, and you will keep your clients and yourself
protected from falling victim to them. Also, use these situations as a learning
lesson, analyze the methods used, and see whether they worked or failed.
Doing so will enhance your ability to be more alert to potential threats.
The unfortunate difference between a lion and a social engineer
(besides the obvious) is that a social engineer gives no audible roar. He is
not out there yelling, “I want prey, now run!” Instead, malicious social
engineers’ sly, subtle attacks trick thousands into their traps each year.

Use Your Fear


Now, if this chapter has built any kind of fear in you, all I can say is, “good.”
You need it, because healthy fear can save your life, or at least in this case
your identity and your business.
Use that fear to motivate change. Don’t get angry and upset. Make a
decision to change and to educate yourself, your families, and your
companies on how to observe, notice, and defend against these attacks. Make
a decision to not allow your identities and your companies to be hacked, and
then do something about it.
This whole book boils down to “security through education.” Human
hacking is an art form. Social engineering is a mixture and blending of
sciences, art, and skill. When blended in the right amount and right mixture,
the results are “shikata ga nai.”
Companies lose millions of dollars per year to breaches, with a large
majority of those breaches stemming from social engineering attacks. Yet,
more often than not, when we offer clients the chance to add social
engineering auditing to their pentesting services they decline.
Why?
Companies tend to fear change. Countless times in my professional
practice I have heard intelligent and successful business owners say things
like, “We don’t need a social engineering audit. Our people won’t fall for
those tricks.” Then, during the pentest, we will make a few authorized phone
calls to get information, and when we present that information in the report,
they are amazed at how easy it was to obtain.
At all levels of various companies, security awareness doesn’t tend to
change much. When speaking to companies after a pentest about a security
awareness training program we launched, many told us they do not perform
formal intense training for call center or tech support departments. Yet those
are the same departments that most often fall for social engineering attacks.
This points to the core of the problem that I am speaking about here.
Security through education cannot be a simple catch phrase; it has to
become a mission statement. Until companies and the people who make
up those companies take security personally and seriously, this problem
won’t be fixed completely. In the meantime, those who were serious enough
to read this book and to have a desire to peer into the dark corners of society
can enhance their skills enough to keep their families, selves, and
companies a little more secure.
When the “lion roars,” be the one who is at the front of the pack leading
the exodus out of the way. Be an example of what to do and how to defend
against these attacks.
With enough time and enough effort anyone can be social engineered.
Those words are true, as scary as they are. That doesn’t mean there is no
hope; it means your job is to make malicious social engineering so difficult
and time consuming that most hackers will give up and go after “low-
hanging fruit” or the prey that is left behind. I know; it sounds cold. I would
love it if everyone would read this book and make some massive changes—
then companies would be truly secure. But that is just not the world we live
in.
That statement, then, raises a very serious question. If there truly is no
hope, how can companies, people, families, and everyone protect against
this massive vulnerability? Until companies begin to realize their vulnerability
to social engineering attacks, individuals will have to educate themselves
about attack methods and stay vigilant, as well as spread the word to others.
Only then do we have hope of staying if not one step ahead of an attack, then
not too far behind.

Summary

As I conclude this book, I hope it has opened your eyes to the world of social
engineering. I hope that it will continue to help you take note of the potential
for malicious attacks. I hope it has helped you build or maintain a healthy
fear of the potential for disaster.
I also hope this book helps you to protect your businesses, your families,
your children, your investments, and your life. I hope that the information
within has shown you that staying completely secure and protected is not
impossible.
Mati Aharoni, my mentor, says in one of his classes that the reason the
bad guys usually win is because they have dedication, time, and motivation
on their side. Don’t let life get in the way of security. Conversely, don’t let too
much fear of the bad guys keep you from enjoying life.
I hope that applying the principles in this book enhances your ability to
read and communicate more effectively with people around you. Using them
in many aspects of your life, not just security, can prove to be a life-altering
exercise. Social engineering is truly an art form. Enjoy.

Index

Numbers
7-38-55 Rule
419 scam
A
Abagnale, Frank Jr.
active listening, reflective responding and
aggressive approach to interrogation
Aharoni, Mati
program crashes
stamp collection
Air Force training, social incentives and
alcohol, elicitation and
alternate route
Amazon logo
anchoring
anger, microexpressions
anxiety
appearance, rapport building and
arm/hand placement
ask for what you want
assumed knowledge
assumptions in positive manipulation
assumptive questions
Asterisk
attacks