Trust Me - I'm Lying: Psychology and Social Engineering
by N0x
You lock your doors, set strong passwords, and install anti-virus software. But what if the biggest risk isn't your technology - it's you.
The art of manipulating people into performing actions, or divulging sensitive information is as old as humanity itself. An innate survival tool, baked into our evolutionary DNA. Imagine Neanderthals living in communities where persuasion, deception, and influence were crucial to survival. A stronger hunter might boast about a kill to secure a better share of food or exaggerate their prowess to win a mate. A gatherer might convince the group to avoid a dangerous area - not out of caution, but to keep the best food sources for themselves. These primal forms of manipulation weren't malicious; they were tactics to improve one's odds in a brutal, unforgiving world.
As society advanced, so did our methods. Ancient traders likely oversold the value of their goods to get a better deal. Medieval spies wormed their way into enemy courts, pretending to be allies. Con artists in the 1800s crafted elaborate personas to scam their way into fortunes. It's all about understanding human behavior and exploiting it to get what you want. And in many ways, that drive - to find shortcuts, to persuade, to manipulate when necessary - isn't a flaw in our nature. It's part of what helped us survive, build civilizations, and dominate the planet.
Social engineering helps us manipulate human behavior - our desire to help, or perhaps our fear of getting in trouble. We're full of instincts and emotions we've built up throughout our lives - rules we follow that help us "fit in" and not just survive, but flourish. Over time, those of us who look for vulnerabilities noticed that it can be disturbingly easy to turn those instincts in our favor.
As technology evolves, human psychology remains the most constant vulnerability. Tools like ChatGPT, deepfake technology, and other AI-assisted content generators have made social engineering more effective than ever. Generating phishing emails, creating fake websites or landing pages, and even producing your own malware is now accessible to anyone with an Internet connection - and these tools allow us to create convincing payloads in a fraction of the time. It's 2025, your brain is a port, and hackers know exactly how to connect.
If you've never foraged through the methods of using social engineering for initial access, you're overlooking what's often the easiest way into any system. I'd encourage you to learn as much as you can about human psychology, and even sales tactics - both of which will greatly improve your chances of initial access. There are plenty of great psychology-, sales-, and hacking-focused publications out there that can directly and indirectly teach you more about the topic. For instance, in the book Influence: The Psychology of Persuasion, Robert B. Cialdini approaches sales in a science-based manner. By outlining tactics and methods that aim to build rapport and trust with people quickly, he helps pave the way for a hacker to build a sound social engineering methodology. These concepts are vital to any social engineering or phishing effort: get the target to like and trust you quickly, which opens them up to further emotional manipulation.
A great way to find success in any social engineering or phishing engagement is to target emotions - that which makes us human. This can come in many forms, but you'll often find success leaning into one (or more) of the following categories:
Urgency: Creating a sense of urgency might invoke a quick response/click from the target. You want them to engage their mouse before they engage their brain.
Authority: Impersonate a person of authority (executives, IT staff) to gain compliance from your target regarding your request.
Trust: Build rapport, appear to be a friendly, likable, legitimate individual - to bypass normal social/security skepticism.
Curiosity/Greed: Use promises of rewards, freebies, or special access - exploiting the target's greed or initial curiosity. Send out an email saying there was a cat found in the parking lot, with a link - asking if anyone has helpful information. People may jump to click a link, hoping to see a picture of a cat... and curiosity kills more than cats.
Helpfulness/Sympathy: You might feign distress or ask for help, exploiting the target's desire to be a good person (everyone likes to feel good about helping people!). Something that seems like a quick/low effort task to a stranger might be your ticket in.
Reciprocity: You may provide something of value to the target first - creating a sense of obligation to respond or help you. There's a reason some charities mail out dimes/nickels to people they're asking for donations from.
Social Proof: "I just spoke with Jim in accounting, and he mentioned you'd be the best one to ask about the inventory list below: [link]" - using the target's social circle as proof that you're a trusted/safe person. So go ahead and click that link for me...
Scarcity: Make it rare/desirable - maybe there are only three free tickets left to that concert, or two hours left in the sale, or "the first ten people who claim the code get the discount," etc.
Commitment and Consistency: Once a target takes a small action with you, you're on the way to building more rapport. You can potentially build that relationship and get more and more help from them.
Regarding the list above - remember, you only need to sprinkle in enough of any of them to get the target to click a link, or reveal a small piece of information you need.
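The same categories are useful from the other side of the inbox. The following is an added example, not part of the original article: a small triage heuristic that counts how many of the pressure categories above stack up in one message, on the theory that a legitimate request rarely needs urgency, authority, scarcity and a link all at once. The cue phrases, the `score_message` and `triage` function names, and the three sample messages are all constructed for illustration; a real mail filter would tune the phrase lists against its own traffic.

```python
"""
Added example: count pressure cues (urgency, authority, scarcity, social proof,
reciprocity, curiosity) in a message and flag messages that stack several of them.
All cue phrases and sample messages are constructed for this illustration.
"""
import re
from typing import Dict, List

# One list of regexes per pressure category from the article (constructed, not exhaustive).
CUES: Dict[str, List[str]] = {
    "urgency": [r"\burgent\b", r"\bimmediately\b", r"within the next \d+ (minutes|hours)",
                r"right away", r"\basap\b"],
    "authority": [r"\bceo\b", r"\bit (department|support|helpdesk)\b", r"\bcompliance\b",
                  r"per (the )?(ceo|director|cfo)"],
    "scarcity": [r"only \d+ (left|remaining)", r"first \d+ (people|users)",
                 r"expires? (today|soon|in)", r"\blimited\b"],
    "social_proof": [r"(spoke|talked) (with|to) \w+ in \w+", r"everyone (else )?(has|is)",
                     r"your colleagues?"],
    "reciprocity": [r"free (gift|ticket|voucher)", r"as a thank you", r"\bbonus\b"],
    "curiosity": [r"you won'?t believe", r"found in the parking lot",
                  r"see (the )?(photo|picture)"],
}

# A URL or the article's "[link]" placeholder counts as a call to action.
LINK = re.compile(r"https?://\S+|\[link\]", re.I)


def score_message(text: str, flag_at: int = 3) -> Dict[str, object]:
    """Return which categories fired, whether a link is present, and a simple score.

    The score is the number of distinct categories hit plus one if a link is present;
    hitting the same category twice does not add pressure, so it is counted once.
    """
    hits = {cat: [p for p in pats if re.search(p, text, re.I)] for cat, pats in CUES.items()}
    hits = {cat: pats for cat, pats in hits.items() if pats}
    has_link = bool(LINK.search(text))
    score = len(hits) + (1 if has_link else 0)
    return {
        "categories": sorted(hits),
        "has_link": has_link,
        "score": score,
        "suspicious": score >= flag_at,
    }


def triage(messages: Dict[str, str]) -> Dict[str, bool]:
    """Map each message id to whether it should be held for a human look."""
    return {mid: bool(score_message(body)["suspicious"]) for mid, body in messages.items()}


# Constructed samples: two modelled on the article's examples, one benign control.
SAMPLE_MESSAGES = {
    "social-proof": ("Hi, I just spoke with Jim in accounting and he mentioned you'd be the "
                     "best one to ask about the inventory list. Could you review it before "
                     "5pm today? It's urgent: https://example.invalid/inventory"),
    "free-ticket": ("As a thank you for your work, you've been picked for a free ticket to "
                    "the concert. Only 3 left, claim within the next 2 hours: [link]"),
    "benign": "Hi team, minutes from Tuesday's meeting are attached. No action needed. Thanks, Dana",
}

if __name__ == "__main__":
    for mid, body in SAMPLE_MESSAGES.items():
        print(mid, score_message(body))
```

The threshold of three is deliberately low: the article's point is that one well-placed cue can be enough, so a filter like this is a triage aid for a human reviewer, not a verdict. Messages that fire a single category are normal business mail most of the time, and the useful signal is the combination.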
Now, outside of (or perhaps overlapping with) human emotions, there is a tangential target worth keeping in mind: human tendencies. You'll often find that people tend to write down passwords. This can look like plaintext documents stored on their desktop, passwords they think they're "hiding" within source code, or even a scribble on a notepad or sticky note sitting right next to their system. They do this because, as humans, we strive for the path of least resistance, and we often choose convenience over security. Keep that in mind.
Perhaps you're posing as a member of the IT staff, or an IT vendor the target company uses. Sometimes success comes with introducing a problem, explaining a complex fix, and then "suddenly remembering" that there may be another, quicker way we could try first - and sending a link to a payload or malicious login page to capture credentials. Offering a quick and convenient solution to a problem you created can work wonders.
Let's take the concept of human tendencies a step further with password rotation mistakes. We like to tell ourselves we're being more secure by rotating our passwords. But many people simply make predictable changes to avoid the hassle of remembering yet another password for yet another platform (once again, convenience over security at play) - adding a "1" to the end of their current password, tacking on an exclamation point, and so on. These changes are usually enough for the platform to accept the new password, but they don't solve the underlying problem. This leads to situations where even old and outdated credential leaks can still go a long way toward helping bad actors figure out current passwords - somewhat defeating the purpose of changing passwords periodically.
Over time, one thing remains true: social engineering is effective. Understanding human psychology is a surefire way to increase your odds of getting what you want. It essentially allows us to create our own race conditions within the mind of the target, with the hope that they follow the flood of chemicals and emotions in their body before they decide to stop and think logically about the details of what's occurring. When emotions run high (fear, excitement, urgency), rational thought often takes a back seat.
We all like to think we're more clever than we are, that we're too smart to be tricked so easily. Though, maybe we need to consider - are we really as sharp at 4:45 pm on a Friday when we're itching for the weekend and notice that link to a new movie trailer we've been dying to see?! Maybe we click it, maybe we don't. One thing's for certain: the adversary is going to try again tomorrow, and we only need to mess up once.