Making the pretext appear spontaneous goes back to my point on using an outline versus using a script.
Outlines will always allow the social engineer more freedom and a script will make the social engineer sound too robotic. It also ties in to using items or stories that interest the social engineer personally.
If, every time someone asks you a question or makes a statement that requires you to think, you go “Ummmm,” start to think deeply, and cannot come back with an intelligent answer, it will ruin your credibility.
Of course many people think before they speak, so this is not about having the answer in one second, but about having an answer or a reason for not having the answer. For example, in one phone call I was asked for a piece of information I didn’t have. I simply said, “Let me get that.” I then leaned over and made it sound like I was yelling for a workmate: “Jill, can you please ask Bill to give me the order form for the XYZ account? Thanks.”
Then as “Jill” was getting the paper for me I was able to obtain the data I needed and the paper was never brought up again.
I have compiled a small list of ways that you can work on being more spontaneous:
Don’t think about how you feel. This point is a good one, because often in a pretext if you overthink you will start to add emotion into the mix, which can cause fear, nervousness, or anxiety, all of which lead to failure. On the other hand, you might not experience nervousness or fear, but over-excitement, which can also cause you to make a lot of mistakes.
Don’t take yourself too seriously. Of course, this is great advice in life, but it applies wonderfully to social engineering. As a security professional you have a serious job; this is a serious matter. But if you’re not able to laugh at your mistakes, you may clam up or get too nervous to handle a small bump in the road. I am not suggesting you take security as a joke. In your mind, though, if you view a potential failure as the pinnacle of failure in your life, the pressure you create can cause just what you fear the most. Minor failures can often lead to greater success if you have the ability to roll with them.
Learn to identify what is relevant. I like to phrase this concept as, “Get out of your head and into the world,” which is more great advice. A social engineer may be trying to plan three steps ahead and in the meantime miss a vital detail that can cause the pretext to fall apart.
Be quick to identify the relevant material and information around you, whether it is the target’s body language, words spoken, or microexpressions, and assimilate the information into the attack vector.
Also keep in mind that people can tell when someone isn’t really listening to what they are saying. Getting the feeling that even unimportant sentences are falling on deaf ears can be a massive turnoff for many people. Everyone has experienced being with someone who just didn’t seem to care about what was being said. Maybe that person even had a legitimate reason to be thinking on a different path, but doing it is still a turnoff.
Be sure to listen to what your target is saying. Pay close attention and you will pick up the details that are very important to them and in the meantime, you might hear something to help you in your success.
Seek to gain experience. This concept goes back to what you will probably see repeated four million times in this tutorial—practice. Gaining experience through practice can make or break the pretext.
Practice spontaneity with family and friends and total strangers with absolutely no goal in mind but to be spontaneous. Strike up conversations with people, but not in a scary stalker kind of way—simple little conversations can go a long way toward making you feel comfortable being spontaneous.
These points can definitely give a social engineer the upper hand when it comes to pretexting. Having the ability to appear spontaneous is a gift.