
1.2.3 Principles (Reasons for Effectiveness)

This section lays out the psychological levers social engineers pull on their victims in the real world, and why each one works. Each principle below is given with a definition, an example of it in use, and the attacker's motive for using it.

Authority: exploits two reactions, fear and respect. Almost everyone answers to some authoritative figure in their personal or professional life.

Example: bosses, VIPs, parents. The attacker impersonates one of them, or claims to be acting on their behalf.

Attacker motive: the attacker uses authority to convince victims that they are obliged to take the requested action, because refusing an authority figure feels improper and carries consequences.

Intimidation: similar to authority, but the pressure does not have to come from an authority figure. Anyone can intimidate a victim by being loud, hostile, and threatening until they get their way.

Example: an attacker poses as a highly upset customer and threatens to complain about their issue to a manager or some other real authority figure.

Attacker motive: the attacker acts as an angry customer threatening to call corporate if they do not get what they want, counting on the victim giving in to end the confrontation rather than following procedure.

Consensus/Social Proof: consensus is the claim that other people have already agreed to or complied with the request, so the victim should too. Social proof is the attacker dropping familiar names, places, or insider details to appear legitimate.

Example: an attacker calls the help desk at a hospital asking how to reach a "family member". The attacker says things such as "I used to work at this hospital, so I understand the rules, but could you just do me this one favor?"

Attacker motive: the attacker looks for common ground with the target (a shared background, likes and dislikes, hobbies, or even opinions) so that the request looks like something any reasonable colleague would grant, and the victim hands over the information rather than be the one who refuses.

Scarcity: the attacker offers the victim something desirable that is in short supply or that the victim knows they could not otherwise get, so the victim acts before the opportunity is gone.

Example: an attacker poses as a representative of a company the victim does business with and offers lifetime gift cards if the victim resets their password over the phone.

Attacker motive: the attacker bribes victims with gifts or goods to get some type of information in return.

Urgency: the attacker makes the situation seem more critical than it is and extracts as much information as possible before the victim has a chance to think.

Example: an attacker calls the victim, says their Gmail account will be deleted in 10 minutes, and starts asking for a lot of personal information.

Attacker motive: the attacker does not want the victim to have time to think about the questions being asked. Because the victim believes the matter is urgent, in most cases they give up the information.

Familiarity/Liking: the attacker works to make the victim feel liked by, and connected to, the attacker.

Example: the attacker connects with the victim by paying compliments or engaging in relatable conversation.

Attacker motive: the attacker wants the victim to forget they are talking to a complete stranger and to treat them like a friend, which gives the attacker an opening to dig for personal information.

Trust: this approach establishes different levels of trust between the attacker and the victim. Some goals require only low-level trust; others require deep trust. It all depends on the attacker's purpose.

Example: low-level trust: the attacker gets the victim to talk about their weekend plans. Deep-level trust: the attacker gets the victim to talk about personal problems currently in their life.

Attacker motive: the attacker knows that victims extend trust in degrees, tests how much trust the current victim has granted, and plans accordingly to get the most out of it.