Q. Explain the concept of social engineering Framing. Why is it a key fundamental in a social engineering plan? Provide an example of Framing in your own context of a work or social setting.
Framing is how a Social Engineering target dynamically reacts to a situation based on life experiences and their own traits and characteristics (Hadnagy 159-160). Social Engineers use a technique called frame bridging to close the gap between the scenario a Social Engineer wants the target to respond to and personal facts about the target. A pretext is a strategy the Social Engineer has prepared to bridge the frame – in other words overcome resistance to the scenario.
Today I received the following phishing email. A screenshot of the email is below, and text with the link removed follows. The links are not live because it is a graphic, and no one should click on them if they were live.
My name is Veronica.
Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.
Take a look at this document with the links to my images you used at www.chasenfratz.com and my earlier publications to obtain the evidence of my copyrights.
Download it now and check this out for yourself:
(url probably leading to something bad was here)
I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act (”DMCA”) therein.
This letter is official notification. I seek the removal of the infringing material referenced above. Please take note as a service provider, the Digital Millennium Copyright Act requires you, to remove or disable access to the infringing materials upon receipt of this notice. If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.
I have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the copyright owner, its agent, or the law.
I swear, under penalty of perjury, that the information in the notification is accurate and that I am the copyright owner or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
Best regards, Veronica Garcia
It’s possible that whoever sent this message, whether a person or a bot, distributed it to anyone they could reach who has a blog. Social Engineers deliberately choose words that evoke emotions in the receiver (Hadnagy 163). Clearly, fear is what I’m supposed to feel while reading a message like this. There are a lot of scary-sounding legal terms and phrases thrown around, and the dollar amount of possible damages that supposedly could result if I don’t act is high.
The purpose of invoking strong emotions in a target is to get the amygdala in the brain to compel the target to act and click the link before the logical part of the brain says “wait that might be a phishing email” (Hadnagy 184-185). The basic human emotions of anger, surprise, fear, disgust, contempt, sadness or happiness are tools that Social Engineers exploit for different purposes (Hadnagy 163).
If I weren’t sure about the authenticity of the above email, I could look up the law that has been cited and the name of the artist or designer claiming infringement to see if there is any possibility it might be real. I’m not even bothering to do that, because there are several things about my particular framing that this pretext did not succeed in bridging even that far.
I’m currently enrolled in a Social Engineering class and the kind of activity represented in this email is foremost in my mind and has been for weeks.
I’ve actually received a genuine email recently regarding trademark infringement. The allegation of trademark infringement was about an adhesive dots product I had been selling in my Etsy shop. I had used the phrase “glue dots” as a tag to help describe the product, but another company claims the phrase “glue dots” as a registered trademark. In my opinion “glue dots” is way too generic a phrase to legitimately claim a trademark on, but my opinion means nothing. For one thing, I’m not even an attorney. Etsy informed me that they had removed my listing for that product. Just to make sure the issue was real, I contacted the law firm mentioned in the email and the manufacturer of the product in question. The law firm did not answer my inquiry, but I did confirm it actually exists and specializes in that type of law. Today’s phishing email is extra suspicious because there is no law firm mentioned. The manufacturer of the adhesive dots product responded to me and confirmed it was a real issue that they were trying to resolve. In short, I have some idea what a real email of this nature looks like, and this is NOT it.
I’ve been involved with business blogging as part of my work for nearly 20 years, possibly since before the term “blogs” was even in wide use, and I have a pretty good idea about what copyright violation and fair use are. If I were actually guilty of this I would know! At least I think I would. Humility is important, because while people like us are busy working at something legitimate, malicious Social Engineers are planning new schemes instead. We can never let our guard down or assume that we know everything and will easily catch every scam.
Additional Framing Techniques
The Social Engineer who created this phishing example could have used the technique of reinforcing the frame, that is, causing me to think about it and therefore strengthen it, if they had done even a little bit of OSINT (Open Source Intelligence) on me (Hadnagy 166). But it’s clear they did none, other than to use my website URL, which may have been scraped by a bot.
For example, the phrase “Your website or a website that your company hosts” is kind of a giveaway. I would have done a little more digging if they had said “the Fiber Arts section” or something like that, indicating it might not be a generic scam email. Creating an email with a more personal and specific pretext via the knowledge gained by OSINT is called spear phishing.
Negating the frame is a way of inadvertently undermining the operation by reminding the target of what they should be suspicious about (Hadnagy 165). The phishers in this case avoided that blunder – they didn’t say anything like “Beware, this is not a scam email!”
Another way of leveraging the framing of a target is hinting at or insinuating something without directly coming out and saying it. This is called evoking the frame (Hadnagy 164). I would have known what the implied threat was if the phishers had said something like “if you don’t stop using our copyrighted material we will be forced to take serious action”. Kind of like a gangster in a movie or TV show saying “this is a nice place you got here, it would be a shame if something happened to it!”
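The red flags picked out above (fear-evoking legal language, a big dollar figure, an addressee phrase that fits anyone with a website, a push to download before thinking, and no named law firm behind the threat) can be written down as checks and run over a message. The scorer below is an added example for this post, not code from the original or from Hadnagy’s book; the word lists, weights and thresholds are assumptions chosen for illustration, the phishing sample is the email quoted earlier with its link removed, and the contrasting notice is constructed, with a placeholder firm name.

```python
"""Heuristic scorer for fear-framed phishing text (added example; word lists
and weights are assumptions, not a vetted detection ruleset)."""
import re
from dataclasses import dataclass, field

# Fear-evoking legal terms: words chosen to trigger emotion before reasoning.
LEGAL_THREAT_TERMS = (
    "infring", "lawsuit", "liable", "statutory damages",
    "penalty of perjury", "official notification", "willfully",
)
# Phrases that fit any site owner: a sign of no OSINT, i.e. not spear phishing.
GENERIC_ADDRESSEE = (
    "your website or a website that your company hosts",
    "your website or",
    "your company",
)
CALL_TO_ACTION = ("download it now", "check this out", "click", "open the attached")
# Markers a genuine legal notice usually carries (assumed list).
NAMED_COUNSEL_MARKERS = ("law firm", "llp", "attorney", "esq.", "counsel", "law office")
DOLLAR_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")


@dataclass
class Assessment:
    score: int = 0
    reasons: list = field(default_factory=list)


def _hits(text, terms):
    return [t for t in terms if t in text]


def assess_message(body: str) -> Assessment:
    """Score a message body; a higher score means more fear-framing red flags."""
    text = body.lower()
    a = Assessment()

    legal = _hits(text, LEGAL_THREAT_TERMS)
    if legal:
        a.score += min(len(legal), 4)
        a.reasons.append("fear-evoking legal language: " + ", ".join(legal))

    amounts = [int(m.replace(",", "")) for m in DOLLAR_RE.findall(body)]
    if any(amt >= 10_000 for amt in amounts):
        a.score += 2
        a.reasons.append(f"large dollar threat: ${max(amounts):,}")

    generic = _hits(text, GENERIC_ADDRESSEE)
    if generic:
        a.score += 2
        a.reasons.append(f"generic addressee, no personal framing: '{generic[0]}'")

    cta = _hits(text, CALL_TO_ACTION)
    if cta:
        a.score += 2
        a.reasons.append(f"push to act before thinking: '{cta[0]}'")

    # Legal threats with nobody identifiable standing behind them.
    if legal and not _hits(text, NAMED_COUNSEL_MARKERS):
        a.score += 1
        a.reasons.append("legal threats but no named law firm or counsel")
    return a


def verdict(a: Assessment) -> str:
    if a.score >= 6:
        return "likely phishing"
    if a.score >= 3:
        return "suspicious"
    return "low risk"


# The email quoted in the post, link removed.
PHISHING_SAMPLE = """My name is Veronica.
Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.
Take a look at this document with the links to my images you used and my earlier publications to obtain the evidence of my copyrights.
Download it now and check this out for yourself:
I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act therein.
This letter is official notification. If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.
I swear, under penalty of perjury, that the information in the notification is accurate."""

# Constructed contrast: specific listing, named (placeholder) firm, no download push.
GENUINE_STYLE_SAMPLE = """This notice is sent by Example & Partners LLP on behalf of our client, who holds a registered trademark.
The listing titled 'Adhesive Dots 1/2 inch' in your Etsy shop uses the tag 'glue dots', which our client considers trademark infringement.
Please remove the tag from the listing within ten business days, or contact our office using the details below if you believe this notice was sent in error."""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("genuine-style", GENUINE_STYLE_SAMPLE)):
        result = assess_message(sample)
        print(f"{label}: score={result.score} -> {verdict(result)}")
        for r in result.reasons:
            print("  -", r)
```

The scorer is deliberately simple: it reflects what a human reader spotted, so a message can still be dangerous when it scores low (a well-researched spear phish would avoid the generic-addressee and missing-counsel flags entirely), and a genuine notice can pick up points for its legal vocabulary. Its value is as a reading aid that slows the reader down long enough for the logical part of the brain to catch up, which is exactly the delay the fear framing is meant to prevent.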
Hadnagy, Christopher. Social Engineering: The Science of Human Hacking. John Wiley & Sons, Inc. 2018.
My final exam for Social Engineering class is due at 5 pm on Friday. When I’m answering questions, it’s useful to write as though I’m explaining the concepts to a general audience. I’m going to publish these answers on this blog as I write them, before they are turned in and graded, to keep me on track to work long enough to explain completely but not so long that I run out of time and skimp on the last couple of questions (that’s what happened at the midterm exam!). A lot of people have been asking me what Social Engineering is since I’ve been in this class. I do think it’s something everyone needs to know about as part of life skills so I’ll explain the best I can. Enjoy!
Q. Discuss the art and method of Influence and Manipulation.
First I’ll define the terms according to Christopher Hadnagy, author of our textbook “Social Engineering: The Science of Human Hacking”.
Social Engineering – “Social engineering is any act that influences a person to take an action that may or may not be in his or her best interests” (Hadnagy 7).
Influence – “Getting someone to want to do what you want them to do” (Hadnagy 123).
Manipulation – “Getting someone to do what you want them to do” (Hadnagy 151).
Social engineering is part art and part science, and method is where they come together (Hadnagy 157). Hadnagy brings up cooking as an example of a pursuit that combines art and science to create a satisfactory outcome. Gardening and aquatic animal keeping are a couple of my pursuits that are similar – science knowledge is needed to keep the organisms alive, and artistry helps make the environments harmonious and attractive. There are certain needs the organisms have that must be met but I have choices in what colors I can have, quantities, how I arrange the elements, how much splashing or bubbling do I want to create a soothing sound, and other aesthetic choices that affect the total presentation.
Part of the science of SE is framing and elicitation (Hadnagy 158). Framing is how someone dynamically reacts to a situation based on life experience and internal makeup (Hadnagy 159-160). Depending on the reaction you want, artistry helps to create an approach to the frame that is appropriate to achieve the objective. Social Engineers may be called on to create characters and costumes, choose words, use props, practice acting skills, storytelling and other creative enhancements. Preparation and practice are important, as is the ability to adjust to changing situations.
Elicitation is getting a target to volunteer information (Hadnagy 168). In order to cultivate the target to be open and trusting enough to share, artistry will again be used in a planned way as well as dynamically as conversation progresses. A social engineer might plan a scenario ahead of time or create one just by observing a target. Methods such as Ego Appeals, Mutual Interest, Deliberate False Statements, displays of Knowledge and the Use of Questions are methods Social Engineers can use to subtly direct the interaction (Hadnagy 168-182). There is art in how these methods are used, and also in choosing embellishments such as the above mentioned characters, costumes, props, etc.
Q. How are each applied to a social engineering plan?
Influence – Cialdini’s Six Principles of Influence are as follows (ChangingMinds.org):
“Reciprocity: Obligation to repay.” Both wanted and unwanted gifts will create an urge to reciprocate, but if we appeal to what the target really values, we will get a greater concession in return. Gifts don’t have to be material things – good feelings in the target aroused by gifts of compliments and humor are also effective (Hadnagy 125-128).
“Consistency and Commitment: Need for personal alignment.” We have a powerful drive to meet commitments because the consistency of ideals and behavior gives us a feeling of confidence and strength. I’m adding my own assumption here that this may not apply to people with psychopathy and personality disorders (“Psychopathy”). You can appeal to the urge for internal consistency in other people by getting them to agree to a small request initially, then a larger one later. Victimizers use your integrity and need to make your actions match your beliefs as a weapon against you. Keeping this in mind might help us to know when it’s ok to change our minds about a commitment that is no longer serving us. Consistency and commitment can also be good defenses against attacks, since they protect against people looking for examples of hypocrisy to use as a Social Engineering weapon against us.
“Social Proof: The power of what others do.” When we are unsure about what is safe or acceptable we often look at the behavior of others as a guide (Hadnagy 149-150).
“Liking: The obligations of friendship.” Hadnagy explains different meanings of the word “like”. We tend to like people who are “like” us in some way, that we see as a member of our tribe, and we “like” people who we think like us (Hadnagy 146-148).
“Authority: We obey those in charge.” Possessing actual authority or knowledge gives a Social Engineer more confidence to act with authority, but faking it, implying it or transferring it by seeming to associate with a genuine authority will work also (Hadnagy 140-141).
“Scarcity: We want what may not be available.” We can be Social Engineered to respond to a perceived or real scarcity of goods, sale prices, time or any kind of resources (Hadnagy 134-136).
Hadnagy lists 6 principles of manipulation (Hadnagy 153):
2. “Environmental control.”
3. “Forced reevaluation.”
4. “Removal of power.”
It’s not an accident that these tactics are synonymous with types of abuse, emotional and sometimes even physical. Abusers abuse because they want the power and control it gives them (Davenport). It isn’t only individuals who might try to abuse us – organizations can do it too. I’ve written passionately and repeatedly on this subject in my class assignments, as you know, and in other writings, because of my theory that we as a culture tend to give far too much trust to institutions that have devoted vast research and resources to manipulate, and yes, abuse.
Q. What is the difference between the two?
Hadnagy’s definitions of influence and manipulation are nearly the same in terms of wording. In both cases, the social engineer wants the target to take an action that the social engineer wants. In an influence situation, the target wants to go along with the engineer (Hadnagy 151). That is a very slight difference, and Hadnagy acknowledges that not all will agree with his chosen definitions. When I first read “How to Win Friends and Influence People” by Dale Carnegie, a friend of mine didn’t want me to read it because in his words “It teaches you how to manipulate people”. My reply to him was my interpretation of a couple of the points I thought Carnegie was trying to make – the transactions and deals you make should benefit both parties, and whatever social techniques you use to get the results you want should be sincere (Winkelmann “My Opinion of…”).
I think Hadnagy is of a similar opinion. Manipulators don’t care about the feelings or well-being of the target, and the interaction will not be remembered fondly by the target (Hadnagy 151, 153). That’s detrimental to getting future business. In Hadnagy’s case, since part of his job is to educate clients, negative feelings interfere with the learning process and are to be avoided. I think he and Carnegie would agree that it is more important for both parties to come out of an interaction both feeling good about it than for the SE to “win” the transaction by getting the better of the target.
Of course many social engineers don’t mind harming the target, or they fully intend to harm the target – that’s when their actions become manipulation. For example the same male friend who was uneasy about me reading “How to Win Friends and Influence People” used manipulation on me and another woman to try to keep us from becoming friends. All three of us were part of a group that was going on a week long backpacking and camping trip. In preparation, he told me she didn’t like me and told her I didn’t like her. So for the first day of the trip we avoided each other. Due to the way the tents worked out, we were forced to share one the first night and weren’t happy about it. The next day we both had the same thought. “She’s not so bad.” We both decided to confide in each other what the male (now former) friend had told us. We had a good laugh and became best friends until she passed away in 2003. I was Maid of Honor at her wedding!
Q. Which method is more effective (give examples of circumstances/settings to be applied)?
I think it depends a lot on the circumstances. For example, if your goal is to have a productive future relationship with a target, you will take their welfare and emotions into account so that they associate you with a pleasant experience and are open to being influenced by you because they “like” you, as Cialdini teaches. If you plan to just use and discard the target when they are no longer needed, you don’t have to consider their well-being at all.
The archetype of the “snake oil salesman” is depicted in a music video I loved and watched a lot when I was a teenager, “Say Say Say” by Paul McCartney and Michael Jackson. The protagonists are con artists who travel from town to town in a wagon selling a bogus “strength potion”. They use pre-planned pretexts, such as a script and audience plants to Social Engineer the people in a town into buying a lot of the fake potion. By the time the customers realize it’s no good, the con artists are long gone and in another town sporting a different identity. When the law catches up to them, they use a distraction to evade (Giraldi). As long as they can get away quickly enough, they are not accountable and don’t have to make a good product. They only have to create the impression long enough to get the money.
Here is a personal example of when I experienced manipulation in an airport while being solicited for a donation. A man greeted me and offered me a free paperback copy of a vegetarian cookbook. I love to cook and I love vegetables, so I said “sure, thanks” and took it. I was young and this was my first time encountering this particular SE situation in an airport, so I was not looking for it and not prepared with defenses. The man said “Aren’t you going to give a donation?” I thought a moment and gave him a dollar. He said that wasn’t enough. I was not pleased about being manipulated, so I said “I think that’s pretty good for a free book. If you disagree, you can have it back and I’ll take back the dollar”. He just looked disgusted and waved me away. I was not unhappy about giving a dollar for the book, even though it’s not something I sought out. But I love recipe books, so a free book or a dollar book, either was fine with me. But I would have balked at any more than that. Neither of us was concerned about ever seeing each other again, so it was a very low stakes situation. Since he had correctly concluded he had gotten all he was ever going to get out of me, he didn’t bother to be civil one second longer than was productive.
The larger and more powerful an organization or individual is, the more they can insulate themselves from backlash caused by self-serving, fraudulent, unkind or unfair manipulations of people. For example last summer there were large corporations taking out television ads that put their brand in a good light, showing warm and positive scenes of how they were helping their employees and customers cope with the pandemic. News stories about those brands were sometimes in direct contrast to the images in the ads. Organizations can use their money and power to “buy” morality credits by performing certain good deeds and publicizing them or just artfully appearing to. In the “Say Say Say” video we see that the fictional con artists give their ill-gotten gains to an orphanage and stop to entertain the kids, so the viewers of the video will root for them (Giraldi). This tactic works in real life too.
Marketing and Public Relations are subsets of Social Engineering, according to Hadnagy’s definition. If organizations don’t even do good deeds but claim they want to someday, or are generally in favor of good things for society and they’d love it if YOU would do them, that is enough to counteract actual corporate hypocrisy in some situations (Chen 487-490, 517-518). Influential people and organizations have the money and power to buy a lot of Marketing and PR, so they are potentially not as accountable as the less powerful. For example, from years of selling art supplies online, with Amazon being one of the platforms I sold on, I’m personally acquainted with how Amazon treats people with no power and only the most infinitesimal trace of usefulness. Admittedly already skeptical about their corporate culture, I am not the only one to ponder the disconnect between Amazon’s paid feel-good ads and news stories about how workers are treated (Barrickman and Smith). In a paper I wrote last fall about Corporate Social Responsibility and Irresponsibility I speculated about the meaning behind the amounts of corporate public donations to social justice causes by Netflix, WalMart and Amazon (Winkelmann “Corporate Social Responsibility…”). Do these amounts reflect genuine commitment to the causes, a branding technique, the amount of resources available, or the amount of morality credits they feel they need to buy to compensate for their actual activities?
A malicious Social Engineer might intend to not only evade accountability, but plan to leave the target in a weakened condition as part of the strategy. Sometimes the goal is not merely profit but total defeat of the enemy.
Barrickman, Nick and Patrick Smith. “Amazon violates its own health and safety rules in COVID-19 coverup.” World Socialist Web Site, 2020, www.wsws.org/en/articles/2020/08/05/amzn-a05.html. Accessed 10 May 2021.
ChangingMinds.org. “Cialdini’s Six Principles of Influence”. Changing Works, 2002-2021, changingminds.org/. Accessed 16 March 2021.
Chen, Zhifeng, et al. “Corporate Social (Ir)Responsibility and Corporate Hypocrisy: Warmth, Motive and the Protective Value of Corporate Social Responsibility.” Business Ethics Quarterly, vol. 30, no. 4, Oct. 2020, pp. 486–524. EBSCOhost, doi:10.1017/beq.2019.50. Accessed 28 September 2020.
Davenport, Barrie. “61 Devastating Signs Of Emotional Abuse In A Relationship.” Live Bold and Bloom, 2021, liveboldandbloom.com/02/relationships/signs-of-emotional-abuse/. Accessed 11 May 2021.
Giraldi, Bob, director. “Say Say Say.” YouTube, Paul McCartney and Michael Jackson, uploaded by Giraldi Media, 1983, www.youtube.com/watch?v=aLEhh_XpJ-0. Accessed 10 May 2021.
Hadnagy, Christopher. Social Engineering: The Science of Human Hacking. John Wiley & Sons, Inc. 2018.
“Psychopathy.” Psychology Today, 2021, www.psychologytoday.com/us/basics/psychopathy. Accessed 11 May 2021.
Winkelmann, Carolyn Hasenfratz. “My Opinion of What Marketing is About”. Carolyn Hasenfratz Design, 2020, www.chasenfratz.com/wp/my-opinion-of-what-marketing-is-about/. Accessed 10 May 2021.
Winkelmann, Carolyn Hasenfratz. “Corporate Social Responsibility and Irresponsibility”. Carolyn Hasenfratz Design, 2020, www.chasenfratz.com/wp/corporate-social-responsibility/. Accessed 11 May 2021.