The term manipulation is often used interchangeably with influence. We at SEORG consider the intent of the social engineer critical to making this distinction. When the intent is positive and the target feels better for having met you, we consider that to be influence. However, when the social engineer will use any tactics for a “win” without any consideration of the target, that paves the way to manipulation. Targets of manipulation will often feel shame, anger, and resentment – none of which makes the social engineer a partner in security education.
Incentives are at the core of understanding human behavior, and as such are at the core of understanding why people do what they do. Understanding this can help us to learn how to motivate people to do things we want them to do.
To understand this clearly, we first need to define what an incentive actually is: “An incentive is any factor (financial or non-financial) that enables or motivates a particular course of action, or counts as a reason for preferring one choice to the alternatives.”
For the purposes of social engineering, it is easy to break incentives into three separate categories: financial, social, and ideological.
Based upon the target and the objective, it is prudent to identify which incentive is to be the central motivator of the manipulation. A good treatment of this concept is the posting “The 3 Motivations of People, Material, Social and Ideological,” an excellent article written by Ed Schipul.
Financial incentives are the most common incentives due to their predominance in the economy and various government programs. A decent description of this was posted on knowledgerush.com. Many scams manipulate financial incentives by promising large financial gain with minimal effort or cost. See Advance fee fraud and Lottery.
One example of such a scheme that worked for many years was that of Bernard Madoff.
Social incentives relate to what would commonly be viewed as peer pressure: one's desire to be accepted and respected by the community. A wonderful study about the effects of social incentives and the power they carry can be found in the paper “Social Incentives: The Causes and Consequences of Social Networks in the Workplace” written by Oriana Bandiera, Iwan Barankay and Imran Rasul.
However, these concepts are not new at all, as documented in a US Air Force study from 1975, “Management of Social Incentives in Air Force Technical Training.” Social incentive programs are often used within companies as a lower-cost alternative to a financial program to drive employee behavior toward desired results. When pursuing social incentives, it is important to understand what social aspect matters to the target, as each person is driven by a whole different set of incentives.
One commonality amongst humans is the desire to be accepted by our peers. Social engineers will often use this “built-in” desire to make people feel a sense of obligation to perform some act or think a certain way, making it easier for the social engineer to achieve their goals. We call this Social Validation. We know this works by just looking at the life of teenagers. How many PSAs, school meetings and commercials warn of the dangers of smoking, drug use and the like… yet the fact that all of our friends do it can make us ignore all that counsel and “give it a try”.
Ideological incentives have to do with how one looks at oneself, whereas social incentives relate to how others see one. Other ways to think about ideological incentives would be as moral or ethical incentives. The most common source of ideological incentive is religion, followed closely by common children's stories such as Grimm Fairy Tales and common philosophers such as Aristotle. A common method of obtaining gain from another through manipulation of ideological incentives is the pervasive “Will Work For Food” sign held by distraught-looking individuals in high-traffic areas.
When engaging in SE and intending to utilize incentives as part of the attack, it is important to obtain enough information about your target to know which type of incentive they will be most responsive to and, further, how to approach the chosen incentive.