Often when we think about social engineering we think about manipulating individuals by speaking to them. We think of talking the call center employee into doing our bidding or posing as a delivery representative and talking our way onto the facilities. We rely on our eyes and ears as we navigate the world but we often forget about, or don’t give enough credit to, the power of nonsexual touch. Let’s explore the role of nonsexual touch in communication and see how it can benefit the social engineer.
Research shows how simple touching can increase compliance, helping behavior, attraction, and can be used to signal power. Even the slightest touch can influence the way someone thinks about you or perceives the situation. Knowing how touch can influence your target is vital information every social engineer should be familiar with.
A 2003 study from the Université de Bretagne-Sud in Vannes, France showed that a simple light touch on the arm increased the likelihood of strangers helping an individual from 63% up to 90%. Similar techniques can be used to increase compliance. As an example, a study by Willis and Hamm asked individuals to sign a petition.; 81% of those touched signed the petition compared to 55% who were not touched. A second and similar study asked people to fill out a questionnaire. Simply touching the individuals asked to take the questionnaire increased their compliance from 40% to 70% – How would you like those results on your next social engineering pentest?
As it turns out, we can compound the positive effects of nonsexual touch by increasing the amount of touch administered. A study by Vaidis and Halimi-Falkowicz showed that touching an individual twice increased the likelihood that the individual would complete a survey over those individuals touched only once. Not surprisingly, when men were touched by a female, the effects were strongest. Even if the touch was nonsexual, it may be interpreted, subconsciously, by the individual to illicit even more favorable response.
It’s important to understand that these techniques can have vastly different results depending on the culture involved. In cultures where there is a high level of homophobia, a male touching a male on the arm will generate far less compliance than the same action in a different culture. In Poland, where high levels of homophobia exist, a 2010 study showed far less compliance between two men than a similar study conducted in 2007 in France, where touching is acceptable between men. Generally, a male to female or female to male touch will generate the most compliance, but it’s important to properly gauge your environment.
A position of dominance can be immediately achieved by light, nonsexual touch. Observations by Henley showed that people who touch others are of a higher status than those being touched. Summerhayes and Suchner showed that, in general, we look at people who touch others as having more power in our society. By simply touching someone on the forearm, we establish dominance over them which will increase compliance.
A 2007 study conducted by French researchers, Erceau and Gueguen, showed that touching someone for just one second makes them view you as more sincere, friendly, honest, agreeable, and kind. It is amazing that simply touching someone’s arm for one single second can make them think more favorable toward you.
Utilize the power of touch on your next social engineering engagement. When standing next to someone and attempting to gain access to an area or while attempting to extract information, reach out and gently touch their arm for a brief second while you are making your request. This simple action, when performed appropriately, will make your target think you’re more sincere, more dominant, more honest, and will increase compliance. Try two brief touches for even better results!
*** CAUTION: It is important to note that touching is not always appropriate and will not always yield positive results. Each situation must be interpreted as an isolated case. Use your best judgement by assessing the situation.***
When touching is appropriate, touch lightly on the upper arm as this is the safest place to touch someone that you don’t know. A simple light touch of your target’s arm can be the difference between a successful social engineering attack and an unsuccessful attack.
Using as a Social Engineer
As a Social Engineer, one can not run around touching everyone, or you may end up in trouble with the law. There are ways a social engineer can use the power of touch to create an endearing atmosphere that will turn your target into putty for your shaping.
Imagine this scenario…. you want to gain access to a building and, thanks to their Twitter status updates, you know the HR staff is out of town for a conference. You come in to the office, looking disheveled, with a coffee dripping resume.
You approach the desk and tell the front desk person you are here to see Mr. <Out of Town> but just need a minute to compose yourself. She looks at you, almost sad for you and says, “I’m sorry but he’s not here, he’s out of town.”
Sadly, you look at her and say, “What? I thought he said his trip to Miami was next week?”
“No honey, its this week.”
“Oh, please don’t tell him what a fool I am. I am so embarrassed. At least I don’t have to use this coffee soaked resume.”
She leans over and says, “It’s OK, we all have bad days”
You now reach up and touch her arm lightly and say, “Thank you so much ma’am. You really make this day just a little better. Would I be able to use your restroom before I go to my next interview, which I hope I didn’t mess up?”
The pretext, the emotional investment and the touch all greatly increases her chances of compliance, allowing you to plant your USB drives in the hallway and bathroom.
This is just one of many scenarios that allow for touch to enhance your chances of success. Can you think of others? Send us in your ideas to firstname.lastname@example.org