You’re sitting at home when you receive a call from a charity you’ve donated to in the past. They explain that they appreciate your previous donation and have been calling your neighbors who have been donating an average of $200. “Oh, I can’t afford that!” you respond. “We understand,” they say, “how about $20?” This, you think, you can do.

Unknowingly, you have just succumbed to a technique we in social engineering refer to as “concession.” What exactly is concession? How is it used? What are ways we can be more aware of concession being used against us? Let’s dive in.

What is Concession?

Concession, or “the act of conceding,” is defined as:

  1. The act or an instance of conceding (as by granting something as a right, accepting something as true, or acknowledging defeat).
  2. The admitting of a point claimed in argument.

How Concession Works

The basics of concession can be broken down into four steps. Once we understand these, we have a better chance of resisting this tactic. So, what are the basics of concession and reciprocity? Let’s look at them from the viewpoint of a malicious actor.

    1. Labeling the concessions. Malicious actors will make concessions to create feelings of indebtedness in their targets. In doing so, the target will have a very hard time, psychologically, ignoring the urge to reciprocate.
    2. Pressure to reciprocate. Now that the concession has been given by the attacker, there is a higher likelihood that the target will feel pressure to reciprocate with a similar act of giving.
    3. Make contingent concessions. These are “risk-free” concessions. These are used when trust is low or when the attacker needs to signal that they are ready to make other concessions.
    4. Make concessions in installments. The idea of reciprocity is deeply ingrained in our minds. Most people feel that if someone does them a favor, they should return that favor. Similarly, if someone is to make a concession, say in a negotiation or bargaining agreement, then the other party will instinctively feel obligated to “budge” a little bit too.

Example of Concession Process

As an example of this process, we can think about the famous con man Victor Lustig, who “sold” the Eiffel Tower a number of times in his life. He used the following process:
    1. Labeling the concession. Once he had a target on the hook, he told them that he would tell them a secret, but they couldn’t share it with anyone else. It was of such high importance that he would concede to telling only them.
    2. Pressure to reciprocate. Once the target heard the secret news (the Eiffel Tower was going to be scrapped and the cost of the metal was going to make someone very rich), they felt indebted to continue the discussion further and ask for more information. Many times, the targets would volunteer information like how wealthy they were or how much money they were able to invest.
    3. Make contingent requests. Victor would then make statements alluding to how he can only let a few people into the investment pool, and that he wasn’t sure if it could be them. By using concession aligned with scarcity, he really reeled in the target.
    4. Make concessions in installments. He would continually make concessions through meetings with his targets, until he successfully parted them from a very large sum of their money.

Clearly a bad actor, but an effective use of concession.

How Concession is Used

In addition to the above examples, we see concession tactics used everywhere from telemarketers to car salesmen. They leverage the steps discussed above to entice you to feel like you’re getting a good deal or making a fiscally responsible decision. While good to be aware of, uses of concession are not necessarily malicious. However, concession can absolutely be used maliciously, as seen in the example of Victor Lustig.

Professionally, vishers can use concession in many ways. For example, let’s say they are using the pretext of a virtual desktop infrastructure (VDI) upgrade. They may say something like “your VDI needs to be updated, but there are multiple ways we can go about this, so it is up to you. I can email you the instructions and you can run the upgrade yourself; it should take about 2 hours. Or I can do it for you.” By giving options, the other person feels like they are in control. Then, by giving one complicated option, and one simple option, they may concede to the simple option because it is so much easier. Now imagine how powerful this would be when leveraged maliciously by a professional social engineer! Clearly, concession tactics are worth learning about.

Resisting Concession Tactics

The first thing we need to do in order to resist concession tactics is to be aware of what they are. Reading this article is already the first step! Now that you understand just how concession works, you will be more likely to identify these techniques in real time. What if you can’t consciously identify these techniques, though? Remember to always trust your gut instincts. Often, once we know of something, we can subconsciously identify it even if we can’t quite name what is happening. This is true for social engineering tactics as well, including concession. Knowing this, we can trust ourselves when something feels off during a conversation. Do not be afraid to pause and give yourself a moment to process what is happening. Many times, this is the key to us protecting our information and ourselves from social engineering techniques.

Stay Secure

Awareness is the first step in any security program. It is imperative to know and understand the tactics the threat actors will use to social engineer us. Remember to trust your gut instincts and always give yourself a moment to gather your thoughts and check in with your feelings. Being aware of the concession tactic and checking in with yourself will help you keep yourself and your information secure.

Written by Shelby Dacko
Human Risk Analyst at Social-Engineer, LLC