Most social engineering attacks share some basic components that enable them to be so effective. Some of those components are:
- Target evaluation: In many cases, attackers with specific targets in mind will evaluate those targets and determine how susceptible they are to specific types of social engineering. They will also evaluate the target's general level of awareness of computing technology and cybersecurity.
- Pretexting: Attackers will communicate, whether directly or indirectly, a lie, half-truth, or sin of omission in order to get someone to believe a falsehood. This belief may spur the victim into committing an action they had not intended or that runs counter to their interests.
- Psychological manipulation: Attackers exploit humans' willingness to place trust in others and prey upon the flaws in their decision-making, which is sometimes erroneous. Attackers also exploit the cognitive biases inherent in all people to craft more effective and targeted attacks.
- Building relationships: The more comfortable and friendly a victim is with the attacker, the more likely they will trust the attacker. Attackers may therefore try to get to know their target on a personal level.
- Motivation: Attackers will try to motivate their target to take some action that will ultimately benefit the attacker.
In order to motivate their target, a social engineer will rely on one or more of the following techniques:
- Authority: People tend to obey authority figures even when they know the requested action is ethically dubious or counter to their own interests. They also tend to defer to authority figures when they lack enough information to assess a situation accurately. An attacker posing as an authority figure, such as a police officer, is therefore often more successful at enticing a victim to perform an action they shouldn't.
- Scarcity: People tend to attach undue value to objects or ideas that are uncommon or otherwise difficult to obtain. A "secret" or "exclusive" item is more enticing to the victim than something they encounter every day. For example, the attacker may claim to reward a victim with a unique collectible that they cannot acquire anywhere else.
- Urgency: This is similar to scarcity, but with a time element involved. An attacker might encourage a victim to act quickly, lest the victim miss their opportunity to acquire something. For example, a "limited time offer" is more likely to pique a victim's interest.
- Social proof: This is similar to the concept of conformity, in which people tend to mirror the actions of others because they want to fit in. If a victim sees, or believes they see, an attacker engaging in some behavior, they may engage in that behavior themselves. This is more effective if the behavior is exhibited by a group of people whom the victim trusts. For example, a group of attackers working in concert may install a fake "antivirus" program on their computers, and the victim may decide to do the same in order to appear competent to their peers.
- Familiarity and liking: People are more likely to listen to someone and comply with their requests if they feel an affinity toward them. They may see themselves in the other person, such as someone who has a similar speech pattern. Or, the other person may represent an ideal, such as someone who is physically attractive. Attackers can leverage this by being charming and persuasive toward specific people.
- Fear: Because fear is such a visceral emotion, it can motivate people to act in ways they normally wouldn't, just to purge themselves of that fear. Fear of loss is especially powerful. Attackers often use fear tactics to convince a victim that they will lose money or access if they do not comply.