Do you think you know what social engineering is all about? Maybe you do. Or maybe you only know what the best social engineers want you to know about their craft. In my studies of social engineering over the years, I've found a number of myths that surround it and its practice. Let's see how many of your assumptions are correct.
Myth #1 – Social engineering is tricking people into giving up information
This is akin to the debate about hacking versus cracking. Cracking is hacking in the sense that much of it is a subset of hacking, but it is neither equivalent to nor completely separate from hacking. It is, however, appropriate to refer to most forms of cracking as hacking since it is a subset of it (just as every car is a vehicle but not every vehicle is a car).
The same sort of argument arises between social engineering purists and those in the field of security. Most security experts, when talking about social engineering, are talking about using it to trick people into giving up passwords or other sensitive information, which leads to other information, and so on. With that being said, social engineering purists tend to take that personally because it is only a small part of their discipline. As the name implies, social engineering, in a broader sense, is any method of intentionally altering the behaviors that exist between two or more people. In this more general sense, social engineering is an art form employed by people in roles ranging from teacher to politician.
Myth #2 – Social engineering is just "lying your ass off"
Many self-proclaimed social engineers will tell you this, but of course it isn't true. In fact, the majority of social engineering that takes place in the world around us has absolutely nothing to do with dishonesty. It's more a matter of presentation.
In some scenarios, there is no truth or dishonesty involved in manipulating an outcome. In particular, a philosophy is neither a truth nor a lie because it would not be a philosophy if it could be definitively proven or disproven. As an example, consider a situation like the impeachment of President Clinton. What were the facts in that scenario? He had sexual relations with a woman he wasn't married to at the White House and lied about it under oath in a court. These facts weren't argued by anyone. Rather, the debate was whether or not he should be removed from office for it. Both sides argued philosophical points, but neither had to lie (whether they did or not).
In other scenarios, information is selectively included or left out. If a man cuts another man's head off and buries it in the woods, he certainly committed murder, right? But then again, what if it turned out that the man he killed had raped and murdered his daughter years before? Selectively presenting this information could sway nearly anyone in his or her opinion of the father's deeds.
In still other scenarios, the reaction of a person depends solely on his or her perspective. Sometimes people will lie to change someone else's perspective, but it's not precisely a lie if they don't realize that what they are saying isn't accurate. From one person's perspective, his or her car might have been stolen. From someone else's, it might have been commandeered by a police officer. Perspective, in this case, completely determines what happened but doesn't make either person's perceptions true or untrue.
Myth #3 – Social engineering is always done one-on-one
Social engineering, as I implied before, is a much broader topic than most people give it credit for. Again, in the sense of security, most people think of it as a one-on-one activity and with good reason. It's analogous to the way a computer system is typically hacked into: a single weak point is found in the overall security of that system and the entire attack is focused on it, either to take full control or to move to the next step in taking full control. For the very same reasons, penetration testing with social engineering will, more often than not, focus on individuals each step along the way.
Conversely, there are cases where the individual is not the focus but rather a group is seen as a single entity. In some such cases, a body politic is looked at similarly to a modular program where each function or procedure has its own purpose but that purpose is only useful in the grand scheme of the overall software. The great manipulators of the world use this approach all the time and most of us never realize they are consciously doing it. If you want a common example of this, take a look at the way many young girls will deal with people they don't like. Boys may fight and wrestle, but a manipulative girl will turn everyone she knows against her target using different techniques for each.
Another case where the group is exploited sees the group not as a body politic but simply a whole made of a set of identical parts. In much the same way a well-trained dog will maneuver an entire herd of animals as if the herd were a single creature, large groups of people can be swayed by emotional demagoguery. Sure, everyone is different, but in some settings it's easier to manipulate people all at once and in an overt manner. In groups, people are more easily swayed because they are no longer concerned solely with what they believe and feel but also with what they think their peers will believe and feel. People aren't easily influenced as a group when it comes to logic, but once you appeal to their emotions and the desire to fit in, you have a powerful weapon at your disposal. One of my favorite illustrations of this is from a study done in colleges many years ago. In experiments, teachers would give their entire classes sheets of paper with three pairs of lines. One pair was exactly the same length but the others were of different lengths. The pairs were in the same order on the sheets given to all but one of the students. Once the teacher instructed the students to find the pair of the same length, he or she would have the students raise their hands and vote for the pair that looked the same. What the study found was that roughly a third of the people with the different sheet would vote with the group. You may be thinking that a third isn't even half so this isn't a big deal. On the contrary, consider the fact that this one student, in each case, could tell without a doubt which answer was correct. If a third of the people can be swayed on a matter that concrete, then imagine how easily people can be manipulated in cases where there are patches of doubt.
Myth #4 – Social engineering works best when you intimidate people
When you see social engineering showcased in a movie or a demonstration, you typically will see someone making a call to some complete idiot and talking over his head, using big words and an aggressive tone. There is no denying that this can be a useful tactic, but it certainly isn't the rule.
The best social engineers in the world are great not because of what they do but because of what they see. They get an intuitive sense of a person's personality more quickly than the average person, either through verbal and visual cues or by pure instinct. Once they have a fix on the person in question, they can use emotions ranging from fear to anger and behavior ranging from assertiveness to complete insecurity. Just think about the things that motivate you and how differently those same things affect your friends and family.
My favorite example of this can be seen in action in the workplace. Most people in positions of authority who do the hiring and firing fall into one of two categories. The first category includes those who are insecure and mask that insecurity by surrounding themselves with employees who either have weak personalities or are simply poor employees. These are the kind of bosses that you have to trick into coming up with new ideas because if you say you have an idea, they will dismiss it out of fear of looking bad. The second category includes bosses who are more secure in themselves and their own abilities. They tend to surround themselves with the most competent people they can find and won't think twice about hiring the guy who is smarter, better looking, and more educated than themselves. These are the bosses who tend to encourage new ideas and input from those working under them. Both kinds of bosses can be swayed, but different approaches must be used and neither involves intimidation.
Myth #5 – Socially engineering members of the opposite sex works best if you are flirtatious
One of the most common social engineering methods out there is flirting. Anyone can do it and many people learn how to do it at a very young age. It can, however, backfire. The way people react to specific stimuli is more dependent on experience than any other factor, including gender.
The average person will react positively to a person who flirts with them, but only at first. Eventually, most people will catch on to the fact that they are just being played. Surprisingly to many, people will get to the point where any sort of flirtation is an immediate turn-off. Common desires can suddenly take a backseat to years of conditioning that have taught you that nobody flirts unless he or she wants something out of you that they wouldn't normally get. If you don't believe me, just look at how many men and women are attracted to the people who totally ignore them.
Besides, flirting is too obvious. Social engineering works best when it isn't obvious.
Conclusion
Social engineering, in all its forms, is both an art and a science. As with any science, there certainly are some useful rules. But in spite of them, art has a way of finding a way around the rules that science constructs.

Rollie Hawk is a consultant, web publisher, online personality, magazine writer, web developer, network administrator, teacher, husband and father residing in southern Illinois. He graduated in 2002 from Southern Illinois University, earning his BS majoring in math with a minor in chemistry.