Social Engineering & Phishing/Social Engineering Principles

Social Engineering Principles

Social engineering is the set of techniques adversaries use to influence people into revealing sensitive information or performing actions that weaken security. It targets humans — the part of the system that can be pressured, rushed, or socially coerced.

This course focuses on defensive understanding: how these attacks work, how to recognize the psychological trigger being used, and what practical verification steps and technical controls reduce risk.

A professional SE engagement should always close the loop with concrete mitigations and learning.

Cialdini’s 6 influence principles

Robert Cialdini identified six universal influence levers that attackers can abuse:

Defense trick: identify the trigger (authority, urgency, etc.), then switch to verification out-of-band.

Principle	Description	Common manipulation pattern
Reciprocity	We feel pressure to return favors	A request framed as “I helped you, now you should help me”
Commitment/Consistency	We try to stay consistent with past actions	Start with a tiny, harmless ask, then escalate
Social proof	We follow what others appear to do	“Everyone already did it” or “most employees have complied”
Authority	We comply with perceived authority	Impersonation of leadership, IT, finance, or auditors
Liking	We help people we like or identify with	Rapport-building before a sensitive request
Scarcity/Urgency	We act faster under time pressure	Short deadlines, threats of consequences, “act now” framing

Cialdini psychologie influence

Common cognitive biases attackers exploit

Authority bias

People tend to comply with someone they perceive as legitimate authority. That’s why impersonation of “IT”, “Finance”, or “Leadership” is so common.

Urgency and fear

Under stress, the brain shortcuts critical thinking. “Your account is compromised — act now” aims to trigger emotion before analysis.

Over-trust in familiar cues

We trust what feels familiar: logos, professional language, plausible context.

Cognitive overload

An overloaded employee handling 200 emails/day is more likely to misjudge a suspicious message.

Types of social engineering attacks

Type	Vector	Example (high-level)
Phishing	Email	Generic message pushing an urgent action via a link
Spear phishing	Targeted email	Personalized context to look internal/legitimate
Whaling	Executive targeting	High-impact request aimed at decision-makers
Vishing	Phone	Impersonation + pressure over a live call
Smishing	SMS	Short message with a link or callback request
Pretexting	Any	A believable story + role to justify a sensitive ask
Baiting	Physical/digital	A “tempting” lure that triggers unsafe behavior
Quid pro quo	Phone/email	Offer of help in exchange for sensitive action

phishing spear phishing pretexting vishing

The SE engagement cycle (defensive view)

An authorized awareness simulation (or a real-world attacker) often follows a cycle like this:

1. Reconnaissance → Understand environment and likely targets
2. Preparation    → Build a story and test assumptions (authorized scope only)
3. Approach       → Initial contact (email/call/message)
4. Outcome        → Measure behavior (click, report, escalation path)
5. Improvements   → Document evidence and deploy mitigations

Legal and ethical guardrails (GDPR + authorization)

⚠️ Always work within an explicitly authorized legal framework.

Before any awareness simulation:

Get written authorization (Rules of Engagement)
Define the scope (who can be included, which vectors are allowed)
Define limits (no real credential collection, no real compromise)
Plan an emergency stop mechanism if someone is distressed or harmed

legal Rules of Engagement GDPR

Flashcards

Flashcard

Which Cialdini principle is used when a message pressures you with a short deadline?

Flashcard

What’s the difference between phishing and spear phishing?

Flashcard

What is pretexting?

Practice exercise (defensive)

Analyze 3 real phishing examples (from public datasets)
For each: which Cialdini principle is being used?
Which cognitive bias is primarily targeted?
Identify indicators (sender domain, reply-to, URLs, urgency language)
Write a mini “awareness note” explaining the cues and what to do next

Exercises

Exercise 1 — Message analysis checklist

Create a simple checklist (max 6 criteria) to analyze a suspicious email/SMS/call. Apply it to 3 examples and conclude: risk, warning signals, recommended action.

Open Questions

Why do Cialdini principles still work even on “trained” people?

Next Lesson

You now understand the psychological foundations of social engineering. The next lesson moves to defensive OSINT: learning how publicly available information becomes risk, and how to audit your organization's exposure.

Next: OSINT Hygiene (Defensive)

Social Engineering & Phishing/Social Engineering Principles

Social Engineering Principles

A professional SE engagement should always close the loop with concrete mitigations and learning.

Cialdini’s 6 influence principles

Robert Cialdini identified six universal influence levers that attackers can abuse:

Defense trick: identify the trigger (authority, urgency, etc.), then switch to verification out-of-band.

Principle	Description	Common manipulation pattern
Reciprocity	We feel pressure to return favors	A request framed as “I helped you, now you should help me”
Commitment/Consistency	We try to stay consistent with past actions	Start with a tiny, harmless ask, then escalate
Social proof	We follow what others appear to do	“Everyone already did it” or “most employees have complied”
Authority	We comply with perceived authority	Impersonation of leadership, IT, finance, or auditors
Liking	We help people we like or identify with	Rapport-building before a sensitive request
Scarcity/Urgency	We act faster under time pressure	Short deadlines, threats of consequences, “act now” framing

Cialdini psychologie influence

Common cognitive biases attackers exploit

Authority bias

People tend to comply with someone they perceive as legitimate authority. That’s why impersonation of “IT”, “Finance”, or “Leadership” is so common.

Urgency and fear

Under stress, the brain shortcuts critical thinking. “Your account is compromised — act now” aims to trigger emotion before analysis.

Over-trust in familiar cues

We trust what feels familiar: logos, professional language, plausible context.

Cognitive overload

An overloaded employee handling 200 emails/day is more likely to misjudge a suspicious message.

Types of social engineering attacks

Type	Vector	Example (high-level)
Phishing	Email	Generic message pushing an urgent action via a link
Spear phishing	Targeted email	Personalized context to look internal/legitimate
Whaling	Executive targeting	High-impact request aimed at decision-makers
Vishing	Phone	Impersonation + pressure over a live call
Smishing	SMS	Short message with a link or callback request
Pretexting	Any	A believable story + role to justify a sensitive ask
Baiting	Physical/digital	A “tempting” lure that triggers unsafe behavior
Quid pro quo	Phone/email	Offer of help in exchange for sensitive action

phishing spear phishing pretexting vishing

The SE engagement cycle (defensive view)

An authorized awareness simulation (or a real-world attacker) often follows a cycle like this:

1. Reconnaissance → Understand environment and likely targets
2. Preparation    → Build a story and test assumptions (authorized scope only)
3. Approach       → Initial contact (email/call/message)
4. Outcome        → Measure behavior (click, report, escalation path)
5. Improvements   → Document evidence and deploy mitigations

Legal and ethical guardrails (GDPR + authorization)

⚠️ Always work within an explicitly authorized legal framework.

Before any awareness simulation:

Get written authorization (Rules of Engagement)
Define the scope (who can be included, which vectors are allowed)
Define limits (no real credential collection, no real compromise)
Plan an emergency stop mechanism if someone is distressed or harmed

legal Rules of Engagement GDPR

Flashcards

Flashcard

Which Cialdini principle is used when a message pressures you with a short deadline?

Flashcard

What’s the difference between phishing and spear phishing?

Flashcard

What is pretexting?

Practice exercise (defensive)

Analyze 3 real phishing examples (from public datasets)
For each: which Cialdini principle is being used?
Which cognitive bias is primarily targeted?
Identify indicators (sender domain, reply-to, URLs, urgency language)
Write a mini “awareness note” explaining the cues and what to do next

Exercises

Exercise 1 — Message analysis checklist

Create a simple checklist (max 6 criteria) to analyze a suspicious email/SMS/call. Apply it to 3 examples and conclude: risk, warning signals, recommended action.

Open Questions

Why do Cialdini principles still work even on “trained” people?

Next Lesson

Next: OSINT Hygiene (Defensive)