
Social Engineering or: How I Learned to Love a Flash Sale

Disclaimer: This was originally written as a blog post for a social engineering graduate class. It was developed to provide non-InfoSec and everyday folks with an explanation of what social engineering is. Hopefully, something that could be given to your parents or the grandmother that just got hired on at your company.

There's a misconception that social engineering is only used by nation-state actors, thieves, and used-car salespeople. What people miss is that social engineering is all around us. It's in the media we consume, the habits we have, and the bonds we form with people. By demystifying social engineering, we can help people understand that this isn't some fringe concept employed only by the mischievous and malevolent, but something that is used by everyone. It's easier to guard yourself against the everyday spring rain shower than it is against a nuclear holocaust.


Each of us can probably remember a time we fell for the "Call within the next 5 minutes!" commercial or the "Flash Sale! Today Only!" offer at our favorite clothing store. It might surprise some people to learn that this common marketing technique is just another form of everyday social engineering. In social psychology it is called the scarcity principle: the tendency of people to place a higher value on resources that are in short supply. We've all seen the wild blitz that is Black Friday, one of the biggest events of the season for "getting the best deal of the year" and beating the crowd to that one prized purchase. While you can find deals all holiday season, marketing departments would love to have you believe that only on Black Friday will you get the best price. By creating the feeling that only on Black Friday will you get the best sale of the year, and that if you come in later you will miss out, companies manufacture an air of scarcity.

Of course, while a hacker might not be trying to convince you to buy a new TV, they might just as easily be trying to convince you to send them your personal information. Recently there has been an influx of auto warranty scams. Many of these calls begin with the line "This is your final call regarding your expiring auto warranty," sending whoever picked up the phone scrambling for their information, thinking this is their last chance to correct an issue with their car's warranty. The similarities between these auto warranty scams and marketers' flash sales are uncanny. Scammers are employing the same techniques to rob you of your personal information that marketing departments use to pry open your wallet. The artificial deadline is the tell in both cases: a company that genuinely holds your warranty or your account can wait while you hang up and call back on a number you already have.


Have you ever needed a favor from a friend and tried to flatter and sweet-talk them before asking for what you needed? We can all picture the child telling their parents how much they love them right before asking for ice cream. We're all guilty of it. We want people to like us, and we know that if they do, they are more likely to help us out. After all, when was the last time you went out of your way for someone you didn't like? Unsurprisingly, we don't normally think of this as social engineering, but in reality that is exactly what it is. Buttering someone up uses persuasion and social psychology to gain an advantage.

Unfortunately, criminals are using these techniques as well. To paint an example, imagine a friendly, smiling individual coming up to you and saying that they heard through the grapevine that you might be able to help them. They look kind and flatter you by letting you know how helpful your coworkers think you are. Their request that you print their resume from their flash drive seems a little strange, but the last thing you want is for them to think you're unhelpful. So far they have been cordial, pleasant, and complimentary. You plug in their flash drive, unknowingly installing a trojan, and print their resume for them. Strikingly, they have used the same techniques on you that the ice-cream-loving child used on their parents. The compliment is doing the real work: it raises the social cost of saying no to a request that, stripped of the flattery, you would have refused or routed through the normal channel.

Open Source Intelligence (OSINT)

Your child gets invited to a playdate with a new friend. For most of us, I'd imagine the first thing we would do is Google the friend's parents. You get invited on a date with someone you just met on Tinder. Wonder if they happen to be on Facebook? The latest water-cooler gossip is that Jim in accounting got a DUI this weekend. Think there's any chance it might show up somewhere online? For a lot of us, our first reaction is to Google, whether that is for how to fix a broken washing machine or for the details on this week's interviewee. It's relatively standard at this point to Google not only ourselves but each other. As a society we're always looking for just a bit more information, and if that means Googling someone, then grab a computer.

Following the same trend, malign actors are using the practices that we use on a daily basis. The difference between Googling Jim in accounting and what these malign actors are doing is that they use this information to find out details about you, me, and everyone else so that they can build a profile for targeted phishing. Knowing whether someone, for example, donates to a specific charity or plays in a local softball league, you can imagine how easy it would be to craft a directed phishing email asking them to confirm information about their latest donation or next weekend's softball match. What we do on a daily basis to follow up on the latest gossip is what criminals do every day to create more convincing ploys.

What can we do?

By recognizing that social engineering isn't some exotic practice employed only by spies and hardened criminals, we can begin to better guard against it. When you can recognize the techniques that are being used against us, and by us, on an everyday basis, you can far more easily recognize them when they are being used for harm. Knowing what is happening on Black Friday will help you understand what is happening when you get an automated call about your car warranty ending. It's not about fearing the everyday; it's about knowing that the same guard we keep up every day is the one that protects us from the extreme.