Hacking Humans: Social Engineering and the Psychology

Jan 23 2026
By: John Wotton • 12 min read

TL;DR: Social engineering engagements are, in my opinion, the most exciting and heart-pumping kind. Access doesn’t begin at the badge reader or the front desk; it is granted the moment someone makes a decision. The cameras work. The badges work. The locks work. Failure happens when an employee decides: “Does this person belong here, or are they an intruder?” Operators don’t need to force their way in; they only need to convince others to let them in. This topic is probably my favorite because it is the most difficult to fix.

Recognizing the Patterns

The operator collects open-source intelligence (OSINT) about the target, its employees, and the organization before the engagement begins. Operators search sites like LinkedIn, Facebook, Instagram and Glassdoor, which reveal public profiles, interests, routines, check-ins, online posts, who just started a new role, when someone goes on vacation, and which employee openly posts about being overwhelmed. Most of this information is publicly available to the operator:

  • Predictable daily patterns (movement patterns, arrival, and exit times)
  • Public posts about travel, conferences, complaints, comments, or vacations
  • Names of coworkers, managers, or departments
  • Third-party relationships with contractors or other services
  • Personal interests and hobbies (pets, sports, cars, etc.)
  • Uniforms, equipment, tools, or bags that look familiar in the workplace
  • Meeting and training days that leave access points open
  • Distractions in the workplace such as small talk, headphones, and smoke breaks
  • Photos and posts showing badges, floor names, room IDs, entrances, or parking

Information Equals Access

  • People arrive in a rush → Enter with the rush → Security wants to keep the line moving

  • Someone important is away or traveling → Show up while they’re gone → No one with authority is there to question it

  • Real names of managers or staff → Mention those names casually → Sounds like permission without proving it

  • Which vendors or services are common → Pretend to be from one of them → Looks normal because it’s familiar

  • Someone’s hobbies or interests → Use small talk to feel relatable → People trust who feels like them

  • Complaints about being busy or understaffed → Offer to “fix the problem” → People let in help when they feel overwhelmed

  • What uniforms, tools, or bags look normal → Carry something similar → People trust the item, not the person

  • When meetings or training pull staff away → Go through while checkpoints are empty → No one is watching at the moment that matters

  • Everyone holds the door → Piggyback someone inside → The habit overrides the rule

  • Photos that show badges, rooms, or locations → Walk with confidence like they know where to go → Movement looks right, so no one questions it

Reading the Environment

The operator does not always need to rely on creating a persona or “playing a character.” They can simply learn how people inside the organization normally behave and interact. Every workplace develops its own rhythms and habits. The goal is to blend into those patterns rather than deviate from them. Successful movement is achieved by operating in a way the organization already expects and accepts. The operator should ask themselves these questions:

  • Are most people alert or distracted?
  • How do people naturally move within the organization?
  • Is showing your badge treated as a suggestion rather than a rule?
  • Where is attention focused?
  • Who decides the mood of the environment?
  • Is this a fast environment?
  • Is this a slow environment?
  • Is this an organized environment?

Note

This is where automation bias comes in. The brain trusts what feels normal before it checks if it’s correct. When the operator moves at the right pace and looks like they already know where they’re going, people will assume the operator belongs. Research on automation bias shows that when something fits an expected pattern, the brain accepts it automatically instead of verifying it.

Defender tip

If the operator moves in a way that breaks the patterns of the organization, then you must be willing to question that person’s identity.

Why Organizations Still Fail

Organizations generally fail against social engineering because, in practice, identification is done by people reading behavior rather than by technology. Badge readers, cameras, and visitor sign-ins are reliable, but they do not defend against a polite operator acting as an elevator technician and asking employees to scan their badges to reach their floor, which I did in fact do on an engagement. Most people are not intentionally ignoring the organization’s policy; most are going with the flow (they work and live their lives). They choose what feels safe and secure, not what is detailed within the organization’s policy. Here are some reasons people ignore policy, and the blind spots that result:

  • Staying on task with work
  • A desire to avoid disrupting others
  • Continuing their daily flow
  • Assuming that someone else already confirmed identity
  • Shift changes
  • Returning from lunch
  • Deliveries of packages
  • High-attendance meetings
  • Contractor or onboarding days

Note

Human Reliability Analysis (HRA) (https://www.nrc.gov/docs/ml1025/ML102560372.pdf), from the U.S. Nuclear Regulatory Commission (NRC) and the Electric Power Research Institute (EPRI), tells us why trained people make predictable mistakes: errors often occur when someone is in a routine and their attention is already somewhere else. Routines are natural to people, and this is why security fails. The NRC/EPRI states that “human error isn’t random, it appears when workload, context, and routine line up to create the error.”

The Human Vulnerability Stack

Exploiting human behavior is almost always successful in physical engagements. People are not careless; they want to move on in their daily life. They are walking to a meeting, juggling messages, thinking about work, personal life, or just trying to get through their day. In this environment, security becomes something they assume someone else will handle. The operator holds the advantage because people want to keep things moving.

Avoidance

Most people would rather avoid awkward situations, and stopping someone they have never seen before feels wrong. Could you imagine interrupting a stranger in the middle of a work day when that person just happens to outrank you? The operator only needs to look like they belong in the environment and make confrontation feel uncomfortable for the person considering it. What stops people from speaking up:

  • Not wanting to accidentally accuse someone who belongs there
  • Assuming someone else will handle it

Policy says “challenge unknown individuals,” but instinct says “don’t.”

Authority

If someone walks through the door, dresses like management, talks like management, and carries the items management carries, people will most likely assume they are management. The operator only needs to be aware of their surroundings and not push their “authority” too far. The operator can also take this in a different direction and look like someone who is not part of the organization but still carries authority (e.g., security, police officers, lawyers, construction). What conveys authority without evidence:

  • The person sounds like they belong
  • The person behaves like they have been here before
  • Their body language says confidence

Routine

Most people have a daily routine, and we really don’t like deviating from it. Some examples that are probably happening in any workplace: holding a door open for the person behind you in the morning rush, smoke breaks, and small talk all lead to initial access. Routines are great for operators; they just watch and learn the routine and do as everyone else does. How routine gets leveraged:

  • People see a badge and let it pass without actually looking at it
  • Someone holds the door because closing it feels rude
  • Movements look normal, so no one stops to verify
  • It worked before, so everyone assumes it’s still safe now
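A defender-side counterpart to the list above, added here as an example and not part of the original post: a small detector that runs over a constructed badge-reader log (the line format, door names and badge numbers are all assumptions, not any real product’s schema) and flags the habits this section describes, a door opened on one badge while two people cross, a door held open longer than policy allows, and a door that opens with no badge presented at all. It is meant to show that the “someone held the door” moment leaves a trace that can be reviewed, even when nobody on the floor spoke up.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed log format (assumption; real access-control systems use their own schemas):
#   <ISO timestamp> door=<id> event=<BADGE_OK|DOOR_OPEN|ENTRY_SENSOR|DOOR_CLOSE> [badge=<id>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) door=(?P<door>\S+) event=(?P<event>\S+)(?: badge=(?P<badge>\S+))?$"
)

# Constructed sample: one clean entry, one tailgate, one held door, one door opened with no badge.
SAMPLE_LOG = """\
2026-01-23T08:02:11 door=LOBBY-T1 event=BADGE_OK badge=1042
2026-01-23T08:02:12 door=LOBBY-T1 event=DOOR_OPEN
2026-01-23T08:02:13 door=LOBBY-T1 event=ENTRY_SENSOR
2026-01-23T08:02:15 door=LOBBY-T1 event=DOOR_CLOSE
2026-01-23T08:05:40 door=LOBBY-T1 event=BADGE_OK badge=2210
2026-01-23T08:05:41 door=LOBBY-T1 event=DOOR_OPEN
2026-01-23T08:05:42 door=LOBBY-T1 event=ENTRY_SENSOR
2026-01-23T08:05:44 door=LOBBY-T1 event=ENTRY_SENSOR
2026-01-23T08:05:46 door=LOBBY-T1 event=DOOR_CLOSE
2026-01-23T08:30:02 door=SERVER-RM event=BADGE_OK badge=2210
2026-01-23T08:30:03 door=SERVER-RM event=DOOR_OPEN
2026-01-23T08:30:04 door=SERVER-RM event=ENTRY_SENSOR
2026-01-23T08:30:20 door=SERVER-RM event=DOOR_CLOSE
2026-01-23T08:41:00 door=SIDE-EXIT event=DOOR_OPEN
2026-01-23T08:41:01 door=SIDE-EXIT event=ENTRY_SENSOR
2026-01-23T08:41:03 door=SIDE-EXIT event=DOOR_CLOSE
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into event dicts, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    # ISO-8601 timestamps sort correctly as strings
    return sorted(events, key=lambda e: e["ts"])


def _fresh_state() -> Dict:
    return {"badges": [], "crossings": 0, "opened": None}


def find_access_anomalies(events: List[Dict[str, str]], hold_limit_s: float = 10.0) -> List[Dict[str, str]]:
    """Walk each door's open/close cycles and report three kinds of finding:
    TAILGATE (more entry-sensor crossings than badges presented), DOOR_HELD
    (door open longer than hold_limit_s), OPEN_WITHOUT_BADGE (no badge before the open)."""
    findings: List[Dict[str, str]] = []
    state: Dict[str, Dict] = {}
    for e in events:
        door = e["door"]
        s = state.setdefault(door, _fresh_state())
        if e["event"] == "BADGE_OK":
            s["badges"].append(e["badge"])
        elif e["event"] == "DOOR_OPEN":
            s["opened"] = datetime.fromisoformat(e["ts"])
            if not s["badges"]:
                findings.append({"door": door, "kind": "OPEN_WITHOUT_BADGE", "at": e["ts"],
                                 "detail": "door opened with no badge presented"})
        elif e["event"] == "ENTRY_SENSOR":
            s["crossings"] += 1
        elif e["event"] == "DOOR_CLOSE":
            closed = datetime.fromisoformat(e["ts"])
            # Only count a tailgate when at least one badge was presented; a badge-less
            # open was already reported above and would otherwise be flagged twice.
            if s["badges"] and s["crossings"] > len(s["badges"]):
                findings.append({"door": door, "kind": "TAILGATE", "at": e["ts"],
                                 "detail": f"{s['crossings']} crossings on {len(s['badges'])} badge(s): "
                                           f"{', '.join(s['badges'])}"})
            if s["opened"] is not None:
                held = (closed - s["opened"]).total_seconds()
                if held > hold_limit_s:
                    findings.append({"door": door, "kind": "DOOR_HELD", "at": e["ts"],
                                     "detail": f"open for {held:.0f}s (limit {hold_limit_s:.0f}s)"})
            state[door] = _fresh_state()
    return findings


if __name__ == "__main__":
    for f in find_access_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{f['at']} {f['door']:<10} {f['kind']:<19} {f['detail']}")
```

The point of reviewing these findings is the outbrief, not the punishment: a TAILGATE on a badge tells you which polite employee held the door and which door, which is exactly the teaching moment the later "Responsibility" section argues for.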

Apprehension

Some people would rather avoid awkward situations. I definitely would. Personally, I couldn’t imagine myself publicly verifying whether someone is legitimate in my workplace. Allowing them to continue feels comfortable and safe because “what if that person is more important than me? And what are the consequences if they are?” The operator benefits from that. They only need to appear like someone it would be uncomfortable to interrupt.

Complete The Story

When something does not quite add up, sometimes you may notice your mind tries to fill in the blanks to complete the story. If someone walks in with a clipboard, most people will assume they must have a task to complete. If they carry a laptop bag, they might assume they work here. The operator does not need to create a perfect story. The mind of the person watching will finish it for them. How the mind completes the picture:

  • Laptop bag + badge on a lanyard → They work here
  • They work here → They must have credentials
  • They have credentials → They can be in this area
  • They can be in this area → This isn’t my problem to verify

Believability, Props and Language

Believability

As operators, we just need to look like we belong in the environment. If we accomplish this, then most people won’t bat an eye. They will assume we’re legitimate and continue their day. A good example is, on a recent engagement, I entered through a door and noticed an employee saying good morning to everyone. I simply followed his lead and did the same. 

Props

Props are useful because they complete a story in someone’s mind. You can think of them as shortcuts the brain uses to categorize (e.g., employee, manager, construction). The operator does not need the perfect object; they just need the object that helps the brain finish the sentence on its own.

Props do the work:

  • Holding a clipboard → They’re here for something → They’re supposed to be here → No reason to stop them

  • Toolbox or equipment → They’re fixing something → It’s already approved → Let them through

  • Laptop bag + visible lanyard → They work here → They have access → They belong in this area → Not my job to verify

  • Delivery uniform + package → They’re dropping something off → It’s been cleared → Just keep moving

Language

Language is critically important. For an operator, the most nerve-wracking moment is when someone confronts you, or when you really need to interact with someone to gain access. It can literally be the deciding moment between getting caught and moving further. The fastest way to stand out is to use language that doesn’t make sense in the organization, and the fastest way to blend in is to speak the way people inside already speak. Some tips for operators:

  • Use the same words as someone who works here (i.e., research the industry’s jargon)
  • Speak like someone who needs help (people are more inclined to lower their guard when asked for help)
  • Internal language asks where something is
  • External language asks how something works
  • Internal language assumes access exists
  • External language asks permission to have it

Note

The Swiss Cheese Model (https://pmc.ncbi.nlm.nih.gov/articles/PMC1117770) is a framework for understanding how multiple small failures combine into a larger one. It was proposed by Professor James Reason, a cognitive psychologist specializing in human factors and accident analysis, and is used in fields like aviation, engineering, and healthcare to explain how everyday conditions and routine oversights can accidentally create larger issues. Picture each control (badge checks, the front desk, and so on) as a slice of cheese meant to stop the operator. Each slice has small holes caused by distractions, assumptions, timing, workload, or trust. When those holes line up, the operator has a straight path through the system.
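To make the Swiss Cheese Model and the HRA note above concrete, here is an added example (not from the original post and not from Reason’s or the NRC/EPRI’s own methods) that models each control as a slice with a miss probability, applies multipliers for the conditions the post lists (a morning rush, a familiar-looking prop, an understaffed floor), and multiplies the slices to get the chance of a straight path through. Every layer name, probability and multiplier is a constructed illustration, not measured data; the useful output is the ranking, which shows that a single condition touching two slices at once (the rush hits both the front desk and the turnstile) does more damage than any condition confined to one slice.

```python
from math import prod
from typing import Dict, Iterable, List, Set


class Layer:
    """One slice of cheese: a control that should stop an unauthorized person.

    base_miss is the probability the control misses an intruder under ideal
    conditions; shaping maps a workplace condition (workload, routine, a
    familiar prop) to a multiplier applied when that condition is active.
    All numbers in this file are constructed for illustration.
    """

    def __init__(self, name: str, base_miss: float, shaping: Dict[str, float]):
        self.name = name
        self.base_miss = base_miss
        self.shaping = shaping


def miss_probability(layer: Layer, active: Set[str]) -> float:
    """Per-slice miss probability after applying the active conditions, capped at 1.0."""
    p = layer.base_miss
    for condition, multiplier in layer.shaping.items():
        if condition in active:
            p *= multiplier
    return min(p, 1.0)


def path_through(layers: Iterable[Layer], active: Set[str]) -> float:
    """Probability every hole lines up, i.e. the operator passes every slice.

    Assumes slices miss independently once the shared conditions are fixed;
    the shared conditions are what correlate the holes.
    """
    return prod(miss_probability(layer, active) for layer in layers)


def condition_impact(layers: List[Layer], conditions: Iterable[str]) -> Dict[str, float]:
    """End-to-end pass probability with each condition active on its own.

    Ranking these tells a defender which condition to mitigate first.
    """
    return {c: path_through(layers, {c}) for c in conditions}


# Hypothetical layers and conditions, chosen to illustrate the model.
LAYERS = [
    Layer("front desk sign-in", 0.05, {"morning_rush": 4.0, "familiar_prop": 3.0}),
    Layer("badge turnstile", 0.10, {"morning_rush": 5.0, "door_held_habit": 2.0}),
    Layer("employee challenge on the floor", 0.30, {"authority_look": 2.0, "understaffed": 2.0}),
    Layer("escort / visitor policy", 0.20, {"contractor_day": 3.0}),
]
ALL_CONDITIONS = {
    "morning_rush", "familiar_prop", "door_held_habit",
    "authority_look", "understaffed", "contractor_day",
}

if __name__ == "__main__":
    print(f"ideal day:          {path_through(LAYERS, set()):.4f}")
    print(f"morning rush only:  {path_through(LAYERS, {'morning_rush'}):.4f}")
    print(f"everything aligned: {path_through(LAYERS, ALL_CONDITIONS):.4f}")
    ranked = sorted(condition_impact(LAYERS, ALL_CONDITIONS).items(), key=lambda kv: -kv[1])
    for cond, p in ranked:
        print(f"  {cond:<16} alone -> {p:.4f}")
```

On the constructed numbers the ideal-day path is 0.0003, a morning rush alone raises it twenty-fold to 0.006, and with every condition active two slices saturate at 1.0 and the path is 0.36. The shape of the result, not the numbers, is the lesson: mitigations that remove a shared condition (staffing the desk during the rush, closing the turnstile gap) shrink the product more than hardening any one slice.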

Defender Tip

Question the situation, not the person. Even when something makes someone look legitimate, you should still feel comfortable verifying who they are.

Responsibility and the Turning Point

Responsibility

I’d like to leave management with this note: I’ve personally given many outbriefs, and some managers single out their employees for punishment. I’m not telling management how to manage employees, but I guarantee you operators could do the same to management personnel as they did to the employees. Management has a responsibility to teach and train employees on social engineering. An employee holding the door open for an operator is not a failure; this is someone who genuinely thinks they are doing a kind gesture. This is something to document, and the correct response in that scenario would be to stop the individual, request identification or badge presentation, and verify that they are authorized to enter. This is where security and humans collide. The job of the operator is to report it, teach from it, and help the organization improve through learning rather than punishment.

The Turning Point

My conclusion is that we are at a turning point: security technology keeps improving (badges, biometrics, check-ins, and even AI-assisted systems) and, while these tools help, they do not replace people. Someone still has to make a decision and ask themselves whether to speak up or stay on the same path and ignore the situation. Defending against social engineering is difficult, but training and practice in the workplace are essential to preventing it. Technology can assist security, but it cannot make the decision for someone.