Social Engineering: The Science of Human Hacking
The complete human hacking framework — from OSINT and target profiling through influence, elicitation, and nonverbals, to the M.A.P.P. defense program. Hadnagy draws on Cialdini, Ekman, and Dreeke to build a science-grounded SE methodology.
- Apply the SE Pyramid: OSINT → profiling → pretext → rapport → elicitation → execution
- Conduct OSINT gathering using LinkedIn, job postings, DNS, and Google dorks
- Profile targets using the DISC model (D/I/S/C) and adapt communication style accordingly
- Design effective pretexts with authority, OSINT grounding, and a graceful exit
- Apply eight influence principles: reciprocity, obligation, scarcity, authority, social proof, etc.
- Use elicitation techniques: deliberate false statement, bracketing, mutual sharing, framing
- Read nonverbal baseline vs. discomfort signals (comfort/discomfort, self-soothing, barriers)
- Distinguish influence (ethical) from manipulation (exploitative)
- Implement M.A.P.P. defense: identify patterns → policies → SE pentests → awareness training
- Classify SE attack vectors: phishing, vishing, SMiShing, physical impersonation
Install this skill and Claude can design authorized social engineering test scenarios (phishing emails, vishing scripts, physical pretexts), DISC-profile communication samples to adapt tone and framing, evaluate security awareness programs against the M.A.P.P. framework, and analyze the influence principles at work in specific attack scenarios.
Human beings are the most reliably exploitable attack surface in any organization and technical controls alone cannot close that gap — understanding SE psychology enables security teams to measure and reduce human-layer risk through realistic testing and targeted awareness training rather than checkbox compliance
- Drafting a pretext phishing email for an authorized pentest engagement that uses authority, urgency, and OSINT-derived organizational context to simulate a realistic credential-harvesting attempt
- Analyzing a stakeholder's email communication style, assigning a DISC type, and rewriting a persuasion pitch to match their decision-making preferences for buy-in on a security initiative
- Evaluating a company's current security awareness program against the four M.A.P.P. pillars and identifying which structural gaps leave the organization most exposed to vishing attacks
Social Engineering: The Science of Human Hacking Skill
Core Philosophy
Social engineering exploits human psychology, not technical vulnerabilities. Understanding it from both attack and defense perspectives is required — you cannot defend against what you don’t understand. Social engineering is a tool; intent determines whether it builds or destroys.
The SE Pyramid (bottom to top):
OSINT (Open Source Intelligence)
↓
Profiling / Targeting
↓
Pretext Development
↓
Rapport / Influence
↓
Elicitation / Execution
↓
Goal Achievement
Phase 1: OSINT Collection
Technical OSINT Sources
- LinkedIn: job titles, colleagues, technologies used, org chart
- Social media: routines, locations, relationships, opinions
- Company website: about pages, press releases, contact info
- WHOIS / DNS: infrastructure, tech stack, registrant info
- Job postings: tells you exactly what software, tools, and problems a company has
- Google dorks:
  - site:company.com filetype:pdf
  - "internal use only" site:company.com
Nontechnical OSINT
- Dumpster diving: discarded documents, org charts, vendor relationships
- Physical observation: badge colors, uniform details, how employees enter/exit
- Overheard conversations: coffee shops, parking lots near target buildings
What to Extract
For each target, build a profile including:
- Full name, title, reporting structure
- Communication style and vocabulary
- Relationships and trusted contacts
- Current projects and pain points
- Technology and tools used
- Hobbies/interests (for rapport building)
Phase 2: Profiling via DISC
The DISC model categorizes communication styles for rapid profiling:
| Style | Traits | Approach |
|---|---|---|
| D (Dominance) | Direct, decisive, result-oriented, impatient | Skip small talk; be concise, focus on results and efficiency |
| I (Influence) | Enthusiastic, talkative, relationship-focused | Build rapport, be friendly, let them talk |
| S (Steadiness) | Loyal, methodical, avoids conflict, risk-averse | Be warm, patient; reassure; never pressure |
| C (Conscientiousness) | Analytical, detail-oriented, quality-focused | Present facts, data, details; be precise |
How to Profile Quickly
- Email length and punctuation (short/direct = D; enthusiastic/exclamatory = I; careful/thorough = C)
- LinkedIn writing style
- How they answer the phone (cut to the chase vs. chatty)
- Meeting behavior
Application: tailor your pretext, communication style, and rapport approach to the target’s DISC profile.
Phase 3: Pretexting
A pretext is the false identity/scenario you create to justify your presence and requests.
Effective Pretext Design
- Start with authority or alignment: “I’m calling from IT security / vendor / corporate”
- Build on real information from OSINT — specific names, current projects, recent events
- Create urgency appropriately: not too urgent (suspicious) but enough to reduce deliberation
- Keep it simple: the more complex the lie, the more likely it breaks under questions
- Have an exit: plan how the conversation ends naturally
High-Value Pretexts
- New IT employee: “I’m setting up accounts and need to verify your current access”
- Vendor support call: “We’re doing a scheduled maintenance check on your [specific software]”
- Senior executive’s assistant: “Mr. [name] needs this information for a meeting at 2pm”
- Security auditor: “I’m conducting our annual assessment, can you show me your badge?”
- New employee asking for help: people naturally want to help newcomers
Pretext Failure Points
- Not knowing enough about the target’s real situation (OSINT gap)
- Over-claiming knowledge (raises suspicion)
- Hesitation or verbal stumbles when asked probing questions
- Breaking character when unexpected questions arise
Phase 4: Rapport Building
Core Techniques
- Artificial time constraint: “I only have a minute, but…” reduces perceived threat
- Validate ego: recognize their expertise, ask their opinion
- Ask “how” questions: “How did you handle that situation?” gets more than “what”
- Active listening + paraphrase: repeat back what they said; people feel heard
- Find common ground: same interests, shared experiences, mutual contacts
- Mirroring: match their energy level, pace, vocabulary
The Tribe Mentality
Humans instinctively trust those who belong to their in-group. Create belonging by:
- Using internal jargon/acronyms you learned from OSINT
- Referencing specific people they know
- Expressing shared frustrations (“IT is always slow, right?”)
Phase 5: Influence Principles (Cialdini + Extended)
These are cognitive shortcuts that bypass rational deliberation:
The Eight Principles
- Reciprocity: people feel obligated to return favors. Give first.
  - “I found this issue in your system and wanted to give you a heads up…”
- Obligation: social pressure to fulfill roles/commitments once accepted.
  - “As a security professional, you’d want to know if…”
- Concession: if you give something up, they give something up (door-in-face technique).
  - Ask for something large first; when refused, ask for the smaller actual target.
- Scarcity: urgency from limited availability.
  - “This window closes in 2 hours…” Use carefully — obvious urgency creates suspicion.
- Authority: compliance increases with perceived authority.
  - Uniform, title, name-dropping known executives, official-looking communication.
- Consistency/Commitment: people act consistently with prior commitments.
  - Get small yes answers → leads to larger agreement.
- Liking: people comply more for people they like.
  - Find genuine common ground; mirror their style.
- Social Proof: “Everyone else is doing it.”
  - “All the other departments have already updated their credentials…”
Influence vs. Manipulation
Influence: leaves the person feeling good about the interaction, would still agree if they knew the full picture. Manipulation: exploits against the person’s interests; they’d object if they knew. Professional SE pentesting → influence only.
Phase 6: Elicitation
Getting information without direct questions — questions raise guards; statements with implied gaps get responses.
Elicitation Techniques
- Deliberate false statement: state something slightly wrong; experts instinctively correct it.
  - “I heard your company uses Salesforce for CRM.” (When you believe they use something else.)
- Flattery + curiosity: “You obviously know a lot about this — I’m curious how you handle X.”
- We/assumption: include yourself and them in a hypothetical.
  - “If we were trying to secure that system, we’d probably need to know…”
- Bracketing: give a range; they’ll correct to the actual number.
  - “That project must have cost somewhere between $50k and $500k…”
- Mutual sharing: share benign info about yourself to trigger reciprocal sharing.
Framing
How you present a choice determines how it’s perceived.
- “Would you like to share your password?” = suspicious
- “To verify your identity so I can help you, I just need your password” = compliance-inducing frame
Dynamic framing: pivot the frame mid-conversation if resistance is encountered.
Phase 7: Nonverbal Communication
Baseline First
Establish normal behavior before looking for deception/discomfort. Everyone’s normal is different.
Comfort vs. Discomfort Signals
Comfort: open posture, forward lean, genuine (Duchenne) smile (reaches eyes), relaxed facial muscles
Discomfort (potential indicators of stress, not necessarily deception):
- Self-soothing: touching face/neck, rubbing hands
- Barrier creation: crossed arms, leaning back, objects placed between people
- Feet pointing toward exit
- Microexpressions of contempt, fear, or disgust
- Pacifying behaviors increase after specific questions
Caution: nonverbal signals indicate stress, not necessarily deception. Context matters.
Attack Vector Reference
Phishing
- Spearphishing: personalized to target using OSINT
- Key elements: urgency, authority, relevance (reference their real projects/concerns)
- Goal: credential theft, malware installation, information disclosure
Vishing (Voice Phishing)
- Pre-call research: know their systems, vocabulary, recent events
- Establish authority fast (15 seconds)
- Handle objections with re-framing
- Have a graceful exit ready
SMiShing (SMS Phishing)
- Higher open rates than email; less scrutiny
- Short message, clear action, urgency
- Leverage OTP pretexts, package delivery, banking alerts
Impersonation (Physical)
- Uniform or badge creates immediate authority
- Tailgating: follow authorized person through secure door
- Confidence matters more than costume details
- Have cover story and “graceful bailout” ready
Defense: M.A.P.P. Framework
Mitigation Against Phishing and Pretexting (4-step program):
Step 1: Identify Attack Patterns
Train employees to recognize:
- Urgency + authority combination
- Requests that bypass normal process
- Out-of-band communication (executive emailing directly for wire transfer)
- Information requests that seem reasonable but lead to access
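An added example (not from the book or this skill) of turning the Step 1 patterns into a triage heuristic a help desk or mail-filtering rule could run: it flags urgency, authority, process-bypass and sensitive-action language, treats a sender outside the internal domain as out-of-band, and weights the urgency + authority combination as its own signal. The keyword lists, domain names and sample messages are constructed for the example.

```python
import re

# Keyword heuristics for the M.A.P.P. Step 1 patterns (constructed lists, not from the book).
PATTERNS = {
    "urgency": [r"\burgent(?:ly)?\b", r"\bimmediately\b", r"\basap\b",
                r"\bbefore (?:end|close) of (?:day|business)\b", r"\bwithin \d+ (?:minutes|hours)\b"],
    "authority": [r"\b(?:ceo|cfo|cio|vp|director)\b", r"\bon behalf of\b", r"\bit security\b"],
    "process_bypass": [r"\bno need to (?:verify|confirm|call)\b", r"\bkeep this between us\b",
                       r"\bdon'?t (?:bother|worry) (?:about )?(?:the )?(?:ticket|approval|po)\b"],
    "sensitive_action": [r"\bwire transfer\b", r"\bgift cards?\b", r"\bpassword\b",
                         r"\bcredentials?\b", r"\b(?:mfa|one-time) code\b"],
}

def match_patterns(text):
    """Return {pattern_family: [regexes that hit]} for every family present in the text."""
    text = text.lower()
    hits = {}
    for name, regexes in PATTERNS.items():
        matched = [rx for rx in regexes if re.search(rx, text)]
        if matched:
            hits[name] = matched
    return hits

def assess_request(sender, internal_domain, body):
    """Score one inbound request; a sender off the internal domain counts as out-of-band."""
    flags = match_patterns(body)
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain != internal_domain.lower():
        flags["out_of_band"] = [sender_domain]
    score = len(flags)
    if "urgency" in flags and "authority" in flags:
        score += 1  # the urgency + authority combination is the classic pretext signature
    risky_ask = "sensitive_action" in flags and ("out_of_band" in flags or "process_bypass" in flags)
    if score >= 3 or risky_ask:
        action = "stop: escalate and verify by call-back to a known number"
    elif score:
        action = "caution: verify through the normal process before acting"
    else:
        action = "no SE indicators matched"
    return {"flags": flags, "score": score, "action": action}

# Constructed sample messages (not real incidents).
BEC_BODY = ("I'm writing on behalf of the CEO, who is stuck in a board meeting. We need an urgent "
            "wire transfer to a new supplier before end of day. Don't worry about the PO, I'll "
            "sort the paperwork later. Keep this between us for now.")
HELPDESK_BODY = ("IT Security here. To finish the mailbox migration we need your password by reply; "
                 "no need to call the help desk, we've already opened the ticket.")
BENIGN_BODY = "Hi, attaching the slides from Tuesday's meeting. Let me know if you have comments."

for sender, body in [("ceo.office@mail.example", BEC_BODY), ("helpdesk@corp.example", HELPDESK_BODY),
                     ("anna@corp.example", BENIGN_BODY)]:
    r = assess_request(sender, "corp.example", body)
    print(sender, sorted(r["flags"]), r["score"], r["action"])
```

The output is a triage hint for a human verifier, not a verdict: the internal-domain help-desk message still escalates because a credential request plus "no need to call" is a process bypass regardless of sender.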
Step 2: Develop Actionable Policies
- Verification procedures: call-back policy before sensitive actions
- Process enforcement: wire transfers require in-person/known-number verification
- Escalation path: who to call when something seems off
- Punishment-free reporting: make it safe to report suspicious contacts
Step 3: Regular Real-World Testing (SE Pentests)
- Conduct unannounced phishing/vishing campaigns
- Measure click rates, credential disclosure rates, phone compliance rates
- Track improvement over time; test after training
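An added example (not part of the original page) of tracking the Step 3 measurements across rounds: it computes click, credential-disclosure, reporting and phone-compliance rates per round, the deltas against the previous round, and an "improved" verdict that requires fewer clicks, fewer disclosures and more reports together. The round counts are constructed sample numbers.

```python
from dataclasses import dataclass

@dataclass
class Round:
    """One SE test round. Counts are constructed sample numbers, not real campaign data."""
    label: str
    sent: int          # phishing emails delivered
    clicked: int       # recipients who clicked the lure
    submitted: int     # recipients who entered credentials on the landing page
    reported: int      # recipients who reported the message to security
    called: int = 0    # vishing calls placed
    complied: int = 0  # calls where the target disclosed the requested information

def rates(r):
    """Per-round rates as fractions of the tested population."""
    return {
        "click_rate": r.clicked / r.sent,
        "disclosure_rate": r.submitted / r.sent,
        "click_to_disclosure": r.submitted / r.clicked if r.clicked else 0.0,
        "report_rate": r.reported / r.sent,
        "phone_compliance": r.complied / r.called if r.called else None,
    }

def trend(rounds):
    """Rates per round plus deltas against the previous round and an 'improved' verdict."""
    rows, prev = [], None
    for r in rounds:
        cur = rates(r)
        row = {"label": r.label, **cur}
        if prev is not None:
            for k in ("click_rate", "disclosure_rate", "report_rate"):
                row[k + "_delta"] = cur[k] - prev[k]
            # A drop in clicks alone can just mean a weaker lure, so improvement
            # requires fewer clicks AND fewer disclosures AND more reports.
            row["improved"] = (row["click_rate_delta"] < 0 and row["disclosure_rate_delta"] < 0
                               and row["report_rate_delta"] > 0)
        rows.append(row)
        prev = cur
    return rows

ROUNDS = [
    Round("baseline", sent=200, clicked=58, submitted=31, reported=9, called=20, complied=11),
    Round("post-training", sent=200, clicked=34, submitted=14, reported=41, called=20, complied=6),
    Round("quarterly", sent=200, clicked=27, submitted=9, reported=55, called=20, complied=4),
]

if __name__ == "__main__":
    for row in trend(ROUNDS):
        print(row["label"], {k: (round(v, 3) if isinstance(v, float) else v)
                             for k, v in row.items() if k != "label"})
```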
Step 4: Security Awareness Programs
- Scenario-based training: show real-world examples, not just theory
- Teach recognition, not just rules: rules can be social-engineered around
- Create a reporting culture: “If in doubt, report it”
- Repeat and refresh: awareness decays; quarterly touchpoints minimum