How a person's name can be vital in a Social Engineering operation.
Within the following post, I decided to take a dive into the realm of Social Engineering, to follow up on a subject that I have always been interested in: the science of subliminal manipulation and influence.
Throughout the post, we will be specifically looking into one of the main techinques used by marketing teams to get customers to respond positively to offers and deals.
What is SE (Social Engineering)?
According to wikipedia, Social Engineering is defined to be:
[...] the psychological manipulation of people into performing actions or divulging confidential information. [...]
It is also often referred to as "Human Hacking", due to it's malicious nature, and can commonly be found crossing over into the corporate world on an extremely modest scale through the means of marketing and advertising, with marketers even being described as "real time personalizers".
What's so important about a name?
As spoken by Dale Carnegie:
A person’s name is to that person, the sweetest, most important sound in any language.
Names are potentially the most overlooked vector within any kind of human interaction, and have huge potential for subtle exploitation. Humans have been proven to positively react to their own name even without intenting to.
A study concluded that the brain activates when hearing the subjects own name, with data indicating a predominantly posterior network that includes the middle temporal cortex, the left superior temporal cortex, the middle occipital gyrus and cuenus. Another anterior network of activation was found in the middle frontal cortex, and superior frontal cortex.
How is the use of names relevant to SE?
Names have been proven to provide an illusion of positive feelings within the recipient. Upon correctly using someone's name you immediately form a base level of mutual admiration for the rest of the relationship to depend on, while incorrectly using someone's name can greatly damage the interaction, far further than anyone is willing to admit. As quoted by the researcher Tracy Rank-Christman:
In one experiment, we found that the underlying mechanism had to do with feelings of respect. Misidentified consumers felt less respected, whereas those who were identified correctly felt more respected.
Furthermore, research from the Stanford Graduate School of Business, found that by adding the recipients name to the subject line of an email can lead to a variety of positive outcomes, as stated in the white-paper:
We found that including the name of the recipient in the subject line of the email increased the probability of the recipient opening the email by 20%. This translated into a downstream 31% increase in sales leads, and a 17% decrease in the number of recipients unsubscribing from the email campaign. Our findings provide evidence for the effectiveness of personalization and for the role of non-informative content; i.e., that the effects are statistically and economically significant. The findings motivated our partner company to alter its default email strategy to include the recipient’s name in the subject-line of the email.
Ultimately, although using someone's name may seem trivial, doing so allows for a feeling of personalisation and understanding.
Personalisation is important as any message sent from speaker to recipient isn't necessarily actually being processed by said recipient, and the use of their name not only catches their attention in an instance, but it also implies that what is being said is of utmost importance to them in particular, as quoted on "getseennow":
If a company, an organization or an individual cannot be bothered to ascertain who they’re sending information to, I doubt that information will be of particular interest or relevance to the recipient.
When it comes to implementing the technique within Social Engineering, it may not seem groundbreaking, although considering how easy it is to obtain someone's name, and how little you risk by doing so, it is certainly a good trick to have in the book. Especially considering the fact that it has been proven time and time again to work a noticeable amount in the long term.
If you really boil it down to it's core, the only reason this is effective at all, is ignorance towards an individual. The reason an email with the targets name in it stands out is because said recipient is so used to seeing generic spam mail. Similarly, in Social Engineering, the target is so used to being spoken to like a cog in a machine, the simple idea of hearing their name can greatly increase the chances of said person developing a subconscious liking towards the attacker, helping you achieve what you initially set out to do: leak potentially sensitive information.
Are names something to be aware of?
In a short-term, one to one interaction, I think the answer is yes, they are at least something to be aware of, as they are of course easy to slip into conversations by nature, while also being potentially game-changing.
On the other hand, in a long-term one to one relationship, I don't think the use of names will greatly improve your chances of a successful attack, especially considering the amount of alternate opportunities you will have within the engagement.
Within a phishing attack, as an attacker.
I also think that the insertion of names into phishing e-mails can greatly increase the chances of the attack being successful, purely due to the statistics found by the Stanford Graduate School of Business. Imagine you are sending out 50 identical emails to a group of company employees with a malicious password reset page linked inside. You are probably going to get some hits, although users are definitely more likely to open the link and comply if the subject of the email is something like:<INSERT NAME>, a password reset is required.
Rather than:Reset your password now!
This process may seem lengthy just for a couple of extra hits, but keep in mind this can all be automated, especially considering the fact that most companies follow an email format (i.e. John Doe becomes jdoe@company.com).
Within a vishing attack, as an attacker.
Similarly to the concept of using someone's name in an email to be perceived as trust-worthy, this is also effective within a vishing (voice phishing) attack, hence why scammers and social engineers have a reputation for opening calls with "Hi, is this <NAME>?"
Not only does this sentence immediately instate a false sense of security upon the target, but they also subconsciously think to themselves "the caller has my full name and number, only a trusted source would have this".
Is the use of names maliciously something to be wary of?
Undeniably so, these studies have proven that although we may not consciously notice it, our brain does give the speaker an advantage in terms of whether they are trust-worthy. Upon hearing about this technique, it has certainly made recognising said technique easier in the wild, with most marketing calls or salesmen opening with my name somewhere in the greeting.
Summary
In conclusion, the use of names to subconsciously form bonds with strangers is clearly a technique that works, and has a vast amount of research to support it. Although as with everything, it is heavily dependent on the context of the situation. One mispronunciation of someone's name can greatly damage your chances at leaking valuable information, and may not be worth taking the chances, especially if you are simultaneously focusing on other vital parts of the attack.