Select Page

A recent study by the Université du Luxembourg has emphasized how the efficiency of social engineering attacks can be increased with the help of rewards.  Which rewards?  Well, chocolate, of course.

Social engineering is the use of storytelling and lies to get someone to do something for you, or to give you something like sensitive or confidential information.  The study of 1,208 people was co-authored by Dr André Melzer who describes in the paper how criminals can increase the results of social engineering attacks by using the sense of obligation we feel after receiving a small gift, or after doing something that makes us feel good:

“When someone does something nice for us, we automatically feel obliged to return the favour. This principle is universal and important for the way we function as a society. However, this internal pressure can also be exploited to achieve certain purposes, such as encouraging someone to divulge a password.’

The study used undercover researchers carrying University of Luxembourg bags who asked passing pedestrians about their attitude towards computer security.  Then the researchers asked them for their password.  During the interview the researchers gave the interviewees gifts, including chocolate.  The research showed that this small gift greatly increased the likelihood of participants giving away their password.  The gift that had the most effect was chocolate and the study shows that even the timing of the gift can affect the results:

  • If the chocolate was only given out afterwards, 29.8 per cent of participants revealed their passwords.
  • If the chocolate was received generally beforehand, a total of 43.5% of the respondents shared their password with the interviewer

The researchers did not test any of the passwords so there is no knowing if the participants were lying or not, but the fact that people actually gave an answer was significant.  So, beware of geeks bearing gifts as they may steal the keys to your kingdom.

Alternatively, we can also combat this form of bribery by giving ourselves and our clients more chocolate, thus reducing the importance of the reward.