Influence | Head Hacker

Social Engineering Zombies… Getting people playing your game

In the wonderful world of InfoSec we often talk about zombies, and the associated botnet zombie army. With our army of machines we can do our evil bidding, and wreak havoc upon the unexpected users of the Interwebs.

So what’s this got to do with social engineering? Well I was talking to Jayson Street last week about some of the techniques I have used to get information and assistance from people on the inside of an organisation to help me with an engagement, and I kind of a likened this to creating my own little army of zombies who are willing to do my bidding when asked.

So I will just talk you through a few scenarios, you can then use this information to help formulate your own approach on engagements, and use this information to enhance your training and awareness around social engineering.

One of the key things to realise when you’re looking to do anything that requires influencing and manipulating people, is that we are all going about life playing our own game, or if you’re an NLP fan, operating in your own frame. So when we want someone to accommodate our requests, we need to get them to stop playing their game, and start playing ours. We need to re-frame

One of my most successful approaches to this is social engineering is the use of the fake, and slightly altered get out of jail free letter. This letter will start off with congratulating the individual on challenging you, and to then further explain a modified story of what the engagement is, and that they can now be brought into the circle of trust and help facilitate.

This does a few things. First of all we are starting with positive acknowledgement of success. We all like to be told when we have done well, and having this confirmed in written form as well as verbally is a double whammy. You may even want to take this opportunity to anchor the positive emotions for later use. Next we are given formal written approval to help out on this engagement, so it must be official, and now feel abit more important. Lastly, and I think this is my favourite part; they are in brought into the circle of trust. No one likes anything more than to be part of the secret squirrel brigade, it’s all hush hush and James Bond like.

I find this approach works especially well with security guards. So then you have your zombie, who has internal knowledge and access to most areas within the facility.

Another approach is that of rapport and conformity. This approach requires time invested outside of the targeted facility. The recon process is essential, so you will build up a good understanding of the company, the various departments, and some key senior names etc. You then identify a common location where employees gather. This could be a lunch time or after work cafe or pub, basically somewhere that over time you can have a high level of certainty you will have the same people appear repeatedly.

The next stage is then to build up some rapid friendships, familiarity and some form of common ground. Everyone’s approach here is different, however as I have mentioned before I use the mentalism and beer route, on the premise that most people like a drink, and magic.

So from here people will see me doing different demos in that environment, work your way around to the target, whilst building up their interest. At the appropriate time you start interacting, showing the individuals something interesting, and getting people laughing and having a good time. We like people who make us laugh, and we like people who we consider to be similar to ourselves. Now is the opportunity to also ask information about them, where they work, what department etc, this is achieving confirmation of your research, and is building up rapport. You can then reciprocate with false information about you recently joining the company also, and mentalism etc is your hobby when you’re not working it such and such department.

Now we have a new friend. Friends look out for each other. We can use this friend to get abit more information about the business, strengths and weaknesses. Now when we look to get into the company we can utilise our friend, either entering at the same time as them, or having reception call them to verify you.

So there are just two examples of methods you can use to get people playing your game, you may look to use this directly as described or more indirectly and use these techniques for misdirection to assist a colleague to gain entry.

Finally I will give you a hypnotic example of creating your own REAL Zombie utilising the power of the mind.

Those of you who are not familiar with hypnosis may be poo pooing this already, but please read on for enjoyment if nothing more.

So in this scenario I will use the similar approach with making a new friend, or at least building up a relationship that allows me to demonstrate mentalism and hypnotic phenomena.

So I will go through the motion, and assuming the subject is working well with me and what many would class as the more impressive phenomena such as amnesia is working, then I would look to make a post hypnotic suggestion and give amnesia for the suggestion. As an example you could give the suggestion that the next time you meet and say “let me in” you believe 100% unconditionally that I am authorised to be onsite, and to have access to any areas requested. You then remove conscious memory of this suggestion, in the knowledge that the subconscious will act as expected. If there is going to be a big time gap, it is important to include some time frames in the suggestion also.

The next step is of course to try it. Obviously you have tested other phenomena before giving this post hypnotic suggestion, so you do have a level of confidence, however the brain is a strange and mysterious things, and many things can impact the work you have done before hand. So as with all social engineering engagements, have a plan B, C, D, etc.

The longest I have gone between giving a post hypnotic suggestion, and executing it is a week, however in theory with the correct instruction and intent it should work weeks, months or a year’s gap. In my experience the less time you leave the suggestion, the more successful the results, however this is no doubt a skill issue with me, practice practice

As with all of this, look to practice with permission, and try things on a less elaborate scale. So try just making friends with people in pubs and cafes to test your rapport building skills. Try and get people to help you out in different situations and environments, get them playing your game. If you interested in the hypnosis side of things, of course most importantly is to learn the foundations first and then build up, then when you are at the right stage, try simple to understand post hypnotic suggestions. Something like when I tap you on the shoulder and ask you for a beer you will believe I have just bought you one and its now your turn. The process for the suggestions are all the same, obviously some have more of an impact if they don’t work than others.

Subjects lend me your ears… Especially the right one!

Language and communication is of great importance when it comes to manipulation as part of social engineering, or any situation where you want to try and get your way.

So it would be interesting to learn that your double your chances of getting your desired outcome, simply by making your request to the right ear.

Well its totally true. I have tried this myself, of course I haven’t been carrying out documented studies, but there does seem to be some factor of increase when making requests, and having someone be compliant and receptive when you ask via the right ear.

I heard about these studies that focused on the natural expression of the hemispheric asymmetries. This is all about how your brain operates and processes request, based on studies around the left side of the brain, controlling the right and visa versa. Psychologists in Italy carried out studies that showed that sounds are processed differently based on the ear they are received into. The study showed that verbal input into the right ear had an increased level of presidency in the brain, and it is the left hand side of the brain that then carries out the linguistic processing.

The research they carried out, seemed to show that the different sides of the brain are tuned for positive and negative emotions, and speaking into the right ear is then processed by the more positive side of the brain.

So next time your trying to influence and manipulate, I recommend you make your requests into the right ear. What have you got to lose.

Social Engineering… Is It Ethical??

When I speak to people (non Infosec passionate types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses. Shock, Disgust and Intrigue. People are shocked because they are not aware of some of these skills and process, they are disgusted because it’s not right, it’s not ethical, and a breach of human rights, and then we have the intrigue as I start to really explain what it’s all about, and what I am doing. People are curious of how this knowledge can help and protect them.

So this got me thinking, perhaps I should write a post on why I think people think social engineering is unethical, and why I consider the majority to be ethical, I do think in some circumstances there is a grey area. I have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi heated discussions with organisations about techniques that can and can’t be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident in the fact that I only operate in areas where I feel comfortable that I will be operating in an ethical manner, other areas I have not quite figured out continue to be researched and debated both internally and externally.

In the research I have done on ethics of social engineering, I have really not found there to be anything about, perhaps people don’t care? I think it is a real issue that all professionals should consider, and take time to reflect upon.

Why people think Social Engineering is unethical….

In my experience most people say social engineering is unethical because you are tricking, or conning someone, stealing data about them, using the information to access sensitive information, get free stuff, gain entry and generally manipulate people to do things, or disclose information. I totally understand this thought process, and in a way I think they are correct, there are people out there doing this, and they are both good and very effective with the skills they have, they have become life time criminals.

The key issue here is the perception and it’s a negative one. Not everyone uses their knowledge and skills for breaking the law, they use their skills and knowledge to better the populous, inform and educate to make people less likely to become a victim. The truth of the matter is, you don’t really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments.

In an effort to draw an example, medicine can be used to cure and relieve pain in the right hands. The same medicine in the wrong hands and with the wrong intent can be used to inflict pain, and even kill. Knowledge, process, tools, etc can all be used for positive and negative, it’s the individual who is responsible for the actions and result.

Why and how I think Social Engineering can be ethical….

The first reason I think social engineering is ethical is due to the intent. Now I am not saying that the outcome of the exercise may enable someone to do something malicious, but I don’t think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldn’t evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome and where appropriate I always seek permission at a high level, and understand any specific areas that are no go, as well as using my own common sense and experiences to guide me. People intentionally manipulate people every day; we have all been doing this since birth. We all have different reasons for manipulation; perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, it’s considered ethically and morally ok.

So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, and educate and bring awareness it can be ethical, and this is certainly how I believe I go about things.

It’s a little grey….

So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff they employ? Should people who are subject to social engineering activities be punished for being the weak link in the chain? If you gain generic permission, let’s say to hypnotise, then you use this permission to extract sensitive data, is that ok? I am sure we can all think of many more situations that are not so clear.

To be honest, when it comes to these grey areas I am not sure on all the answers. However I try to limit these grey areas by defining up front in an appropriate level of detail what could happen as part of the assessment, types of scenarios and ways to extract data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else that has considered the above issues. When in doubt don’t do it, if your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position.

I certainly don’t think the grey areas are reasons not to carry out social engineering engagements, the criminals are not concerned about ethics, and to test we need to adopt this mindset to a certain degree. It is also important to share our thoughts and research, and we have to let the individuals dig further and use this information as they feel is most appropriate.

So to conclude, if you are interested in social engineering, and you want to work with, investigate and research the skills associated, do so in a professional and ethical manner, be mindful of what you’re planning, put yourself in the subject’s position, how would you feel if someone did to you, what you are planning on doing to them. If you’re happy, then its most like a good sign you will be operating in an ethical manner.

No one has all the answers, but it’s a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.

Setting your motivation… Mind Scripts

Getting into character is an important part of being successful on a social engineering engagement. You may be physically impersonating a sales guy, engineer, employee, or you may be carrying out your fiendish work remotely gathering data, and setting up meetings. Either way you should be clear in your mind who you are, who you are engaging with, and what you want out of the activity, you need to be clear on your motivation.

When I think of this, my immature side (say nothing) hears a rather camp actor shouting at the director asking, “what’s my motivation darling”. OK so I am odd, lets use the above imagery to demonstrate the motivation to run through the opposition to score

So with this in mind I wanted to quickly talk about something a little NLP’esk that I think you will find helpful, and if full embraced will really help with your attitude, approach, body language, facial expression, tonality and more when carrying out an engagement. This little something is called Mind Scripts, and is something I first heard about when studying cold reading and hypnosis, but have also heard similar approaches from an NLP context, and in sales type books on engaging and building rapport with people. (I am not 100% sure who coined this term, I think it may have been Ian Rowland, but please don’t hold me to that).

So what is a Mind Script? Well a mind script is just a simple, short,concise and positive statement about the activity or interaction you are about to engage in. This statement you repeat to yourself mentally before and during the engagement.

Don’t reject this concept just yet please, as some pointless simplistic activity. You will actually find that you make a huge difference as to how you come across to the person(s) you are interacting with when you you run an appropriate mind script. If you think about it we are unconsciously running a mind script of some kind all of the time, simply waking up and telling yourself its going to be a crappy day, then becomes a script you will be running. This then effects how you interact, attitude and the effect you have on others unknowingly.

Here are a couple of example of a mind script to give you an idea of how simple they are. I then encourage you to try running appropriate scripts before going into meeting, interacting with people one to one as a form of practice. If you think about it, it really does make sense, but I would like to hear from people with their thoughts, comments, success and failures. Obviously remember there is NO FAIL

I know you, you know me, I belong here

I like you, you like me, this will go well

I respect you, you respect me, and we will have a good discussion

I am an expert, you know I am an expert, there will be confidence in my recommendations

Hopefully you get the general idea from these brief examples, think positive, be positive. A positive mental attitude, positive things happen to positive people, that’s what I tell myself anyway

Sub Zero Mind Reading.. The Art of Cold Reading

I know what your thinking! See what I did there Seriously though this post is going to give you a little insight into cold reading, what its all about, a few facts and some ideas how you might want to put this skill to good use.

Wikipedia Definition – Cold reading is a series of techniques used by mentalists, illusionists, fortune tellers, psychics, mediums and con artists to determine or express details about another person, often in order to convince them that the reader knows much more about a subject than they actually do. Without prior knowledge of a person, a practiced cold reader can still quickly obtain a great deal of information about the subject by analyzing the person’s body language, age, clothing or fashion, hairstyle, gender, sexual orientation, religion, race or ethnicity, level of education, manner of speech, place of origin, etc

So what is cold reading all about? Essentially its the process of giving general statements (Barnum Statements) that an individual will find and believe to be very specific and meaningful to them as an individual. This can be achieved by generic statements, or using information gleamed from other sources, body language and general observation.

You may have experienced this yourself if you have been to see a psychic, palm reader or similar. Now before anyone flames me, I am not saying that some people may not have a gift, or at least believe they do, but I have not seen for myself or seen anything documented that convinces me that some sort of cold reading is not at work. Depending on your scepticism you may find the experience interesting, revealing and worth the money, you probably also like to read about your star signs in the daily newspaper also.

The reason I don’t bother trying to convince people otherwise is for two reasons. First of all we are all entitled to our own opinions, and as long as you are entering into the experience with a sound head on your shoulders, and are happy to shell out the money, I guess there is no harm. The other reason is that I have tried to explain in my opinion why its all a load of crap, and I had the opposite outcome and the individuals involved believed that I had some sort of psychic abilities. I thought it was rather humorous, so I will quickly give an overview of the story.

So I was in a pub (common theme here) and a couple of friends where talking about how they had been to see a psychic and how accurate they were, and how it would help them make some difficult decisions they are being faced with. So I said I thought it was all a load of crap, etc etc, and I could prove it as I could give them a reading using a system I had partially learnt at the time. So I went through the process with the first friend, getting them to visualise, etc etc. Then gave them what they called an amazing reading, they were amazed at the accuracy for things I couldn’t have known. The other friend was then also keen after this. Another reading, totally different and again spot on. I was sure I had proven my point. Sadly the result was that as well as being a hypnotist, I must also have some sort of psychic powers, I have the gift…… I give up

From a social engineering perspective I believe there are a few benefits. With my style of SE, where I look to use a mixture of performance, mentalism, hypnosis etc to get information in a social environment it has obviously benefits as the example above gives. You can leverage a good cold reading to then have an intensive and revealing discussion, and during this time extract specific information you may be after for an engagement. Its probably not a surprise after this type of phenomena people are either very curious and want to discuss more, or have totally bought into you, rapport is at an all time high and they could be willing to share all sorts with you.

Obviously once you become more familiar with the process, and the lingo you can simply use the methods and statements in a non psychic setup. Simply use the cold reading techniques to aid with getting buy in, manipulating a subject. You can use these skills to make people more interested in you as well as making people uncomfortable. This can be done in person, via the phone and even my mail. As the statements will appear to give you knowledge about the situation, individual and context of discussion. I really do suggest people look into cold reading at some level with the mindset of applying it in a social engineering context.

If you are interested in reading about cold reading, and how it can be used for manipulation I really do recommend The Full Facts of Cold Reading, by Ian Rowland. Its contents will help you understand the techniques of cold reading, where you take and use these techniques is up to you.

Feel free to check out the Resources section regularly for my recommended readings and products.

Examples of Barnum Statements:

You’ve gone through a lot of ups and downs over the past few years, emotionally and financially, and that has caused some stress in your life.
You have a creative streak that you aren’t always able to indulge in.
You have a fear of rejection.
You feel guilty about and worry about things that are completely out of your control.
You are often too critical of yourself.
Some of your goals seem to be a little unrealistic
You do not accept what others tell you to believe

Derren Brown’s Enigma… Awesome Show!!

Last night I went to see Derren Brown’s Enigma show at the Alexandra Theater in Birmingham. Its not surprise that I am a huge fan of his work, hes a great manipulator and performer. The show was excellent, I really enjoyed the control Derren has over his audience, and what I consider to be very subtle and highly effective linguistic skills. The show lasted almost 3 hours including a little break (I took the opportunity to do some card mentalism at the bar), and he really was on form throughout. Derren asked that no one speaks about the content of the show, so I will respect his wishes, but I really do recommend you go and see the show if you can, you will not be disappointed. The show has given me some other ideas and applications for my mentalism, as well as another possible SE approach, I look forward to developing these.

I will say I only had one disappointment, and that was not getting to say hello to Derren after the show. Apparently he wasnt feeling to well, which is fair enough, shame the guy on the door was a complete arse (not part of Derren’s entourage).

I am sure this will be released on DVD at some point as I believe it was filmed, and he has a new book coming out soon, so if your a fan keep on the look out.

Ride the waves of sensation… Its all about anchoring

You know when you see an object, or hear a song and it instantly takes you back to a moment, and you begin to experience feelings and emotions as if you where re living it. This is essentially what anchoring is, and this is an association we can force and link with an action, sound or situation. We can use this via an NLP approach, or using Hypnosis in the form of a post hypnotic suggestion based trigger.

Wikipedia Definition – Anchoring is a neuro-linguistic programming term for the process by which memory recall, state change or other responses become associated with (anchored to) some stimulus, in such a way that perception of the stimulus (the anchor) leads by reflex to the anchored response occurring. The stimulus may be quite neutral or even out of conscious awareness, and the response may be either positive or negative. They are capable of being formed and reinforced by repeated stimuli, and thus are analogous to classical conditioning.

So its all very interesting, but what good is the knowledge of anchoring to anyone. There are many benefits from a treatment perspective, as well as being a professional in general. In both of these scenarios the subject can focus, concentrate and imagine themselves in a situation of peacefulness, happy, or situation where confident assuming this is the goal. When the subject is in this state, reliving, seeing, feeling, hearing everything associated with this experience, and as it builds this can be anchored to a touch to a specific part of the body. The result should now be that this pleasurable, confident feeling or what ever it may be can be instantly associated when the specific part of the body is touched. These anchors don’t last forever so in the case of therapy should be reinforced on a regular basis, but I am sure its clear to see how this can help when perhaps nervous about giving a presentation, or a situation that may make you nervous, triggering the anchor to give you a boost.

I know what your thinking, this is all well and good, but I am a social engineer, I am about manipulation and getting the job done, I am not interested in therapy for others, and trying to cheer people up when they are feeling down. So don’t you think there may be situations where it would be advantageous to bring someone into a cheerful state when you are trying to manipulate them? Are we not more responsive and accommodating when happy, rather than sad? How about creating a situation of confusion or doubt, where there is uncertainty in your presence somewhere.

These are all situations you can generate and then anchor for later use, alternatively if you observe a naturally occurring anchored sequence that could be used to your benefit, you can simply steal that anchor. As with other methods I have described, my standard approach to these techniques is to carry out the work in a non work environment, so in a bar, cafe etc. A simple effect for confusion could be making someone think green was yellow, and then anchoring that confused state to an arm tap. If you decided to go the hypnosis route, its really more a post hypnotic trigger. So you will give someone instruction under hypnosis that at a later date when you show them something, say something or touch them somewhere they will act in a certain way. Under hypnosis the trigger can be alot more detailed, and seems to last for a longer period of time.

Obviously creating the opportunity is the really difficult part, so that will all be dependant on people styles and how touchy feely, both you are your subject are, as obviously for anchoring some physical contact is usually required.

So this is pretty easy for you to practice with a friend or partner, if you look on YouTube you can see various videos of people doing this. Essentially get your friend or partner to close their eyes and remember a time when they felt a great sense of well being, get them to develop that thought, so they are back there now, seeing what they say, hearing what they heard. As you see the smile, grin or laughter give a firm touch to the right knee (as an example), I normally add the comment of “Thats Right” as you re-experience those emotions now.

Now have them relax and become kinda neutral in feeling, then touch the knee again, this should bring a smile to the face, having them once again experience those positive, enjoyable thoughts, putting them into a happy state. It sounds simple, and it is. Get permission from those you practice with, remember to be responsible and ethical. You can practice anchoring on yourself, however I find trying to focus more difficult as you try and remember what your doing, so leave this until after you are familiar with the process.

Gaining Access.. As easy as abracadabra, alakazam

Some of you may have gathered by now, as well as infosec, social engineering, and hypnosis, I am also interested in abit of trickery pokery, magic.

In recent months I was asked to carry out an impromptu social engineering exercise as a favour to someone. Of course I obliged, almost bit their hand of infact, but we will keep that a secret. Anyway, I had discussed the generic process and results of this test with a few people, and they also found it amusing and suggested I made a post. So here we go.

You know the recon, give the building a little tour, and you are not surprised to see access controlled doors, locked windows and turnstiles on the main entrance to stop tail gating. However as we continue on our little wander we find a rear entrance, however it is also access controlled. No big surprise. However we see from the corner of our eye, something beautiful, thats right its smokers corner. The smoker is a common helper to the social engineer, and normally we could fake having a cigarette. Two problems, I have no smokes, and I don’t smoke. However I do have a set of cards on me, as I have been taking every opportunity to practice some of my tricks when ever a spare 5 minutes arise. So I sit down on the bench just up from smokers corner, and start shuffling the cards and having a little mess about.

Almost 45 mins later, a few people have been and gone, but one guy just cant resist any more. He approaches me, and in a joking tone asks “What do you think you are, a magician or something?” There is my cue. I show he a simple trick, card prediction. Hes impressed and laughing, rapport is building. He asks me if I know any others? So I get him to pick a card, and then remember it, and then go through the deck and reveal his card. He is loving it, and lets face it, who doesn’t like magic However its getting cold, and I have got work to do. So I suggest we best go in, as I am cold, and my work wont do itself. He kindly walks we me to the rear entrance, and without asking swipes his card and lets me in. Access Gained.

I am still not sure if what happened next was a good or bad thing, but he asks me if I know any more tricks and if I would show his work mates. I explained I need to get on, but I can do something quickly. So he takes me to the first floor, and to where he sits with his two work mates. I do a quick triple card routine, which involves abit of mind reading. They are amazed and loved it. Now I really need to go.

I head down a corridor and located a small empty meeting room. Locate a network point, and plug in my La Fonera. Lights are on, we have lift off. I head back down to the rear entrance, a few people are off out for a cigarette. I tail gate and head back to the car.

In the comfort of the car, I load up BT4, connect to my La Fonera, that’s connected to the corporate network and do what needs to be done. With that little smirk on my face, of what a great few hours I have had.

So basically the magic was just another method to build rapport, and a point to build upon. I don’t think it could be used everywhere, but in general people like magic, and are fascinated buy it. The best bit was the debrief the next day with the company, they couldn’t believe the chain of events, and of course again I have to show them one of the tricks.

So I have posted the basics of this due to requests, but also to demonstrate a key thing when social engineering. Use what you know, and what you have available to you and think out of the box.

Building Rapport and getting Buy In… Simples

Everything related to social engineering, and the various skills we have discussed all need a foundation to work from to give us the influencing power we need to have the victim / subject doing our deeds. So how do we set-up this foundation? We need to build rapport, and get the appropriate buy in. We need the person or people we are interacting with to believe 110% that we are who we say we are, and that the requests we make of them, no matter how strange are legitimate and well founded.

Wikipedia Definition – Rapport is one of the most important features or characteristics of unconscious human interaction. It is commonality of perspective: being “in sync” with, or being “on the same wavelength” as the person with whom you are talking.

Some people are better at this than others, I am sure there are various personal and cultural reasons for this, but I will go through the steps and thought processes I go through myself, when looking to build rapport, and get someone working with me to achieve my goal.

First of all consider the situation from the 3rd person, put yourself in their situation. When you start to consider your approach and communication from their perspective you can start to rehearse what your going to say and how your going to act, and give a performance you would consider believable. I appreciate alot of us will be more paranoid than the average person due to the industry we work in, but I think you get the right idea. Pitch it at the right level, and aim for success, rapport, buy in, and ultimately influence and leverage.

Then is the option of faking it. What I mean is act as if rapport already exists, and you have known the group or individual you are interacting with for years. It may sound odd, but doing this will put you at ease, and you will give off unconscious signals, and these will be picked up and mirrored by the people you are speaking with, and you can continue forward from there. Personally I would say incorporate this concept to some extent, but don’t really on it fully, and bundle it with other rapport building techniques.

First impression count. Walking up to someone, smiling and extending your hand and greeting sets up a situation of social compliance. The fact they smile back and shake your hand means you have succeeded in your initial rapport building exercise. You asked them to do something and they did, you have leverage. From here there are various possibilities to elevate your situation. Perhaps you will use information you have gathered from open source information gathering techniques, or build upon the guise you have formed for interaction. Perhaps you are playing the part of a sales man, technician, cleaner, etc.

Matching and Mirroring techniques. This is essentially mimicking, but not to a level that someone thinks your taking the piss. So what we are talking about is mirroring someone’s posture, gestures, breathing and such like. The reason for this process working is, the basis that people like people who are like themselves. From here you can change the tempo and watch for them unconsciously mirroring you, this leads to the rapport and buy in on an unconscious level.

Identifying similarities and listening. Another key element to building rapport is identifying similar interests (real or fake) and listening to the other person. Everyone likes the sound of their own voice, some more than others. This works really well at getting compliance, and all you need to do is drop in the occasional request or command, and get acceptance and confirmation and you know you are on your way.

Finally I will say that ensuring you look the part for the role you are playing, and you have the knowledge that should be associated with that role, and giving reassurance to your victim / subject. So if the role you are playing is of a telco engineer, have a basic comprehension of the lingo used, location of kit, who you should be interacting with, and wear the right clothes and badges. Take things a step further, and set expectations, and reassurance of what is going to happen, whether this is real or not doesn’t matter, this is just to get buy in.

So to summarise, I look to consider how my approach will be interpreted by the victim / subject, ensure I look the part, clothes, badges, business cards, tools, knowledge, etc. I communicate in a confident, influential manner, remain assertive, but open to discussion and listen. From here I will use appropriate opportunities to verify rapport and buy in, once confirmed go about getting what is needed. This last part is key. If you have not succeeded with getting buy in, most times its not worth pushing your luck, you would be best of rethinking your approach, and who to interact with. We will look later at reading the body signals to understand what someone is experiencing, and this is another useful skill for measuring your progression when building rapport.

Like many of the skills in SE, practice is a key element in success. I encourage you to go out and make friends with strangers you meet on the street, in bars etc. This is great practice for building rapport, you can use your other skills to spark conversation, magic, mentalism, and if its not working bosh them under and tell them YOU WILL LIKE ME

Cialdini’s 6 Rules of Influence.. Pick your weapon wisely

Robert Cialdini was a professor of psychology at Arizona State University until late 2009, when I believe he retired. So if you have not heard of this guy, I think your missing out on some valuable information. After many years of research and study he has come up with 6 rules of influence. 6 points that can be put to good use to improve your chances of getting the result your looking for.

Cialdini has a very popular book available that I have linked to on the resources page called “Influence: The Psychology of Persuasion”. I have not read the book myself, but its on my list and I am sure its a worth while read. So now your thinking, you have not read the book, so what on earth are you posting about. Well, I have seen a recording of a seminar he gave in the US on his 6 rules, and I thought this information would be good to share, spark some interest, and encourage you to try them out, and perhaps take up some further reading. I am sure once you read the 6 points, they will make sense and seem obvious (like most things do once we understand) and you will be able to recall situations you have been in the past where this information may be have used, or helpful to you.

So without further a do, the 6 points.

1 – Reciprocation
This is most likely the most useful rule. Its the rule of reciprocation, the fact that its human nature to feel the need to return a favour. Its this feeling, the feeling of obligation that puts us in such a powerful situation. If I was to ask you to lend me some money for a drink, of course I would be grateful. Should you ask in the future for the same of course I would do the same, I would feel obliged to return that favour. Reciprocation does not always need to be a exact / specification exchange, the point to focus on is the obligation. So seems obvious, but many of us just throw away this powerful weapon of obligation. How often have you done something for someone, and then when they ask say thank you, you destroy the situation with “No problem, it was nothing”. Kiss it good bye, you have lost your vantage point. We have are in an excellent position when someone thanks us for something, its a point of leverage. So next time your in this situation you can simply same the following “No problem, I know you would do the same for me”. In that simple response you ensured the obligation to return the deed is cemented. The great thing about obligation, there is no real time limit on when you decide to cash it in.

Another point of leverage is when someone says no. No one likes to hear it, and no one likes to say it either. We can use the rule of reciprocation in this situation also, in the form of concessions. An example is the following. You ask your boss if you can have funding to go to an expensive conference, and you are denied. You then retreat with your tail between your legs. A few days later you ask again, but this time for a cheaper conference. This is seen as a new request, and once again, no, access denied. We can be more successful if we look for reciprocation. After someone says no, they are vulnerable, and would ideally like to please. This is the time to strike and ask again for something more reasonable. There is a high probability of this being accepted, due to reciprocation. So next time you want to attend a conference, aim higher, and when denied ask for the conference you wanted to go to. You stand a higher chance, and if they said yes anyway to the more expensive conference you are sure they would not have agreed to, then even better.

2 – Scarcity
The next rule utilises the desire for something there isn’t a lot of, when something is scarce. The approach here is to communicate in a way as to highlight what someone will lose as a result of not going in the direction you want them to. In order to get even more acceptance exclusivity is something else that can be added to the scarce mix for additional success. An example for this can be easily demonstrated when we talk about information. If we are to tell someone that we have exclusive information, about a limited one time offer, people are hooked. The thought that not everyone is privy to this information, and the fact that this something will soon be unavailable, makes the proposal even more inviting. Give some thought as to how you can use this principle.

3 – Authority
If an expert says something, then it must be true. This is something we all find ourselves falling victim to, well I gave him my information because he was an expert, an authoritative figure. So to establish ourselves as a point of authority, we need to ensure we establish ourselves early on as someone who is knowledgeable, and trustworthy before trying to influence someone. When doing this it is essential to build rapport, and also to bring to the table negative information as well as the positive, this builds the sense of trustworthiness, as well as being knowledgeable on something, and as a result being an authoritative figure.

4 – Consistency
We are more willing to say yes to a request that is consistent with something they have already said or done. If we look for people to make a commitment to something, there stands a good chance they will be consistent with what they have said or written. Research shows if we can get someone to commit to doing something verbally, or ideally written down they are more likely to do it. It is this fact, that they have already said and confirmed they will do something that gives us the consistency.

5 – Consensus
If others are doing it, we are most likely to do it, its the power of the crowd. If there is a peception that everyone else thinks something is a good idea, or an individual is knowledgeable / authoritative, then we tend to fall in line and accept often without question that it must be true. If a friend was to introduce someone to you, and tell you that they are brain surgeon, you must likely will believe so. This is possibly a difficult example, as challenging the fact would be difficult.

6 – Liking
People prefer to say yes, to those they know and like. We can increase our chances of someone liking us by identifying similarities, complimenting people, and by cooperative efforts. We like people who are like us, we like people who like us and say so, and we like people we can work with in a cooperative way. This is another reminder of why rapport is so important.

I hope this information will be useful and some what interesting, as you can see some topics where touched on more than others. I will say that these 6 rules work globally, however research has shown that some are more significant in some countries more than others.

Reciprocation scores high in the US and UK, Authority scores high in ASIA, Consistency is very important in Germany, and Liking is very important in Spain.