Social Engineering and Mirroring the Emotional State

Effective social engineers are "high self-monitors"—they subconsciously pick up social cues and adjust their presentation, identifying topics of interest, appearing non-threatening through nonverbal cues, and modulating emotional state to match others. Research by Mark Snyder shows some people excel at this naturally.

What personality traits make some individuals particularly good at social engineering? Robin Dreeke shared his insights on characteristics of an effective and successful social engineer in a recent post on Social-Engineer.Org. Robin’s article highlights the following traits:

Being able to identify topics that are of interest to the subject and then validating “the individual’s belief in his or her own sense of greatness”
Being able to appear non-threatening through nonverbal interactions, such as the facial expression or the body posture
Being able to use voice to reinforce that the social engineer “is a safe and good person to converse with”

One way to summarize these characteristics is to use the personality trait called high self-monitor, of which I learned while reading Click: The Magic of Instant Connections by Ori and Rom Brafman. The authors describe research by Mark Snyder that shows that some people particularly good at picking up on “social cues and adjusting how they act and how they are perceived by others.” Mark called these people high self-monitors because they can “monitor (observe and control) their self-presentation and expressive behavior.” (Mark wrote a book on the topic of self-monitoring.)

Individuals characterized as high self-monitors excel at modulating their emotional state to match that of others. In fact, research suggests that they do this subconsciously. This ability makes them naturals at identifying the right topic for the discussion and being friendly during both verbal and nonverbal interactions.

Can people learn to be high self-monitors? I suspect so, but I haven’t seen any research regarding this. Have you?

For more on social engineering, see my earlier posts on the asymmetry of data value and on integrating social engineering into an information security assessment.

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.

Learn more →