The Seven Deadly Social Engineering Vices

By Stu Sjouwerman, for Security Awareness Training

You may not be aware that there is a scale of seven deadly vices connected to social engineering. The deadliest social engineering attacks are the ones with the highest success rates, often approaching 100%. What is the secret of these attacks? Why do they succeed so well?

Your own observations show you that people are very different. Some are always enthusiastic and willing to learn something new. Others are more conservative but courteous to their co-workers. A bit further down this scale are people who always look bored with life, and at the bottom are those who just don’t care and are basically apathetic about everything.

Successful social engineers first determine where their target sits on this scale, and then select the attack that has the highest chance of success with that person, closely matching the target’s outlook on life.

This scale of vices can be approached from either a negative or positive side. You can either call it gullibility or you can call it trust, call it greed or self-interest, but since we’re talking vices here we’ll stick to the negative labels.

Here are seven social engineering attacks that I hope serve as a good example of each of the deadly vices, but note that there is always overlap and things are not that clear-cut. We are dealing with humans, after all!


The attacker left a USB stick next to the washing basin in the restroom of the floor that had the executive offices and their administrative assistants. It was clearly marked ‘Q1 Salary Updates’. The USB drive had modified malware on it that installed itself and called home from any workstation it was plugged into. This attack was 90% effective.


The attacker focused on the CEO of his target company. He did his research and found that the CEO had a relative battling cancer and was active in an anti-cancer charity. The attacker spoofed someone from the charity, asked the CEO for feedback on a fund-raising campaign and attached an infected PDF. Mission achieved: the CEO’s PC was owned, and the network followed shortly after. And of course, holding the door open for a stranger whose hands are full of boxes is the classic ‘Courtesy’ piggybacking example that we all know.

Article continued here

This excerpt appears with permission from

14 thoughts on “The Seven Deadly Social Engineering Vices”

  1. Computer hacking could be virtually stopped: if the penalties were severe enough! I mean… long prison terms, property confiscation and even death penalties!

    • Way to go John, I think people who drop litter should also receive the death penalty. But not corrupt politicians from your hometown, they are only sick, right?

    • Calm down man, I think street criminals would be better for the death penalty. Would you prefer to get killed in real life, or to have $100 stolen from your credit card?
