What do these shoes have to do with Cybersecurity?
Updated: May 9, 2022
However, they do link to a story about human emotions and particularly how flattery is really effective as a psychological lever used by con artists to get their marks participating in their scams.
Let me tell you what happened…
I bought these shoes just a few weeks ago and really like them a lot. (For anyone who cares: yes I admit they are not the real Golden Goose, but a much cheaper South African rip-off version. Don’t judge me please.)
A week ago, after a lovely lunch with one of our clients - my first face-to-face meeting with customers in 18 months - I walked past a supermarket feeling pretty happy with myself and the world. I was not rushed, stressed, or anxious, just generally in a pretty good space.
So when this young guy called out to me “Hey nice shoes” I instantly felt flattered because, as mentioned above, I really love these shoes. Receiving his compliment made me stop and say thanks. The young man had light brown hair, was very skinny, and was well dressed. At first glance, he appeared like a European tourist, so when he asked where I got them from I happily supplied the details of the local store. He nodded and complimented me some more and then came a bit closer and in a serious voice asked:
“Tell me, are you judgmental?”
Here he directly linked into my ego again, because obviously, I don’t want to be seen as “judgmental”. By protesting that no, I don’t consider myself so, I believe he also framed my mind to switch off my “judgmental” or critical thinking. But that’s just a theory.
He then proceeded to tell me a sad story about how he just recently came out and that his highly conservative parents threw him out of the house. That he’s been living on the streets and hasn’t eaten anything proper in days and that he would give anything for a bottle of Coca-Cola. Feeling bad for him, but not willing to give him any money, I offered to buy him some food in the supermarket. He was really polite and seemed genuinely grateful so I agreed to pay for some of the essentials he needed. In we went together.
At some point, I felt a bit uncomfortable as he came a bit too close to me and invaded my personal space, but I’m generally quite sensitive to this, so discounted this feeling as my own issue. He started loading his basket with more and more stuff. After about 10 minutes, I realized he was taking advantage, but at that point, I was so deep into it that I couldn’t admit this to myself. I also didn’t want to cause a scene, so just asked him to hurry up so I could get back to work. Begrudgingly, I paid way more than I would have ever given him in cash. As I walked out the door I realized he took me for a ride and probably also tried to steal my phone when he came so uncomfortably close to me and my handbag.
On my walk back to the office, I reflected on this bizarre experience and realized that I just fell for a typical street con. And this despite me preaching security awareness for a living. I felt like a double face-palm was in order.
So what did I do wrong here?
Firstly, he got me through plain old flattery. Flattering our ego is a good way to build rapport. Rapport building is one of the techniques social engineers use to get us to lower our inhibitions and make us trust them. Note to self: receiving compliments about shoes is obviously a weakness I have and which I should watch out for more.
Interestingly enough, another way of creating rapport and trust is by sharing (or pretending to share) something personal or private. When someone confesses something to you, it releases oxytocin (the cuddle, feel-good hormone) and makes us more likely to share something in return. This is a very common and effective technique used by social engineers.
He caught me in a moment of relaxation. This I found quite interesting, as we often warn that people are most likely to be tricked when stressed or anxious. When it comes to “empathy”, feeling rushed highly influences how we react. According to the famous seminary experiment about the Good Samaritans: “The amount of "hurriedness" induced in the subject has a major effect on helping behaviour”. In simple terms, if I was more in a rush or more stressed to make it back to the office on time, I probably would have just waved him off.
I felt something wasn’t right but I was so deep in it that I was too ashamed or embarrassed to stop it. Apparently, this happens to a lot of victims and scammers work with that. Having to admit to ourselves that we are being scammed is a big hit to our ego. We don’t like being seen as stupid, so we would rather play along.
What I find interesting is that I should know a lot of this stuff as it is literally my job to warn people about these types of tricks, yet I still fell for it. Changing security culture or human nature is really not an easy task. Sharing stories from the real world, though, helps to raise awareness and bring across principles that apply both in the real and digital world. Even if they are a bit embarrassing. Feel free to make nice comments about my shoes though anytime.