Developing rapport

While similar to the principle of liking, rapport goes beyond that by creating a relationship or bond with the victim.

In fact, building rapport is about creating a trusting relationship with the victim with the objective to make the victim feel comfortable and thus more prone to execute a given task or to give some sensitive information. As humans, we tend to share data freely with people we trust, and thus for an attacker, developing an instant rapport is key.

There are many tactics that an attacker can leverage to create rapport, so let’s see the most used tactics to develop rapport.

Using appropriate body language

To develop rapport, it is key that the victim doesn’t perceive you as a potential threat; instead, you should represent a friendly figure that is there to help and listen. For example, for an attacker, a stressed or nervous attitude may cause distrust in the victim, while a relaxed attitude will be reflected in a more friendly body language that will make the victim feel more engaged and comfortable.

Figure 1.12 – Example of using body language to influence the victim

As seen in the preceding figure, a person with relaxed body language gives confidence to the victim to perform a dangerous action (in this case, to provide a security PIN).

Using your knowledge to help

Being arrogant by presuming deep technical knowledge will not help to build rapport. Instead, attackers will look for opportunities to help others with their technical knowledge. This tactic will help to build an almost instant rapport with the victim because first, the victim is now in debt to the attacker, but also because the attacker unconsciously set themself as a technical expert in the eyes of the victim.

Figure 1.13 – Using your knowledge to build rapport

As seen in the preceding figure, the attacker uses their knowledge to build rapport with the victim while also setting themself as an expert. Then, they leverage it to execute the attack by giving a false link to the victim that will collect the victim’s credentials.

Complimenting

Let’s be honest, we all like compliments, and this is another great way to build rapport. Of course, it needs to be subtle; as mentioned, this is an art form, and abusing any tactic may be perceived by the victim and that will not cause the desired effect. Instead, this needs to be natural and genuine to ensure the victim will feel it in that way. Some examples of compliments are saying something nice about the clothes they are wearing, or any other characteristics of the person such as the color of their eyes, their lovely smile, or even their attitude.

Figure 1.14 – Example of using compliments to influence the victim

As seen in the preceding figure, the attacker compliments the victim by stating that they are very smart and cares about security. That compliment creates rapport and the attacker will leverage that to trick the user to put their password into a non-secure page, allowing the attacker to capture the victim’s credentials.

Supporting other points of view

There are people that may feel discriminated against because their opinion is part of a minority group. In those cases, an attacker may leverage that to create instant rapport by supporting that point of view in front of the victim. As mentioned, this needs to seem genuine and to achieve that, the attacker must understand the topic they are supporting very well in order to be able to drive a friendly conversation with the victim to further their relationship of trust.

Figure 1.15 – Example of influencing the victim by creating a rapport

As seen in the preceding figure, an attacker would take the opportunity of someone complaining about security policies to agree with the victim (to build rapport) and then to offer a “solution” to avoid that security policy, which, in the end, will enable the attacker to access data and corporate systems.