Psychological manipulation tactics: the art of social engineering defence

Course description:

This immersive course explores the psychology behind social engineering attacks, including pretexting, quid pro quo, and honey traps. Through interactive roleplays, real-world case studies, and team exercises, participants will learn to recognise and counter manipulation tactics in both professional and personal contexts. Designed to be engaging and memorable, with no exams—just practical, hands-on learning.

This course description is open source. Feel free to use it.


Course outline

Duration: 1 day (5.5 hours including breaks, or 7.5 hours with the optional Session 4)

Format: In-person or virtual (adaptable for both)

Audience: Security teams, customer-facing staff, HR professionals, and anyone interested in human behaviour and security.


Timetable

Session 1: The psychology of manipulation (60 mins)

  • Core principles: authority, urgency, reciprocity, and consistency in social engineering

  • Real-world cases: The Twitter bitcoin scam (2020, phone spear phishing of staff with access to internal tools), fake IT support calls, romance scams

  • Activity: “Spot the hook” – identify the psychological trigger in sample scam messages

Session 2: Tactics deep dive (90 mins)

  • Pretexting: Creating fake scenarios (e.g., impersonating colleagues or officials)

  • Quid pro quo: Fake rewards or exchanges (e.g., “help me and I’ll help you”)

  • Honey traps: Romantic or emotional manipulation

  • Hands-on: Analyse real scam scripts and identify red flags

Break (15 mins)

Session 3: Defence strategies (90 mins)

  • The “trust but verify” framework for organisations: confirm any unusual request over an independent channel, using contact details already on file rather than those supplied in the message

  • Personal protection: Digital hygiene and social media awareness

  • Roleplay: “The suspicious request” – participants practise resisting manipulation

Lunch (30 mins)

Session 4: Red team vs blue team exercise (120 mins, optional)

  • Based on the 2015 Ubiquiti Networks $46.7M business email compromise case, in which finance staff at a subsidiary were induced by impersonated executives to wire funds to attacker-controlled accounts

  • Red team: Designs a multi-tactic social engineering attack

  • Blue team: Implements detection and response protocols

  • Debrief: What worked, what didn’t, and key takeaways

Session 5: Building resilience (45 mins)

  • Creating personal and organisational defence plans

  • Quiz: “Scam or legit?” – evaluate real-world scenarios

  • Q&A and wrap-up discussion


Resources required

  • Sample scam call recordings and email transcripts

  • Roleplay scenario cards for different attack types

  • Red team/blue team briefing documents

  • Quiz materials with real case examples

  • Printed “psychological triggers” cheat sheets


Key activities explained

  1. “Spot the hook” activity
    Participants analyse real scam messages to identify which psychological principles (authority, urgency, etc.) the attacker is exploiting.

  2. Roleplay: “The suspicious request”
    In pairs, one participant plays an attacker using pretexting tactics while the other practises verification and refusal techniques.

  3. Red team vs blue team exercise
    Teams recreate a sophisticated business email compromise scenario, with one side attacking and the other defending.
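The “Spot the hook” activity and the blue team's detection protocol in the red team vs blue team exercise can be given a concrete, runnable form. The following is an added example written for this page, not part of the course materials: a small Python checker that scores a message for the Session 1 psychological triggers and for the technical red flags of business email compromise (look-alike sender domain, Reply-To pointing elsewhere, a known display name on an unexpected address, and a payment instruction). The organisation domain, staff directory, phrase lists and both sample emails are constructed assumptions for the exercise.

```python
"""Added example (not course material): heuristic checker for "Spot the hook" and the
blue-team side of the BEC exercise. Domain, staff list and phrases are assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List

TRUSTED_DOMAIN = "example.com"  # assumed organisation domain
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}  # assumed directory: display name -> real address

# Starter phrase lists for the Session 1 triggers (assumption: not exhaustive; tune per organisation).
TRIGGER_PATTERNS = {
    "authority": r"\b(ceo|cfo|director|board meeting|legal counsel)\b",
    "urgency": r"\b(urgent(ly)?|immediately|today|within the hour|asap)\b",
    "reciprocity": r"\b(as a favou?r|i'?ll (make it up|owe you)|in return)\b",
    "consistency": r"\b(as (we|you) (agreed|discussed)|like last time|as usual)\b",
    "secrecy": r"\b(confidential|keep this between us|do not (discuss|mention))\b",
}
PAYMENT_PATTERN = r"\b(wire|transfer|bank details|new account|iban|sort code|routing number)\b"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character typosquats of the trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def confusable_fold(label: str) -> str:
    """Fold look-alike sequences (rn->m, vv->w, 1->l, 0->o ...) so 'examp1e' and 'exarnple' read as 'example'."""
    label = label.replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("0135", "oles"))


def is_lookalike(domain: str, trusted: str) -> bool:
    """True when the domain is not the trusted one but is one edit or a confusable fold away from it."""
    if domain == trusted:
        return False
    d, t = domain.split(".")[0], trusted.split(".")[0]
    return confusable_fold(d) == t or levenshtein(domain, trusted) <= 1


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw_message: str) -> Dict[str, object]:
    """Return the psychological hooks found in the text plus technical red flags from the headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    hooks = sorted(name for name, pat in TRIGGER_PATTERNS.items() if re.search(pat, text))
    flags: List[str] = []
    from_dom = domain_of(from_addr)
    if is_lookalike(from_dom, TRUSTED_DOMAIN):
        flags.append(f"from-domain-lookalike:{from_dom}")
    if reply_to and domain_of(reply_to) != from_dom:
        flags.append("reply-to-domain-differs")
    expected = KNOWN_STAFF.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display-name-impersonation")
    payment = re.search(PAYMENT_PATTERN, text) is not None
    if payment:
        flags.append("payment-instruction")

    # Blue-team decision rule: a payment instruction that also carries a header anomaly or a
    # psychological hook must be confirmed out of band (a number already on file, never the email).
    return {
        "hooks": hooks,
        "flags": flags,
        "verify_out_of_band": payment and (len(flags) > 1 or bool(hooks)),
    }


# Constructed sample messages for the exercise (not real correspondence).
SUSPICIOUS_EMAIL = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-example.net
To: accounts@example.com
Subject: URGENT wire transfer - confidential

I'm stuck in a board meeting and can't take calls. As we discussed, please
wire the deposit to the new account below today. Keep this confidential
until the deal is announced; I'll make it up to you.
"""

BENIGN_EMAIL = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Thursday lunch

Are you free for lunch on Thursday? No rush, let me know next week.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyse(raw))
```

The phrase lists are the weakest part by design: they exist so participants can see which sentence tripped which trigger, and a real attacker will avoid the obvious words. The header checks and the out-of-band rule are the part worth keeping in a production mail pipeline; the debrief can usefully ask the red team to rewrite the sample so that it passes the phrase checks while still failing the header ones.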


Takeaways

  • Personal “manipulation detection” checklist

  • Experience recognising different social engineering tactics

  • Practical scripts for verifying suspicious requests

  • Completion certificate


Notes for facilitators

  • Emphasise the ethical boundaries of roleplay exercises

  • For virtual delivery, use breakout rooms for small group activities

  • Encourage participants to share personal experiences (without sensitive details)

  • Keep the tone engaging but serious when discussing real-world impacts

This course transforms abstract security concepts into tangible, memorable lessons through experience-based learning and collaboration.


Last update: 2025-06-08 13:05