The Art of Social Engineering E-Book

Cesar Bravo
Description

Social engineering is one of the most prevalent methods used by attackers to steal data and resources from individuals, companies, and even government entities. This book serves as a comprehensive guide to understanding social engineering attacks and how to protect against them.
The Art of Social Engineering starts by giving you an overview of the current cyber threat landscape, explaining the psychological techniques involved in social engineering attacks, and then takes you through examples to demonstrate how to identify those attacks.
You’ll learn the most intriguing psychological principles exploited by attackers, including influence, manipulation, rapport, persuasion, and empathy, and gain insights into how attackers leverage technology to enhance their attacks using fake logins, email impersonation, fake updates, and executing attacks through social media. This book will equip you with the skills to develop your own defensive strategy, including awareness campaigns, phishing campaigns, cybersecurity training, and a variety of tools and techniques.
By the end of this social engineering book, you’ll be proficient in identifying cyberattacks and safeguarding against the ever-growing threat of social engineering with your defensive arsenal.

Format: EPUB

Page count: 299

Year of publication: 2023




The Art of Social Engineering

Uncover the secrets behind the human dynamics in cybersecurity

Cesar Bravo

Desilda Toska

BIRMINGHAM—MUMBAI

The Art of Social Engineering

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Prachi Sawant

Book Project Manager: Ashwin Dinesh Kharwa

Senior Editor: Isha Singh

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Proofreader: Safis Editing

Indexer: Rekha Nair

Production Designer: Ponraj Dhandapani

DevRel Marketing Coordinator: Marylou De Mello

First published: October 2023

Production reference: 1270923

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB

ISBN 978-1-80461-364-1

www.packtpub.com

To our beloved son, Thomas.

This book, born during the wondrous days of your arrival, symbolizes the power of dedication and passion. We want you to know, dear Thomas, that you are the very spark that ignited the flames of commitment and purpose within our hearts.

Just as we watched you take your first steps, stumble, and then rise with unyielding determination, so too did this book evolve through countless revisions, fueled by our relentless dedication. It stands as a testament to the incredible potential that resides within us all when we pursue our dreams with unwavering passion.

Thomas, you are the embodiment of inspiration. Your boundless curiosity and fearless exploration of the world around you remind us daily that anything is possible with dedication and perseverance.

This book is dedicated to you, our little motivator, to encourage you to dream without limits, to reach for the stars, and to remind you that your passion can set the world ablaze.

May it serve as a living testament to the limitless possibilities that await you, and as a constant reminder that, with dedication, there are no heights you cannot reach. Your presence has filled our lives with immeasurable joy, and we dedicate this book to you as a token of our love and belief in your limitless potential.

With all our love, Mom and Dad

Cesar and Desilda

Foreword

It’s my privilege to introduce The Art of Social Engineering, written by Cesar Bravo and Desilda Toska. Both authors are not just scholars in cybersecurity but also inventors who have pioneered some of the most groundbreaking tools and methodologies we use today. Their combined expertise provides an unparalleled depth of understanding of the intricate dance of human psychology and digital security.

Over the years, as I’ve navigated the ever-evolving corridors of cybersecurity, it has become clear that no firewall or encryption protocol can offer a foolproof defense against a hacker armed with a deep understanding of human behavior. The most complex security system can crumble with misplaced trust, a single innocent click, or an unsuspecting reply. Social engineering is, in essence, the act of manipulating people into divulging confidential information, not necessarily through technical means but through the power of persuasion, deception, and psychological manipulation.

This book offers more than just a glimpse into the techniques used by social engineers; it serves as a comprehensive guide, a deep dive into the intricate web of tactics, strategies, and real-world examples. Whether you’re a seasoned security expert, a business owner trying to safeguard your assets, or just a curious reader, there’s something in these pages for you.

Bravo and Toska have not merely presented a manual; they’ve crafted a masterpiece. They have blended their profound knowledge with engaging narratives, making complex concepts digestible and relatable. It’s a journey through the delicate balance between trust and caution, intuition and investigation, safety and vulnerability.

As our world further intertwines with technology, and as the lines between the digital and the physical continue to blur, understanding the art and science of social engineering becomes paramount. This book isn’t just about understanding the threats; it’s about fostering a culture of vigilance, critical thinking, and continuous learning.

Humans are and will continue to be our most important defense.

In the hands of Cesar Bravo and Desilda Toska, you’re not just reading about social engineering; you’re delving into the minds of masters. Prepare to be enlightened, to be astounded, and most importantly, to be prepared.

Stay safe, stay informed, and always remember – the most important line of defense is an educated mind.

Rhonda Childress

VP and Chief Innovation Officer Security and Resiliency at Kyndryl

Kyndryl Fellow

IBM Fellow Emeritus

Contributors

About the authors

Cesar Bravo is a researcher who has created and patented more than 100 inventions related to cybersecurity in the US, Germany, China, and Japan.

Cesar has been working with several universities across the world to teach cybersecurity at all levels, including a master’s degree in cybersecurity (in which he also served as thesis director).

In recent years, Cesar has become a recognized speaker (including a TEDx talk) with international presentations in the UK, Germany, Mexico, the US, and Spain.

His last book, Mastering Defensive Security, was translated into several languages, and with thousands of copies sold around the world, it is widely recognized as a must-read book in cybersecurity.

Desilda Toska (de Bravo) embarked on her professional journey as a QA engineer, honing her skills through years of dedicated work. Starting out as a consultant, she quickly ascended the ranks to become a first-line manager and eventually assumed the role of the head of the automation practice at IBM CIC Italy. During her tenure at IBM, Desilda discovered her fervent passion for crafting innovative programs using IoT technologies. This enthusiasm led her to become a prominent female inventor with several inventions patented in the ever-evolving field of technology, particularly in the realm of cybersecurity. Equipped with an unquenchable thirst for knowledge, Desilda earned her MSc degrees from the University of Tirana, Albania, and a Doctorate Magistrale degree from the University of Milan, Italy, both in computer science. Desilda has expanded her horizons yet again as a university teacher.

This book is dedicated to those who stand as sentinels against the crafty architects of social engineering.

To the bold souls venturing into the cybersecurity journey, this book is a call to action, a testament to the indomitable human spirit, and a reminder that in the face of ever-evolving threats, we possess the power to do what’s right and protect the world.

May this book serve as a shining example of wisdom, empowering you to thwart the schemes of those who seek to exploit the human element. Together, we can fortify the digital landscape and protect the innocent from the cunning wiles of social engineering.

Our hope is that this book will inspire you to embrace the same dedication and passion that we poured into its creation.

About the reviewer

Anton Belik has worked in the cybersecurity field for more than 15 years. He was the CEO of a security start-up, Pyrobox, and helped build security teams from scratch at several high-load projects, start-ups, and big manufacturing companies. He is passionate about the web, network, cloud, hardware security, and social engineering. He is a certified Offensive Security Certified Professional and a member of the JBFC security community.

I’d like to thank my family and friends who understand the time and commitment it takes to research and test data that is constantly changing. Working in this field would not be possible without the supportive community.

Table of Contents

Preface

Part 1: Understanding Social Engineering

1

The Psychology behind Social Engineering

Technical requirements

Disclaimer

Understanding the art of manipulation

Examining the six principles of persuasion

Developing rapport

Using appropriate body language

Using your knowledge to help

Complimenting

Supporting other points of view

Leveraging empathy

Leveraging influence for defensive security

Summary

Further reading

2

Understanding Social Engineering

Technical requirements

Detecting social engineering attacks

Social media attacks

The lost passport

The federal government grant

Romance scam

Fake investment

Fake advertisements

Social engineering and the crypto scam

Summary

3

Common Scam Attacks

Technical requirements

What is a scam?

The Nigerian scam (419)

The history of the scam

Identifying the Nigerian scam

Types of Nigerian scams

Funny Nigerian scams

Avoiding these scams

Other scams

The investor scam

The Business Email Compromise scam

Fraud compensation

Scambaiting

Summary

4

Types of Social Engineering Attacks

Technical requirements

Disclaimer

Phishing attacks

History of phishing attacks

Famous phishing attacks

Types of phishing attacks

Baiting

Physical baiting

Cyber baiting

Protecting yourself against baiting

Dumpster diving

Tailgating

Quid pro quo

Free tech support

Free software to download

How to protect yourself against quid pro quo attacks

Pretexting

Fake job offers

False charities

Watering hole

Crypto mining

Summary

Further reading

Part 2: Enhanced Social Engineering Attacks

5

Enhanced Social Engineering Attacks

Technical requirements

Disclaimer

Targeted attacks

Identifying high-value targets

OSINT

OSINT tools

OSINT methods

OSINT use cases

Web-based attacks

Fake logins

Fake updates

Scareware

Fake pages

Magic-ware

Hacking-ware

Gaming-based attacks

Forum-based attacks

Adware

Summary

6

Social Engineering and Social Network Attacks

Disclaimer

Social engineering through mobile applications

Malicious apps and app-based attacks

Exploiting app permissions for data access

The challenges in identifying and mitigating such attacks

Social engineering via social networks

Clickbait attack

WhatsApp-based attacks

Instagram-based attacks

Other attacks

Sextortion

Fake news attacks

Forex scams

Summary

7

AI-Driven Techniques in Enhanced Social Engineering Attacks

Technical requirements

Artificial intelligence in social engineering attacks

The growing role of AI in social engineering

AI-driven social engineering techniques

Strategies for combating AI-enhanced social engineering attacks

Understanding the threat landscape

Implementing effective security measures

Fostering a culture of security and awareness

Strengthening collaboration and information sharing

Understanding deepfakes

Deepfake videos

How to detect deepfake videos

Deepfake audio

Implications for social engineering attacks

Other AI attacks

Summary

8

The Social Engineering Toolkit (SET)

Technical requirements

SET

Importance of understanding SET in cybersecurity

Installing and setting up SET

System requirements for SET installation

Downloading and installing SET

Executing SET

Understanding the main components and modules of SET

Social-Engineering Attacks

Penetration Testing (Fast-Track)

Other options

Mitigation and defense against SET attacks

Technical controls and vulnerability management

User awareness and training

Email and web filtering

IR and TI

Access controls and privilege management

Continuous monitoring and response

Summary

Further reading

Part 3: Protecting against Social Engineering Attacks

9

Understanding the Social Engineering Life Cycle

Technical requirements

Disclaimer

The history of the social engineering life cycle

The iconic Kevin Mitnick

The social engineering life cycle

Reconnaissance

Target selection

Pretext development

Engagement

Exploitation or elicitation

Execution (post-exploitation)

How to stay protected

Control your social media posts

Configure your privacy settings on social media

Beware of fake profiles

Be cautious

Be careful with dating sites

Avoid social media bragging

Be mindful of your posts

Remove image metadata

Implement awareness campaigns

Summary

10

Defensive Strategies for Social Engineering

Technical requirements

Disclaimer

Importance of defensive strategies

Recognizing social engineering red flags

Employee awareness campaigns

Phishing campaigns and countermeasures

CTF exercises

Enhanced cybersecurity training

Assessing the effectiveness of existing cybersecurity training programs

Identifying gaps and areas for improvement

Case studies and lessons learned

Analyzing real-world social engineering incidents

Extracting valuable lessons from past experiences

Summary

11

Applicable Laws and Regulations for Social Engineering

Technical requirements

Examples of laws and regulations around the world

Convictions for social engineering – lessons learned from notable cases

Summary

Index

Other Books You May Enjoy

Preface

Social engineering is one of the most common methods used by attackers to steal data and resources from people, companies, and even governments.

This book, The Art of Social Engineering, provides readers with a comprehensive understanding of social engineering attacks and how to protect against them. It starts by explaining the psychological principles behind social engineering attacks and the current threat landscape and providing a series of examples to help you identify those attacks.

After that, you will learn about the most interesting psychological principles used by attackers, including influence, manipulation, rapport, persuasion, and empathy. You will also understand how attackers leverage technology to enhance their attacks by using fake logins, impersonating emails, displaying fake updates, and even using social media as their favorite means to execute attacks.

Of course, the book will also teach you how to develop your own defensive strategy, including awareness campaigns, phishing campaigns, cybersecurity training, capture the flag, and many more tools and techniques.

By the end of this book, you will have a good knowledge of social engineering, which will enable you to easily identify, prepare, and protect against the ever-growing threat of social engineering attacks and keep you and your organization safe!

Who this book is for

This book is for cybersecurity professionals who want to expand their knowledge of the tools, strategies, and mechanisms used in social engineering attacks.

It is also suitable for professionals who want to change their mindset to increase their level of awareness against social engineering attacks, IT specialists who want to understand how to prevent social engineering attacks, and students who want to improve their knowledge of social engineering attacks and their relevance in the current context of social media.

It is also useful to managers and other decision-makers who want to understand the impact of social engineering on their companies, HR managers who want to create strategies to reduce the possibility of social engineering attacks, and government officials who want to understand the impact of social engineering attacks on politics.

What this book covers

Chapter 1, The Psychology behind Social Engineering, provides a deep dive into the art of manipulation and how attackers leverage psychological principles to influence the actions of victims.

Chapter 2, Understanding Social Engineering, provides an overview of the most common social engineering attacks on social media, how to spot them, and how to avoid them.

Chapter 3, Common Scam Attacks, provides a comprehensive overview of the most common types of scams and how to avoid them.

Chapter 4, Types of Social Engineering Attacks, provides a comprehensive examination of the most common social engineering attack types, coupled with guidance about how to recognize and prevent them.

Chapter 5, Enhanced Social Engineering Attacks, helps you discover how technology is being used by attackers to elevate their social engineering techniques and learn effective methods for the detection and prevention of these attacks.

Chapter 6, Social Engineering and Social Networks Attacks, provides an exploration of the wide-ranging landscape of social engineering attacks through social networks and mobile apps, including comprehensive guidance on how to protect against those attacks.

Chapter 7, AI-Driven Techniques in Enhanced Social Engineering Attacks, explores the intersection of AI and social engineering in cybersecurity, covering AI’s role in advanced attacks, the impact of deepfakes, and AI-driven phishing attacks.

Chapter 8, The Social Engineering Toolkit (SET), provides a deep dive into the SET framework, including its installation and configuration and a comprehensive review of its components, plus invaluable insights into mitigating and defending against SET-driven attacks.

Chapter 9, Understanding the Social Engineering Life Cycle, provides a thorough exploration of the social engineering life cycle, meticulously unveiling its distinct stages while equipping you with indispensable knowledge to protect you and your organization against these attacks.

Chapter 10, Defensive Strategies for Social Engineering, helps you discover modern defensive strategies against social engineering threats, including employee awareness, phishing countermeasures, practical exercises, capture-the-flag exercises, cybersecurity training, and real-world case studies.

Chapter 11, Applicable Laws and Regulations for Social Engineering, helps you navigate the legal landscape, uncovering the protective measures and regulatory frameworks designed to combat social engineering, plus lessons learned from notable legal cases.

To get the most out of this book

While this book is self-contained and there are no prerequisites, basic cybersecurity knowledge is a plus.

Software/hardware covered in the book     Operating system requirements
The Social Engineering Toolkit (SET)      Linux

You can complement the knowledge in this book by also reading Mastering Defensive Security by Cesar Bravo, as that will give you a more in-depth understanding of the cybersecurity field.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "This patent shows a cognitive system capable of identifying and preventing scam attacks: https://patents.google.com/patent/US10944790B2/en?inventor=cesar+bravo.”

Any command-line input or output is written as follows:

$ sudo apt install set -y

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "Then, to make this even more attractive, notice that the button says One-click transfer without password."

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read The Art of Social Engineering, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/9781804613641

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1: Understanding Social Engineering

Part 1 is about acquiring a comprehensive understanding of social engineering, the types of attacks, as well as the psychological concepts used by attackers.

This part has the following chapters:

Chapter 1, The Psychology behind Social Engineering

Chapter 2, Understanding Social Engineering

Chapter 3, Common Scam Attacks

Chapter 4, Types of Social Engineering Attacks

1

The Psychology behind Social Engineering

You have probably heard the term social engineering before, either in the news (as part of a big scam) or even in your job as part of the annual security awareness program.

But what is social engineering? Well, to make it simple, we can just say that social engineering is the art of manipulating people to perform an action that will provide a benefit for the attacker. That action could be in the form of disclosing information, executing an action (such as executing a command), or even disabling or bypassing a security measure.

In other words, social engineering is focused on “hacking” the users, not the systems.

Now, to better understand social engineering, it is imperative to understand the psychology, principles, and tactics behind those attacks. Attackers will leverage a set of psychological concepts, principles, and tactics to successfully manipulate the victim. They will then use the art of manipulation to influence the victim to either reveal sensitive information (passwords, users, etc.) or even perform a given action (such as disabling the antivirus).

Understanding those tactics will help you to identify when you are a target and avoid falling into these elaborate attack vectors. For this reason, in this chapter, we will cover the following main topics:

The art of manipulation

Tactics and principles used to influence the victims

Developing rapport

The weakness behind empathy

Leveraging influence tactics for defensive security

Technical requirements

There are no technical requirements for this chapter.

Disclaimer

All characters in the illustrations are fictional characters.

Illustrations are inspired by real attacks; therefore, the language used (including spelling and grammatical errors) is intentional.

Understanding the art of manipulation

Social engineering is the art of manipulating users to perform actions or divulge confidential information for the benefit of the attacker.

Examples of those actions can be as follows:

Install a given software (which may contain malware)

Remove some security settings or applications (disable the antivirus, firewall, etc.)

Execute an unknown command that may impact the confidentiality, integrity, or availability of data (for example, delete a table using SQL commands)

Create or edit an active user (that will provide access to the attacker)

Change system configurations (to facilitate access to data)

Additionally, examples of the types of information that the attacker may want to gather from the victims are as follows:

User credentials (usernames, passwords, etc.)

Trade secrets

Organizational information (which can be used later for whaling attacks)

Financial information

Corporate sensitive information (clients, price lists, etc.)

Sensitive personal information (used for impersonation attacks)

While most people believe they will never fall victim to this type of attack, the truth is that we are all susceptible to a social engineering attack.

In fact, social engineering attacks have evolved into well-fabricated scenarios that are carefully crafted to leverage a series of psychological paradigms to effectively trick and manipulate the victim without them even noticing that they are under attack.

Therefore, organizations must invest time and resources to include social engineering awareness campaigns as part of their cybersecurity strategy to reduce the risks of employees falling into these types of attacks.

A common mistake is to focus social engineering awareness campaigns on IT people, while in reality, attackers prefer to attack other employee profiles, as follows:

Non-IT employees: Attackers assume that non-IT personnel are less aware of the consequences of executing a given command. The following figure shows a typical example of how an attacker can manipulate an employee into executing a command to delete hundreds and even thousands of records in a database:

Figure 1.1 – Manipulating non-IT employees

Overwhelmed users: We all know that some companies are happy to assign overwhelming workloads and job responsibilities to some employees. This is, of course, a terrible business practice, but it can also become a vulnerability that attackers may want to exploit. For example, as shown in the following figure, an attacker can manipulate an overwhelmed employee to gain access to a restricted location (which will enable the attacker to perform a super dangerous physical attack):

Figure 1.2 – Manipulating overwhelmed users

Sales teams: Sales teams are normally overstretched to achieve sales quotas at the end of the quarter. Attackers can leverage that stress to manipulate the victim to perform a restricted action, as highlighted in the following figure:

Figure 1.3 – Manipulating sales teams

Executive assistants: Executive assistants handle a lot of sensitive information that is a potential target for attackers. Therefore, executive assistants are a common target that attackers may try to manipulate to gain access to that information. The following figure shows an example of how an attacker can impersonate an IT manager to obtain a password reset code to gain access to the senior manager’s account:

Figure 1.4 – Manipulating executive assistants

Of course, those are only a few examples of groups that are more prone to social engineering attacks, but in the end, what we want to highlight is the importance of ensuring that the organization is well-trained and aware of the threats of social engineering attacks.

The bottom line is that users are the biggest layer of defense to prevent those attacks in your organization. Therefore, ensuring that everyone is well-trained to recognize those attacks should be a key component of your cybersecurity strategy.

Now, while manipulation is the art used by attackers, there are a lot of psychological principles behind it that enable the attacker to successfully manipulate users not only into performing those actions but into doing so without doubting the intention of the attacker. Let’s review them in detail.

Examining the six principles of persuasion

As mentioned, social engineering is an art, an art that can be improved with time but can also be learned by applying several tactics.

Those tactics were highlighted by Robert Cialdini (behavioral psychologist) in the book The Psychology of Persuasion, in which he divides those tactics into six key principles, as shown in the following figure:

Figure 1.5 – Key principles of influence

Now, let’s review each of those principles:

Reciprocity: There is a strong sense of payback when we receive something from others. Therefore, an attacker may use this technique by giving you something or doing a favor for you to influence your brain to do something for them later.

Figure 1.6 – Example of using reciprocity to influence a victim

Commitment and consistency: If you commit to something, it is likely that you will honor that commitment, even if the original commitment or incentive slightly changes. That is exactly what the attacker wants. First, the attacker will make you commit to something reasonable and then slightly change it at the last minute to something you may have doubts about, but due to the previous commitment, you are likely to accept and proceed. The following figure shows an example of how an attacker can use this to gain physical access:

Figure 1.7 – Example of using commitment to influence a victim

Social proof: This principle is based on the fact that people’s behaviors are influenced by what others do in a given place (the culture of the place). For example, in companies with a mature cybersecurity culture, tailgating is seen as an unacceptable behavior. However, the same action (tailgating) can be seen as just being polite in other companies with less cybersecurity awareness, as illustrated in Figure 1.8:

Figure 1.8 – Example of using social proof to influence the victim

Authority: People are more likely to follow an order when it is given by a person with authority (or at least someone pretending to have it). Impersonating a cybersecurity expert, influencer, or any other credible or known person is a typical case of using authority to influence the victim into executing a questionable action. As seen in Figure 1.9, the attacker calls the victim, impersonating someone from the IT or security department. Then, the attacker asks the victim to read back a code that they supposedly sent to them. However, what the victim does not know is that the code they are giving to the attacker is actually a password reset code that will give the attacker full access:

Figure 1.9 – Example of using authority to influence the victim

Liking: People are more willing to trust others they like, and an attacker may use that principle to influence a victim. Liking is not limited to physical attraction; in fact, there are many other methods that attackers may use to gain your trust, as follows:

- By sharing some characteristics in common (such as saying we live or grew up in the same city or have similar ancestors)
- By sharing the same passion (for example, the same series, the same idols, the same favorite music group, etc.)
- By following the same team or groups (in sports, politics, etc.)

The following figure shows an example of how an attacker can use compliments to make the victim like them and gain their trust:

Figure 1.10 – Example of using liking to influence the victim

Scarcity: This tactic is commonly used in marketing to influence you to purchase something (which, most of the time, is something that you don't need). This tactic is incredibly powerful, which is why it is present in almost all social engineering attacks. Here, the attacker pushes the victim by making them believe that they will lose a big opportunity if they do not act on it right now!

Figure 1.11 – Example of using scarcity to influence the victim

Now, there are other key tactics and techniques used in social engineering attacks that are not included in that list, such as developing rapport, empathy, and pretexting, so let's review them in detail.

Developing rapport

While similar to the principle of liking, rapport goes beyond that by creating a relationship or bond with the victim.

In fact, building rapport is about creating a trusting relationship with the victim with the objective of making the victim feel comfortable and thus more prone to executing a given task or giving away some sensitive information. As humans, we tend to share data freely with people we trust, and thus for an attacker, developing an instant rapport is key.

There are many tactics that an attacker can leverage to create rapport, so let's look at the most commonly used ones.

Using appropriate body language

To develop rapport, it is key that the victim doesn't perceive you as a potential threat; instead, you should come across as a friendly figure who is there to help and listen. For example, an attacker's stressed or nervous attitude may cause distrust in the victim, while a relaxed attitude will be reflected in friendlier body language that will make the victim feel more engaged and comfortable.

Figure 1.12 – Example of using body language to influence the victim

As seen in the preceding figure, a person with relaxed body language gives confidence to the victim to perform a dangerous action (in this case, to provide a security PIN).

Using your knowledge to help

Being arrogant by presuming deep technical knowledge will not help to build rapport. Instead, attackers will look for opportunities to help others with their technical knowledge. This tactic helps to build an almost instant rapport with the victim, first because the victim now feels in debt to the attacker, and also because the attacker has unconsciously established themself as a technical expert in the eyes of the victim.

Figure 1.13 – Using your knowledge to build rapport

As seen in the preceding figure, the attacker uses their knowledge to build rapport with the victim while also establishing themself as an expert. Then, they leverage that trust to execute the attack by giving the victim a false link that will collect the victim's credentials.

Complimenting

Let's be honest, we all like compliments, and this is another great way to build rapport. Of course, it needs to be subtle; as mentioned, this is an art form, and overusing any tactic may be noticed by the victim, which will not produce the desired effect. Instead, this needs to be natural and genuine to ensure the victim perceives it that way. Some examples of compliments are saying something nice about the clothes they are wearing, or any other characteristic of the person such as the color of their eyes, their lovely smile, or even their attitude.

Figure 1.14 – Example of using compliments to influence the victim

As seen in the preceding figure, the attacker compliments the victim by stating that they are very smart and care about security. That compliment creates rapport, and the attacker will leverage it to trick the user into entering their password on a non-secure page, allowing the attacker to capture the victim's credentials.

Supporting other points of view

There are people who may feel discriminated against because their opinion is that of a minority group. In those cases, an attacker may leverage that to create instant rapport by supporting that point of view in front of the victim. As mentioned, this needs to seem genuine, and to achieve that, the attacker must understand the topic they are supporting very well in order to be able to drive a friendly conversation with the victim and further their relationship of trust.

Figure 1.15 – Example of influencing the victim by creating a rapport

As seen in the preceding figure, an attacker would take the opportunity of someone complaining about security policies to agree with the victim (to build rapport) and then offer a "solution" to avoid that security policy, which, in the end, will enable the attacker to access data and corporate systems.

Leveraging empathy

Empathy is defined as the ability to understand and share the feelings and emotions of others. In this case, an attacker will present themself as being in a difficult situation in the hope that the victim will feel empathy and then be more likely to fall into a trap and give information, perform a questionable action, or even bypass a security process to help the attacker during the difficult situation.

Figure 1.16 – Using empathy to bypass some security controls

The preceding figure shows a great example of how an attacker can leverage empathy to bypass a security control.

Notice that to enhance the chances of success, the attacker will search for a victim who is more likely to feel empathy for a given situation. For example, in this case, the attacker targeted a victim who is a mom and, therefore, is more likely to feel empathy for a situation in which a supposedly pregnant girl is suffering, and thus the victim would be willing to bypass a security process to help the pregnant girl.

Leveraging influence for defensive security

The good news is that you can also apply those psychological principles (such as influence) to enhance the cybersecurity culture in your organization.

In fact, here are some examples of how you can leverage some social engineering concepts in your organization:

Social proof: You can leverage influential people in your company to promote cybersecurity best practices. A good implementation example is to provide a hands-on cybersecurity awareness workshop to those influential employees and name them Cybersecurity Advocates. This will help you motivate those influencers to enhance cybersecurity awareness across the organization and also to bring more people to join your program as Cybersecurity Advocates.

Important note

Those kinds of programs work better if people are also awarded a digital badge that highlights their new Cybersecurity Advocate title.

Scarcity: You can apply scarcity in many ways to enhance your cybersecurity programs, such as the following examples:

- Announce that only X number of employees are eligible for the Cybersecurity Advocate title
- Limit the number of people that can attend awareness training (which brings the feeling that they will attend an exclusive training)
- Make users think that installing a given cybersecurity tool is not an obligation but a privilege that they need to pursue (because they are getting a license for free)

As mentioned before, this technique is more powerful when combined with other tactics.

Authority: One of the biggest