Trust, Familiarity & Social Proof

You trust someone because they feel familiar, not because they are trustworthy. Attackers manufacture that feeling deliberately.


The Setup

Riya joined a logistics company as a finance executive. On day three, a LinkedIn request arrived: "Karan Mehta," same company logo, senior title, three mutual connections (including her manager).

She accepted.

Over two weeks, Karan helped her navigate internal processes, tagged her in useful articles, and appeared consistently in her feed. Then:

"I've already cleared it with Priya. Could you just process this vendor payment? System migration issue. I'll send the PO reference separately."

Riya had never met Karan in person. But his name was familiar. He'd helped her. He knew her manager.

She processed the payment.

Karan Mehta wasn't real. The profile was created during her onboarding—when unfamiliar names in familiar contexts feel safe. The mutual connections were fake. The company logo was copied. The "help" was the setup.

She wasn't careless. She was systematically manipulated.


What Is Actually Happening

Trust builds through repeated exposure. Attackers manufacture it deliberately.

7x more likely to comply with requests from someone you've seen before — even if you haven't verified who they are.

Familiarity feels like safety to the brain. Attackers know this and exploit it.

Source: Zajonc, R.B., "Attitudinal Effects of Mere Exposure", Journal of Personality and Social Psychology, 1968; confirmed in digital trust studies, 2022-2024

Warm-Up Attacks

Weeks of Setup

Every interaction is designed to lower your resistance before the actual ask. The rapport is fake. The goal is familiarization.

Source: SANS Institute, 2024

Mutual Connections

70% Boost

Just 2-3 mutual connections increase request acceptance by 70%. Attackers seed fake profiles with carefully chosen contacts to pass the casual check.

Source: LinkedIn Security Research, 2025

Fake Reviews

87% Trust Them

87% of people trust online reviews as much as personal recommendations. Attackers purchase fake reviews because they're cheap, effective, and widely trusted.

Source: BrightLocal, 2024

Peer Pressure

The Herd Effect

"Your colleagues already did this" is pressure, not information. The herd signal makes non-compliance feel abnormal.

Source: Cialdini, 2021

The Mere Exposure Effect

The more you see someone, the more positively you evaluate them — even if nothing about them has changed. Attackers exploit this by appearing repeatedly before making their request. They don't need to convince you of anything. They just need to stop being strangers.

This is why warm-up attacks work on experienced professionals. The brain's trust mechanism doesn't verify whether familiarity was earned or faked.


Fake Reviews & Social Proof

When you can't independently evaluate something, you trust what others say. The problem: social proof is trivially easy to fake.

Scam platforms display fake profit screenshots. Fake recruitment agencies post testimonials from people who don't exist. Fraud pages use AI-generated endorsements.

Before trusting reviews on an unfamiliar platform:

  • Search the company name + "scam" or "complaint" on independent sites
  • Verify registration with the regulatory body directly
  • Check for reviews on platforms the company doesn't control

Fake Profile Spotter

Four LinkedIn-style profiles are shown below - two real, two fabricated. Judge each one before the annotated reveal shows exactly which signals give fake profiles away.


What That Just Showed You

1. Familiarity is a feeling, not verification. Your brain treats "I've seen this before" as safety. Attackers manufacture that feeling. It tells you nothing about who they actually are.

2. Fake reviews influence you even when you know they exist. Awareness helps only if you actively verify independently. Passive knowledge isn't enough.

3. Context is the weapon. Karan didn't claim to be CEO. He claimed to be an ordinary colleague with the right internal details. That context is what made the request feel legitimate.

4. The ask comes after the trust. A stranger's request triggers skepticism. The same request from someone familiar triggers compliance. The warm-up period is the entire attack.


Four Things Worth Doing

1. Verify requests through a separate channel. Someone asks for money, access, or data via LinkedIn? Call your HR department or a known colleague. The message is not proof of identity.

2. Search for independent reviews before trusting them. On unfamiliar platforms, search the company name on Google and independent review sites. Only positive reviews on their own site are a red flag.

3. Question "everyone else did it." This is pressure, not information. Verify with the specific people mentioned — not with the person making the claim.

4. Verify new connections before complying with requests. Check their employment through your internal directory or a colleague — not through a link they provide.


One Question Before You Continue

Knowledge Check

Riya processed a fraudulent payment after two weeks of helpful interactions with Karan's fake profile. What made this attack effective despite her professional experience?