Social engineering goes to the movies

These films offer an entertaining way to understand how social engineering works.

If you fall for a social engineer's trickery, it's embarrassing.

As long as it's happening to someone else, though, it can make for great cinema.

Security experts John Sileo and Chris Hadnagy gave us examples of some of their favorite social engineering scenes as portrayed in film. These movies offer an entertaining way to understand how social engineering works.


Matchstick Men

Con men Roy (Nicolas Cage) and Frank (Sam Rockwell) start their scam by calling victims and trying to sell them water filtration systems for hundreds of dollars. The same system is available for just $50 in a store. While working the phones, the two employ many classic social engineering moves, such as passing the phone from Frank to Roy, who poses as Frank's boss, giving the operation more credibility.

From there, the two head to a victim's home where they pose as federal agents and inform the victim they have been scammed by the water filtration con. But, they say, if the victim will just sign a form that gives them authorization to withdraw money from the victim's bank account, they might just be able to track down the thieves. Of course the victim's bank account is then emptied, and the small water filtration price leads to a much bigger take for Frank and Roy.


There are many more surprises along the way, but, as Hadnagy said, he doesn't "want to give a spoiler... but this movie is about a scam wrapped in a social engineering gig wrapped in a con. It is a twister and really good."

Ferris Bueller's Day Off

An adept and charming con man at just 17, Ferris Bueller (Matthew Broderick) doesn't want to go to school one day and pulls out all kinds of social engineering scams in order to take the day off without consequences. He manages to get his friends Cameron and Sloane in on playing hooky, too.

In a memorable scene, Cameron calls school principal Mr. Rooney, pretending to be Sloane's father and asking that Sloane be dismissed because her grandmother has died. Rooney, initially thinking it is another one of Ferris Bueller's pranks, is rude to the caller. But when Ferris places a call on the other line to Mr. Rooney, Rooney realizes the first caller is not Ferris and panics--assuming that caller must indeed be Sloane's father. Sloane is then released for the day.

"He used the technology of the day to his advantage," explained Sileo. "Although the technology has changed, the techniques social engineers use really haven't. Utilizing people's ignorance, pretexting, pretending to be someone you aren't--these are all techniques that have all been around for years."

The Thomas Crown Affair

A wealthy but bored businessman, Thomas Crown (Pierce Brosnan) decides to pull off an art heist at New York's Metropolitan Museum of Art just for the fun and challenge of it.

Crown is well known at the museum long before the heist because he spends many hours there, hanging out in the Impressionist gallery and getting to know the guards. This alone makes it easier for him to pull off the crime, according to Sileo.

"That's the whole authority technique," he said. "Utilizing a combination of confidence and the perception of authority. It's such a simple example."

When it is time to pull off the theft, Crown hires a group of Romanian men who pose as a Trojan Horse of sorts by infiltrating one of the galleries and pretending to be guards. They cut off the air conditioning and claim to be there to clean the gallery, but are ultimately caught by the museum's official guards and a struggle ensues.

During a chaotic scene in which everyone is evacuated, Crown manages to slip a titanium briefcase under a security gate to prevent it from closing; he slides under the gate into a completely different gallery without being seen. Because of the distraction elsewhere he is able to steal the painting "San Giorgio Maggiore at Dusk" by Monet, valued at $100 million.

Dirty Rotten Scoundrels

Hadnagy describes Dirty Rotten Scoundrels as "another classic about two con men fighting for the right to stay in their territory."

The first confidence man, as one French police officer describes him, is an American named Freddie (Steve Martin) who poses as a wounded soldier in a wheelchair. Using this ploy to appear helpless and trustworthy, Freddie swindles money from female victims "for an operation for his grandmother."

The other, more sophisticated social engineer in the film is Lawrence (Michael Caine), who runs his cons in the finer hotels in Southern France and poses as a prince who needs funds "to free his enslaved people" or "to fight the communists."

Eventually they team up when Freddie begs Lawrence to teach him some of his ways and Freddie then plays the memorable part of Ruprecht, the prince's bizarre monkey-boy younger brother. ("Not Mother?") Lawrence cons money from female victims by proposing marriage, collecting funds, and only then introducing them to Ruprecht. Once the women meet Ruprecht, they break off the engagement, leaving their money behind and leaving Lawrence and Freddie to begin the scam all over again.

Catch Me If You Can

The movie is based on the life story of Frank Abagnale, known as one of history's most infamous social engineers.

While still just a teenager, Abagnale (Leonardo DiCaprio) runs away from home and manages to pose as a Pan Am pilot and scam thousands of miles of free flights around the world. While he's at it, he also cashes millions of dollars in forged checks from Pan Am.

Abagnale also successfully pretends to be a doctor and a teacher before he is ultimately caught by the FBI (years later).


Sneakers

Penetration testers before it became a common security career, Martin Bishop (Robert Redford) and his team are paid to break into companies that want their security put to the test.

In one scene Martin and teammate Carl (River Phoenix) create a distraction at the front desk of a secure building. Carl, posing as a delivery person, insists he be let in to make a delivery; while he argues with the guard, an increasingly agitated Martin waits behind him posing as a father late for his daughter's birthday party being held upstairs. He eventually gets through by barking at the guard, still engaged in a fight with Carl, to "push the damn buzzer!"

Six Degrees of Separation

"The finest example" of social engineering in film, according to Sileo.

Inspired by the true story of con artist David Hampton, Will Smith plays Paul, a young man who manages to fool the wealthy New York City couple Ouisa and Flan Kittredge (Stockard Channing and Donald Sutherland).

Paul shows up at the Kittredges' Fifth Avenue home one night, bleeding and asking for assistance. He claims to be the son of actor Sidney Poitier, and also says he knows the Kittredges' children, two of whom attend Harvard University.

Paul is well-spoken, charming and a skilled cook. After some time, he wins the Kittredge family over. They lend him money and allow him to stay with them for the night. After the experience is over, the Kittredges are shocked to learn Paul is a con man who has scammed many other wealthy families in their social circle as well.

"He uses all kinds of techniques," said Sileo. "He appeals to their humanity, he charms them, he appeals to their sense of familiarity by claiming he met their son at Harvard, so it is obvious he did some background research. That's exactly what is happening on social networking now. But today, you don't have to walk up to an apartment to pull this kind of thing off. A person's association with others you know on a place like Facebook makes them seem trustworthy."
