Social Engineering Risks
How attackers exploit human psychology through tactics such as fear, trust, urgency, or overconfidence.
Indicators
An observed identity complies with fraudulent requests framed as coming from authority figures. Attackers exploit hierarchical trust (e.g., impersonating executives or IT staff) to coerce actions like fund transfers or system access, bypassing normal verification and governance processes.
An observed identity makes decisions under fabricated urgency or scarcity. Adversaries manufacture crises or time-limited opportunities to push hasty responses, leading to actions such as rushed approvals, insecure credential entry, or bypassing established controls.
An observed identity alters behavior due to threats or intimidation. Attackers leverage fear of punishment, loss, or exposure to override rational judgment, compelling risky actions like disclosing sensitive data or authorizing unauthorized access.
An observed identity places trust in communications or interactions that appear familiar. Exploitation of trusted relationships enables adversaries to bypass skepticism, securing sensitive information or network access under the guise of legitimacy.
An observed identity feels compelled to reciprocate after receiving favors or perceived benefits. Attackers exploit this obligation bias by offering gifts, free tools, or assistance that subtly pressure the target to provide credentials, access, or other sensitive concessions.
An observed identity engages with content crafted to exploit curiosity or novelty. Lures such as leaked documents, sensational topics, or “secret” files trick targets into opening malicious links or files, exposing enterprise systems to compromise.
An observed identity is motivated by promises of personal gain. Attackers leverage incentives such as prize offers, gift cards, or fraudulent investments to encourage disclosure of credentials or execution of unsafe actions, risking data loss or fraud.
An observed identity acts out of compassion or helpfulness without verifying legitimacy. Adversaries stage emergencies (e.g., stranded coworkers, distressed callers) to gain unauthorized access, exploit privileged systems, or elicit sensitive data.
An observed identity complies with escalating requests after an initial concession. Attackers exploit psychological pressure to “stay consistent,” moving from minor harmless asks to major compromises such as sharing passwords or granting privileged access.
An observed identity complies with requests framed as widely accepted or socially validated. Attackers exploit herd mentality, claiming that peers or leadership already took similar actions, reducing resistance and leading to risky behaviors like mass credential submission.
An observed identity is deceived despite believing they are invulnerable to manipulation. Overconfidence makes the target more likely to overlook warning signs, fall for fake “tests” or challenges, and inadvertently compromise enterprise security.
An observed identity succumbs to attacker persistence when overwhelmed. Adversaries exploit fatigue or information overload (e.g., MFA push bombing) to force acceptance of malicious requests, bypassing layered defenses.
An observed identity responds to offers framed as exclusive or time-sensitive. Adversaries play on fear of missing opportunities to provoke rushed engagement, leading to disclosure of sensitive information or activation of unsafe processes.
An observed identity makes decisions based on compassion or sympathy. Adversaries exploit humanitarian instincts through fabricated causes, disaster relief scams, or emotional stories, resulting in financial fraud or unauthorized access.
An observed identity accepts false narratives crafted to justify attacker requests. By posing as auditors, regulators, or service staff, adversaries use pretexting to rationalize access to credentials, systems, or sensitive data, bypassing normal scrutiny.
Relevance
This category exposes susceptibility to manipulative techniques that prey on psychological vulnerabilities or cognitive biases to bypass technical defenses entirely. Social engineering is not defined by a channel or attack vector but by the exploitation of psychological vulnerabilities, regardless of medium. Visibility into social engineering susceptibility allows organizations to predict and mitigate how individuals may respond under pressure.
Why this matters
This matters because people remain the most targeted element in cyberattacks. Recognizing which tactics are most effective against a workforce enables security leaders to craft stronger defenses and tailored awareness programs.
Consequences of neglect
Without mitigation, attackers can exploit psychological vulnerabilities to steal credentials, move laterally, or exfiltrate data, resulting in severe breaches.