The "2+2=5" Concept: A Subtle Tactic in Social Engineering

  • Writer: Berzin Daruwala
  • Jul 2
  • 4 min read

Understanding the core idea 


Social engineering relies on psychological manipulation to extract information from unsuspecting individuals, and one of its most effective techniques is pretexting.  

This method involves fabricating a scenario or presenting false information to elicit a response - often causing the target to unknowingly volunteer sensitive details.  

A practical example of this principle is the "2+2=5" concept, where a statement containing incorrect information prompts a response that corrects the error. For instance, if someone claims “2+2=5,” the natural reaction is to respond with the correct answer: “No, it equals 4.” Although this correction seems harmless, it demonstrates how a social engineer can subtly influence a conversation and extract knowledge without directly requesting it. 

By applying pretexting at a larger scale, attackers can craft convincing scenarios that prompt individuals to reveal confidential details, often without realising they are being manipulated.  


Another well-known portrayal of this technique appears in Season 1, episode 1 of Mr. Robot (eps1.0_hellofriend.mov), where the protagonist, Elliot, borrows a target’s phone under the pretext of calling a relative, but instead dials his own number so that the target’s phone number is captured on his handset.  

This act demonstrates how social engineers create believable scenarios to gain access to information. 


Influencing conversations through misdirection 

Imagine an interaction where one person states, “2+2=5.”  

The responder, recognising the mistake, immediately corrects them: “No, it equals 4.” While seemingly harmless, this interaction showcases a fundamental aspect of social engineering - eliciting information by influencing the direction of a conversation.  

The moment the responder provides the correct answer, they have unknowingly volunteered valuable information without being directly asked for it. 

This approach can be applied on a larger scale, particularly in cybersecurity contexts, where attackers employ similar tactics to extract confidential details. 


Kevin Mitnick’s Perspective on Social Engineering 

Kevin Mitnick, a renowned computer security consultant and former hacker, explored the method of pretexting in his book Ghost in the Wires. He described how directly asking for sensitive information often raises suspicions.  

Instead, a more effective approach is to act as though one already possesses the information but present it incorrectly. In many cases, the target instinctively corrects the error, unwittingly providing the precise details the social engineer was seeking. 

Mitnick’s principle underscores the psychological tendency of people to correct misinformation, which can be leveraged to extract classified or sensitive data. 


Preventing Information Leakage 

Given how subtly social engineering can influence responses, individuals and organisations must be aware of how they react to seemingly minor inaccuracies.  

The key to preventing accidental disclosure lies in minimal engagement. Returning to the "2+2=5" example, appropriate responses could be: 

  • “Yes.” 

  • “No.” 

  • “I’m not sure.” 

Each of these answers avoids offering further information that could aid an attacker. While “No” is technically accurate, it still does not elaborate beyond necessary clarification.  

Withholding additional details and not volunteering information reduces the likelihood of unknowingly steering the conversation toward sensitive areas. To further reduce the risk of falling victim to a pretexting attack, you should: 


  • Be wary of unsolicited requests: If someone contacts you unexpectedly and asks for sensitive information, verify their identity through official channels. 

  • Never share personal details too quickly: Legitimate organisations typically won’t ask for confidential data via email, phone, or text. 

  • Check for inconsistencies: Scammers often make subtle mistakes in names, email addresses, or the context of their requests - pay close attention! 

  • Use multi-factor authentication (MFA): This adds an extra layer of security in case your credentials are compromised. 

  • Trust cautiously: Even if a request seems genuine, take a moment to confirm it directly with the supposed sender. 

  • Limit sharing personal information online: Oversharing on social media can provide attackers with details they use to craft convincing schemes. 

  • Report suspicious activity: If you suspect a scam, notify your employer, bank, or relevant authorities to help prevent further attacks. 


Conclusion 

The "2+2=5" technique exemplifies how subtle nudges can shape conversations and extract valuable insights. Whether in cybersecurity or everyday interactions, awareness of how information is unintentionally revealed is crucial.  

The same principle is at work in Mr. Robot, where Elliot borrows a target’s phone under a false pretext, relying on deception to exploit trust and extract information. By practising measured responses and limiting volunteered corrections, individuals can reduce their risk of falling victim to these tactics. 

Safeguarding sensitive information and ensuring compliance is essential in today’s digital landscape. At Data Privacy Simplified, we help organisations strengthen their data security, navigate regulatory requirements, and implement effective protection measures. 

Take the next step in securing your organisation - contact us today at enquiries@dataprivacysimplified.co.uk or visit our website (Data Privacy Simplified | Data Protection) to learn how we can support your data protection needs. 


Our Services Include: 

  • Data Protection Officer as a Service (DPOaaS) 

  • Caldicott Guardian as a Service 

  • Chief Information Security Officer as a Service (CISOaaS) 

  • Cybersecurity Audits & Consultancy 

  • Gap Assessments, ROPA, DPIAs, and DSPT/GDPR Audits 

  • Policy and Procedure Development 

  • SAR Support Services  

  • EU & UK Representative Services 

  • ISO27001 and Cyber Essentials Compliance Support 

  • Bespoke and Accredited Training in IG and Cyber Security 

From consulting and compliance to training and operational support, we offer a one-stop shop for all your information governance, privacy, and cybersecurity needs—tailored for health, education, and public sectors. 

Let’s build a more secure future together. 
