Chapter 1: Literature Review
What is Social Engineering?
The term Social Engineering simply denotes the process of manipulating a user into disclosing either sensitive information or personally identifiable information (PII) to the social engineer. According to Conteh and Schmick (2016), social engineering is also known as human hacking. Additionally, it is regarded as the hacker’s strategy to trick and manipulate people’s tendency to trust and to engage in a specific behavior online for malicious and financial gain (Conteh and Schmick, 2016). Social engineering is arguably the single greatest security risk a company can experience, since even the most sophisticated protective security measures are ineffective and powerless when users are being manipulated by social engineers. Furthermore, Krombholz et al. (2015) argue that it is often simple for social engineers to get users to infect their computers or mobile phones by tempting them to click on harmful links, visit fake websites that seem legitimate to them, or download and install malicious applications. Eventually, the victims of such attacks are widely regarded as a company’s insider threats regardless of whether their error was intentional or not.
Primary operations of Social Engineering
As previously mentioned, protective security measures such as firewalls or antivirus software are of little significance if users are easily tricked into clicking on malevolent links or revealing their credentials online. Williams, Beardmore, and Joinson (2017) discuss that social engineering has proven to be a relatively successful method of getting inside an organization, in the sense of pressuring or persuading users to perform irrational actions such as disclosing their credentials and sensitive information. Williams, Beardmore, and Joinson (2017) also discuss that, in order for social engineers to succeed in their attempts, several psychological procedures are executed that exploit social norms and obligations in the process. These include reciprocity, conformity, and authority.
According to Happ, Melzer, and Steffgen (2016), reciprocity is a psychological principle that exists in cultures all around the world: the feeling of being obligated to return a favor, regardless of what the original favor was. Reciprocity is a fundamental factor of social interactions amongst individuals in society, and in terms of online communication it increases the inclination to reveal personal information.
Secondly, conformity, referred to by Bullée et al. (2017) as social proof, is the process of convincing a user that his coworkers have already performed the requested tasks or have already provided their personal information. Social engineers usually adopt a friendly stance in an attempt to obtain information. Furthermore, Bullée et al. (2017) explain that the hacker tries to convince certain users that their coworkers have been giving him the same information, so that they eventually feel pressure to conform. This works especially well on male users, who may respond kindly to women using flattery or flirtation to tempt their target into confidently carrying the interaction further.
Finally, the most effective social strategy, and the one most users fall victim to, is authority. Bullée et al. (2017) define the term as the principle describing the tendency of users to comply with the requests of authority figures. It is typically the case that the social engineer creates a sense of trust with the user by impersonating an authoritative figure in an attempt to gain access to their account credentials. Bullée et al. (2017) also argue that hackers tend to instill a sense of urgency in their target victims, luring them to make decisions quickly instead of considering other potential options.
The attack vectors of Social Engineering
Although the strongest security measures are increasingly advanced, promoted, and implemented, the number of data breaches within organizations is still increasing, and there is a clear reason for this. Cyber-criminals regularly target a company’s weakest line of defense, the user, because human error, whether or not it is intentional, is still the simplest way for a hacker to gain access to a system. Conteh and Schmick (2016) argue that social engineers apply alternative routes to persuasion that exploit the psychological vulnerabilities of users by influencing their emotions: Fear, Obedience, Greed, and Helpfulness. These are the four human emotions and behaviors hackers most commonly utilize in order to carry out their attacks.
Hadnagy (2011) defined Fear in his book as an unpleasant emotion that is triggered by the notion that someone is dangerous. Fear is arguably one of the most manipulated emotions when it comes to social engineering. For example, a user may receive an email message informing them that their account has been compromised and requires a new password. These kinds of malevolent email messages strike fear in the mind of the user and manipulate him into reacting abruptly in order to avoid serious consequences.
The second emotion is Obedience, which Hadnagy (2011) defines as complying with an order or request, or submitting to an authoritative figure. Generally, individuals are taught throughout their childhood to always obey and trust the authorities without questioning the validity of their correspondence, and to comply with their instructions and guidance. Some scamming attempts are frequently disguised as an email message, instant message, or phone call from an individual or group in authority. Falling for those attempts can have serious consequences.
Thirdly, Greed is typically the desire to acquire more money, or anything else for that matter. Scammers are widely known for attempting to persuade their victims to perform a certain action in return for a reward. The reward is typically an amount of money, provided that the victims share their banking information beforehand.
Finally, Helpfulness is the willingness to provide any sort of help to others. The social engineer will generally disguise himself as someone who needs assistance. For example, the attacker can pose as a new employee and start asking questions concerning account passwords, the location of the server room or security offices, and so on.
The motivation behind social engineering attacks
Kumar and Carley (2016) argue that to effectively prevent social engineering attacks, it is essential to consider the reasons and motivations of hackers. Many researchers have analyzed the security measures that are effective in preventing social engineering attacks, in addition to investigating the motivation behind these attacks. Sometimes, however, the real purpose of deploying an attack remains unknown, and the situation can become more complicated if the attacker is located in a different country.
The motives behind social engineering attacks vary massively, and attackers target users for a number of reasons. According to Halaseh and Alqatawna (2016), some of the potential reasons for the attacks are:
- Financial. The motivation of a social engineer when deploying an attack on users is to lure them into disclosing their sensitive information and credentials so that the hacker can gain full access to their bank accounts. Alternatively, the hacker may sell that information to others on the dark web.
- Access to proprietary information. The social engineer typically intends to gain access to the system and gather as much information about the company as possible. The system in that case will inevitably be compromised; however, the intent of the hacker is not to inflict damage upon the system but to understand its procedures, policies, and sensitive information. That kind of attack can also be carried out as an Advanced Persistent Threat (APT), whereby the hacker infiltrates the network through a phishing email and remains undetected for a long period of time.
- Revenge. According to Conteh and Schmick (2016), this is one of the ways to cause problems for someone indirectly. That kind of motive is now very common and can also be utilized for scamming and fraudulent purposes, and even for posting inappropriate content online.
- Fun. Some social engineers intend only to create chaos among the general public, for instance by spreading email messages about a fictitious computer virus.
Types of social engineering attacks
With regard to the human vulnerabilities exploited by social engineering, Conteh and Schmick (2016) argue that, as far as cyber security specialists are concerned, social engineering attacks are regarded as totally ineffective against advanced security measures as such, since they aim primarily to exploit human vulnerabilities and lure people into divulging sensitive data. Social engineering attacks have many different aspects and features, namely the physical, social, reverse social engineering, and socio-technical aspects.
- Physical approach. In this approach, the hacker performs some sort of physical action in an attempt to gather sensitive data, ranging from personal information about users such as names and dates of birth to valid credentials for computer systems. Krombholz et al. (2015) note that the method most often used in this kind of attack is dumpster diving, in which the hacker searches for valuable information in the organization’s dumpster, which can be a significant source of information for hackers.
- Social approach. According to Krombholz et al. (2015), this is the most important approach leading to successful social engineering attacks. The process involves the attacker relying on persuasion methods to manipulate their targets. The attacker first tries to develop a relationship with the victim to the extent that he will be viewed positively by the recipient and will therefore be highly likely to be trusted.
- Reverse Social Engineering. In this kind of attack, Krombholz et al. (2015) discuss, the attacker attempts to convince the user that they have a problem on their computer and that the attacker is a trustworthy entity. The social engineer’s main objective is to get the user to make the first move by asking him for a plausible solution. The process the hacker goes through consists of three main steps: sabotaging, advertising, and assisting. First, the hacker sabotages the user’s computer by infecting it with malicious software. The attacker then advertises that they possess the solution to the problem. Finally, when the user asks for help, the hacker resolves the problem he created, having asked the user for their password beforehand.
- Socio-Technical Approach. In this kind of attack, Krombholz et al. (2015) discuss, the hackers use a method called the Baiting attack. The hacker leaves storage devices infected with malevolent software in places where they can easily be picked up by individuals. In order for the attempt to be successful, hackers exploit the curiosity of users by adding tempting labels to the devices such as “private contents” or “confidential”. Another common socio-technical method is phishing, which is usually done by sending fake email messages that look legitimate and contain malicious downloadable attachments to a large group of people, instructing them to follow instructions which eventually lure them into revealing their credentials.
Preventive measures against Social Engineering
Regardless of how effectively secured the network might seem to cyber security specialists, the human aspect will always remain a vulnerability. Users are inevitably the last line of defense against social engineering attacks. Conteh and Schmick (2016) discuss the important countermeasures that companies ought to deploy in order to prevent their users from falling victim to social engineering attacks:
- Training and Education. Training the staff to identify and take action against social engineering attacks is essential and a step toward preventing their systems from being compromised. Conteh and Schmick (2016) also argue for exposing users to previously used social engineering techniques so that they become familiar with the attacks and build awareness.
- Security Policy. The company ought to have a well-written policy that includes technical and non-technical elements that are driven by executive management.
- Technical Procedures. The network should have multiple layers of defense to protect sensitive data and the networking infrastructure. Conteh and Schmick (2016) argue that software such as Intrusion Detection Systems (IDS) and sophisticated firewalls have to be implemented on all computers.
- Audits and Compliance. It is important for companies to verify on a regular basis that their security policy is being adhered to. Furthermore, important detective controls, including reviewing network logs, re-validating employees’ permissions, and checking desktop configurations, should be carried out at least every week.
Aims and Research Questions:
1) Aims
The goal of this research is to attain a better comprehension of social engineering attacks that exploit human psychological weaknesses, luring online users to engage in particular behaviors online for financial and other malevolent gains.
Another purpose of this research is to learn who is more susceptible to falling victim to fake email messages in terms of their gender, age, and educational background; to what extent users know about social engineering threats, which can lead to identity theft and security breaches; and finally whether users believe that they are always safe online and cannot be reached or targeted by hackers.
2) Research Questions:
This research explores the questions:
- What are the psychological factors that play a role in luring employees to follow the instructions within illegitimate email messages?
- Who is more susceptible to being deceived by phishing attacks?
- To what degree do online users have insufficient knowledge on social engineering techniques and lack strategies to identify vulnerabilities and scams?
- Do users believe they are immune to social engineering?
Research Methods:
1) Introduction
There are two different research methods that are applied in all kinds of studies to extract and gather empirical information. Chu and Ke (2017) state that research methods are traditionally labeled as qualitative and quantitative methods, and that these two have received comparatively far more attention in the scholarly community. Those two methods are aimed at identifying educational problems using different approaches.
Yilmaz (2013) defines quantitative research as research that explains events according to numerical data which are analyzed by means of mathematically based methods, specifically statistics. Furthermore, it can be referred to as a type of empirical research in which the process of testing a theory consists of variables that are measured with numbers and analyzed with statistics in order to determine if the theory explains or predicts phenomena of interest. Yilmaz (2013) also defined qualitative research as an emergent, interpretive and naturalistic approach to the study of people, cases, social situations, and processes in their natural settings to reveal the meanings that people attach to their experiences of the world.
2) Research Approach:
This research makes use of a quantitative research strategy, in the sense that empirical numeric data will be produced at the end of the study. It is defined as a scientific method for the collection of empirical data, the modeling and analysis of data, and the evaluation of results. Kumar (2019) stated in his book that quantitative methods are relatively specific, well-structured, have been frequently tested for their validity and reliability, and can be explicitly defined and recognized. The main reason for choosing this research method is that the data collected can be expressed in numerical form through online questionnaires and analyzed statistically. Furthermore, the numerical data can be organized and thoroughly analyzed statistically to produce the empirical results of the study. Additionally, the quantitative research ought to help in learning how many users are being socially engineered by having their psychological weaknesses exploited by social engineers, who are characterized by Happ, Melzer, and Steffgen (2016) as psychology experts that exploit typical human vulnerabilities such as fear and greed using specific classes of attacks. It should also reveal the proportion of individuals who lack knowledge of phishing and scams, and whether they think that security measures and awareness ought to be sufficient to keep them safe online.
3) Research Method:
The methods of data gathering can be used across studies that are classified as quantitative, qualitative, or mixed methods. The way a particular method is implemented to collect data determines the classification of the study to a large extent. Kumar (2019) argues that there are several quantitative methods that can be used to collect the data.
The choice of method depends on the purpose of the study, which is to learn how likely online users are to follow instructions within phishing emails, the proportion of online users who are prone to being victimized by social engineering attacks, and the proportion who lack the strategies to detect malicious emails, and eventually to gain an insight into the percentage of users who are under the impression that they are always safe from social engineering attacks.
Consequently, an online questionnaire is used throughout this research to collect the information required to answer the research questions.
Kumar (2019) discussed in his book that online questionnaires have become quite common nowadays due to advances in communication technology. The main reasons why the online questionnaire has been selected as the quantitative research method in this research are:
- It is less expensive in the sense that interviewing participants is not required, and it is relatively convenient when it is administered collectively to a study population (Kumar, 2019).
- It offers considerable anonymity, and participants will not have to interact live with the interviewer. Furthermore, all sensitive questions will be answered with accurate information.
4) Data Collection:
Rowley (2014) discusses that questionnaires are one of the quantitative methods used to collect data, and therefore many researchers in business and other areas of social sciences link research with questionnaires. According to (Rowley, 2014), a lot of effort ought to be allocated into producing a good questionnaire that collects accurate data that answers the research questions.
Throughout this research, a questionnaire that includes open and closed questions will be used as a means of collecting accurate and relevant data in order to answer the research questions. Rowley (2014) argues that closed questions are quick for respondents and are always composed of a number of options from which the user has to select, whereas open questions simply invite respondents to provide data or offer short comments of one or two sentences, allowing respondents to use their own language and express their own views.
In terms of distributing the questionnaire, it is mandatory early in the process to explain the purpose of my research, give a brief introduction to myself and the reason for seeking the participants’ answers and opinions as clearly as possible, and assure them that it is completely confidential. Moreover, it is crucial to be clear about the amount of time that the questionnaire survey will take, because Rowley (2014) argues that if the questionnaire survey takes too long to complete, it is highly likely that participants will skip through the questions and leave sections of the questionnaire incomplete, or abort the whole process.
There are several ways of delivering the questionnaire. The one used throughout this research is an email-based survey tool, Qualtrics, which will be used to conduct the data collection and analyze the responses. The survey will be sent to all the contacts and friends I know on social media, who will be asked to complete it and pass the completion request on to their own contacts.
References:
- Conteh, N. and Schmick, P. (2016). Cybersecurity: risks, vulnerabilities, and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research, 6(23), pp.31-38.
- Krombholz, K., Hobel, H., Huber, M. and Weippl, E. (2015). Advanced social engineering attacks. Journal of Information Security and Applications, 22, pp.113-122.
- Williams, E., Beardmore, A. and Joinson, A. (2017). Individual differences in susceptibility to online influence: A theoretical review. Computers in Human Behavior, 72, pp.412-421.
- Happ, C., Melzer, A. and Steffgen, G. (2016). The trick with a treat – Reciprocity increases the willingness to communicate personal data. Computers in Human Behavior, 61, pp.372-377.
- Bullée, J., Montoya, L., Pieters, W., Junger, M. and Hartel, P. (2017). On the anatomy of social engineering attacks-A literature-based dissection of successful attacks. Journal of Investigative Psychology and Offender Profiling, 15(1), pp.20-45.
- Hadnagy, C. (2011). Social engineering. Indianapolis: Wiley Publishing, Inc.
- Kumar, S. and Carley, K. (2016). Approaches to understanding the motivations behind cyber attacks. 2016 IEEE Conference on Intelligence and Security Informatics (ISI), pp.307-309.
- Halaseh, R. and Alqatawna, J. (2016). Analyzing CyberCrimes Strategies: The Case of Phishing Attack. 2016 Cybersecurity and Cyberforensics Conference (CCC), pp.82-88.
- Chu, H. and Ke, Q. (2017). Research methods: What’s in the name? Library & Information Science Research, 39(4), pp.284-294.
- Yilmaz, K. (2013). Comparison of Quantitative and Qualitative Research Traditions: epistemological, theoretical, and methodological differences. European Journal of Education, 48(2), pp.311-325.
- Rowley, J. (2014). Designing and using research questionnaires. Management Research Review, 37(3), pp.308-330.