Social Engineering (SE) is the process of deceiving an individual or a group of people to take a certain action(s) or disclose sensitive information in favour of the perpetrator. According to Atkins and Huang (2013), SE is the exploitation of human psychological weaknesses by scammers to attack innocent individuals.
SE can either occur in-person (face-to-face), via phone calls (vishing), emails (phishing), text messages (smishing), or social media platforms. According to Abass (2018), Social Engineers utilize diverse mechanisms in sharing malicious software in obtaining information, defraud, or gain unauthorized access to information systems.
The main motivation of Social Engineers is to obtain sensitive information, install malware, financially defraud victims, or have specific actions taken in their favour.
According to EY (2018), 550 million emails were sent out by a single phishing campaign during the 1st quarter of 2018. SE has become the number one top cyber threat to organizations.
Over 90 percent of successful hacks and data breaches are as a result of phishing (Cybersecurity Ventures, 2019). SE generally involves less investment and low technology to be successful, hence perpetrators are enthused to use this medium to achieve their malicious goals.
In the study of Atkins & Huang (2013), the top 3 triggers used in phishing emails to raise the attention of the recipients “were: alert, warning, attention; verification of account; and invalid login attempts”. They further stated that the top 3 persuasion techniques used in phishing emails were authority, politeness, and urgency. Also, the top three triggers used in advance fee e-mails to raise the attention of recipients were: Nigeria 419 funds, business proposal & winning of lottery. The use of authoritative and emotional persuasions by Social Engineers is able to convince victims to lose concentration on SE attacks. The attitude of believing what people say continues to expose users to SE attacks.
According to Flores (2016), the following factors significantly influence employees’ resilience to SE: trust, risky behaviors, general information security awareness, security and computer knowledge, intention, and target-related information. He mentions that national culture has a substantial effect on the information security behavior of employees and determines their SE security behaviors.
In the study of Sheng et al (2010), 90% of persons who click on phishing links will proceed to share information with the perpetrator(s). 57% of people who had previously received anti-phishing training fell for 40% of phishing during the roleplay, whilst people who had not received previous anti-phishing training fell for 60% of phishing. They conclude that men are less vulnerable to phishing attacks than women because men have more technical knowledge and training than women. Individuals from the ages of 18 to 25 are also more vulnerable to phishing attacks because, they are less educated and trained, have fewer years in Internet usage, and are not risk-averse. Also, participants who received training fell for 28% of phishing messages after the training. This suggests, education is essential to combat phishing, but it is not the ultimate solution.
There are several ways to protect ourselves against all forms of SE attacks. The following non-technical and cost-effective measures; can help prevent and reduce SE attacks.
- Continuous awareness is the cheapest and the most effective way of combating SE attacks. Irrespective of the expensive technical tools and controls implemented by organizations, lack of continuous staff awareness can totally ruin all the colossal investments made in securing information.
- Extreme caution should be taken before opening e-mails or messages from senders you do not know.
- Extreme caution should be taken when clicking on links in e-mail, social media, or text messages unless you are convinced about it.
- Do not respond to suspected messages either through e-mail, social media, SMS, or phone calls.
- Beware of whom you share information with, either face to face or electronically.
- Organizations need to formulate, implement, and strictly enforce information security policies with emphasis on SE.
- At the national level, enacting and enforcing stringent laws or regulations against SE can also help fight the menace.
To ensure the fight against SE is successfully won, it is extremely important to understand SE and map up strategies to secure information in various spheres: personal, organizational, national, and international levels. The literature reviewed in this article and the non-technical and cost-effective recommendations provided can help achieve this to a very large extent.
Sherrif Issah – (IT GRC Consultant | PCI-QSA | Trainer @ Digital Jewels Ltd. | Member, Institute of ICT Professionals Ghana
For comments, contact author firstname.lastname@example.org | Mobile: +233243835912
For further reading
Abass, I. A. M. (2018). Social Engineering Threat and Defense: A Literature Survey. Journal of Information Security, 09(04), 257–264. https://doi.org/10.4236/jis.2018.94018
Atkins, B., & Huang, W. (2013). A Study of Social Engineering in Online Frauds. Open Journal of Social Sciences, 01(03), 23–32. https://doi.org/10.4236/jss.2013.13004
Flores, W. R. (2016). Shaping Information Security Behaviors Related to Social Engineering Attacks. In PhD Thesis. https://www.diva-portal.org/smash/get/diva2:925493/FULLTEXT02.pdf
Global, E. Y., & Security, I. (2018). Is cybersecurity about more than protection?
Morgan, S. (2019). 2019 Official Annual Cybercrime Report. 2019 Report by Cybersecurity Ventures Sponsored by Herjavec Group, 12.
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., & Downs, J. (2010). Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions. Conference on Human Factors in Computing Systems – Proceedings, 1, 373–382. https://doi.org/10.1145/1753326.1753383