Experimental social engineering: investigation and prevention

Jan-Willem Bullee

Research output: Thesis › PhD Thesis - Research UT, graduation UT › Academic


Abstract

Social engineering is the use of social manipulation and psychological tricks to make targets assist offenders in their attack. This practice manifests itself in, e.g., phishing emails or cold-call telephone scams. The aim of the thesis was to investigate the understanding of social engineering attacks in an organisational setting. In particular, the effectiveness of both the threat and the countermeasures was investigated. Three kinds of social engineering experiments were performed, each using a different modality (i.e. Face-to-Face (F2F), email and telephone). In each experiment, the targets (i.e. participants) were persuaded to perform actions that contribute to their own victimisation. The subjects (N = 162) in the F2F experiment were visited by an offender in their offices and asked to hand over their office keys. The subjects (N = 593) in the email experiment received a phishing email requesting Personally Identifiable Information (PII). The subjects (N = 92) in the telephone experiment were persuaded to download and execute software from an untrustworthy website. A portion of the participants in both the F2F and the telephone experiment received an intervention to reduce victimisation. The result was that 58.62% of those in the F2F experiment complied with the offender, compared to 36.96% of those who had previously been informed on how to detect and react to social engineering. In the telephone experiment, 40% complied with the offender, compared to 17.2% of those who received an intervention. Furthermore, 19.3% of those who received a generic phishing email complied, compared to 28.9% of those who received a spear phishing email. No effect of age, sex or the use of authority on victimisation was found, whereas having had an intervention, receiving a spear phishing email and cultural background did have an effect.
It is concluded that awareness raising about the dangers, characteristics and countermeasures related to social engineering has a significant positive effect on protecting the target. The research also shows that awareness-raising campaigns reduce the vulnerability only in the short term. In phishing emails, the use of a personalised opening sentence increases their success. The results of these experiments allow practitioners to focus awareness campaigns so as to maximise their effectiveness.
Original language: English
Awarding Institution: University of Twente
Supervisors/Advisors
  • Hartel, Pieter H., Supervisor
  • Junger, Marianne, Supervisor
  • Montoya, Lorena, Advisor
Place of Publication: Enschede
Publisher: Centre for Telematics and Information Technology (CTIT)
Print ISBNs: 978-90-365-4397-2
DOIs: https://doi.org/10.3990/1.9789036543972
Publication status: Published - 6 Oct 2017


Keywords

  • Experimental
  • Social
  • Engineering
  • Attacks
  • countermeasures
  • Phishing

Cite this

Bullee, J-W. (2017). Experimental social engineering: investigation and prevention. Enschede: Centre for Telematics and Information Technology (CTIT). https://doi.org/10.3990/1.9789036543972
@phdthesis{c89e21eedfbe43f599b8eefd2358ea11,
title = "Experimental social engineering: investigation and prevention",
abstract = "Social engineering is the use of social manipulation and psychological tricks to make targets assist offenders in their attack. This practice manifests itself in, e.g., phishing emails or cold-call telephone scams. The aim of the thesis was to investigate the understanding of social engineering attacks in an organisational setting. In particular, the effectiveness of both the threat and the countermeasures was investigated. Three kinds of social engineering experiments were performed, each using a different modality (i.e. Face-to-Face (F2F), email and telephone). In each experiment, the targets (i.e. participants) were persuaded to perform actions that contribute to their own victimisation. The subjects (N = 162) in the F2F experiment were visited by an offender in their offices and asked to hand over their office keys. The subjects (N = 593) in the email experiment received a phishing email requesting Personally Identifiable Information (PII). The subjects (N = 92) in the telephone experiment were persuaded to download and execute software from an untrustworthy website. A portion of the participants in both the F2F and the telephone experiment received an intervention to reduce victimisation. The result was that 58.62{\%} of those in the F2F experiment complied with the offender, compared to 36.96{\%} of those who had previously been informed on how to detect and react to social engineering. In the telephone experiment, 40{\%} complied with the offender, compared to 17.2{\%} of those who received an intervention. Furthermore, 19.3{\%} of those who received a generic phishing email complied, compared to 28.9{\%} of those who received a spear phishing email. No effect of age, sex or the use of authority on victimisation was found, whereas having had an intervention, receiving a spear phishing email and cultural background did have an effect.
It is concluded that awareness raising about the dangers, characteristics and countermeasures related to social engineering has a significant positive effect on protecting the target. The research also shows that awareness-raising campaigns reduce the vulnerability only in the short term. In phishing emails, the use of a personalised opening sentence increases their success. The results of these experiments allow practitioners to focus awareness campaigns so as to maximise their effectiveness.",
keywords = "Experimental, Social, Engineering, Attacks, countermeasures, Phishing",
author = "Jan-Willem Bullee",
note = "CTIT PhD Thesis Series No 17-443, ISSN 1381-3617",
year = "2017",
month = "10",
day = "6",
doi = "10.3990/1.9789036543972",
language = "English",
isbn = "978-90-365-4397-2",
publisher = "Centre for Telematics and Information Technology (CTIT)",
address = "Netherlands",
}
