
Gee Lite


social engineering attacks

Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain control
over a computer system, or to steal personal and financial information. It uses psychological
manipulation to trick users into making security mistakes or giving away sensitive information.

1. Research your chosen topic and learn as much as you can about how it works.
o What are the specific techniques that criminals use?
Recent research has found that certain terms and techniques associated with SE go perhaps far beyond technology and more into human error and social psychology. Three key aspects of social psychology could help explain the emotional cues for manipulated SE attacks [18]: alternative routes to persuasion (i.e., central route and peripheral route), attitudes and beliefs that affect human interactions, and techniques for persuasion and influence.

In a central route to persuasion, SE attackers persuade victims to provide desired information without fabricating unreal scenarios. Thus, this comparatively direct route, which depends on the responder's logical thinking toward the marshaled information from the attacker, does not normally succeed. The other route, the peripheral route to persuasion, can be leveraged by SE attackers to bypass logical argument and counterargument and seek to trigger intrusion. In the peripheral route to persuasion, the attacker tends to make the intended victim more susceptible to persuasion by triggering strong emotions such as fear or excitement in order to interfere with the victim's ability to respond. Attitudes and beliefs refer to the differences between the victim's attitude and beliefs about the SE attacker and the SE attacker's attitudes and beliefs about his anticipated or definite victims. Rooted in social psychology, persuasion and influence techniques rely on peripheral routes to persuasion that are effective in influencing others. Six factors can constitute effectual persuasion: authority, scarcity, liking and similarity, reciprocation, commitment and consistency, and social proof [19].

Furthermore, SE attacks are categorized into human-based and technology-based intrusions. Human-based attacks are interactions between the attacker and the victim who possesses valuable information. In contrast, technology-based attacks access confidential information by employing computer software programs such as pop-up windows, e-mail attachments, and websites. Maliciously generated e-mail attachments and websites exploit the victim's natural tendency to trust others in order to get them to divulge information or perform actions, while a vicious script-embedded pop-up window manipulates the victim's psychological fear of getting into trouble by repeatedly prompting the victim to re-enter his/her username and password on the pretext that the network connection was interrupted; the window then surreptitiously delivers the information entered to the attackers [2].

A typical SE attack is composed of four steps: information gathering, relationship development, exploitation, and execution. An SE attacker initially gathers information about the target(s), such as names, phone numbers, and birth dates, from publicly-accessible information such as directories and organizational charts.
Xin (Robert) Luo, Richard Brody, Alessandro Seazzu, Stephen Burd, "Social Engineering: The Neglected Human Factor for Information Security Management", Information Resources Management Journal, 24(3), 1-8, July-September 2011
Peltier, T. (2006). Social Engineering: Concepts and Solutions. Information System Security, 15(5), 13–21. doi:10.1201/1086.1065898X/46353.15.4.20060901/95427.3
Rusch, J. (1999). The Social Engineering of Internet Fraud. Paper presented at the INET'99 Conference, San Jose, CA

What are the risks to individuals and organizations?


Individuals make themselves even more vulnerable to social engineering attacks by not expecting ever to be a victim of such an attack, and many will never know that they were a victim of one. The majority of the public are not aware of this technique and do not fully comprehend the extent to which these techniques can be used to obtain information, or the potential they hold for dire personal, economic and social consequences and losses for the individual and institution. An individual may believe that the information they possess is of no particular value to another person and could not be used for any malicious act, and will thus be more willing to disclose information freely. However, the social engineer is dedicated to researching various aspects and gathering information from various sources. There are two main perspectives on social engineering: the psychological perspective and the computer science perspective. The psychological perspective focuses on the emotional state and cognitive abilities of the individual, while the computer science perspective focuses on information sensitivity, one of the cornerstones of information security [8]. A social engineer is considered to exist under the white hats society and welcomes information that is seemingly harmless for an organization, as it may play a crucial role in convincing others they are real [9,10,11,12]. The secret of success for social engineering is that users are very prone to being deceived if you gain their trust and if they are manipulated in a certain manner [13,14].

Social engineers frequently follow a certain route where the intention can be just the opposite in some cases. This is called reverse tricking [10]. Essentially, the attacker creates a problem by which the user will be directly affected; contact is then made by telephone, leaving a number for the user to call back. This so-called 'penetration' is a technique where an outsider disguises themselves as a member of the organization's staff to obtain passwords, etc. [15].

Mataracioglu, T., 2009. Social Engineering: Attack and Protection Methods. TUBITAK BILGEM Cyber Security Institute – Course Notes.
Mitnick, K.D. and Simon, W.L., 2002. The Art of Deception. Indianapolis: Wiley Publishing.
Arslantas, M.B., 2004. Methods Used in Internet Crime. MEB Head Office of Information Technologies. Available from: http://egitek.meb.gov.tr/EgitekHaber/EgitekHaber/s75/bılsım sucları.htm
Hasan, M., Prajapati, N., Vohara, S., 2010. Case Study on Social Engineering Techniques for Persuasion. International Journal on Applications of Graph Theory in Wireless Ad Hoc Networks and Sensor Networks.
Slatalla, M., Quittner, J., 1995. Masters of Deception: The Gang that Ruled Cyberspace. New York: Harper Collins.
Voyager, 1994. Janitor Privileges, 2600: The Hackers' Quarterly.
Tolga Mataracioglu, Sevgi Ozkan, Ray Hackney, "Towards a Security Lifecycle Model against Social Engineering Attacks: SLMSEA," Proceedings of the Nineteenth Americas Conference on Information Systems, Chicago, Illinois, August 15-17, 2013
https://www.researchgate.net/profile/Rajeev-Kumar-5/publication/309234725_Social_Engineering_Hacking_a_Human_Being_through_Technology/links/5806568908aeb85ac85f4742/Social-Engineering-Hacking-a-Human-Being-through-Technology.pdf

o What are some best practices for preventing and detecting this type of identity theft?
2. Write a reflection paper that addresses the following questions:
o What is the emerging trend in identity theft online that you chose to research?
In social engineering attacks, scammers impersonate trusted officials, like customer
service representatives at a bank, to con unsuspecting victims out of millions of dollars
every year. The “engineering” part doesn’t have to be technical in these types of attacks,
which is part of what makes them such a pervasive threat. By pretending to be someone
else, scammers aim to trick a person into giving them information that they shouldn’t. A
social engineer doesn’t need to crack your password. Instead, they try to get you to give
it to them over the phone by claiming there’s something wrong with your account, and
that they’re here to help.

According to the FBI's 2021 Internet Crime Report, 323,972 individuals reported being a
victim of one of several types of social engineering attacks, resulting in nearly $45
million in losses. And that’s only reported scams — true numbers are estimated to be
exponentially higher as many victims fail to report incidents out of shame or
embarrassment. In particular, business email compromise attacks (BEC) took a
staggering toll. Since 2016, these attacks have resulted in over $43 billion in losses.

The most prevalent social engineering scams take place over the phone or through
malicious links in emails. Well-crafted schemes carry all the signs of legitimacy, using
personal details collected from the dark web or even from social media to catch even
the most careful individuals off-guard. Though the spotlight has been on how fraudsters
use stolen data for account originations, data breaches also give social engineers more
personal information to exploit in a social engineering attack, improving their ability to
target individuals and commit fraud in the digital age.

The more specific an attacker makes their scam, the harder it is to see through it. You
can roll your eyes at the emails in your spam folder saying you’ve won a cruise, but you
have to take a long look at the sender’s address before you write off a message claiming
to have been sent by your boss.
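
The "long look at the sender's address" described above can be partly automated. The following Python sketch is an added example, not part of the original document; the directory entry, the trusted domain and the sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed data (assumption): a real deployment would load these
# from the corporate directory and mail configuration.
TRUSTED_DOMAIN = "example.com"
KNOWN_SENDERS = {"dana whitfield": "dana.whitfield@example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, reply_to=None):
    """Return warning labels for one message's From and Reply-To headers."""
    warnings = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    # A familiar display name paired with an address that is not the
    # one on record for that person.
    expected = KNOWN_SENDERS.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        warnings.append("display-name-mismatch")
    # A domain one or two characters away from the trusted one.
    if 0 < edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        warnings.append("lookalike-domain")
    # Replies would be routed to a different domain than the sender's.
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].lower().rpartition("@")[2]
        if reply_domain != domain:
            warnings.append("reply-to-diverges")
    return warnings

if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        ("Dana Whitfield <dana.whitfield@example.com>", None),
        ("Dana Whitfield <dana.whitfield@examp1e.com>", None),
        ("Dana Whitfield <d.whitfield.office@freemail.test>", None),
        ("Dana Whitfield <dana.whitfield@example.com>", "payments@invoices.test"),
    ]
    for from_header, reply_to in samples:
        print(from_header, reply_to, check_sender(from_header, reply_to))
```

A message that passes these checks is not thereby trustworthy; the checks only surface the mismatches a reader is most likely to overlook.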
o How does this type of identity theft work?
Social engineering fraud is a broad term that refers to the scams used by criminals to
exploit a person’s trust in order to obtain money directly or obtain confidential
information to enable a subsequent crime. Social media is the preferred channel but it is
not unusual for contact to be made by telephone or in person.
o What are the risks to individuals and organizations?
In cybercrime, these “human hacking” scams tend to lure unsuspecting users into
exposing data, spreading malware infections, or giving access to restricted systems.
Attacks can happen online, in-person, and via other interactions. Scams based on social
engineering are built around how people think and act.
o What are some best practices for preventing and detecting this type of identity theft?
Social engineering is the term used for a broad range of malicious activities
accomplished through human interactions. It uses psychological manipulation to trick
users into making security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates
the intended victim to gather necessary background information, such as potential
points of entry and weak security protocols, needed to proceed with the attack. Then,
the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions
that break security practices, such as revealing sensitive information or granting access
to critical resources.
o What are your thoughts on the future of identity theft online?

Social engineering attacks manipulate victims by attacking the weakest link. Social engineering requires
that a victim stands in an asymmetric knowledge-relation to the attacker, who uses this asymmetry to
establish technocratic control over the victim [1]. Technocrats are people with a skill or specific technical
knowledge such as dentistry or economic planning. Asymmetric knowledge occurs when people or
groups have more significant satisfaction and knowledge than other people in the specific knowledge
area. Hatfield [1] elaborates on social engineering attacks from 1842 until the current cyber age.

J. M. Hatfield, "Social engineering in cybersecurity: The evolution of a concept", Comput. Secur., vol. 73,
pp. 102-113, Mar. 2018.

https://ieeexplore.ieee.org/abstract/document/9743471

The notion of social engineering has appeared recently in the study of online fraudulent activities (Blommaert & Omoniyi, 2006; Holt & Graves, 2007; Huang & Brockman, 2011; King & Thomas, 2009; Mann, 2008; Ross, 2009; Workman, 2008; Zook, 2007). This stream of research has centered on the exploitive nature of deceptive communications employed by social engineers in the commission of fraudulent acts. Accounts of such acts are built on the assumption that people fall victim to scams because they are ignorant, naïve, or greedy (King & Thomas, 2008). This study, instead, would suggest that neither gullibility nor ignorance explains the success of such frauds. The study, focusing on online fraud, will show that social engineers are able to exploit human weaknesses to obtain desired behaviors and privileged information via psychologically constructed communications. These fraudsters can skillfully manipulate victims into an emotionally vulnerable state with a disguised, attractive e-mail.

Blommaert, J., & Omoniyi, T. (2006). E-mail fraud: Language, technology, and the indexicals of globalization. Social Semiotics, 16, 573-605. doi:10.1080/10350330601019942

King, A., & Thomas, J. (2009). You can't cheat an honest man: Making ($$$s and) sense of the Nigerian e-mail scams. In F. Schmallegar, & M. Pittaro (Eds.), Crimes of the internet (pp. 206-224). Saddle River, New Jersey: Pearson Education.

Workman, M. (2008). Wisecracker: A theory-grounded investigation of phishing and pretext social engineering threats to information security. Journal of personality and Social Psychology, 9, 1-27.

https://www.scirp.org/html/36435.htm
