When it comes to securing online systems, people are invariably the weakest link. Users are easily tricked into disclosing confidential information. Education and creating public awareness about the danger of cybercrime help prevent people from falling for scams, new research shows.
PhD researcher Jan-Willem Bullee conducted various ‘social attacks’ at the University of Twente (UT) and analysed the effectiveness of countermeasures. These are some of his findings: a personalised phishing email is 50 percent more effective than an email with a general salutation. Forty percent of employees installed malicious software following a scam telephone call. And: education works, provided that there is not too much time between the information and the scam attack.
“Social engineering” involves manipulation and psychological tricks on the part of the scammer, aimed at drawing the victim into the scam. Ultimately, the victims actively participate in the scam themselves. Well-known examples are phishing emails and Microsoft phone scams. In his research, Bullee conducted three “social attacks” targeting hundreds of test subjects to examine how effective these attacks really are. He also looked for ways to reduce the number of victims.
Three simulated attacks
For example, nearly 600 employees of the UT were sent a phishing email which asked them to disclose personal information. Half of these emails started with a general greeting; the other half were personalised. The results: 19.3 percent of the recipients of the general email complied, compared with 28.9 percent of recipients of a personalised email. In short: adding the recipient’s name makes scam attacks considerably more effective.
In addition, Bullee conducted an experiment in which he used a conversational trick on 200 university staff to persuade them to hand their office key to a stranger. No fewer than 59 percent complied. Bullee: “Sometimes, they even gave us their complete set of keys, including their house and car keys.”
In a third experiment, he approached 162 employees by telephone and asked them to download malicious software, which was in fact harmless. Forty percent of staff went on to install the software.
Victims overestimating themselves
A striking conclusion of this research is that victims are convinced beforehand that they won’t fall for this sort of scam. Before the experiments started, all interviewed staff members indicated that they would never install the software and 97 percent insisted they would never give any key to a stranger.
The three studies also show similar results among different groups: men, women, elderly or young people. When it comes to phishing emails, results depend on how long people are employed. Staff who were employed for less than four years tended to fall victim more often.
The most important question is, of course, how best to prevent social attacks. The research found that good information can be effective. The test subjects were divided into groups beforehand. The group who received information about how to spot scams scored much better both in the key experiment (37 percent of them gave their keys, compared with 59 percent of those who were not informed) and in installing the software (17 versus 40 percent). However, the learning effect decreases as the time interval between the information and the attack becomes larger. For this reason, it is very important to keep repeating the message and to keep people alert, the researcher concludes.