FRAUD HELP DESK

THE DUTCH NATIONAL ANTI-FRAUD HOTLINE

Something fishy?
Report fraud to us between 09.00 and 17.00 Monday to Friday
11 Oct 2017
‘Education helps prevent cyber crime’

When it comes to securing online systems, people are invariably the weakest link. Users are easily tricked into disclosing confidential information. Education and creating public awareness about the danger of cybercrime helps prevent people falling for scams, new research shows.

PhD researcher Jan-Willem Bullee conducted various ‘social attacks’ at the University of Twente (UT) and analysed the effectiveness of countermeasures. These are some of his findings: a personalised phishing email is 50 percent more effective than an email with a general salutation. Forty percent of employees installed malicious software following a scam telephone call. And: education works, provided that there is not too much time between the information and the scam attack.

“Social engineering” involves manipulation and psychological tricks on the part of the scammer aimed to draw the victim into the scam. Ultimately, these people will actively participate in the scam. Known examples of this are phishing emails and Microsoft phone scams. In his research, Bullee conducted three “social attacks” targeting hundreds of test subjects to examine how effective these attacks really are. He also looked for ways to reduce the number of victims.

Three simulated attacks
For example, nearly 600 employees of the UT were sent a phishing email which asked them to disclose personal information. Half of these emails started with a general greeting, the other half was personalised. The results: 19.3 percent of the recipients of the general email complied, compared with 28.9 percent of recipients of a personalised email. In short: adding the recipient’s name makes scam attacks considerably more effective.

Examples of social engineering

Would you fall for social engineering? The research contains several very devious examples:
Suppose that you have traveled all day and arrive at your hotel. You check in and go to your room. Then almost immediately the phone rings. You hear the voice of a woman who pretends to be Rebecca from the front desk. She apologises for something that apparently went wrong when you checked in and asks you to pass on your credit card details once again. What would you do?

Another example:
Your office door is closed and can only be opened with a special key accessible only to staff. One morning you meet a guy calling himself Jack Smulders who claims to work for the company that supplied the key. Apparently, there have been some problems with the lock and he asks whether he can check your key. He then puts the key on a reading device and tells you nothing is wrong with it. However, the key must be reactivated in his van which is parked outside. Would you part with your key?

In addition, Bullee conducted an experiment in which he used a chat trick among 200 university staff to persuade them to give their office key to a stranger. No fewer than 59 percent complied. Bullee: “Sometimes, they even gave us their complete set of keys, including their house and car keys.”

In a third experiment, he approached 162 employees by telephone and asked them to download malicious software, which in fact was harmless, obviously. Forty percent of staff moved to install the software.

Victims overestimating themselves
A striking conclusion of this research is that victims are convinced beforehand that they won’t fall for this sort of scam. Before the experiments started, all interviewed staff members indicated that they would never install the software and 97 percent insisted they would never give any key to a stranger.

The three studies also show similar results among different groups: men, women, elderly or young people. When it comes to phishing emails, results depend on how long people are employed. Staff who were employed for less than four years tended to fall victim more often.

Preventive education
The most important question is, of course, how best to prevent social attacks. The research found that good information can be effective. The test subjects were divided into groups beforehand. The group who received information about how to spot scams scored much better both in the key experiment (37 percent of them gave their keys against 59 percent of those who were not informed) and in installing the software (17 versus 40 percent). However, the learning effect decreases as the time interval between information and the attack becomes larger. For this reason, it is very important to keep repeating the message over and over again and keep people alert the researcher concludes.

Photo © Dayna Bateman/Flickr.comCC BY-NC-SA 2.0