Victims & Offenders
An International Journal of Evidence-based Research, Policy, and Practice
Volume 16, 2021 - Issue 4
Original Articles

The Identification of a Model Victim for Social Engineering: A Qualitative Analysis


ABSTRACT

End users present a key challenge for the protection of contemporary information security systems. The manipulation of people through deceit to gain access to sensitive information and otherwise secure systems is known to hackers, information security practitioners, and other technologists as “social engineering.” To date, little research has investigated the attributes that people who engage in such deception – so-called “social engineers” – associate with vulnerable targets. To address this gap, this study engages in a grounded theory-based analysis of interviews with nonprofessional and professional social engineers. The results describe six attributes of a “model victim” for social engineers, a hypothetical person considered particularly susceptible to social engineering deceptions: (1) prized, (2) uninformed, (3) unconcerned, (4) outgoing, (5) connected, and (6) controlled. Additionally, this study describes heuristic categories described by participants to help make decisions about target vulnerability which include target socio-demographic characteristics, social roles, and organizational positions. Implications for theory, future research, and policy are considered.

Acknowledgments

The author would like to acknowledge Richard Goe and Alexandra Pimentel, who were both involved in the data gathering process for this study. Additionally, appreciation is given to Ken Tunnell who provided invaluable feedback on a prior draft.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1. The use of official and business statistics has limitations, particularly when describing internet-facilitated crimes (Yar, 2008). Yet these statistics are still useful for demonstrating that such frauds are a problem, even if they may not be the most accurate in communicating the precise prevalence or harm caused by such frauds.

2. The Internet Crime Complaint Center (IC3) (2020, p. 27) defines “phishing/vishing/smishing/pharming” scams as “unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.”

3. The term “social engineering” originated in the late 1800s to describe reformist attempts to use social science and policy to increase the efficiency and effectiveness of organizations and institutions (Hatfield, 2018). There is little evidence to suggest that the term was adopted by hackers, phone phreaks, and other technologists with this history in mind.

4. Cross (2019, p. 129) has described illicit activities that drift between on- and off-line vectors as “cyber-enabled offenses.”

5. 40.5% of our participants reported engaging in criminal social engineering in some capacity at some point in their lives, a figure derived from self-report questions. In total, fifteen participants admitted to or described engaging in some form of illegal social engineering (3 nonprofessional social engineers and 12 security auditors). This percentage does not count two security auditors who reported finding out in retrospect that their activities during a security audit had been illegal.

6. One analytic literature review by Tetri and Vuorinen (2013) describes three procedural dimensions of social engineering: persuasion, fabrication, and data gathering. The authors specifically note that data gathering can be useful for target selection but do not go into the elements that comprise a suitable target.

7. To our knowledge, only one study finds a connection between being less educated and the likelihood of fraud victimization (Lee & Soberon-Gerrer, 1997).

8. Whitty’s (2018) conclusion regarding the role of education is specific to romance frauds and is restricted to middle-aged women.

9. Whitty (2018) did not directly measure social isolation. Instead, that study examined the role of kindness, finding that less kind individuals were more likely to be subjected to romance scams. The authors then posit that one reason for the association may be that being less kind indirectly measures social isolation (pp. 108–109).

10. The IRB protocol number for this study is 8194.

11. While only ten participants openly invoked the need for a target to have some valued resource, this is likely because the requirement was often taken for granted. Further, no one provided counter-evidence suggesting that this theme was unimportant.

12. The author is uncertain whether the participant could actually extract 50 million dollars from an executive in this fashion. The claim is likely an exaggeration made to support their argument that social engineers may select a target for the authority they possess within an organization. Hyperbole aside, the point still stands that authority is a potentially desired resource for the social engineer. We did ask multiple participants whether they personally knew of organizations that had sustained losses of this magnitude, and answers were generally negative, though some claimed to know of organizations that did sustain such losses. This adds credence to the idea that the claim tends toward hyperbole.

13. Various authors have explored the development of trust online (e.g., Henderson & Gilding, 2004). Criminologists have also explored the development of trust in online black market networks (e.g., Dupont et al., 2016; Lusthaus, 2018).

14. Bernard recognized that the use of heuristics was probabilistic rather than deterministic. He explicitly noted this while explaining that he might target nurses because they tend to be helpful, adding the caveat that there is “some percentage of ‘em, maybe a quarter of ‘em that are just mean.”

Additional information

Funding

This work was supported by the National Science Foundation under [grant number SES #1616804].
