Three recent research papers on social engineering techniques and their effectiveness in phishing are reviewed. The main ideas are summarised, and the strengths, weaknesses and usefulness of the research in a business context are discussed.
Introduction
This report reviews three recent research papers on the use of social engineering techniques in phishing. Two of the papers evaluate the effectiveness of the persuasion techniques used in phishing emails; the third investigates a broader range of hacking techniques that rely on social engineering. Each paper was evaluated for its strengths and weaknesses and for its usefulness in a business context. The review is written in the format of an annotated bibliography; if you are interested in what the structure of an annotated bibliography should look like, have a read of What is an annotated bibliography? This report is based on an assignment submitted for the Dark Web subject (ITC578) at Charles Sturt University.
Reviews
Lawson, P., Pearson, C. J., Crowson, A., & Mayhorn, C. B. (2020). Email phishing and signal detection: How persuasion principles and personality influence response patterns and accuracy. Applied Ergonomics, 86, 103084. https://doi.org/10.1016/j.apergo.2020.103084
Summary of the Main Ideas and Arguments
Lawson et al. (2020) surveyed 102 student participants online to explore the relationship between personality traits and the effectiveness of the social engineering persuasion techniques used in phishing emails. Participants completed a Big Five personality test measuring neuroticism, extroversion, openness, agreeableness and conscientiousness (Costa & McCrae, 1992). The researchers classified the survey emails according to four of the six principles of social engineering persuasion: commitment/consistency, liking, authority and scarcity (Cialdini, 1987). Results were analysed using signal detection theory to measure how well participants distinguished legitimate emails from phishing emails (Canfield et al., 2016).
The results confirmed previous findings that high extroversion correlates with increased susceptibility to phishing, and that individuals with higher impulse control perform better at detecting phishing emails. The study also found that extroverts are more susceptible to phishing emails that use the liking and scarcity principles, while people with the agreeable personality trait were most susceptible to the authority principle. Emails using the liking principle (i.e., logos and brand recognition) were rated as the most trustworthy, whether legitimate or phishing.
Evaluation of Strengths and Weaknesses
The research confirmed previous findings on personality traits and phishing susceptibility and added new findings on which personalities are more susceptible to particular persuasion techniques. Although the researchers' literature review showed that factors such as age, participation and phishing identification training play a part in phishing susceptibility, these factors were not considered in the study. The study also did not attempt to simulate real-world phishing, where users can inspect email hyperlinks or headers such as the sender's name and email address.
Usefulness
The research is useful to organisations that wish to train users to avoid phishing attacks: trainers can focus on the persuasion techniques that are most effective and on the personalities that are most susceptible.
Butavicius, M., Parsons, K., Pattinson, M., & McCormac, A. (2015). Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails. Australasian Conference on Information Systems, Adelaide, South Australia.
Summary of the Main Ideas and Arguments
Butavicius et al. (2015) performed research on 121 student participants to measure how effective four of the six persuasion techniques are in phishing and spear-phishing. In a lab environment, participants were shown how to hover over a link in an email body to reveal its destination and were then given emails that used three of the six social engineering persuasion techniques (authority, social proof and scarcity) as well as emails that used none. Participants rated how safe they thought each link was to click, and the results were analysed using signal detection theory. Participants were worst at detecting spear-phishing emails, rating 71% of them as safe to click; they rated genuine emails as safe to click 77% of the time and phishing emails as safe 37% of the time. Interestingly, phishing emails that used no persuasion principle at all attracted the highest confidence that the link was safe. The study confirmed other research finding that participants with poor impulse control perform worse at detecting phishing emails.
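Both Lawson et al. (2020) and Butavicius et al. (2015) analyse their data with signal detection theory, which is worth making concrete. The following is an added worked example written for this review, not code from either paper: it turns "rated safe to click" proportions of the kind quoted above into the two standard SDT measures, sensitivity d' (how well phishing is separated from genuine mail) and criterion c (the bias towards calling mail safe). It assumes that a hit is a phishing email rated unsafe and a false alarm is a genuine email rated unsafe; combining the 71% spear-phishing figure with the same genuine-email rate is an illustration only, since the paper's per-condition breakdown is not reproduced here.

```python
"""Signal detection measures for phishing-judgement data (added example)."""
from statistics import NormalDist

# Inverse of the standard normal CDF: the "z" transform used throughout SDT.
_z = NormalDist().inv_cdf


def corrected_rate(count, trials):
    """Proportion with the usual 1/(2N) correction: a rate of exactly 0 or 1
    would give an infinite z-score, so it is pulled just inside (0, 1)."""
    if trials <= 0:
        raise ValueError("trials must be positive")
    if count == 0:
        return 0.5 / trials
    if count == trials:
        return 1 - 0.5 / trials
    return count / trials


def sensitivity(hit_rate, false_alarm_rate):
    """d' = z(H) - z(FA): how well the rater separates phishing from genuine mail.
    0 is chance, around 1 is modest discrimination, 3 or more is near perfect."""
    return _z(hit_rate) - _z(false_alarm_rate)


def criterion(hit_rate, false_alarm_rate):
    """c = -(z(H) + z(FA)) / 2: response bias. Positive means the rater leans
    towards calling mail safe (misses phishing); negative means over-reporting."""
    return -(_z(hit_rate) + _z(false_alarm_rate)) / 2


def from_safe_ratings(phish_rated_safe, genuine_rated_safe):
    """Convert 'proportion rated safe to click', as the paper reports it, into
    SDT terms. Hit = phishing email rated unsafe; false alarm = genuine email
    rated unsafe. Returns (d_prime, c)."""
    hit = 1 - phish_rated_safe
    false_alarm = 1 - genuine_rated_safe
    return sensitivity(hit, false_alarm), criterion(hit, false_alarm)


if __name__ == "__main__":
    # Figures quoted above from Butavicius et al. (2015): genuine mail rated
    # safe 77% of the time, phishing 37%, spear-phishing 71%.
    d_phish, c_phish = from_safe_ratings(0.37, 0.77)
    # Same false-alarm rate reused for spear-phishing, purely for illustration.
    d_spear, c_spear = from_safe_ratings(0.71, 0.77)
    print(f"phishing:       d' = {d_phish:.2f}, c = {c_phish:.2f}")
    print(f"spear-phishing: d' = {d_spear:.2f}, c = {c_spear:.2f}")
```

With the quoted figures, ordinary phishing gives d' of roughly 1.07 with a positive criterion (participants leaned towards "safe"), whereas the spear-phishing rate, paired with the same genuine-email rate, drops d' to roughly 0.19, barely above chance. That is the quantitative form of the paper's claim that participants were worst at spear-phishing.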
Evaluation of Strengths and Weaknesses
The research highlighted that existing phishing awareness training is ineffective against spear-phishing attacks, and the paper’s discussion offers training techniques to improve cognitive impulse control. However, there is no mention of whether the From address in the email headers was shown to participants, and the paper does not provide a sample of the phishing emails used. This matters because display name spoofing or email address spoofing is easily detectable on visual inspection (Szathmari, 2018), so the high confidence levels recorded for spear-phishing may not reflect a real-world scenario.
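The two inspection cues that this critique and the one of Lawson et al. above refer to (hovering over a link to see where it really goes, and comparing the From display name with the actual sender address) can be approximated programmatically, which is how a mail gateway or awareness tool would surface them to users. The following is an added example written for this review, not code from any of the papers or from Szathmari's post. The sample message, its headers and all domains are constructed for illustration using reserved example names; the detection rules are deliberately simple host comparisons.

```python
"""Programmatic version of the manual header and link checks (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not taken from any reviewed paper. It shows both cues at
# once: the display name carries a colleague-looking address while the real
# sender is elsewhere, and the link text names one host while the href points
# to another.
SAMPLE_EMAIL = """\
From: "hr-payroll@corp.example" <noreply@mail-relay-7.example.net>
To: staff@corp.example
Subject: Action required: confirm your payslip details
Content-Type: text/html

<html><body>
<p>Your payslip could not be delivered. Confirm your details here:</p>
<a href="http://corp-example-payroll.example.net/confirm">https://portal.corp.example/payroll</a>
<p>Regards, <a href="https://corp.example/hr">HR team</a></p>
</body></html>
"""

# Something that looks like a host name: labels, dots, a 2+ letter TLD.
DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def host_of(url_or_host):
    """Lower-cased host of a URL; a bare host name is accepted as well."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def same_org(a, b):
    """True if the hosts are equal or one is a subdomain of the other, so a
    link from mail.corp.example to corp.example is not flagged."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class _Anchors(HTMLParser):
    """Collects (href, visible text) for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Links whose visible text is itself a URL or host but whose href points to
    a different organisation: what hovering over the link would reveal."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if DOMAIN_RE.search(text) is None:
            continue  # plain words such as "HR team": nothing to compare against
        if not same_org(host_of(text), host_of(href)):
            findings.append((text, href))
    return findings


def sender_mismatch(from_header):
    """Display-name spoofing: the name part names an address or host that does
    not belong to the domain actually sending. Returns (claimed, actual) or None."""
    name, addr = parseaddr(from_header)
    actual = addr.rsplit("@", 1)[-1].lower()
    match = DOMAIN_RE.search(name)
    if match is None or not actual:
        return None
    claimed = match.group(0).lower()
    return None if same_org(claimed, actual) else (claimed, actual)


def inspect(raw_message):
    """Run both checks on a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw_message)
    report = {"sender": sender_mismatch(msg["From"] or ""), "links": []}
    if msg.get_content_type() == "text/html":
        report["links"] = link_mismatches(msg.get_payload())
    return report


if __name__ == "__main__":
    print(inspect(SAMPLE_EMAIL))
```

Running it on the sample flags both cues: the display name claims corp.example while the message was sent from mail-relay-7.example.net, and the one link whose text reads as a corp.example URL actually resolves to a different host. A study that hid these cues from participants measured something narrower than real-world phishing susceptibility, which is the point of the critique.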
Usefulness
The research provides insight into the effectiveness of phishing and spear-phishing and into how training, especially training that improves impulse control, may reduce users' susceptibility to phishing. One of the most interesting findings is that phishing which used no persuasion technique at all was the most effective. Conveying this in training is essential so that users remain vigilant against all phishing, rather than only being wary of emails that use the authority or scarcity technique.
Lohani, S. (2019). Social Engineering: Hacking into Humans. International Journal Of Advanced Studies Of Scientific Research (IJASSR), 4(1), 385–393.
Summary of the Main Ideas and Arguments
This conference paper by Lohani (2019) is a high-level survey of the most popular social engineering techniques used in cyber-attacks today. According to the paper, 95% of cybersecurity attacks involve social engineering. The paper describes these techniques and provides recent examples for some of them; the most prevalent are phishing, spear phishing, baiting, watering hole attacks, pretexting and quid pro quo. It also offers fourteen practical solutions for mitigating these attacks.
Phishing involves sending an email that impersonates a person or popular service and invites the user to click a link and perform some action that steals sensitive information, such as the user’s credentials. Lohani offers several real-world examples of phishing, such as the Apple ID account lockout scam, and describes how threat actors generate fake login pages with the Social Engineering Toolkit. Spear phishing is similar to phishing except that the emails target a specific person, such as an important employee in a business; the threat actor gathers information about the target and uses it to craft emails tailored to that individual.
Evaluation of Strengths and Weaknesses
The paper provides high-level details of how phishing techniques work and how threat actors use ready-made toolkits to carry out attacks. The language is non-technical, and screenshots of real-world examples are provided for at least the first four techniques. However, there are no real-world examples for pretexting or quid pro quo attacks, and little effort is dedicated to explaining how these attacks work. Fourteen practical mitigation techniques are discussed, but they are not described in great detail, nor does the paper explain how each mitigates a specific social engineering attack. Much of the advice is generic cyber security guidance such as “use a strong password” and “install anti-virus software”. Although the paper provides a reference list, it does not adequately source many of the statistics in the body of the paper on the effectiveness and popularity of social engineering techniques in cyber-attacks.
Usefulness
The paper is useful in explaining how threat actors carry out social engineering attacks in a non-technical way that would appeal to a broad audience. Although the advice for mitigation is generic, it offers one good piece of advice: to increase awareness of social engineering attacks through education.
Discussion
Important Issues not addressed in the literature
Research by Lawson et al. (2020) and Butavicius et al. (2015) highlights how a person’s personality and the use of persuasion techniques in phishing can trick users into clicking hyperlinks unsafely. Both studies highlight how phishing awareness training can help prevent users from falling victim to phishing, and the discussion in Butavicius et al. (2015) suggests that cognitive impulsivity training aimed at making users more vigilant could improve outcomes. Lohani (2019) lists awareness training as a mitigation strategy for social engineering attacks. In the literature reviewed, however, no study attempted to measure how effective different kinds of awareness training are against phishing attacks, or how people with different personalities respond to such training. A possible future study could have participants respond to phishing emails before and after different kinds of training, in a simulated or real-world phishing scenario, to gauge which training techniques are most effective at improving awareness for which kinds of users.
Lessons Learnt
The most crucial lesson from this literature review is that social engineering attacks are the most significant threat to cybersecurity in organisations, with phishing and spear-phishing being the most effective techniques. An important fact learnt is that people with extroverted personalities, high levels of agreeableness or low levels of impulse control are at high risk of falling victim to phishing.
Recommendations on improving security in the workplace
Social engineering awareness training focusing on phishing and spear phishing is an essential strategy for improving an organisation’s security posture. There are specific types of people at greater risk of falling victim to phishing, such as young people, extroverted people, people with high levels of agreeableness and people with low levels of impulse control. Human resource departments often perform personality tests when hiring employees. This data could be used to target training for individuals with personality traits that make them more susceptible to phishing. Organisations can use the research to improve their phishing awareness training by educating users on personalities that are more susceptible to phishing.
Conclusion
A literature review was carried out of three papers on the use of social engineering techniques in phishing. Research by Lawson et al. (2020) and Butavicius et al. (2015) shows that extroverted personalities are more susceptible to phishing, as are people with low impulse control. Although Lawson et al.’s research found that the persuasion principle of ‘liking’ was most effective in tricking users into clicking hyperlinks, Butavicius et al. found that using no persuasion principle and making a phishing email look inconspicuous is even more effective. All three papers identified phishing awareness training as effective in mitigating the risk of a person falling victim to a phishing attack, and future research in this area was suggested.
References
Butavicius, M., Parsons, K., Pattinson, M., & McCormac, A. (2015). Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails. Australasian Conference on Information Systems, Adelaide, South Australia. https://www.researchgate.net/publication/303812216_Breaching_the_Human_Firewall_Social_engineering_in_Phishing_and_Spear-Phishing_Emails
Canfield, C. I., Fischhoff, B., & Davis, A. (2016). Quantifying Phishing Susceptibility for Detection and Behavior Decisions. Human Factors: The Journal of the Human Factors and Ergonomics Society, 58(8), 1158–1172. https://doi.org/10.1177/0018720816665025
Cialdini, R. B. (1987). Influence: The Psychology of Persuasion. Harper Business.
Costa, P. T., & McCrae, R. T. (1992). Neo PI-R Professional Manual. SAGE Publications.
Lawson, P., Pearson, C. J., Crowson, A., & Mayhorn, C. B. (2020). Email phishing and signal detection: How persuasion principles and personality influence response patterns and accuracy. Applied Ergonomics, 86, 103084. https://doi.org/10.1016/j.apergo.2020.103084
Lohani, S. (2019). Social Engineering: Hacking into Humans. International Journal Of Advanced Studies Of Scientific Research (IJASSR), 4(1), 385–393. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3329391#
NIST. (1996, September). Generally Accepted Principles and Practices for Securing Information Technology Systems. https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=890092
Szathmari, G. (2018, October 14). Five Ways to Identify Phishing Emails. Iron Bastion Security Blog. https://blog.ironbastion.com.au/five-ways-to-detect-phishing-emails/