A Study of Social Engineering in Online Frauds

Abstract

Social engineering is a form of psychological exploitation in which scammers skillfully manipulate human weaknesses and carry out emotional attacks on innocent people. This study examined the contents of 100 phishing e-mails and 100 advance-fee-scam e-mails and evaluated the persuasion techniques that social engineers exploit for illegal gain. The analyses showed that alerts and account verification were the two primary triggers used to raise the attention of phishing e-mail recipients; these triggers were typically followed by a threatening tone conveyed through urgency. In advance-fee e-mails, timing is a lesser concern and potential monetary gain is the main trigger: business proposals and large unclaimed funds were the two most common incentives used to lure victims. The study revealed that social engineers combine statements framed in positive and negative manners with authoritative and urgent persuasion to influence innocent people's decisions to respond. Since it is highly unlikely that online fraud will ever be completely eliminated, the most important strategy for combating social engineering attacks is to educate the public about potential threats from perpetrators.
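As an added illustration of the trigger families the abstract reports (not code from the paper), the following script labels constructed sample messages by whether they carry an attention trigger (alert, account verification) combined with urgency, which the study associates with phishing, or a monetary-gain incentive (business proposal, unclaimed funds), which it associates with advance-fee scams. The keyword patterns are assumptions chosen for the example; the paper names categories, not a word list.

```python
import re
from typing import Dict, List

# Persuasion triggers the study reports for each scam family. The keyword
# patterns are constructed for this example; the paper gives the categories,
# not a word list, so treat these as illustrative, not as a tuned detector.
PHISHING_TRIGGERS = {
    "alert": r"\b(security alert|warning|suspicious activity|unusual sign-?in)\b",
    "account_verification": r"\b(verify|confirm|update)\b.{0,20}\b(account|details|password)\b",
}
URGENCY = r"\b(immediately|urgent(ly)?|within \d+ (hours?|days?)|will be (suspended|closed|locked))\b"
ADVANCE_FEE_TRIGGERS = {
    "business_proposal": r"\b(business proposal|partnership|joint venture)\b",
    "unclaimed_funds": r"\b(unclaimed|dormant|inheritance|next of kin)\b",
}

def find_triggers(text: str, patterns: Dict[str, str]) -> List[str]:
    """Return the names of every pattern that matches the message body."""
    lowered = text.lower()
    return [name for name, pat in patterns.items() if re.search(pat, lowered)]

def classify(text: str) -> dict:
    """Label a message with the study's trigger families.

    Phishing-like: an attention trigger (alert / account verification)
    combined with urgency. Advance-fee-like: a monetary-gain incentive
    (business proposal / unclaimed funds), with timing a lesser concern.
    """
    attention = find_triggers(text, PHISHING_TRIGGERS)
    urgent = re.search(URGENCY, text.lower()) is not None
    incentive = find_triggers(text, ADVANCE_FEE_TRIGGERS)
    if attention and urgent:
        label = "phishing-like"
    elif incentive:
        label = "advance-fee-like"
    elif attention or urgent:
        label = "suspicious-pressure"
    else:
        label = "no-trigger"
    return {"label": label, "attention": attention, "urgency": urgent, "incentive": incentive}

# Constructed sample messages (not drawn from the study's corpus).
SAMPLES = {
    "phish": "Security Alert: we detected unusual sign-in activity. Please verify your account within 24 hours or it will be suspended.",
    "419": "I have a business proposal for you regarding an unclaimed inheritance of a late client; you would be named next of kin.",
    "benign": "Hi, attaching the agenda for Thursday's meeting. Let me know if the time works.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```

The "suspicious-pressure" label covers messages that carry pressure without an attention trigger, which the abstract's own categories do not resolve; a production filter would combine these signals with sender and link reputation rather than rely on wording alone.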

Share and Cite:

Atkins, B. and Huang, W. (2013) A Study of Social Engineering in Online Frauds. Open Journal of Social Sciences, 1, 23-32. doi: 10.4236/jss.2013.13004.

Conflicts of Interest

The authors declare no conflicts of interest.


Copyright © 2024 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.