banks and companies race to harden their technical security defenses to avoid being hacked directly, criminals seek to target the humans who represent the
social engineering is now used in an estimated more than two-thirds of all cyberattacks. With emerging tactics and technologies, it appears as if things are about to get a whole lot worse, quite simply because, most of the time, taking advantage of your natural desire to trust is easier than finding ways to hack your software. In addition, you don’t need programming skills; all you need is communication skills, or the ability to write emails.
paper will start with a definition of each of social engineering, fraud and online fraud, and explain why social engineering fraud is growing. We will also discuss the principles of social psychology and some applications or common social engineering attacks. At the end, we will provide some advice to avoid becoming
Problem Definition
Related Work
Comparison and evaluation for the existing solutions
dictionary, in a business sense, fraud is defined as “the crime of getting money by tricking or deceiving people”. (1) Internet fraud refers to fraud that is tied to the internet: deceitful solicitations or transactions, and the transmission of the proceeds of the fraud to a financial institution, are managed and committed through online services; it can be conducted in chat rooms, e-mail, and web sites.
In the context of information security, social engineering is defined as the art of psychologically manipulating people so that they give up confidential information; it is also a type of confidence trick for the purpose of information gathering, fraud, or system access. (2)
Criminal Police Organization (Interpol) has identified social engineering fraud as one of the world’s emerging fraud trends. A few years ago, there was a spike in this type of fraud, and by 2015 reported losses had reached nearly $1bn; by comparison, global credit card fraud was $16bn.
Within the past 12 months, about 60 percent of security leaders have admitted that their organizations may have fallen victim to social engineering, and 94 percent say tactics such as spear phishing and watering hole attacks represent significant
With the reach and growth of the internet, having information on your target is a key part of social engineering; information can be bought from hacked company data, and criminals can study their victim’s social media profile online.
As social engineering depends mainly on psychological manipulation, we would like to mention three aspects of social psychology, especially the psychology of persuasion. (4)
1. Alternative routes to persuasion
Criminals can convince victims by making a statement at the beginning of their interaction that triggers strong emotions such as excitement or fear. This approach is mostly used in frauds that involve strong personal interaction, such as telemarketing fraud. It creates a kind of distraction for the victim and serves to interfere with his/her ability to think logically.
2. Attitudes and beliefs
This involves the victim’s beliefs and attitude about the person soliciting his money over the internet versus the criminal’s attitudes and beliefs about his intended or
3. Persuasion and influence techniques
In social psychology, there are many factors that are commonly used to persuade or influence others. Here are some of them:
people are highly likely to be responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically
when an advertisement says that this product or offer is available for a limited time
and similarity: by human tendency, having characteristics in common with someone or sharing the same interests provides a strong incentive for us to adopt a mental shortcut in dealing with that person, only because of that match.
III. Related Work
professionals say that the human, who trusts people easily, is the weakest link in the security chain. Without checking legitimacy, it is very easy to be exposed to risk. As we have read in articles and papers, here are some of the common social engineering attacks:
distrust: It is often done by people who have had a fight with you, but it can also be done by malicious strangers. Their next step is to step in as a hero and gain your trust by creating distrust in your mind about others; in this way they can extort you or threaten you with disclosure. Guessing weak passwords, social engineering or hacking helps them gain access to your email or any social media account and then alter private or sensitive data such as images, videos and audio. This personal information or data can then be forwarded to your friends or family members to create drama and embarrassment.
2. Response to a question you never had: You receive an email, phone call or message pretending to be a response to your request for help from a company used by millions of people, such as a bank or a software company. You might ignore it if you are not interested or you don’t use the mentioned service, but there is a chance that you will respond because you do need that service or product.
scenarios: It is very similar to phishing attacks and is based on people’s needs; if you offer something that people want, many of them will take the bait. This kind of attack is popular on websites offering something to download or on social networking sites. Malicious software can infect the devices of the people who take the bait. An example of a baiting scenario is shown in Figure (1).
IV. Comparison and evaluation for the existing solutions
Social engineering attacks are becoming more popular; the criminal’s imagination is the only limit to the number of ways they can socially engineer victims and users. Everyone might be exposed to a social engineering attack, and we would like to mention some advice to help you avoid becoming a victim:
1. If you receive a suspicious email or message, do a little research using search engines to find the company’s real site or phone number, and contact them to verify what you have received.
2. Don’t enter your personal or financial information in any reply message; it is a scam.
3. Ignore or reject such offers and requests for help.
4. Download programs and applications from well-known companies only.
5. Keep your anti-virus software up to date and use firewalls and email filters.
6. Help non-technical friends and family and make them aware of these attacks.
7. Use strong and complex passwords which don’t include any personal information, and use the two
Social engineering is not necessarily considered unethical; there is a grey area. It is similar to the debate between hacking and ethical hacking; it always depends on the intention of the actor. Seeking permission and using the information to benefit, educate and make people aware will make social
Defining certain forces and principles that lie at the foundations of cultural growth will help social engineering become a respectable science,
laws and rules can help in limiting social engineering fraud but will not
conclusion, we would like to say that grey areas are not reasons to carry out social engineering attacks, but ethics is not one of the criminals’ concerns. So you must keep protecting yourself and be aware of the websites you open and the software you download on your device.