
Catch Me if You Can : "Delaying" as a Social Engineering Technique in the Post-Attack Phase

Published: 16 April 2023

Abstract

Much is known about social engineering (SE) strategies during the attack phase, but little is known about the post-attack period. To address this gap, we conducted 17 narrative interviews with victims of cyber fraud. We found that while victims saw it as important to act immediately and to take countermeasures against the attack, they often did not do so. In this paper, we describe this "delay" in victims' responses as entailing a period of doubt and trust in good faith. The delay in victim response is a direct consequence of various SE techniques, such as exploiting prosocial behavior, with subsequent negative effects on emotional state and interpersonal relationships. Our findings contribute to shaping digital resilience by helping people identify and overcome delay techniques so as to combat their inaction and paralysis.


Cited By

  • A review of organization-oriented phishing research. PeerJ Computer Science 10 (2024), e2487. DOI: 10.7717/peerj-cs.2487. Online publication date: 27 Nov 2024.
  • When the "Matchmaker" Does Not Have Your Interest at Heart: Perceived Algorithmic Harms, Folk Theories, and Users' Counter-Strategies on Tinder. Proceedings of the ACM on Human-Computer Interaction 8, CSCW2 (2024), 1--29. DOI: 10.1145/3689710. Online publication date: 8 Nov 2024.
  • Social Engineering Shoulder Surfing Attacks (SSAs): A Literature Review. Lessons, Challenges, and Future Directions. Advanced Research in Technologies, Information, Innovation and Sustainability (2024), 220--233. DOI: 10.1007/978-3-031-48855-9_17. Online publication date: 3 Jan 2024.

Published In

Proceedings of the ACM on Human-Computer Interaction, Volume 7, Issue CSCW1 (CSCW)
April 2023, 3836 pages
EISSN: 2573-0142
DOI: 10.1145/3593053

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. coping strategies
  2. cybercrime
  3. digital resilience
  4. post-attack
  5. social computing
  6. social engineering
  7. usable security
  8. user behavior
  9. victim's vulnerabilities
