Social engineering in social networking sites : how good becomes evil

Social Engineering (ES) is now considered the great security threat to people and organizations. Ever since the existence of human beings, fraudulent and deceptive people have used social engineering tricks and tactics to trick victims into obeying them. There are a number of social engineering techniques that are used in information technology to compromise security defences and attack people or organizations such as phishing, identity theft, spamming, impersonation, and spaying. Recently, researchers have suggested that social networking sites (SNSs) are the most common source and best breeding grounds for exploiting the vulnerabilities of people and launching a variety of social engineering based attacks. However, the literature shows a lack of information about what types of social engineering threats exist on SNSs. This study is part of a project that attempts to predict a persons’ vulnerability to SE based on demographic factors. In this paper, we demonstrate the different types of social engineering based attacks that exist on SNSs, the purposes of these attacks, reasons why people fell (or did not fall) for these attacks, based on users’ opinions. A qualitative questionnaire-based survey was conducted to collect and analyse people’s experiences with social engineering tricks, deceptions, or attacks on SNSs.

Social engineering in social networking sites : the art of impersonation

Social networking sites (SNSs), with their large number of users and large information base, seem to be the perfect breeding ground for exploiting the vulnerabilities of people, who are considered the weakest link in security. Deceiving, persuading, or influencing people to provide information or to perform an action that will benefit the attacker is known as “social engineering.” Fraudulent and deceptive people use social engineering traps and tactics through SNSs to trick users into obeying them, accepting threats, and falling victim to various crimes such as phishing, sexual abuse, financial abuse, identity theft, and physical crime. Although organizations, researchers, and practitioners recognize the serious risks of social engineering, there is a severe lack of understanding and control of such threats. This may be partly due to the complexity of human behaviors in approaching, accepting, and failing to recognize social engineering tricks. This research aims to investigate the impact of source characteristics on users’ susceptibility to social engineering victimization in SNSs, particularly Facebook. Using grounded theory method, we develop a model that explains what and how source characteristics influence Facebook users to judge the attacker as credible.

No laughing matter: Blaming the victim of online fraud

There is a strong sense of negativity associated with online fraud victimization. Despite an increasing awareness, understanding about the reality of victimization experiences is not apparent. Rather, victims of online fraud are constructed as greedy and gullible and there is an overwhelming sense of blame and responsibility levelled at them for the actions that led to their losses. This belief transcends both non-victims and victims. The existence of this victim-blaming discourse is significant. Based on interviews with 85 seniors across Queensland, Australia, who received fraudulent emails, this article establishes the victim-blaming discourse as an overwhelmingly powerful and controlling discourse about online fraud victimization. However, the article also examines how humour acts as a tool to reinforce this discourse by isolating victims and impacting on their ability to disclose to those around them. Identifying and challenging this victim-blaming discourse, as well as the role of humour and its social acceptance, is a first step in the facilitation of victim recovery and future well-being.

'But I've never sent them any personal details apart from my driver's licence number...': Exploring seniors' attitudes towards identity crime

Identity crime is argued to be one of the most significant crime problems of today. This paper examines identity crime, through the attitudes and practices of a group of seniors in Queensland, Australia. It examines their own actions towards the protection of their personal data in response to a fraudulent email request. Applying the concept of a prudential citizen (as one who is responsible for self-regulating their behaviour to maintain the integrity of one’s identity) it will be argued that seniors often expose identity information through their actions. However, this is demonstrated to be the result of flawed assumptions and misguided beliefs over the perceived risk and likelihood of identity crime, rather than a deliberate act. This paper concludes that to protect seniors from identity crime, greater awareness of appropriate risk-management strategies towards disclosure of their personal details is required to reduce their inadvertent exposure to identity crime.

Boiler room scams destroy lives yet police blame victims

The Queensland Organised Crime Commission of Inquiry recently handed down its findings examining how organised crime has been policed in recent years. While media attention has been focused on the implications for child sexual exploitation and paedophilia, the report also made some substantial findings related to financial crimes such as investment fraud (commonly known as boiler rooms scams). Quite disturbingly, the report notes a strong victim blaming mentality that police expressed towards individuals who invested in fraudulent companies and who subsequently lost money in these boiler room scams. The attitude of the police towards boiler room victims was largely one of apathy towards the likelihood of any investigation, and of blame towards victims for not doing what was perceived to be “due diligence”. This finding illustrates several myths which are argued to exist around investment fraud victims, particularly around the concept of “due diligence”. It also feeds into the idea that victims are greedy/naïve and financially illiterate/not investment savvy. These are both problematic and largely inaccurate. Drawing on examples from my own research with fraud victims, the article will illustrate the complexity and sophistication of many boiler room schemes and demonstrate the difficulties in identifying fraudulent investment opportunities.