Article Preview
TopIntroduction
The last few years have seen increasing social engineering attacks rather than automated exploits; these cybercrimes are becoming more common and increasingly sophisticated as social engineers create diverse cunning methods and ingenious scenarios to trick targeted victims into divulging confidential information. Phishing remains the most used method due to the ease of approaching targets through e-mail, social networks, and other emerging communication means. Security reports show that 75% of businesses reported being a victim of spear-phishing in 2020 (Proofpoint, 2021). According to Verizon (2021), 36% of data breaches used phishing and 85% of these breaches involved the human element in 2021. The worldwide lock-down application has recently resulted in an explosion of pandemic-themed phishing lures, such as offering financial assistance, vaccination appointments, and health advice sent in the name of government agencies.
The foundations of social engineering are not new; it applies psychological principles that have evolved over thousands of years. Indeed, one of the first known social engineering instances might be traced back to the 11th century BC with using the Trojan horse in the Greek methodology (Strauss, 2007). Currently, it is the use of deception and persuasion to fool unsuspecting users, or employees, into violating security policies, whether to gain access or to obtain sensitive data (Mitnick and Simon, 2003).
Phishing often takes the form of pretexting or sending spoofed e-mails that appear to be legitimate from trusted sources (Hong, 2012) to gain users’ trust and influence them to fulfill a request or to download attachments that load the malware into their systems (Figure 1). The effectiveness of these threats significantly relies on how fast the message can trigger the desired response (Hadnagy et al. 2015; Wright et al. 2014). Moreover, both cognitive (Vishwanath et al. 2011, 2015, 2018; Musuva et al. 2018; Cho et al. 2016) and technical features (Mao et al. 2013; Le Page et al. 2018; Chiew et al. 2018) are exploited to deceive users into falling for the phish and are known to have a major impact on phishing victimization (Van Der Heijden et al., 2019).Spear phishing is a more selective approach of this attack; it is a direct attack at a specific target or targets that uses a complex and persuasive scheme to generate a higher success rate based on the analysis of the victim's online profile and personal disclosed information (Hamoud and Aimeur., 2020). Hackers take plenty of time to conduct a deep search on target users and create more relevant and specific messages. For instance, they can make forged official documents that include the victim's personal information.
Figure 1.
The impact of successful phishing attacks in 2020 (Proofpoint,2021)