Social engineering attacks exploit social interaction science to effciently deceive people so that they directly give information away. Concepts of trust are frmly embedded in culture and tricksters are nothing new. This raises questions about how to protect the public against social engineering attacks. Awareness messaging can bring attention to social engineering and online dangers. However, it is unclear whether these awareness techniques are actually effective in protecting people.
Junger, Montoya and Overink wanted to see if awareness messaging such as priming and warnings effectively prevent social engineering attacks. The researchers distributed three slightly different questionnaires to a total of 290 Dutch people at a shopping centre. All of the questionnaires asked participants to disclose their email address, a part of their bank account number and the details of their last online purchases. The one questionnaire exposed (primed) participants to the topic and included questions on phishing and cybercrime issues. The second questionnaire started with explicit warnings not to give out personal information. The remaining questionnaire only asked for the email, banking and purchase information. Around 90 people answered each version, forming three groups. The researchers then calculated the fnal risk score of each group based on the disclosed personal information.
The researchers found relatively high levels of disclosure across all groups. Around 80% of all participants disclosed personal information when asked. These results are not shocking, as people generally trust each other. The person delivering the survey was also a young, friendly-looking man; which may have increased disclosure rates.
The results suggest that neither the priming questions nor the warnings were effective in reducing disclosure. Surprisingly, those who received a warning were actually more likely to share information about their last online shopping locations. It is possible that participants did not view the priming or warnings as personally relevant or pay attention to them. They may not have given priority to security when someone interrupted them while shopping to fll out a questionnaire. This may also have resulted in greater disclosure.
There is a pressing need for greater education on social engineering attacks. More work on the effectiveness of cybersecurity awareness campaigns is needed. It is important to determine educative priorities as teaching everything at once may not increase awareness. Poorly designed awareness or warning campaigns could actually produce adverse effects. Certain specifc warnings may increase disclosure of some types of personal information and require extra attention. Effective interventions should be evidence-based and sensitive to the particular characteristics of the audience.
Poorly designed awareness or warning campaigns could actually produce adverse effects.