Fool Me Once, Shame on Me - A Qualitative Interview Study of Social Engineering Victims

Abstract

Security breaches still continue to flourish despite of the many technical measures in place. More often than not, the human users get the blame. Social engineering attacks use various manipulation techniques to fool users into giving away sensitive information or make security mistakes that are further exploited in cyber attacks. This study has investigated how common, cyber-enabled social engineering attacks, such Business Email Compromise (BEC) phishing and romance scams can be used to exploit individuals, systems or organizations. We investigate studies from the literature and apply a qualitative approach based on in-depth interviews with sample victims of such attacks. Our results contribute to the understanding of why established social engineering protection measures sometimes fail and how the victims have experienced the aftermath of such events. Based on our findings and literature comparison, we provide reflections on how mitigations can be improved to reduce the success rate of social engineering attacks.