What makes online social engineering different from face-to-face engagements?
When a social engineer engages the target through technologically mediated communication (TMC), there are far more opportunities to manipulate the target's perception of both the social engineer and the situation. Online, a social engineer can easily assume the identity of anyone they wish to impersonate and construct any pretext (the story that facilitates the scam) to improve their likelihood of success.

In this line of research, I systematically examine the social-cognitive factors that make phishing more enticing to potential victims. By changing only a few words in a message, we have observed wildly different click rates (67% versus 29%) for the same email. Within this framework, we use the NIST Phish Scale as a guide for measuring message difficulty. LabX is currently exploring the manipulation of User Context (the message's Premise Alignment in the NIST Phish Scale) and Message Features to better understand how these influence click rates. As part of this effort, we also seek to understand how usability principles may be incorporated into phishing messages.

The objective of this research is to improve understanding of the principles underlying ROSE attacks generally, beyond email-based attacks alone. This understanding is critical to keeping users safe when they are not behind the corporate firewall: a user who is compromised through their personal device can still pose a threat to your organization.
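A worked difficulty rating under the NIST Phish Scale referred to above, added here as an example and not code from LabX or NIST: the cue-count bands and the rating matrix follow the published Phish Scale, while the two email variants and their cue tallies are constructed to show how changing the premise alignment alone, with the wording otherwise similar, moves a message between difficulty classes.

```python
"""Rate simulated phishing messages with the NIST Phish Scale."""

# Cue-count bands from the published NIST Phish Scale: few (1-8), some (9-14),
# many (15+). Zero observable cues is folded into "few" here (an assumption).
CUE_BANDS = (("few", 8), ("some", 14))
PREMISE_LEVELS = ("high", "medium", "low")

# Difficulty matrix (cue band x premise alignment) from the published scale.
DIFFICULTY = {
    ("few", "high"): "very difficult",
    ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "low"): "moderately to least difficult",
    ("many", "high"): "moderately difficult",
    ("many", "medium"): "moderately to least difficult",
    ("many", "low"): "least difficult",
}


def cue_band(cue_count: int) -> str:
    """Map a count of observable cues to its Phish Scale band."""
    if cue_count < 0:
        raise ValueError("cue count cannot be negative")
    for name, upper in CUE_BANDS:
        if cue_count <= upper:
            return name
    return "many"


def rate_message(cue_count: int, premise_alignment: str) -> str:
    """Return the Phish Scale difficulty for a message."""
    alignment = premise_alignment.strip().lower()
    if alignment not in PREMISE_LEVELS:
        raise ValueError(f"premise alignment must be one of {PREMISE_LEVELS}")
    return DIFFICULTY[(cue_band(cue_count), alignment)]


# Constructed cue tallies for two variants of one training email that differ
# only in how well the premise matches the target's work context (not real data).
VARIANTS = {
    "aligned_premise": {"cues": ["generic greeting", "external link", "urgency"],
                        "premise": "high"},
    "generic_premise": {"cues": ["generic greeting", "external link", "urgency",
                                 "spelling error", "mismatched sender domain"],
                        "premise": "low"},
}


def rate_variants(variants: dict) -> dict:
    """Rate each variant; cue count is the number of cues a reviewer tallied."""
    return {name: rate_message(len(v["cues"]), v["premise"])
            for name, v in variants.items()}
```

Both variants fall in the "few cues" band, so the rating difference comes entirely from premise alignment, which is the User Context variable the research above manipulates.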