Internet-based Social Engineering Attacks, Defenses and Psychology: A Survey
Theodore Longtchi, Rosana Montañez Rodriguez, Laith Al-Shawaf, Adham Atyabi, and Shouhuai Xu

TL;DR
This survey analyzes how social engineering attacks exploit psychological factors and techniques, highlighting the gap in current defenses which focus mainly on technical solutions, and proposes a roadmap for more effective defense strategies.
Contribution
It introduces a novel perspective by examining psychological factors and techniques in social engineering, and suggests a systematic approach for improved defenses.
Findings
Attacks exploit psychological factors deliberately.
Current defenses mainly use technical solutions.
Limited success of existing defense methods.
Abstract
Social engineering attacks are a major cyber threat because they often serve as a first step for an attacker to break into an otherwise well-defended network, steal victims' credentials, and cause financial losses. The problem has received due amount of attention with many publications proposing defenses against them. Despite this, the situation has not improved. In this paper, we aim to understand and explain this phenomenon by looking into the root cause of the problem. To this end, we examine the literature on attacks and defenses through a unique lens we propose -- psychological factors (PFs) and techniques (PTs). We find that there is a big discrepancy between attacks and defenses: Attacks have deliberately exploited PFs by leveraging PTs, but defenses rarely take either of these into consideration, preferring technical solutions. This explains why existing defenses have…
Taxonomy
Topics: Information and Cyber Security · Digital Mental Health Interventions
