Understanding UK University Students’ Susceptibility to Social Engineering Attacks through Scenarios: A Case of Smartphone Interfaces
Published on, Sept 19, 2024 — Supervised by, Dr. Burak Merdenyan

Background
This research was conducted in partial fulfilment of my Master's Degree in Human-Centred Interactive Technologies at the University of York, under the guidance of Dr. Burak Merdenyan.
The decision to pursue research in Human-Centred Cybersecurity stemmed from my interest in Human Factors: Technology in Context and my desire to explore a new area beyond interaction design, which is my field of expertise. This research study gave me a unique opportunity to explore how users interact with technology in their everyday life that involves security threats.
Team
Researcher x 1
Supervisor x 1
Duration
3 Months (June - Aug 2024)
Skills
Literature Review
Qualitative Research
Thematic Analysis
Advanced Prototyping
Overview
The study investigates UK university students' susceptibility to social engineering attacks delivered through smartphones. Using a qualitative approach, 13 UK university students were observed in a scenario-based observation study that simulated various social engineering attacks.
The findings showed that, despite claiming high cyber security knowledge, many students failed to detect common social engineering attacks. Other findings include a gap between knowledge and its application and reduced caution in familiar contexts. The main takeaway is that while students are aware of basic phishing tactics, their knowledge does not fully extend to newer forms of social engineering, particularly on mobile platforms. This highlights the need for targeted cybersecurity education that covers both technical defences and behavioural strategies to mitigate the growing risk of mobile-based social engineering attacks.
Research Gap
As a UX Designer, I led the redesign of the onboarding experience for restaurants onto Foaps. My primary responsibility was to integrate WhatsApp as a new ordering channel, ensuring a seamless user experience while adhering to Meta’s API requirements. I was involved in all phases of the project, from gathering requirements to designing high-fidelity prototypes for Meta approval and the Beta release. I collaborated closely with the onboarding, sales, and development teams to ensure the solution was scalable and future-proof.
Research Questions
RQ1. Do UK university students check for browser security cues and the legitimacy of websites when interacting with them online on their smartphones?
RQ2. Do UK university students check for security cues and the legitimacy of emails and social media profiles to avoid phishing and impersonation when interacting with them on their smartphones?
RQ3. What are the typical responses and actions taken by UK university students upon identifying a social engineering attack on their smartphones?
RQ4. What level of cyber security awareness do UK university students have, and how does this influence their susceptibility to social engineering attacks on smartphones?
RQ5. What past experience do UK university students have as victims of social engineering attacks, and how does this influence their susceptibility to social engineering attacks on smartphones?
Methodology
A concurrent think-aloud observation study, followed by an interview and a questionnaire, with 13 UK university students.
Participants completed a set of tasks across five scenarios, each designed to simulate a different type of social engineering attack on a smartphone.
An inductive thematic analysis of the qualitative data to develop codes and themes.
Scenario Design
The type of attack simulated in each scenario was chosen based on both the practicality of simulating it and the gaps found in the literature. In each scenario, at various points, participants are prompted to enter personal information belonging to the persona. These points are referred to as "deception points". They are categorised into levels based on the sensitivity of the information shared and the stage at which the participant fell for the attack.
Scenario 1: Smishing
Story
Yesterday, you ordered a new set of headphones from Amazon. You were expecting it to be delivered today; however, this morning you received a text message saying that there has been a delay with your package.
Tasks
Track your package.
Claim the gift voucher.

Scenario 2: Impersonation
Part 1: Instagram
Story
One day, you received a follow request on Instagram from a distant cousin of yours. She is almost the same age as you, and you haven't talked to her for ages. Recognising her, you accept the request without much hesitation. A week later, while you were scrolling through the Instagram feed, you received a message.
Tasks
Check the messages and react/respond accordingly.

Part 2: WhatsApp
Story
Harry King is a guy you know from Uni. He is doing an MSc in Computer Science, and you know he is a genius at programming and 3D modelling. One day you got a text from Harry on WhatsApp.
Tasks
1. Check the messages and react/respond accordingly.
2. Forward the WhatsApp message.

Scenario 3: Pharming
Story
You have invited your parents to your graduation in York, and they have agreed to fly in to attend the ceremony. To show your gratitude, you decided to book a hotel for them. However, hotels in York are expensive during graduation season and you are on a tight budget. While searching online for decent, affordable hotels, you come across a banner ad on a popular hotel booking website that catches your attention.
Tasks
Book the hotel for your parents.

Scenario 4: Spear Phishing
Story
You have been working part-time at Sainsbury's Supermarket for almost 6 months now. Your manager James has been very supportive ever since you joined Sainsbury's. One day you receive an email from James.
Tasks
Check the email and react/respond accordingly.

Scenario 5: Baiting
Story
You are a Spotify user and you have been thinking of getting a premium membership.
Tasks
Get the student discount for your account.

Key Findings
While students have a general awareness of security cues, they sometimes lack the knowledge to interpret them. They do not actively check for these indicators unless they are visiting unfamiliar sites or receiving email or SMS from unknown sources; checking is treated as a preventive measure reserved for unfamiliar contexts.
Familiarity with the user interface and procedure reduces vigilance. Many students fell victim to attacks involving popular sites such as Amazon or Spotify. Trust in the interface led students to overlook security cues such as the full URL and the legitimacy of the email sender. This highlights how user interface design can create a false sense of security, and shows that social engineers can exploit this trust and familiarity to increase the effectiveness of their attacks.
Students exhibit selective cybersecurity awareness. While most UK university students were familiar with phishing attacks, they were less aware of other forms of social engineering, such as smishing and social media impersonation.
Previous experience with cyber attacks plays a crucial role in shaping security behaviour. Participants who had encountered phishing or similar attacks in the past demonstrated more caution and had developed personal coping mechanisms, such as using separate accounts for potentially risky or suspicious activities.
There is a large gap between perceived and actual cybersecurity knowledge. Many participants overestimated their cyber security knowledge, rating themselves highly in the questionnaire despite falling victim to several attacks during the simulation. This suggests that overconfidence may contribute to increased vulnerability, as students may not feel the need to be vigilant if they believe they are already well protected.
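The first two findings turn on the cue that participants most often skipped: the full URL behind a link in an SMS or email, and whether the brand name they recognised actually sits in the registrable domain. As an added illustration (not code from the study, and not part of the original page), the following Python helper makes that check explicit so it can be taught or used to triage a suspicious message. The brand allowlist, the public-suffix subset and the three sample messages are constructed for the example; a real deployment would use a full public suffix list and an organisation's own allowlist.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of registrable domains the persona would legitimately
# see for each brand. Assumption for this example, not taken from the study.
KNOWN_BRANDS = {
    "amazon": {"amazon.co.uk", "amazon.com"},
    "spotify": {"spotify.com"},
}

# Constructed subset of two-level public suffixes, so "amazon.co.uk" is one
# registrable domain rather than "co.uk". A real tool would load the full
# public suffix list.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss brand spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url):
    """Extract the security cues a careful reader would look at in a URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host) if host else ""
    cues = {
        "url": url,
        "https": parsed.scheme.lower() == "https",
        "host": host,
        "registrable_domain": reg,
        "ip_literal": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)),
        "punycode": "xn--" in host,        # internationalised label, may hide lookalikes
        "brand_in_host": None,             # a known brand name appears somewhere in the host
        "brand_domain_match": False,       # the registrable domain really belongs to the brand
        "lookalike_of": None,              # registrable domain is a near-miss of a brand name
    }
    for brand, domains in KNOWN_BRANDS.items():
        if brand in host:
            cues["brand_in_host"] = brand
        if reg in domains:
            cues["brand_domain_match"] = True
    sld = reg.split(".")[0] if reg else ""
    if sld and not cues["brand_domain_match"]:
        for brand in KNOWN_BRANDS:
            if sld != brand and edit_distance(sld, brand) <= 2:
                cues["lookalike_of"] = brand
    return cues


def verdict(cues):
    """Turn the cues into a label plus human-readable reasons for training use."""
    reasons = []
    if not cues["https"]:
        reasons.append("link is not HTTPS")
    if cues["ip_literal"]:
        reasons.append("host is a bare IP address")
    if cues["punycode"]:
        reasons.append("host uses punycode (xn--) labels")
    if cues["brand_in_host"] and not cues["brand_domain_match"]:
        reasons.append(
            f"'{cues['brand_in_host']}' appears in the host but the registrable "
            f"domain is {cues['registrable_domain']}, which the brand does not own"
        )
    if cues["lookalike_of"]:
        reasons.append(f"registrable domain looks like a misspelling of '{cues['lookalike_of']}'")
    return ("suspicious" if reasons else "no obvious red flag"), reasons


def triage_messages(messages):
    """Find every URL in each message and attach a verdict to it."""
    return [(m, [(u,) + verdict(inspect_url(u)) for u in URL_RE.findall(m)]) for m in messages]


# Constructed sample messages mirroring the smishing and baiting scenarios above.
SAMPLE_MESSAGES = [
    "Delivery update: your parcel is delayed. Reschedule at http://amazon-parcel-update.co/track",
    "Your order has shipped. Track it at https://www.amazon.co.uk/your-orders",
    "Claim your Spotify student discount: https://spotify-student-offer.com/claim",
]

if __name__ == "__main__":
    for message, results in triage_messages(SAMPLE_MESSAGES):
        print(message)
        for url, label, reasons in results:
            print(f"  {label}: {url}")
            for r in reasons:
                print(f"    - {r}")
```

The point for education is the `brand_in_host` versus `brand_domain_match` distinction: the scenarios on this page rely on a familiar brand name appearing somewhere in a link, and the finding above is that participants stopped reading once they saw it. Showing the registrable domain on its own makes the mismatch visible in a way the mobile address bar often does not.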
Last Update — April, 2024