Designing Tools to Guard Against Social Engineering Attacks

Chair: Evangelos Niforatos, e.niforatos@tudelft.nl 
Mentor: Tilman Dingler, t.dingler@tudelft.nl
 

Background: Cybercriminals and, increasingly, nation-sponsored attackers are causing substantial damage to economies and are disrupting authorities, governments, critical infrastructures, as well as individuals. In up to 95% of cases, incidents are a direct or indirect result of user-centered attacks, most importantly social engineering. Social engineering generally refers to the act of exploiting the weakest link in cybersecurity: the human. People are persuaded to take certain actions that result in non-favoured outcomes, such as unauthorized access to their information. With the advent of generative AI, attackers have new tools at their disposal to target individuals on a highly personal and realistic level (e.g., deep fakes).

Goal: To better protect against such attacks, this project leverages the power of large language models (LLMs) to create chatbots that walk users through common attacks and teach them how to spot patterns and defend against them. Additionally, this project aims to produce tangible simulation kits, i.e., physical kits that simulate common scenarios of social engineering attacks, including things like phishing emails, USB drives, and phone call scripts. Users can interact with these items as the chatbot guides them through the recognition and response process.

Methods: Desktop research and a systematic literature review will form the basis for uncovering common social engineering attacks and their countermeasures. The combination of chatbot and simulation kit will be the subject of an in-depth evaluation in the form of an experiment to assess its effectiveness in inoculating users against social engineering attacks.

Impact: Social engineering attacks target the weakest link. Equipping people with the skills to spot and fortify against manipulation attempts can keep their credentials, identity, and wealth safe.

Relevance: Social engineering attacks are currently run by individuals, groups, and state actors. We need an informed public that can tell when they are being manipulated.

Readings

  • Bullee, J. W., & Junger, M. (2020). How effective are social engineering interventions? A meta-analysis. Information & Computer Security, 28(5), 801-830.
  • Hadnagy, C. (2010). Social engineering: The art of human hacking. John Wiley & Sons.

Tilman Dingler