Open Journal of Social Sciences
2013. Vol.1, No.3, 23-32
Published Online August 2013 in SciRes (http://www.scirp.org/journal/jss) DOI:10.4236/jss.2013.13004
Copyright © 2013 SciRes. 23
A Study of Social Engineering in Online Frauds
Brandon Atkins1, Wilson Huang2
1Department of Criminal Justice, Moultrie Technical College, Tifton, USA
2Department of Sociology, Anthropology, and Criminal Justice, Valdosta State University, Valdosta, USA
Email: jbatkins@valdosta.edu
Received July 16th, 2013; revised August 17th, 2013; accepted August 21st, 2013
Copyright © 2013 Brandon Atkins, Wilson Huang. This is an open access article distributed under the Creative
Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium,
provided the original work is properly cited.
Social engineering is a psychological exploitation which scammers use to skillfully manipulate human
weaknesses and carry out emotional attacks on innocent people. This study examined the contents of 100
phishing e-mails and 100 advance-fee-scam e-mails, and evaluated the persuasion techniques exploited by
social engineers for their illegal gains. The analyses showed that alert and account verification were the
two primary triggers used to raise the attention of phishing e-mail recipients. These phishing e-mails were
typically followed by a threatening tone via urgency. In advance-fee e-mails, timing is a lesser concern;
potential monetary gain is the main trigger. Business proposals and large unclaimed funds were the two
most common incentives used to lure victims. The study revealed that social engineers use statements in
positive and negative manners in combination with authoritative and urgent persuasions to influence in-
nocent people on their decisions to respond. Since it is highly unlikely that online fraud will ever be com-
pletely eliminated, the most important strategy that can be directed to combat social engineering attacks is
to educate the public on potential threats from perpetrators.
Keywords: Advance-Fee Scam; Internet Fraud; Online Fraud; Phishing; Social Engineering
Introduction
The notion of social engineering has appeared recently in the
study of online fraudulent activities (Blommaert & Omoniyi,
2006; Holt & Graves, 2007; Huang & Brockman, 2011; King &
Thomas, 2009; Mann, 2008; Ross, 2009; Workman, 2008; Zook,
2007). This stream of research has centered on the exploitive
nature of deceptive communications employed by social engi-
neers in the commission of fraudulent acts. Accounts of such
acts are built on the assumption that people fall victim to scams
because they are ignorant, naïve, or greedy (King & Thomas,
2008). This study, instead, would suggest that neither gullibility
nor ignorance explains the success of such frauds. The study,
focusing on online fraud, will show that social engineers are
able to exploit human weaknesses to obtain desired behaviors
and privilege information via psychologically constructed com-
munications. These fraudsters can skillfully manipulate victims
into an emotionally vulnerable state with a disguised, attractive
e-mail.
The severity and consequences of online frauds warrant an
analysis of this type of crime. According to the Consumer Sen-
tinel (US Federal Trade Commission, 2008), 221,226 com-
plaints concerning Internet-related fraud were filed by consum-
ers in 2007, up from 205,269 in the previous year. E-mail com-
munication plays an important role in Internet crimes. In 2008,
the Internet Crime Report (National White Collar Crime Center,
2008) revealed that e-mail was the most frequent contact me-
thod used by perpetrators of Internet fraud (74%). The total
dollar loss in 2009 for all referred cases of Internet fraud was
$559.7 million which is up $295.1 million from the previous
year. The average monetary loss in 2009 was $575, while some
advance-fee scams reported average losses of up to $1500 (The
Internet Crime Complaint Center, 2009). The emotional impact
and lingering effects on victims scammed by computer fraud
can also be grave. Some phishing victims can suffer from dis-
orders ranging from embarrassment to depression, which some
psychologists liken to post traumatic stress disorder (Carey,
2009). The Federal Trade Commission reported that 31% of
identity theft victims who had credit cards taken out in their
name required over 40 hours to correct credit issues and faced
consequences such as harassment by creditors (48%), loan re-
jections (25%), and criminal investigations (12%). According
to data retrieved from the Internet Crime Complaint Center, the
median loss filed per victim was the highest among check fraud
($3000), confidence fraud ($2000) and Nigerian advance-fee
fraud ($1650). In one rare and extreme case, a British man
committed suicide when victimized by an Internet money-
laundering scam (BBC News, 2004).
The Social Engineering Perspective
The most direct discussions on social engineering can be
found in applied psychology (Long, 2008; Mann, 2008; Raman,
2008; Thompson, 2006; Workman, 2008). The term “social
engineering” involves a process of deceiving people into giving
away confidential information. Social engineers run a type of
“con game” to scam people. Social engineers are individuals
who intentionally mislead and manipulate people for personal
benefit (Huang & Brockman, 2011). Mann (2008) defines so-
cial engineering as “to manipulate people, by deception into
giving out information, or performing an action” (p. 3). A
number of tactics are employed by the social engineer to impact
the emotional state of the victim, consequently influencing their
willingness to disclose personal information (Workman, 2008).
Social engineering attacks can occur at the corporate or indi-
vidual level. By use of deception, social engineers obtain per-
sonal information, commit fraud, or gain computer access
(Thompson, 2006).
Gaining access to or control of an information system is not
the only goal of a social engineering attack. Other goals may
include gaining money or other valuable items, such as finan-
cial records. A social engineer greatly depends on his/her abil-
ity to develop a trusting relationship with the target (Mitnick &
Simon, 2002; Thompson, 2006). Social engineering attacks
take place at both the physical and psychological level. The
most common locations for the social engineer to seek unau-
thorized information and access and work toward a psycho-
logical attack include the workplace, telephone, trash cans, and
the Internet. Psychological attacks focus on persuasion, imper-
sonation, ingratiation, conformity, and friendliness (Workman,
2008).
Social engineers rely on cognitive biases or errors in the
mental process to initiate and execute their attacks (Raman,
2008) and produce automatic emotional responses in their vic-
tims. Cognitive biases may include choice supportive bias,
exposure effect, and/or anchoring (Raman, 2008). Choice sup-
portive bias is when an individual has a tendency to remember
past experiences as being more positive than negative (Mather,
Shafir, & Johnson, 2000). For example, an individual who pur-
chases items on eBay may unintentionally enter his/her credit
card information to a fraudulent site posing as eBay, claiming
they have not received payment on a purchased item. Confir-
mation bias states that people will collect and interpret informa-
tion in a way that confirms their views (Nickerson, 1998). For
example, if employees regularly see custodians in specific uni-
forms they may not be alarmed at the sight of an imposter wear-
ing the same uniform. Therefore, the social engineer is able to
gain access without having to identify himself/herself. Expo-
sure effect claims that people like items and people that are
familiar to them (Zajonc, 1968). For instance, someone who is
involved with online social networks may be more willing to
visit a malicious website claiming to have an “online dating
service”. Anchoring suggests that a person focuses on identify-
ing a noticeable trait (Tversky & Kahneman, 1974). For exam-
ple, fraudulent websites displaying identical logos of actual
banks may deceive visitors.
Some common social errors can arise from fundamental at-
tribution bias, salience effect, and pressing conformity, com-
pliance, and obedience. Fundamental attribution error states
that individuals assume the behaviors of others and directly
reflect permanent characteristics, which define the person (Gil-
bert & Malone, 1995). Therefore, social engineers try to make a
positive first impression in order to gain the trust of their victim.
However, Huang and Brockman (2011) also revealed that so-
cial engineers have used persuasive statements in either positive
or negative tones—or both—to attack online users. The sali-
ence effect suggests that a person who stands out the most in a
group is the least influential person (Taylor & Fiske, 1975).
This is why social engineers are experts at fitting in to their
surroundings. Pressures of conformity, compliance, and obedi-
ence cause people to change their behaviors (Raman, 2008).
Social engineers have learned to predict the responses to these
pressures. By using authority and manipulation, a social engi-
neer may pretend to be an executive, and even without provid-
ing identification may convince an employee to give over cru-
cial information.
Social engineers use cognitive biases and social errors to
help them devise the best approach for an attack. A person’s
awareness or recognition plays a large role in their decision
making process. A person who is perceived to be bad is gener-
ally avoided, whereas a person that is good or familiar tends to
be accepted. Social engineers use this to their advantage by
presenting themselves in a positive manner and making good
first impressions. With the knowledge of cognitive biases and
errors, social engineers have discovered new techniques to
influence behavior.
Categories of Social Engineering
Social engineering can be divided into two different catego-
ries: computer-based deception and human-interaction-based
deception. In both methods, before the social engineer conducts
an attack, they perform some kind of background research on
their target. One example is to simply walk into an organiza-
tion’s facilities and read names off the information board.
These boards will usually provide helpful information, includ-
ing department names and sometimes the names of department
heads. Another approach to background research is the practice
of dumpster diving—simply going to the target organization’s
trash cans and analyzing the contents. If people and organiza-
tions are not too careful about what they throw away in the
trash, the contents of their trash cans may prove valuable to a
social engineer.
In the computer-based approach to deception, the social en-
gineer relies on technology to deceive the victim into supplying
the information needed to fulfill the purpose. For example, this
can be performed through the use of fake pop-ups that trick
victims into believing they must reveal passwords in order to
remain connected to the organization’s computer network. The
authorization information is then sent off to the social engineer,
who can use this information to gain access to the organization
network (Gulati, 2003).
The human-interaction approach of social engineering is
based primarily on deception through human interaction. The
attack becomes successful by taking advantage of the victim’s
natural human inclination to be helpful and liked (Gulati, 2003).
This can be performed through various forms of impersonation.
For example, the social engineer can pose as a repairman, IT-
support person, fellow employee, manager, or trusted third
party in order to gain the victim’s trust and thus unauthorized
access to desired information.
Types of Social Engineering Attacks
The variation and extent of social engineering attacks are
only limited by the creativity of the hacker (Manske, 2000).
These attacks prove to be effective because they target the most
vulnerable link of any organization, its people. Social engi-
neering attacks have the potential to bypass the best technical
security and expose an organization’s critical information.
There are numerous types of social engineering attacks; a few
include Trojan e-mail and phishing messages, advance-fee
fraud, impersonation, persuasion, bribery, shoulder surfing, and
dumpster diving.
Among them, Trojan e-mail and phishing messages are two
of the most common examples of social engineering attacks.
They are technical attacks in nature, but they actually rely on
strategically constructed messages to lure victims to open at-
tachments or click on embedded hyperlinks. This makes these
classic examples, which assist technical exploits, a very com-
mon feature in many social engineering attacks. According to
Manske (2000) these attacks serve as stepping stones to the
attacker’s ultimate goal, which could be, for example, complete
control of an organization’s network servers. Phishing e-mails
or Trojan attacks can be employed to collect private informa-
tion or system credentials, or potentially to compromise the
security of the user’s operating system by installing malicious
software that allows the attacker full access to the system. In
2007, phishing attacks accounted for more than a quarter of all
reported computer crimes (Richardson, 2007).
Another common technique employed by social engineers is
the use of fake credentials. This can be a simple ploy executed
by printing fake business cards, or a more elaborate tactic such
as creating counterfeit identification cards or security badges.
The use of contemporary technology has made it easy to create
hard-to-detect duplicates of identification cards. With that in
mind, attackers do not always need to create the most realistic
looking fake credentials as they are able to sell a good story to
go with it. According to Applegate (2009), in one vulnerability
assessment, an attacker created a very simple green plastic
badge with a commonly seen recycling symbol. When caught
going through the dumpsters by the organization’s security
personnel, the attacker assumed the role of a recycling coordi-
nator doing a compliance inspection. The attacker claimed that,
because the organization was not sorting its recyclable waste
aside, the company leadership could be subject to a large fine
from the government (Applegate, 2009). As a result of this
simple trick, supervisors from the organization personally en-
sured all paper products were separated off to the side for the
remainder of the assessment. Each day the social engineer re-
turned to collect presorted paper products and sorted through
them at leisure to look for any information of value. This at-
tacker was so successful at this trick that he was given a tour of
the organization later in the week and was able to come and go
at will once personnel got used to seeing him on a daily basis.
Social engineers can utilize various techniques to imperson-
ate a person. Attackers will often conduct impersonation attacks
by calling personnel in the target organization on the telephone,
pretending to be coworkers from a different department, re-
porters, or even students doing research. Social engineers will
even carry out impersonation attacks in person by walking into
a selected organization utilizing fake credentials or a good story
to elude security.
Additional techniques frequently employed by social engi-
neers are persuasion attacks. Persuasion attacks consist of the
social engineer tricking a person into giving critical information
or to assist the attack in a different way. Oftentimes the victim
is persuaded into believing the attacker is doing him/her a favor
in some way. The victim, then, feels obligated to assist the at-
tacker even when organizational policies may be violated. In a
variation of this attack, the social engineer uses persuasion
techniques to have the employee bypass company procedures
in order to hurry up the process or bypass the problem alto-
gether.
Types of Online Fraud
Some of the more common forms of online fraud are credit
card fraud, identity theft fraud, web and e-mail spoofing (re-
ferred to as phishing), IM spimming (similar to spoofing, but
involving the use of instant messaging), high-tech disaster fraud,
and online hoaxes (referred to as advance-fee fraud) (Harley &
Lee, 2007; McQuade, 2006). While considerable time could be
spent on each form of fraud, the current work primarily focuses
on web and e-mail spoofing (phishing) and online hoaxes (ad-
vance-fee fraud), since these are two of the most well-known
and recognizable scams involving a variety of deceptive tech-
niques exploited in online communications.
Phishing
Phishing is a growing area of Internet fraud with the number
of victims on the rise. In 2007, the number of US adults who
reported receiving phishing e-mails was 124 million, up from
109 million in 2005 (Litan, 2007). According to Jakobsson and
Meyers (2007: p. 1), phishing is a form of social engineering in
which the attacker (or phisher) fraudulently retrieves confiden-
tial or sensitive information by imitating a trustworthy or public
organization. Phishing, sometimes called brand spoofing, in-
volves the use of e-mails that originate from businesses with
which targeted victims have been, or are currently associated.
In the past few years there has been an alarming trend both in
the increase and complexity of phishing attacks. Some of the
most common businesses and industries associated with phish-
ing include banks, online businesses (e.g., eBay and PayPal),
and online service providers (e.g., Yahoo and AOL). Unsus-
pecting victims receive e-mails that appear to be from these
entities, usually suggesting suspicious activity regarding the
account and requesting personal information (e.g., personal
identification numbers, credit card numbers, and social security
numbers). The phisher ultimately seeks to use the victim’s per-
sonal information for individual gain (Larcom & Elbirt, 2006).
The e-mails convince up to 20 percent of recipients to respond
to them, sometimes leading to financial losses, identity theft,
and other forms of fraud (Kay, 2004). Association with certain
types of “brands” is an effective technique that allows scam-
mers to steal information directly or be able to use social engi-
neering to persuade users to disclose financial information
(James, 2005; Harley & Lee, 2009).
Phishing Operations
Two basic methods are commonly employed by phishers to
steal valuable personal identification (APWG, n.d.). The first
method is the technical artifice method, which involves infect-
ing personal computers with malicious software. This software
is capable of recording keystrokes entered by the user, and
sending that information to the phisher. This software can also
redirect Internet users from legitimate websites to false ones via
a remote connection. The next method that phishers employ is
social engineering, which is defined by Yoo (2006) as “gaining
intelligence through deception or also as using human rela-
tionships to attain a goal” (p. 8). Phishers using social engi-
neering techniques employ deceptive devices to trick Internet
users into a situation where they are willing to disclose sensi-
tive information. Usually, the social engineering methods
launch a false e-mail urging the receiver to click on a linked
website appearing to come from a genuine business. After
clicking the link, the user is actually brought to a fraudulent site
asking for personal financial information such as credit card or
bank account numbers. Phishers then use the records they ob-
tained to swindle money from the credit card or bank account,
or even apply for a new credit card with a false identity.
Phishing tactics and targets vary in social engineering appli-
cations. While some simpler e-mails contain fill-in forms, other
more complex ones direct victims through a variety of synthetic
websites. As phishing is performed mostly for financial reasons,
the most commonly attacked sector in 2009 was financial ser-
vices, which accounted for 74% of reported phishing activity
for that year (Symantec Corporation, 2009). The next most
active area of phishing was the Internet service provider, at 9%.
Although fraudsters are not as likely to produce monetary gains
in this area, it is likely that they are able to use the stolen in-
formation and accounts to further their phishing activities, such
as sending mass e-mails through the stolen accounts. The third
most lucrative segment for phishers is retail, accounting for 6%
of phishing attacks. Phishers attempt to purchase goods online
and request that the items be shipped to a location which the
phisher has access to. The Symantec study (2009) revealed that
the difference between financial scams (74%) and all other
areas (26%) lies in the relative ease and immediate financial
reward for successful deception.
One common feature that phishing e-mail messages at-
tempted to do is to imitate a creditable entity. Some fraudsters
use tricks to make their e-mails seem more legitimate. These
tricks include the use of company logos, hyperlinks to the home
page of the company, false return addresses. The next step in
the phishing process is to create a message that requires the
recipient to take a specific action, such as replying to the phish-
ing e-mail, completing a form provided by the e-mail, or click-
ing on a guided link. The content within the messages varies,
with the most common form claiming to require information for
account verification or security upgrade. Because fraudulent web-
sites and e-mail messages are detected quickly and subse-
quently blocked, the messages are typically written to instill a
sense of urgency in the reader. Criminals push for their victims
to respond immediately by threatening termination of the ac-
count if a reply is not received promptly (MailFrontier, 2004).
After the users have clicked the fake link and entered into the
spoofed site, it is essential that the web pages appear authentic
to the user. The deceptive online features used by phishers in-
clude company logos and slogans, page layouts, fonts, and co-
lor schemes (MailFrontier, 2004). Many online phishers are not
only effective in replicating the graphic look of legitimate web-
sites, but also in adding some of the indicators users typically
look for in a website’s security and authenticity. These include the
use of a safety padlock in a menu bar, an https device in the
URL, and a “TRUST-e” symbol (University of Houston, 2005).
In earlier days, one could examine a website’s URL and be
more confident of detecting a counterfeit site, since early phishers
used domain names that were only similar to the valid company
they were spoofing. Today’s fraudsters, however, can make the
company’s actual domain name visible, such as www.ebay.com,
but when the user clicks on the hyperlink it really directs them
to the phisher’s website.
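The paper notes that a phishing link can display the company's real domain as visible text while the hyperlink itself leads to the phisher's site. The following Python check is an added example, not code from the paper: it parses the anchors in an HTML e-mail body and flags any whose visible domain disagrees with the href's host, and also flags a bare IP-address destination, a check the paper does not discuss. The sample e-mail is constructed; the 203.0.113.5 address is a documentation-range placeholder.

```python
"""Flag anchors whose visible domain does not match the link destination.

Added example, not part of the paper; the sample HTML below is constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Rough pattern for a domain name appearing in anchor text (e.g. "ebay.com").
_DOMAIN_RE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.anchors.append((self._href, text))
            self._href = None


def host_of(url):
    """Lowercase host of a URL; http:// is assumed when no scheme is given."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def visible_host(text):
    """Domain the reader sees in the anchor text, or '' if it names none."""
    t = text.strip().lower()
    if "://" in t:
        return host_of(t)
    m = _DOMAIN_RE.search(t)
    return m.group(1) if m else ""


def same_site(a, b):
    """True when one host equals, or is a subdomain of, the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_ip_host(host):
    """True when the destination host is a literal IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return (finding, visible text, actual host) triples for suspicious anchors."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        actual = host_of(href)
        shown = visible_host(text)
        if shown and not same_site(shown, actual):
            # Displayed domain and destination disagree: the paper's
            # "www.ebay.com visible, phisher's site on click" pattern.
            findings.append(("text_href_mismatch", text, actual))
        if is_ip_host(actual):
            findings.append(("ip_host", text, actual))
    return findings


# Constructed sample: the first link shows eBay's domain but points at a
# placeholder address; the second link is consistent with its text.
SAMPLE_HTML = """<p>Dear eBay member,</p>
<p>We noticed unusual activity. Please verify your account within 24 hours:
<a href="http://203.0.113.5/signin/ebay">www.ebay.com</a></p>
<p>Help: <a href="https://www.ebay.com/help">eBay Help</a></p>"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```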
Advance-Fee Fraud
As has been demonstrated, criminals use the Internet to
commit all types of fraud; however, the largest dollar losses are
attributed to advance-fee fraud e-mail messages. These mes-
sages are sent from individuals claiming to need assistance
moving a large sum of money out of their country. Receivers of
these messages who respond often become victims of fraud and
identity theft. There has been a large amount of criminological
research that has explored the prevalence and incidence of
fraud, where criminals gain property or money from victims
through deception or cheating. Most fraud involves some type
of interaction between the victim and the offender, either
through face-to-face meetings, or telephone-based exchanges
(Holt & Graves, 2007). As individuals around the world have
increasingly become dependent on the Internet, criminals have
begun to use it as a means to commit fraud (Wall, 2001).
Advance-Fee Fraud Operations
Advance-fee fraud gets its name because these schemes re-
quire the victim to pay the scammer in advance with the prom-
ise of receiving rewards later. This scam is neither the most
costly nor frequent Internet crime; however, it remains the
most ubiquitous and well-known of all cyber-crimes. Nigeria
419 scams are a very common type of advance-fee fraud where
scammers generally claim to be from Nigeria and execute a
variety of deceptive schemes that require victims to front
money (Microsoft, 2009). Scams like the Nigeria 419 scam are
frequently carried out from areas such as local cyber cafes,
which have become the target of more recent raids from Nige-
ria’s Economic and Financial Crimes Commission (Lilly, 2009).
Nonetheless, Internet scammers often remain undeterred by law
enforcement efforts (Goodman & Brenner, 2002). The circum-
stances in Nigeria illustrate the conditions created by lenient
laws and enforcement concerning the Internet.
Advance-fee fraud initially appeared as handwritten letters in
postal mail or faxes in the 1980s (United States Department of
State, 1997). These scams began to spread via e-mail in the
early 1990s as individuals began adopting e-mail technology. In
the past decade, advance-fee schemes have been labeled as
spam, or unsolicited bulk e-mails with multiple messages that
offer illicit or counterfeit services and information (Wall,
2004).
Although there may be individuals who act alone to initiate
contact and solicit information, the scammers generally work in
small teams with a specialized division of labor. Nigerian
scammers are different than con artists who hope for a quick
score by taking their gain in a single transaction—known as a
short con. Nigerian scammers work on a long con, one designed
to play out over time and gradually drain a victim’s assets.
Contrary to public perceptions, the goal of most Nigerian ad-
vance-fee fraud scams is not to simply empty a bank account by
immediately obtaining financial information as some other
scams do.
Rather than obtaining a quick score, the scammers intend to
draw increasingly large sums from the victim, who is manipu-
lated into looking for additional sources to supply them. The
relationship between the scammer and the victim can drag out
for months, and the transformation can be complex (NExT,
2007). The US Secret Service (n.d.) adds that, if carried to the
conclusion, the victim often will be enticed to come to Nigeria
for the final financial coup de grace.
Advance-fee scams have many variants, but they all share the
same essential characteristics. First, a large sum of money will
become available because of some tragic event. Most of the
time the event will be very specific, such as a plane crash, ma-
jor catastrophe (World Trade Center in 2001 or the Earthquake
in Haiti 2010), an auto accident, political conflict, or a fatal
disease. Usually they will include legitimate names of the
wealthy victim. This allows the scammer to provide a URL link
to a legitimate source that confirms both the accident and the
actual death, providing credibility. Second, the scammer reports
that the money remains unclaimed and provides reasons why
swiftness is needed in order to claim it, and secrecy needs to be
maintained to protect the project.
Third, a reason for the need to rush the transfer, usually be-
cause of political conflict or a looming deadline in which the
money will be given back to the bank or government, adds a
sense of urgency to the transaction. Fourth, the scammer always
implies that the transaction needs help from a foreigner in order
to evade laws, or outsmart others who are also after the funds,
or to avoid leaking that the fortune exists. This is done to em-
phasize the compelling requirement of secrecy. Finally, the
direct attempt to establish direct personal contact between the
scammer and the recipient comes. Occasionally, this may be a
direct request for information, including personal details and
bank account number and bank’s routing number. However, in
most variations, the scammer initially requests only a reply,
which can lead to extended email exchange or phone calls
(Sturgeon, 2003). In some circumstances, the e-mail will in-
clude attachments containing pictures or other information to
improve credibility. However, the attachments may also contain
malware that includes spyware or worms capable of extracting
the recipient’s e-mail address book or allowing the users’ PC to
be used to relay further e-mails through a legitimate system.
Given the unlikely scenarios, it might seem implausible that
any Internet users, most likely people with some sophistication
and basic literacy skills, would fall victim to the scams. At least
with increasing visibility and awareness of the scam, it would
seem that the prevalence of victimization would decrease. Nev-
ertheless, victimization continues to increase.
The Internet has greatly expanded the pool of potential vic-
tims while reducing the costs of committing fraud. These and
other factors have resulted in deceptive e-mails being sent out
to an estimated 10 million-plus recipients worldwide daily,
which is a very conservative estimate (King & Thomas, 2008).
Scammers send out large numbers of e-mails in order to capture
the relatively small number of respondents who are attentive to
the persuasions embodied in the e-mails. The investigation be-
low attempts to address what deceptive techniques have been
used in scam e-mails. Generally when studying crime, re-
searchers will focus on the motivations of the offender. Instead
of focusing on motivations, this study investigates the persua-
sive techniques that drive victims to fall for the online fraud-
sters’ scams.
Methodology
To examine the deceptive operations and techniques used in
phishing and advance-fee e-mails, the study has collected a
sample of 200 fraudulent e-mails related to the two types of
scam. These e-mails were gathered from a data archive main-
tained by an anti-phishing site, MillerSmiles, in Great Britain,
and also from the inbox of the researchers. A total of 100
phishing e-mails were gathered from the MillerSmiles site, and
another 100 advance-fee e-mails were gathered collectively
from the MillerSmiles site, as well as the researcher’s mail
inboxes. No overlap in the collected data existed between the
two sets of e-mails. The archived e-mails were used to increase
the number and diversity of the sample e-mails.
The 100 phishing e-mails were strategically gathered from
the MillerSmiles site. The MillerSmiles site offers an alpha-
betical listing of company names. At the bottom of the home-
page they offer a list of top targets by scams. From here, the top
three targets were selected (PayPal, eBay, HSBC bank) and to
have one main banking institution from the United States and
the UK, Bank of America and Abbey bank were chosen. In
order to gather 100 e-mails, 20 were collected from each insti-
tution.
For each of the five institutions, e-mails were selected be-
tween 6/08/2010 (the day that the e-mail extractions began) and
6/08/2009 (retrospective to the previous 12 months). The Mil-
lerSmiles site offers a collection of 300 e-mails for each institu-
tion. All e-mails between the aforementioned dates were print-
ed and then numbered, selecting every 5th e-mail for the sam-
ple. If any e-mail was repetitive or used any language other
than English a rotation would be skipped (e.g. if e-mail 5 is the
same as e-mail 1, e-mail 5 is skipped and e-mail 10 is the next
to be chosen) until 20 e-mails were reached for a chosen insti-
tution. Once 20 e-mails were selected for each institution, the
e-mails were printed and coded based on the codebook created
for this study.
Another 100 e-mails for advance-fee frauds were gathered
from the inboxes of the researchers as well as the MillerSmiles
website. Due to the low number of advance-fee e-mails on the
MillerSmiles site, only 15 e-mails were gathered, with the other
85 e-mails coming from the researchers’ inboxes. The selection
criteria and process for the previously mentioned 85 e-mails
were consistent with that of prior studies (Blommaert &
Omoniyi, 2006; Ross, 2009; Huang & Brockman, 2011). The
criteria were the e-mails had to be written in English despite
grammatical errors or typos found in the text; they had to ap-
pear to be full letters, showing an e-mail address, subject line,
salutation, body text, and closing; and they had to reflect the
sender’s control of funds, power of monetary distribution, and
knowledge of scheme procedures. Spamming e-mails that did
not fit into solicitations for personal privileged information or
monetary funds were excluded. For example, these exclusions
included e-mails promoting low home mortgage rates, brand-
name products at extremely low prices, online dating, online
drugs, sex enhancement pills, and x-rated entertainment.
Measuring Triggers and Persuasions
Each of the 100 phishing e-mails was read and coded based
on triggers. Triggers can be defined as the main reason or sub-
ject of the deceptive e-mail. In phishing mails, these triggers
can be an account update, account verification, account suspen-
sion/disabled/frozen etc. Triggers for the 100 advance-fee e-
mails were coded based on incentives. Incentives are classified
into five types according to the e-mail content: Nigeria 419
funds, lottery winning, working at home, job offer, and busi-
ness proposal.
Eight types of persuasive techniques were applied to the 200
e-mails. These techniques were authority, urgency, tradition,
fear/threat, attraction/excitement, pity, politeness, and formality.
Definitions of these persuasions are based on Capaldi (1971),
Huang and Brockman (2011), and Ross (2009). After coding
the e-mails, the collected data were entered into Microsoft Ex-
cel and then transferred into SPSS. Definitions of the persua-
sions are provided below.
1) Authority: Persuasive statements used to create legitimacy,
trust, and credibility. Institutional markers such as affiliations
and professional titles are included;
2) Pity: Refers to sympathy and charity expressed in the mes-
sages;
3) Tradition: An appeal to ideal values such as honor and
legacy commonly recognized by the public;
4) Attraction: An incentive which can draw excitement or a
sense of subversive joy. Examples of attraction include huge
cash prizes, easy job offers, or opportunities for profits;
5) Urgency: A stress on the exigency of the situation. Urgent
statements are used to stress the requirement to respond promptly
to receive the offer or award. They can also be stated in a nega-
tive tone, such as threat to disable account if a request is not
fulfilled in time;
6) Fear/threat: Used to intimidate the reader. Examples of
fear/threat include threats to delete, freeze, or suspend an
account;
7) Politeness: Used to construct the author as a real human
being. Examples of politeness would be the use of please, thank
you, etc.;
8) Formality: Professional terms used to convince the reader
that the letter is legitimate and safe. Examples of formality
include the use of confidentiality, safety, etc.
Social engineers take advantage of all elements of the e-
mails they send. One need not read the body of the e-mail to
see the persuasive phrases social engineers use. Often the sub-
ject line, the title of the e-mail which highlights the main con-
cern, contains such words as alert, warning, attention, and up-
date followed by exclamation points to strike fear in the reader.
Sometimes, social engineers use friendly salutations (e.g., Dear
Valued Customer/Member) and closures (e.g., Best Regards,
Sincerely, Thank you) to make a positive first impression and
familiar appearance. Regardless of the approach used by scam-
mers, the e-mails always show institutional affiliations. The
authors have to enhance fundamental attributions to encourage
recipients to comply with the e-mails’ request for action (Gil-
bert & Malone, 1995).
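As an added example (not the authors' instrument; the study coded its 200 e-mails by hand), the following Python script turns the codebook above into keyword patterns, tags each message with one trigger and the persuasion types present, and computes the mean number of persuasions per trigger type in the layout Table 3 uses. The regular expressions, the first-match trigger order and the sample messages are constructed assumptions of this example, built from the definitions and the phrases quoted in this paper, so a mail-filtering or awareness team could apply the same coding to its own quarantine.

```python
"""Keyword coder for the trigger/persuasion codebook described above.

Added example for this page, not the authors' instrument: the study coded its
200 e-mails by hand. The regular expressions below are a constructed
approximation built from the definitions and the phrases quoted in the text.
"""
import re
from collections import defaultdict

# Trigger categories (the phishing and advance-fee lists in the text). Order
# matters: the first pattern that matches wins, so specific phrasings are
# listed before the catch-all "upgrade/update" one (assumption of this example).
TRIGGER_PATTERNS = [
    ("invalid login attempts", r"\b(?:invalid|unusual number of) login attempts?\b"),
    ("account suspension/disabled/frozen",
     r"\baccount (?:has been )?(?:suspended|disabled|frozen)\b"),
    ("purchase confirmation", r"\bpurchase confirmation\b"),
    ("identity verification", r"\bidentity verification\b"),
    ("account verification", r"\b(?:verify|confirm) (?:your )?account\b"),
    ("alert, warning, attention", r"\b(?:alert|warning|attention)\b"),
    ("security upgrade/update of account", r"\bsecurity (?:upgrade|update)\b"),
    ("general upgrade/update of account", r"\b(?:upgrade|update)\b"),
    ("lottery winning", r"\blottery\b|\blucky winner\b"),
    ("work from home", r"\bwork(?:ing)? (?:from|at) home\b"),
    ("job offer", r"\bjob offer\b"),
    ("business proposal", r"\bbusiness proposal\b|\bforeign partner\b|\bbeneficiary\b"),
    ("nigeria 419 funds", r"\binherit|\btransfer of (?:us ?)?\$"),
]

# One pattern per persuasion type, keyed by the eight categories defined above.
# Markers are the words and constructions the text quotes as examples.
PERSUASION_MARKERS = {
    "authority": r"\b(?:paypal|ebay|hsbc|bank|security team|barrister|attorney|"
                 r"director|fbi|government)\b",
    "urgency": r"\bwithin \d+ (?:hours|days)\b|\b\d+ (?:hours|days) to\b|\basap\b|"
               r"\bimmediately\b|\burgent|\bquickly\b",
    "fear/threat": r"\b(?:suspend\w*|disabled|frozen|locked|limited|deleted?|"
                   r"restricted|violated|security problem)\b",
    "attraction/excitement": r"\$ ?[\d,]{7,}|\blottery\b|\bwinner\b|\bprize\b|"
                             r"\b\d{1,2}% of the total sum\b",
    "pity": r"\blate (?:father|mother|husband|son)\b|\b(?:killed|assassinated)\b|"
            r"\bnot safe\b|\bplane crash\b",
    "tradition": r"\binherit|\bhonou?r|\blegacy\b|\bfamily\b",
    "politeness": r"\bplease\b|\bthank(?:s| you)\b|\bdear\b|\b(?:best|kind) regards\b|"
                  r"\bsincerely\b",
    "formality": r"\bconfidential|\bsafeguard|\blegal\b|\bsecure\b",
}


def alarming_subject(subject: str) -> bool:
    """Subject-line check from the text: an alarm word plus a trailing exclamation mark."""
    s = subject.strip().lower()
    return s.endswith("!") and re.search(r"\b(?:alert|warning|attention|update)\b", s) is not None


def code_email(subject: str, body: str) -> dict:
    """Assign one trigger and the set of persuasion types present, like one coded row."""
    text = f"{subject} {body}".lower()
    trigger = next((label for label, pat in TRIGGER_PATTERNS if re.search(pat, text)), "other")
    persuasions = sorted(name for name, pat in PERSUASION_MARKERS.items() if re.search(pat, text))
    return {"trigger": trigger, "persuasions": persuasions,
            "alarming_subject": alarming_subject(subject)}


def persuasion_means(coded: list) -> dict:
    """Mean number of persuasions per trigger type plus the grand mean (Table 3 layout)."""
    by_trigger = defaultdict(list)
    for row in coded:
        by_trigger[row["trigger"]].append(len(row["persuasions"]))
    means = {t: round(sum(v) / len(v), 2) for t, v in by_trigger.items()}
    means["grand mean"] = round(sum(len(r["persuasions"]) for r in coded) / len(coded), 2)
    return means


# Constructed sample messages, assembled from phrases the text quotes; no real
# sender names or addresses are used.
SAMPLE_EMAILS = [
    ("Attention Your Account Has Been Violated!",
     "Dear Valued Customer, You have 24 hours to click on the link below and confirm "
     "your PayPal personal information, otherwise your ATM Debit/Credit Card access "
     "will become restricted. Thank you, PayPal Security Team"),
    ("Invalid login attempts on your account",
     "Due to an unusual number of login attempts, we had to believe that there might "
     "be some security problem on your account. Please verify your account information "
     "within 48 hours. This message may contain confidential or sensitive information. "
     "Bank of America Online Banking"),
    ("Business proposal",
     "Dear Sir, I was assigned by two of my colleagues to seek for a foreign partner who "
     "will assist us in the transfer of US $27,500,000.00. If your company acts as the "
     "beneficiary of this fund 35% of the total sum will be for you for providing the "
     "account. I wish for the utmost confidentiality in handling this transaction. "
     "Kind regards, Barrister (name withheld)"),
    ("Please I need your help",
     "My late husband who was a contractor with the government was assassinated with my "
     "only son by rebel troops. I am contacting you because of my inheritance fund that "
     "my late mother deposited in a bank. Please I want you to quickly help me out of "
     "this bad situation because my life is not safe here. Thanks and god bless you and "
     "your family."),
    ("Alert: update your account",
     "Your eBay account requires a security update. Please update now."),
]

if __name__ == "__main__":
    rows = [code_email(s, b) for s, b in SAMPLE_EMAILS]
    for (subject, _), row in zip(SAMPLE_EMAILS, rows):
        print(f"{subject!r}: trigger={row['trigger']}, "
              f"n_persuasions={len(row['persuasions'])}, alarming={row['alarming_subject']}")
    print(persuasion_means(rows))
```

Because the markers are plain keywords, a production filter would combine them with sender authentication rather than rely on them alone; the value here is in reproducing the paper's coding consistently over a large mailbox.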
Results
Table 1.
Triggers used in phishing e-mails (N = 100).
Triggers                                          %
Security upgrade/update of account               13%
General (unspecified) upgrade/update of account   6%
Alert, warning, attention                        18%
Account verification                             18%
Account suspension/disabled/frozen                8%
Purchase confirmation                             8%
Invalid login attempts                           17%
Identity verification                             5%
Other                                             7%
Total                                           100%
Table 1 identifies the triggers that were used in phishing e-
mails. The top three triggers used by scammers were: alert,
warning, attention (18%); account verification (18%); and inva-
lid login attempts (17%). Phishers often use triggers that catch
the reader’s attention and immediately cause a sense of fear.
For example, senders of fraudulent e-mails will include subject
lines such as “NOTIFICATION OF LIMITED ACCOUNT AC-
CESS” or “Attention Your Account Has Been Violated!” to
strike immediate fear in the reader. The “others” category is
made up of triggers such as policy violation, purchase cancella-
tion, reward offer, complete survey, leave feedback, and auc-
tion response. Due to the low frequency of occurrences these
categories were grouped into one category for better analysis.
Scammers also use urgent statements to persuade readers to
reply quickly to their e-mails. Table 2 portrays that 71% of the
phishing e-mails expressed urgent statements. For example,
senders will include statements like “you have to log-in within
48 hours after receiving this notice to re-update your Internet
banking account for urgent review,” “You have 3 days to con-
firm account information or your account will be locked,” and
“You have 24 hours to click on the link below and confirm your
PayPal personal information, otherwise your ATM Debit/ Cre-
dit Card access will become restricted.” Other words like
“ASAP”, “account suspension”, “account deleted”, “new mes-
sage waiting”, and “new bill” are used sometimes followed by
multiple exclamation points to instill a sense of urgency in the
recipient.
Table 2 also shows that fear/threat is used in 41% of the
phishing e-mails. Using fear/threat allows the phishers to de-
mand readers to respond, for fear that not responding in a
timely manner will result in unwanted consequences. For ex-
ample, senders will use phrases such as “failure to verify ac-
count will lead to account suspension,” “your account has been
limited,” and “due to an unusual number of login attempts, we
had to believe that, there might be some security problem on
your account.” Senders will often inform the users of why they
have received the messages, command the users to take proper
action and threaten them with unwanted consequences if they
do not comply immediately. This logical sequence is consistent
with the notions of conformity, compliance, and obedience
(Huang & Brockman, 2011).
Polite statements are often used in phishing e-mails as a way
to build a friendly relationship between the phisher and the
potential victim. Seventy-four percent of the phishing e-mails
used polite statements. Sometimes, social engineers use
friendly salutations (e.g., Dear Valued Customer/Member) and
closures (e.g., Best Regards, Sincerely, Thank you) to make a
positive first impression and familiar appearance. Scammers
will sometimes use formality in their e-mails to make the reader
feel safe. Of the e-mails analyzed, 55% used formality to at-
tempt to establish a trusting relationship with the reader. Phish-
ing e-mails will often use confidential statements or the use of
safeguards to assure the reader that no one else will be able to
see the information except for the “trusted entity”. For example,
senders often include statements like “it may contain confiden-
tial or sensitive information” or “Unauthorized recipients are
requested to preserve this confidentiality”.
Table 2.
Persuasions used in phishing e-mails (N = 100).
Types of Persuasions   % Yes
Authority               100%
Urgency                  71%
Fear/Threat              41%
Politeness               74%
Formality                55%
Table 3 details the average number of persuasions used
across the triggers types in phishing e-mails. The triggers with
the greatest mean number of persuasions utilized included:
account suspension, disabled, or frozen (4.50); invalid login at-
tempts (4.18); and identity verification (3.80). The grand mean
suggests that scammers have used 3 or 4 persuasions on aver-
age per phishing e-mail. Further analyses were conducted to
examine the average number of persuasions used per e-mail by
financial institutions. The three greatest means were found in
PayPal (3.75), Bank of America (3.75), and Abbey Bank (3.70).
An ANOVA test was administered to test differences of group
means amongst institutions, the results showed no statistical
significance. Results suggest that the average number of per-
suasions used by phishers did not differ by the financial targets
that they had chosen.
Table 4 displays incentives used in the advance-fee fraud
e-mails. As the data show, fraudsters use Nigeria 419 funds
(46%) and business proposals (41%) most often. Unlike phish-
ing e-mails, advance-fee e-mails use direct incentives such as
large sums of money, work-from-home jobs, and business op-
portunities to attract the attention of recipients.
Table 3.
Number of persuasions used in phishing e-mails by trigger types (N = 100).
Triggers                               Mean number of persuasions used
Security upgrade/update of account     3.54
General upgrade/update of account      2.83
Alert, warning, attention              3.44
Account verification                   3.56
Account suspension/disabled/frozen     4.50
Purchase confirmation                  2.75
Invalid login attempts                 4.18
Identity verification                  3.80
Other                                  3.14
Grand mean                             3.59
Table 4.
Triggers used in advance-fee e-mails (N = 100).
Incentives             %
Nigeria 419 funds     46%
Lottery winning        6%
Work from home         2%
Job offer              4%
Business proposal     41%
Payment approval       1%
Total                100%
Table 5.
Persuasions used in advance-fee e-mails (N = 100).
Types of Persuasions     % Yes
Authority                 84%
Urgency                   70%
Tradition                 28%
Attraction/Excitement     94%
Pity                      31%
Politeness                78%
Formality                 24%
Table 5 exemplifies the persuasions used in the 100 ad-
vance-fee e-mails collected for this study. Just as phishing e-
mails use authority to create an image of a legitimate entity, ad-
vance-fee e-mails also use authority as a way to develop legiti-
macy. However, persuasions are used more elaborately in ad-
vance-fee fraud e-mails. Social engineers attempt to explain the
nature and source of the funds in detail in order to convince the
reader that the offer is legitimate. As shown in the collected
mails, social engineers pretend to be executives of corporations,
attorneys, retired FBI officials, and doctors in order to further
their credibility. Eighty-four percent of the advance-fee e-mails
used authority to persuade readers to fall for the scam.
Urgent responses are critical for advance-fee fraudsters to
scam their readers. If readers do not reply quickly, scammers
run the risk of being caught and shut down. Of the e-mails re-
viewed 70% expressed urgent statements. Urgent responses
used in advance-fee fraud e-mail are similar to those used in
phishing e-mails. For example, social engineers will add state-
ments like “Please I want you to quickly help me out of this bad
situation because my life is not safe here,” and closing state-
ments such as “waiting with thanks”. This sometimes entices
the reader to hurry and respond because they believe someone’s
life is in danger.
Tradition is sometimes used in advance-fee e-mails to trigger
an emotional response from the reader. Readers will sometimes
respond to fraudulent e-mails in hopes that they can help a per-
son, family, or organization in need. Social engineers often use
tradition along with pity, using statements such as “My late
husband who was a contractor with Zimbabwan government on
commercial farming was assassinated with my only son by the
Zimbabwan rebel troop,” “I am contacting you because of my
inheritance fund that my late mother deposited in the famous
banks in Cote dIvoire”, and “because of the war my late father
sold his shipping company and took me to a nearby country
Cote dIvoire.” One of the most commonly used persuasions by
social engineers in advance-fee fraud e-mails is attraction/
excitement. Attraction/
excitement is used in advance-fee e-mails to make readers be-
lieve that they have just won a large sum of money or the op-
portunity to make a large sum of money by doing little or noth-
ing in order to attain it. Ninety-four percent of all advance-fee
e-mails tested used attraction/excitement. Social engineers of-
ten mention large sums of money to immediately cause a sense
of excitement in the reader. Typical offers read “I was assigned by two
of my colleagues to seek for a foreign partner who will assist us
in the transfer of US $27,500,000.00,” and “If your company
acts as the beneficiary of this fund 35% of the total sum will be
for you for providing the account”. Another way attraction/
excitement is used is through the use of “lottery winnings”.
Social engineers will use greetings such as “Attention lucky
winner” and then go on to state “We are pleased to notify you
the winner of our Internet lottery draws.” The reader will then
be instructed to give over confidential information in order to
receive the large sum of money.
Pity, another persuasive element employed by social engi-
neers, is sometimes used in advance-fee e-mails to trigger a
sympathetic feeling from the reader. Thirty-one percent of the
e-mails analyzed used pity as a way to obtain confidential in-
formation from the reader. Social engineers will fabricate sto-
ries of the death of loved ones or concerns of personal safety/
health for help. Pity along with tradition is used to dramatize
their story and make readers feel sympathetic. Examples of pity
include “I honorably inherited from my late father Mr. D.
Mummar, who the Empigigo rebels killed recently in a political
crisis in our country that resulted in war” and “the above sum
belongs to our deceased father who died along with his entire
family in the Benin plane crash 2003.”
Another persuasive element often used in advance-fee e-
mails is politeness. Using polite statements allows the scammer
to build a friendly relationship with the reader in hopes that the
reader will reveal important information. Seventy-eight percent
of the e-mails coded used politeness. Social engineers use friendly
salutations and closings to make the reader feel as if there is a
connection between him/her and the author of the e-mail often
including text such as “Thanks for your greatest kindness,”
“Thanks and god bless you and your family,” and “Please
help me get out of this situation and our almighty will bless
you.”
Lastly, it is important for the author of advance-fee e-mails
to make the reader feel that the e-mails are safe and any infor-
mation given by the reader will be used for only purposes stated
in the e-mail. The use of formality is used in 24% of the tested
e-mails. Statements of security and confidentiality include “I
wish for the utmost confidentiality in handling this transaction”
and “I assure you that this transaction is completely safe and
legal.”
Table 6 describes the mean number of persuasions used by
trigger types. The largest mean numbers of persuasions used by
scammers can be found in business proposal (4.41), Nigeria
419 funds (4.11), and work from home opportunities (4.00).
Overall, scammers used an average of 4 persuasions per e-mail.
Among the mean differences of trigger types, the ANOVA test
revealed a significance level of .028. It is suggested that busi-
ness proposal, Nigeria 419 funds, and work at home involve a
significantly greater number of persuasions used in advance-fee
scams.
Table 6.
Number of persuasions used in advance-fee e-mails by trigger types (N = 100).
Trigger              Mean number of persuasions used
Nigeria 419 funds    4.11
Lottery winning      2.33
Work from home       4.00
Job offer            3.50
Business proposal    4.41
Payment approval     3.00
Grand mean           4.09
Discussion and Conclusion
The analysis and results revealed in the study underscore the
importance of examining triggers and persuasive techniques
used in social engineering attacks. The findings indicate that
alert/warning/attention and account verification were the two
primary triggers used to raise the attention of e-mail recipients.
These phishing emails were typically followed by a threatening
tone via urgency. In advance-fee fraud emails, timing is a lesser
concern; potential monetary gain is the main trigger. Business
proposals and large unclaimed funds were the two most com-
mon incentives used to lure victims. In both phishing and ad-
vance-fee emails, authority and politeness were employed
widely. It seems that social engineers intend to use the combi-
nation of these two persuasive techniques to increase the le-
gitimacy of the e-mail and at the same time the sense of cour-
tesy commonly seen in business practices.
This study also discovered that social engineers have con-
structed statements in positive and negative manners to per-
suade readers to fall victim to their scams. Online fraudsters
have used e-mails to tap into emotions such as excitement, pity
and fear to affect viewers. The use of authoritative and often-
times emotional persuasions has caused readers to drop their
guards against potential risks. The study showed that politeness
and formality were used frequently as a way to make the reader
feel comfortable and secure in responding to the e-mail. By
exploiting human weaknesses, social engineers have strategized
and carried out emotional attacks on innocent people. As social
engineers continue to get better at attacks through deceptive
persuasions, potential victims need to prepare themselves for
counter attacks at any given time.
Social engineering attacks are easy to commit and very dif-
ficult to defend against because they focus on the human factors.
Since most people are usually helpful in attitude and tend to
believe that this type of attack will not happen to them, they are
often fooled without even knowing they have been a victim of
an online fraud. The natural human tendency to take people at
their word continues to leave users vulnerable to social engi-
neering attacks. Ultimately, the best way to defend against so-
cial engineering attacks is through education. This can be ac-
complished by training users to be aware of the value of the
information resources at their disposal as well as by creating
awareness of human hacking techniques, which makes it easier
for users to detect a social engineer. Education has been a stra-
tegy used by governments and businesses to prevent online
fraudulent acts. Efforts have been made by organizations to
raise awareness of social engineering through speeches, pam-
phlets, web pages, and the delivery of security messages in
e-mails sent to users (Huang & Brockman, 2011).
Cautions have also been raised concerning the psychological
effects that educational campaigns may have on users (Bardzell,
Blevis, & Lim, 2007; Emigh, 2007; Mann, 2008). Looking at it
from a customer’s viewpoint, banks have been perceived as
security providers who are assumed to offer protection advice
and warnings to users. According to Mann (2008), although the
strategy used has good intentions, when a user receives new
communications from the bank about security updates, he/she
has been pre-programmed to follow the instructions or visit the
suggested link. Since ordinary users feel ignorant when it
comes to IT, they know they must follow the instructions of the
experts. Users will often follow their emotions and what is
familiar to them to make their decisions on what to do, usually
ignoring security threats, faulty traps, or future financial losses
they are facing. Expecting users to be able to distinguish be-
tween a fraudulent e-mail and a legitimate e-mail and not to
follow the instructions in the former is an unattainable expecta-
tion (Emigh, 2007).
It is very unlikely that advance-fee fraud and phishing
e-mails will ever be completely eliminated. The creation of
anti-spam laws such as the CAN-SPAM Act of 2003 in the
United States and international directives by the European Un-
ion have had little impact on the volume of e-mails sent out
daily (Wall, 2004). There is also no easy way to identify the
fraudsters responsible for these messages due to the use of
spoofing and software that conceal an individual’s location.
Thus, it is difficult for law enforcement agencies to effectively
deal with fraudulent e-mails.
These challenges have led to a greater reliance on techno-
logical defenses developed by private sectors to combat social
engineering attacks. Microsoft and other computer companies
have embodied phishing filters, security firewalls, and e-mail
authentication devices in their online application software as
frontline barriers (Brandt, 2006; Kornblum, 2006). These pro-
viders are adaptive to the competitive environment and have the
technical expertise to better control and monitor the flow of
e-mail communications. Their supporting role in fighting online
frauds has complemented many aspects of police efforts in
crime prevention. As to ordinary citizens, preventative strate-
gies remain the most practical and useful ones (Musgrove,
2005). These include never providing account information in
response to a solicitation e-mail, constantly changing pass-
words, typing or copying URL addresses from legitimate
sources instead of following a hyperlink embedded in an e-mail,
and calling the financial institution directly when suspicions
arise from an e-mail. Overall, a basic understanding of the op-
erations of social engineering attacks coupled with constant
skepticism will reduce chances of victimization of such attacks.
It is understandable that no easy solutions can be identified to
prevent online fraud from occurring. Nonetheless, more legisla-
tive efforts in the area of online fraud and computer crimes, in
general, are needed. By this it is meant that there must be ade-
quate statutes addressing the various computer crimes and their
punishment, and consistent rulings from the courts as to how
the law can be applied to crimes online. Although governmental
agencies are dedicating more staff and resources to the investi-
gation and prosecution of computer crimes, many legal scholars
question whether the legal system will be able to handle high-
technology crimes in the future. In many areas it seems that
technology changes faster than the laws themselves. As soon as
a statute has been enacted to regulate an activity, the technol-
ogy may change and the statute becomes either obsolete or no
longer covers all possible activities. Therefore, education re-
mains the most effective approach to prevent online frauds.
Social scientists should continue their role in this approach to
educate the public on potential threats from social engineering
perpetrators.
REFERENCES
Applegate, S. D. (2009). Social engineering: Hacking the wetware.
Information Security Journal, 18, 40-46.
Bardzell, J., Blevis, E., & Lim, Y. (2007). Human-centered design
considerations. In M. Jakobsson, & S. Myers (Eds.), Phishing and
countermeasures (pp. 241-259). Hoboken, New Jersey: John Wiley
& Sons, Inc.
BBC News (2004). Suicide of internet scam victim.
http://news.bbc.co.uk/2/hi/uk_news/england/cambridgeshire/3444307.stm
Blommaert, J., & Omoniyi, T. (2006). E-mail fraud: Language, tech-
nology, and the indexicals of globalization. Social Semiotics, 16, 573-
605. doi:10.1080/10350330601019942
Brandt, A. (2006). How bad guys exploit legitimate sites (electronic
version). PC World, 24, 39.
Capaldi, N. (1971). The art of deception. New York: Donald W. Brown
Inc.
Carey, L. (2009). Can PTSD affect victims of identity theft: Psycholo-
gists say yes.
http://www.associatedcontent.com/article/2002924/can_ptsd_affect_
victims_of_identity.html
Emigh, A. (2007). Mis-education. In M. Jakobsson, & S. Myers (Eds.),
Phishing and countermeasures (pp. 260-275). Hoboken, New Jersey:
John Wiley & Sons, Inc.
Gilbert, D. T., & Malone, P. S. (1995). The correspondence bias. Psy-
chological Bulletin, 117, 21-38. doi:10.1037/0033-2909.117.1.21
Gulati, R. (2003). The threat of social engineering and your defense
against it. SANS Institute InfoSec Reading Room.
http://www.sans.org/rr/papers/index.php?id=1232
Harley, D., & Lee, A. (2007). The spam-ish inquisition. ESET antivirus
and security white papers.
http://www.eset.com/download/whitepapers/CommonHoaxes+Chain
Letters%28May2008%29.pdf
Harley, D., & Lee, A. (2009). A pretty kettle of phish. ESET antivirus
and security white papers.
http://www.eset.com/download/whitepapers/PhishingOnline.pdf
Holt, T. J., & Graves, D. C. (2007). A qualitative analysis of advance
fee fraud e-mail schemes. International Journal of Cyber Criminol-
ogy, 1, 137-154.
http://www.cybercrimejournal.com/thomas&danielleijcc.htm
Huang, W., & Brockman, A. (2011). Social engineering exploitations in
online communications: Examining persuasions used in fraudulent
e-mails. In T. Holt (Ed.), Crime online: Correlates, causes, and con-
text (pp. 87-111). Durham, NC: Carolina Academic Press.
James, L. (2005). Phishing exposed. Rockland, MD: Syngress Publish-
ing.
Kay, R. (2004). Phishing. Computerworld, 38, 44.
King, A., & Thomas, J. (2009). You can’t cheat an honest man: Making
($$$s and) sense of the Nigerian e-mail scams. In F. Schmallegar, &
M. Pittaro (Eds.), Crimes of the internet (pp. 206-224). Saddle River,
New Jersey: Pearson Education.
Kornblum, A. (2006). Enforcement takes the fight to the phishers.
IEBlog, The Microsoft Internet Explorer Weblog.
http://blogs.msdn.com/ie/archive/2006/06/22/643173.aspx
Larcom, G., & Elbirt, A. J. (2006). Gone phishing. IEEE Technology
and Society Magazine, 25, 52-55. doi:10.1109/MTAS.2006.1700023
Lilly, P. (2009). Nigerian police crack down on scammers, shut down
hundreds of websites. Maximum PC.
http://www.maximumpc.com/article/news/nigerian_police_crack_do
wn_scammers_shuts_down_hundreds_websites
Litan, A. (2007). Phishing attacks escalate, morph and cause consider-
able damage. Business Wire, Lexis Nexis Academic Database.
Long, J. (2008). No tech hacking: A guide to social engineering, dump-
ster diving, and shoulder surfing. Rockland, MA: Syngress Publish-
ing.
MailFrontier, Inc. (2004). Anatomy of a phishing email, 2004.
http://www.mailfrontier.com/docs/MF_Phish_Anatomy.pdf
Mann, I. (2008). Hacking the human: Social engineering techniques
and security measures. Burlington, VT: Gower Publishing Company.
Manske, K. (2000). An introduction to social engineering. Information
Systems Security, 9, 53-60.
doi:10.1201/1086/43312.9.5.20001112/31378.10
Mather, M., Shafir, E., & Johnson, M. (2000). Misremembrance of op-
tions past: Source monitoring and choice. Psychological Science, 11,
132-138. doi:10.1111/1467-9280.00228
McQuade III, S. C. (2006). Understanding and managing cybercrime.
Boston, MA: Allyn and Bacon.
Microsoft (2009). Scams that promise money, gifts, or prizes.
http://www.microsoft.com/protect/yourself/phishing/hoaxes.mspx
Mitnick, K., & Simon, W. (2002). The art of deception: Controlling the
human element of security. New York, New York: Wiley Publishing.
Musgrove, M. (2005). “Phishing” keeps luring victims. The Washing-
ton Post.
http://www.washingtonpost.com/wpdyn/content/article/2005/10/21/
AR2005102102113.html
National White Collar Crime Center (2008). Internet crime report.
Washington, DC: Bureau of Justice Assistance.
http://www.ic3.gov/media/annualreport/2008_IC3Report.pdf
NExT Web Security Services (2007). 419 Nigerian advance fee fraud
scam lifestyle.
http://nextwebsecurity.com/419LifeCycle.asp
Nickerson, R. (1998). Confirmation bias: A ubiquitous phenomenon in
many guises. Review of General Psychology, 2, 175-220.
doi:10.1037/1089-2680.2.2.175
Jakobsson, M., & Myers, S. (2007). Phishing and countermeasures:
Understanding the increasing problem of electronic identity theft.
New York, New York: Wiley Publishing.
Raman, K. (2008). Ask and you will receive. McAfee Security Journal,
1-12.
Richardson, R. (2007). CSI survey 2007: The 12th annual computer crime
and security survey. Computer Security Institute. http://www.csi.org
Ross, D. (2009). ARS dictaminis perverted: The personal solicitation
e-mail as a genre. Journal of Technical Writing and Communication,
39, 25-41. doi:10.2190/TW.39.1.c
Sturgeon, W. (2003). Nigerian money scam: What happens when you
reply? Silicon.com: The spam report.
http://www.silicon.com/research/specialreports/thespamreport/0,390
25001,10002928,00.htm
Symantec Corporation (2009). Symantec global internet security threat
report trends for 2009.
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitep
aper_internet_security_threat_report_xv_04-2010.en-us.pdf
Taylor, S., & Fiske, S. (1975). Point of view and perceptions of causal-
ity. Journal of Personality and Social Psychology, 32, 439-445.
doi:10.1037/h0077095
The Internet Crime Complaint Center (2009). 2009 Internet crime re-
port.
http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf
Thompson, S. (2006). Helping the hacker? Library information, secu-
rity, and social engineering. Information Technology and Libraries,
25, 222-225.
Tversky, A., & Kahneman, D. (1974). Judgment under uncertainty: He-
uristics and biases. Science, 185, 1124-1130.
doi:10.1126/science.185.4157.1124
United States Department of State (1997). Nigerian advance fee fraud.
Bureau of International Narcotics and Law Enforcement Affairs.
Washington DC: United States Department of State.
United States Secret Service (n.d.). Public awareness advisory regard-
ing “4-1-9” or advance fee fraud schemes. Washington DC: United
States Secret Service.
http://www.secretservice.gov/alert419.htm
University of Houston (2005). Phishing scams.
http://www.uh.edu/infotech/news/story.php?story_id=802
US Federal Trade Commission (2008). Consumer fraud and identity
theft complaint data: January-December, 2007. Washington DC: Fe-
deral Trade Commission.
http://www.ftc.gov/semtinel/reports/semtinel-annual-reports/sentinel-
cy2007.pdf
Wall, D. S. (2001). Cybercrimes and the internet. In D. S. Wall (Ed.),
Crime and the internet (pp. 1-17). New York: Routledge.
Wall, D. S. (2004). Digital realism and the governance of spam as
cybercrime. European Journal on Criminal Policy and Research, 10,
309-335.
Workman, M. (2008). Wisecracker: A theory-grounded investigation of
phishing and pretext social engineering threats to information secu-
rity. Journal of personality and Social Psychology, 9, 1-27.
Yoo, J. (2006). Phishing: A survey.
http://zoo.cs.yale.edu.classes/cs490/05-06b/yoo.dunne.pdf
Zajonc, R. (1968). Attitudinal effects of mere exposure. Journal of Per-
sonality and Social Psychology, 9, 1-27.
Zook, M. (2007). Your urgent assistance is requested: The intersection
of 419 spam and new networks of imagination. Ethics Place and En-
vironment, 10, 65-88.