Enacting social engineering: the emotional experience of information security deception

Crime, Law and Social Change

Abstract

Social engineering is a modern form of fraud that is widely implicated in contributing to information security breaches. This study situates social engineering in past criminological work on fraud and analyzes qualitative interviews with social engineers to elucidate the emotional experiences of perpetrating such frauds. The results of this analysis indicate that social engineering interactions are characterized by an emotional experience of situational tension and the subsequent resolution of that tension. The analysis then turns to factors that modulate the quality and intensity of the emotional experience of social engineering perpetration. These factors include the social distance between the social engineer and the mark, the social engineer’s framing of the mark, and both perceived and actual efficacy in utilizing skills involved in management of self and situation. This study suggests that the emotional experience of social engineering parallels that of other frauds and is revelatory of the motivations behind the experiences.

Notes

  1. Self-report questions were used to derive the percentage of those engaged in prior criminal social engineering. Fifteen participants in total admitted to or described engaging in some form of illegal social engineering (12 security auditors and 3 non-professional social engineers). The percentage omits an additional 2 security auditors who reported retroactively discovering having engaged in behavior that violated laws while conducting security audits.

Acknowledgements

The authors would like to thank Dr. Richard Goe for looking over previous drafts of this manuscript. The authors would also like to thank Lynn Demyan for the many hours of interviews she transcribed for this project.

Funding

This work was supported by the US National Science Foundation [grant number SES-1616804].

Author information

Corresponding author

Correspondence to Alexandra Pimentel.

Ethics declarations

Conflict of Interest

The authors declare that they have no conflict of interest.

Additional information

Publisher's note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Pimentel, A., Steinmetz, K.F. Enacting social engineering: the emotional experience of information security deception. Crime Law Soc Change 77, 341–361 (2022). https://doi.org/10.1007/s10611-021-09993-8

  • DOI: https://doi.org/10.1007/s10611-021-09993-8
