Skip to main content

Social engineering: assessing vulnerabilities in practice

Buy Article:

$54.08 plus tax (Refund Policy)


Purpose ‐ The purpose of this paper is to investigate the level of susceptibility to social engineering amongst staff within a cooperating organisation. Design/methodology/approach ‐ An e-mail-based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link to an external web site and install a claimed software update. The message utilised a number of social engineering techniques, but was also designed to convey signs of a deception in order to alert security-aware users. The external web site, to which the link was pointing, was intentionally badly designed in the hope of raising the users' suspicions and preventing them from proceeding with the software installation. Findings ‐ In spite of a short window of operation for the experiment, the results revealed that 23 per-cent of recipients were fooled by the attack, suggesting that many users lack a baseline level of security awareness that is useful to protect them online. Research limitations/implications ‐ After running for approximately 3.5?h, the experiment was ceased, after a request from the organisation's IT department. Thus, the correct percentage of unique visits is likely to have been higher. Also, the mailings were sent towards the end of a working day, thus limiting the number of people who got to read and respond to the message before the experiment was ended. Practical implications ‐ Despite its limitations, the experiment clearly revealed a significant level of vulnerability to social engineering attacks. As a consequence, the need to raise user awareness of social engineering and the related techniques is crucial. Originality/value ‐ This paper provides further evidence of users' susceptibility to the problems, by presenting the results of an e-mail-based social engineering study that was conducted amongst staff within a cooperating organisation.

Keywords: Computer crimes; Data security; Electronic mail

Document Type: Research Article


Publication date: March 20, 2009


Access Key

Free Content
Free content
New Content
New content
Open Access Content
Open access content
Subscribed Content
Subscribed content
Free Trial Content
Free trial content
Cookie Policy
Cookie Policy
Ingenta Connect website makes use of cookies so as to keep track of data that you have filled in. I am Happy with this Find out more