The Role of Social Media in Social Engineering Attacks: A Qualitative Study on Technical-, Individual-, and Organizational Measures to Mitigate Social Engineering Attacks in Social Media

Abstract

It is estimated that 98 % of all cyberattacks include some form of social engineering (Rebeca, 2023). The continued relentless cyber-related threats to organizations are ever-growing and important to address to mitigate the risks of being attacked. Social media platforms could be considered as the perfect hunting ground for social engineers to scour user profiles for personal and exploitable information to either deceive users directly or use this information to plan for a future attack.

This research focuses on the role of social media in social engineering attacks, more specifically how social engineering can be mitigated from three perspectives: 1) Technical measures that the social media platforms are responsible for implementing, 2) User-related responsibilities, 3) How organizations could facilitate the education and awareness training of their employees on the use of social media.

With this research being deductive-based, a systematic literature review (SLR) was conducted to build a foundation of literature of the relevant topics. For the empirical data collection, ten respondents from various international organizations were interviewed, including professionals and researchers in the field of cybersecurity and communication. The interviews were conducted with a semi-structured format. The Cybersecurity Culture Framework from (Gioulekas et al., 2022) was adopted throughout this master thesis, with it also being the foundation for the data analysis. As a result of the empirical findings and the Cybersecurity Culture Framework, it has emerged an inductive conceptual framework with new concepts.

Combining the results from both the literature review and the empirical findings, it is apparent that there are several measures, in all three perspectives, that are viable. From the platform and technical perspective, the use of some form of unique identification to remedy the risks of fake accounts and fraud, in addition to the use of AI to predict and prevent potential social engineering attacks is advised. Both from the individual- and organizational aspect, the common denominators are the high focus of training and awareness, both privately and professionally. This includes that users of social media have to familiarize themselves with the terms of use, and realize the consequences of sharing content and information on such platforms.