Twitter for Phishing: Charting the Discourse about Social Engineering and Ethics

MASTER THESIS to obtain the Erasmus Mundus Joint Master Degree

in Digital Communication Leadership (DCLead)

of

Faculty of Cultural and Social Sciences Paris Lodron University of Salzburg

Faculty of Economic and Social Sciences and Solvay Business School Vrije Universiteit Brussel

Submitted by Oyinkansola, AWOLO S1061289 OyinkansViews@.com Tervuursestraat 27, Leuven Belgium

Internal Supervisor: Prof. Laurence Claeys
External Supervisor: Ursula Meier Rabler
Tutor: Prof. Ezer Osei Yeboah-Boateng

Department of Communication Studies

Salzburg, 11/2/2021

EXECUTIVE SUMMARY

Keywords: Twitter, Phishing, Social Engineering, Cybersecurity and Ethics

Subject: More than 90% of all social engineering attacks are carried out through phishing. The trend of using Twitter to exploit the deeply curious nature of humans is on the rise, as social engineering techniques such as phishing are increasingly employed to psychologically manoeuvre unsuspecting people into divulging personal data (e.g. passwords); this is a side effect of the huge volume of information disseminated on the platform. Twitter is renowned for relevant conversations and discussions even though it is not the biggest social media platform. Due to the COVID-19 crisis, phishing attacks via email and social media increased by over 667 per cent. Today, there are growing ethical concerns as a result of the ever-changing phishing tactics employed to lure victims. This research largely focuses on user behaviour and the non-technical aspect of social engineering (i.e. “hacking” humans rather than systems) on Twitter. The findings are expected to contribute to further research on phishing on Twitter.

Research Questions

Main research question (R1): How are phishing attacks performed on Twitter (especially during the pandemic)?
R2: How knowledgeable are users about social engineering attacks and Twitter phishing (with a focus on the prevalent persuasion techniques used in Twitter attacks)?

Other questions for discussion in the literature review include:
R3: How effective is Twitter in addressing the fast-rising problem of phishing on the platform?
R4: What are the patterns and trends within the phishing landscape?

Aim and methods: This explorative research examines the current debates and trends on Social Engineering (SE), the labels within SE and ethics (Black, White and Grey Hats) and users’ perspective on Twitter phishing. It rests on a textual analysis of security events (data breaches, security incidents, privacy violations and phishing) as discussed on Twitter, from which themes and patterns are derived. It also investigates how phishing attacks are performed on Twitter (especially in the light of the current pandemic), the prevalent persuasion techniques employed (Cialdini’s principles) and users’ susceptibility to phishing based on their personality traits (Big 5 model). The research employs digital methods to gather and analyse data from Twitter, combined with qualitative approaches, textual analysis and a survey (method triangulation), to unveil insights about the online discourse on social engineering and ethics and the stakeholders (users) participating in that discourse. Special attention is given to the online discussion of Twitter phishing.


Findings:
1) Most of the malicious links in our dataset originated from India.
2) Twitter is neither proactive nor effective in raising awareness of phishing to protect its end users.
3) YouTube, Twitter and [...] are the most targeted brands, with a high number of incidences.
4) Malicious tweets relied mainly on the principle of reciprocity, which Cialdini refers to as “the honoured network of obligation”. Next came the principle of liking or similarity, used in a specific combination in this case.
5) Close reading revealed particular trends around bitcoin and enticement with free items, thereby increasing visits to malicious websites or the disclosure of sensitive details (the scarcity principle is in play here).

Recommendation: Based on the review of Twitter’s Financial Scam Policy, the thesis recommends the practical application of the heuristic steps of Contextual Integrity to educate users and employees and to mitigate threats.


TABLE OF CONTENTS


EXECUTIVE SUMMARY ...... 2
TABLE OF CONTENTS ...... 4
LIST OF GRAPHS, TABLES, FIGURES AND APPENDIXES ...... 7
Graphs: ...... 7
Tables: ...... 8
Figures: ...... 9
ABBREVIATIONS ...... 10
1. INTRODUCTION ...... 11
2. THEORETICAL FRAMEWORK ...... 15
2.1. Stakeholder’s Theory ...... 15
2.1.1. The Psychology behind Phishing: Theory of Social Proof ...... 18
2.1.2. The Big 5 Model ...... 26
2.2. Cyber Security ...... 30
2.3. Social Engineering: The Rise of a Concept ...... 31
2.3.1. Social Engineering: A Technical or Social Problem? ...... 32
2.3.2. Labels within Social Engineering and Ethics: White, Grey and Black Hat ...... 34
2.3.3. Charting the Discourse between Social Engineering and Ethics ...... 34
2.3.4. Types of Social Engineering ...... 37
2.4. Phishing ...... 39
2.4.1. Defining Phishing in the context of Current Debates: Twitter for Phishing ...... 42
2.4.2. Covid19 Blues: A New Level to Phishing ...... 44
2.5. Twitter for Phishing Incidences ...... 45
2.5.1. Incident 1: The Epic PayPal Phishing ...... 46
2.5.2. Incidence 2: Twitter Spear Phishing Case ...... 47
2.5.3. Incidence 3: Covid19 Password Dump ...... 48
2.6. Role of Language and other semiotic resources in the formation of pretext to establish Trust ...... 49
2.7. Towards a people-centric approach to Cyber security Awareness ...... 50
2.8. Informational Privacy and Data Literacy ...... 51
2.9. Policy Review: Twitter Financial Scam Policy ...... 51
3. METHODOLOGY ...... 54
3.1. Quantitative Survey Research ...... 54
3.1.1. Survey Sample ...... 56
3.1.2. Gathering Survey data and Responses ...... 56
3.2. Digital Methods as a research practice ...... 57
3.2.1. Gathering twitter data and metadata ...... 59
3.2.1. Analysis ...... 60
3.3.1. Data cleaning and editing ...... 61
3.3. Qualitative Analysis - Textual/Close Reading ...... 62
3.4. Quantitative Analysis - Digital Methods & Survey Research ...... 63
(1) Textual Analysis ...... 63
(2) Sentiment Analysis ...... 64
(3) Descriptive Analysis ...... 64
3.5. Visualization ...... 65
4.0. RESULTS ...... 65
4.1. General Overview and Description of the Datasets ...... 65
4.2. Sentiment Analysis Findings ...... 67
4.2.1. “Cybersecurity” Hashtags ...... 67
4.2.2. “Hacked” Hashtags ...... 69
4.2.3. “Phishing” Hashtags ...... 70
4.2.4. “Social Engineering” Hashtags ...... 72
4.2.5. Similarities and Patterns ...... 73
4.2.6. The Second Criteria: Corona Related Tweets ...... 73
4.3. In-depth Analysis: Twitter Spear Phishing Incidence ...... 75
4.3.1. Twitter Spear Phishing Incidence: #Hacked ...... 75
4.3.2. Twitter Spear Phishing Incidence: #Phishing ...... 76
4.3.3. Twitter Spear Phishing Incidence: #SocialEngineering ...... 77
4.3.4. Twitter Spear Phishing Incidence: #Phishing ...... 78
4.3.5. Twitter Spear Phishing Incidence: #TwitterHacked ...... 79
4.4. Cialdini’s Principles; Data Validation ...... 81
4.4.1. Word Frequency Approach ...... 82
4.5. Descriptive Survey Analysis ...... 83
4.5.1. Respondents - Gender Distribution ...... 83
4.5.2. Respondents - Age Distribution ...... 84
4.5.3. Respondents - Nationality ...... 84
4.5.4. Respondents - Country of Residence ...... 85
4.5.5. Respondents - Current Job Status ...... 85
4.5.6. Respondents - Level of Education ...... 86
4.5.7. Respondents - Time on Twitter ...... 87
4.5.8. Knowledge-Based Questions (KBQ) ...... 87
5. CONCLUSION ...... 97
6. REFERENCES ...... 99
SCIENTIFIC LITERATURE ...... 99
NON-ACADEMIC SOURCES ...... 108
7. APPENDIXES ...... 113
APPENDIX NO 1: SURVEY QUESTIONNAIRE ...... 113
APPENDIX NO 2: GENERAL DATA CHARACTERIZATION ...... 118
APPENDIX NO 3: TWITTER GLOSSARY ...... 119
APPENDIX NO 4: CONSENT FOR PARTICIPATION IN THIS STUDY ...... 120


LIST OF GRAPHS, TABLES, FIGURES AND APPENDIXES

Graphs:

Graph 1: Spikes of Phishing attacks in several countries, with Italy being the highest ...... 44

Graph 2: Distribution of Twitter users worldwide as of July 2020, sorted by age group...... 56

Graph 3: Overview of sentiment analysis based on all 4 themes ...... 66

Graph 4: breakdown of sentiment analysis based on the theme “Cybersecurity” ...... 67

Graph 5: breakdown of sentiment analysis based on the theme “Hacked” ...... 69

Graph 6: breakdown of sentiment analysis based on the theme “Phishing” ...... 70

Graph 7: breakdown of sentiment analysis based on the theme “Social Engineering” ...... 72

Graph 8: breakdown of sentiment analysis of COVID19 tweets ...... 74

Graph 9: Analysis of the Twitter Phishing Case ...... 75

Graph 10: Analysis of Twitter Spear Phishing case #SocialEngineering ...... 77

Graph 11: Analysis of Twitter Spear Phishing case #Phishing ...... 78

Graph 12: Analysis of Twitter Spear Phishing case #TwitterHacked ...... 80

Graph 13: Questionnaire results regarding sex ...... 83

Graph 14: Questionnaire results regarding Age ...... 84

Graph 15: Questionnaire results regarding Nationalities ...... 85

Graph 16: Questionnaire results regarding the country of residence ...... 85

Graph 17: Questionnaire results regarding Job Status ...... 86

Graph 18: Questionnaire results regarding Level of Education ...... 86

Graph 19: Questionnaire results regarding Time on Twitter ...... 87

Graph 20: How did you learn about Phishing? ...... 88

Graph 21: Question on link clicking experience ...... 88

Graph 22: Questionnaire results regarding Black Hat Link...... 89

Graph 23: Questionnaire results regarding Twitter’s Proactiveness ...... 90

Graph 24: Scenario 1 ...... 91

Graph 25: Scenario 2 ...... 91

Graph 26: Scenario 3 ...... 92

Graph 27: Result on Extroversion ...... 93

Graph 28: Result on Conscientiousness ...... 94

Graph 29: Result on Agreeableness ...... 95

Graph 30: Result on Openness to Experience ...... 95

Graph 31: Openness to Experience ...... 96

Tables:

Table 1: Twitter Stakeholder Categories adapted from (Alexander & Viardot, 2016) ...... 17

Table 2: The Number of Personality Traits in Different Models Adapted from (Najm, 2019) ...... 27

Table 3: Different facets within dimensions adapted from (Lim, 2020) ...... 30

Table 4 – Ethical concerns in public communication, adapted from Mouton et al., 2015...... 36

Table 5 – Ethical concerns in penetration testing, adapted from Mouton et al., 2015...... 36

Table 6 – Ethical concerns in social engineering research, adapted from Mouton et al., 2015 ...... 37

Table 7 - Two common Phishing Lures, adapted from (The Ultimate Guide to Social Engineering, n.d.) ...... 41

Table 8 - A summary of some of the prominent phishing attacks so far in 2020. Compiled from (Irwin, 2020)...... 41

Table 9: Summary of PayPal case ...... 46

Table 10. Twitter Spear Phishing Case ...... 48

Table 11. Covid19 Password Dump ...... 49

Table 12: Common elements of the 3 media articles/Twitter cases ...... 62

Table 13 :Sentiment by users ...... 68

Table 14: Sentiment by users ...... 70

Table 15: Sentiment by users ...... 71

Table 16: Sentiment by users ...... 73

Table 17: Sentiment by users ...... 75

Table 18: Sentiment by users ...... 76

Table 19: Sentiment by users ...... 77

Table 20: Sentiment by users ...... 78

Table 21: Sentiment by users ...... 79


Table 22: Sentiment by users ...... 81

Table 23: Overview of Survey Analysis

Table 24: Scores based on scales ...... 92

Table 25: Big 5 test results ...... 93

Figures:

Figure 1: Principle of Reciprocity applied to Twitter DMs ...... 19

Figure 2: Principle of Commitment applied to posts on Twitter TLs...... 20

Figure 3: Fake Profile ‘Robin Sage’ to establish trust and authority. Source:medium.com ...... 21

Figure 4: Verified Twitter hacked to send phishing tweets ...... 22

Figure 5: a COVID 19 scam based on the principle of Liking ...... 23

Figure 6: Principle of Scarcity with the urgency in play here...... 24

Figure 7: With Social Proof in focus ...... 25

Figure 8: Steps within a social engineering life cycle...... 32

Figure 9: Conceptual Model by (Janczewski & Fu, 2010) ...... 49

Figure 10: Twitter being called out on its ineffectiveness...... 53

Figure 11: The release post in September 2019 ...... 52


ABBREVIATIONS

API	Application Programming Interface
BFT	Big Five Factors
CTA	Call to Action
FOMO	Fear of Missing Out
GDPR	General Data Protection Regulation
NGO	Non-Governmental Organizations
SE	Social Engineering
SNSs	Social Networking Sites


1. INTRODUCTION

Problem statement

Connections, digital intimacies and data privacy are in crisis. Phishing attacks via email and social media increased by over 667 per cent as a result of the COVID-19 crisis in March 2020 (Indiana University of Pennsylvania, 2020). Each day, phishers come up with new social engineering tactics to manipulate users into clicking on, or taking actions through, black hat links. However, a cursory look at the inherent problems shows that most users are not aware that they can be scammed while on social media platforms. In 2018, Twitter not only allowed a fake PayPal account to run a promoted tweet that led users to enter their details, but also saw the loss of £120,000 after phishers hijacked the Twitter accounts of two companies (Matalan and Pathé UK) and used them to pose as Elon Musk running giveaway campaigns. The use of Twitter for phishing attacks lacks adequate and in-depth research, especially given the current pandemic. This thesis reviews and analyses Twitter discourse on #TwitterPhishing, media articles on the subject and Twitter’s Financial Scam Policy. It aims to map the current discourse on Twitter phishing and to sensitise users to cybersecurity and social engineering threats.

“Cyberspace touches practically everything and everyone. It provides a platform for innovation and prosperity and the means to improve general welfare around the globe. But with the broad reach of a loose and lightly regulated digital infrastructure, great risks threaten nations, private enterprises, and individual rights. The government has a responsibility to address these strategic vulnerabilities to ensure that the United States and its citizens, together with the larger community of nations, can realize the full potential of the information technology revolution.” - (Cyberspace policy review: assuring a trusted and resilient information and communications infrastructure, 2009).

It is no longer news that the Internet, or cyberspace, has been both a blessing and a curse. A lot has changed since the 1990s, when the World Wide Web was invented and utopian plans for the internet were shared (Aggarwal, Rajadesingan & Kumaraguru, 2012). Information and Communications Technology (ICT) has today become the main driver of economic growth for most nations, industries and individuals (Cameron, n.d.). Castells (2010) opines that this evolution of the internet is presumably the best technological innovation of the digital age. However, this innovation, which has been of huge benefit to society, also has a dark side, “because it threatens the moral foundations of society, most especially the morality of young people” (Ess, 2010).

One of the greatest strengths of platforms like Twitter is their openness and the ease with which they can be accessed over the internet (Benkler, 2006). At the same time, Social Networking Sites (SNSs) have become viable architectures in which human vulnerabilities are exploited using social engineering techniques (Silic & Back, 2016). There are increased ethical concerns as a result of black hat activities on the platform, i.e. the ever-changing phishing tactics employed to lure victims. 90% of data breaches and cyber-attacks begin with phishing, making it a major security concern (KnowBe4, 2020).

Social Engineering (SE) via phishing remains a major issue as it continues to ‘threaten financial institutions, retail companies, and consumers daily and phishers remain successful by researching anti-phishing countermeasures and adapting their attack methods to the countermeasures, either to exploit them or completely circumvent them’ (Barnes, 2006). March 2020 witnessed an increase in phishing attacks via email and social media of over 667 per cent as a result of the COVID-19 crisis (Indiana University of Pennsylvania, 2020). Recently, social media (Twitter) stakeholders have become more aware of the fact that phishers exploit the weakest link in the security chain, people, with the most likely outcome of such exploitation being financial loss through the disclosure of sensitive information, and mistrust (Bosworth, Kabay & Whyne, 2014; Xiong, Proctor, Yang & Li, 2018).

Establishing Trust and Digital Intimacies in Online Media

Social Engineering is the act of employing “influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.” (Mitnick & Simon, 2011). Social engineering not only exploits the natural human tendency to trust (Salahdine & Kaabouch, 2019) but also appeals to and leverages five human emotions:

1. Fear (Gupta & Sharman, 2009).


2. Greed (Broadhurst & Chantler, 2008).

3. Urgency (Workman, 2007).

4. Helpfulness (Jewkes & Yar, 2013).

5. Curiosity (Rader & M. Rahman, 2013).

This master thesis aims to study users’ perspective of the phishing landscape on Twitter and to carry out a broad analysis of the current phishing landscape: Twitter phishing and COVID-19 themed phishing scams. Furthermore, it investigates how phishing attacks are performed on Twitter (especially in the light of the current pandemic) and seeks to examine the link between Twitter stakeholders, Cialdini’s six principles of persuasion and the Big Five personality traits, as well as stakeholders’ responses to Twitter phishing tactics. Finally, this exploratory research aims to assess Twitter’s effectiveness, or lack thereof, in addressing the fast-rising problem of phishing on the platform. The researcher seeks to contribute to this budding field of research by increasing awareness and educating potential victims, from a user’s point of view, so that these ever-changing tactics can be blocked upfront.

The research questions of this study are the following:

Main research question (R1): How are phishing attacks performed on Twitter (especially during the pandemic)?
R2: How knowledgeable are users about social engineering attacks and Twitter phishing (with a focus on the prevalent persuasion techniques used in Twitter attacks)?

Other questions for discussion in the literature review include:
R3: How effective is Twitter in addressing the fast-rising problem of phishing on the platform?
R4: What are the patterns and trends within the phishing landscape?

This master thesis is structured in several sections. The introduction presents the problem and subject of the research, its social and scientific relevance, and the aims and objectives of the research. Chapter 2 introduces the theoretical framework based on stakeholder theory, Cialdini’s principles of persuasion and the Big 5 model, together with a literature review of the concepts of social engineering. Chapter 3 introduces the research methodology. Chapter 4 presents the results and findings of the research. Chapter 5 concludes the thesis by reiterating the subject of the research and its findings, and provides a framework (Contextual Integrity) for mitigating user/employee susceptibility to social engineering attacks.

Clarifications of Terminologies

The six terms below are the most crucial terms within this body of research:

1. Attack: destructive unauthorized access with the sole intent of exploiting, gaining, stealing or destroying information within an information system (Gehem, Usanov, Frinking & Rademaker, 2015).
2. Breach: according to Art. 4 of the General Data Protection Regulation (GDPR), a ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (“Art. 4 GDPR – Definitions | General Data Protection Regulation (GDPR)”, 2020).
3. Disclosure: verified breach or exposure of data to an unauthorized party (Gehem, Usanov, Frinking & Rademaker, 2015).
4. Incident: a security happening or occurrence that potentially leads to data loss, disrupts the operations of an organization or, more broadly, harms an information system with security implications (National Initiative for Cybersecurity Careers and Studies).
5. Privacy: ‘Privacy is the rightful claim of the individual to determine the extent to which he wishes to share himself with others and his control over the time, place and circumstances to communicate with others. It means his right to withdraw or to participate as he sees fit. It is also the individual’s right to control the dissemination of information about himself; it is his own personal possession’ (Breckenridge, 1971, as cited in Sharma, 1994).
6. Spoof: the act of creating a replica of a company’s or otherwise trusted website with the malicious intent of phishing data or money.


2. THEORETICAL FRAMEWORK

This chapter first highlights the theories (Freeman’s Stakeholder Theory, Cialdini’s Theory of Influence and the OCEAN model) framing the analysis of this study. The theoretical part of this thesis lays the groundwork for the empirical review, which gives a panoramic perspective of the major concepts underpinning the topic. Against the backdrop of cybersecurity, the tensions, discussion and contemplation of ethics in social engineering in cyberspace are critically examined. Underlying issues are discussed regarding social engineering, phishing and ethics, along with the need for cyber awareness, user education and literacy. Finally, a critical overview is given of the role language plays in the above concepts.

2.1. Stakeholder’s Theory

Freeman (1984) traditionally defines a stakeholder as ‘any group or individual who can affect or is affected by the achievement of the organization’s objectives’. The purpose of the concept is to guide an organization strategically on how to manage its relationships with its stakeholders (Freeman, 1984). Friedman (2006), however, argues that the organization should itself be understood as a grouping of stakeholders and that its purpose is to manage their interests, needs and points of view. In his 2004 publication, Freeman reviews ‘the principle of stakeholder recourse’, which states that ‘stakeholders may bring an action against the directors for failure to perform the required duty of care’ (Freeman, 2004, as cited in Fontaine, Haarman & Schmid, 2006).

As a result of continuous research and the abundance of literature on the subject, several definitions have continued to evolve, and with them tensions and criticism about the concept’s ambiguous nature. One critique of Freeman’s (1984) definition is that it can include groups such as terrorists, since it says nothing about the legitimacy of a stakeholder. Freeman nevertheless accepts this from a strategic viewpoint:

“Some groups may have as an objective simply to interfere with the smooth operations of our business. For instance, some corporations must count ‘terrorist groups’ as stakeholders. As unsavoury as it is to admit that such ‘illegitimate’ groups have a stake in our business, from the standpoint of strategic management, it must be done. Strategies must be put in place to deal with terrorists if they can substantially affect the operations of the business.” (Freeman, 1984, p.53).

Furthermore, in their study of 125 accounting research papers that use the language of stakeholders, Roberts and Mahoney (2004) found that roughly 65 per cent ‘use the term “stakeholders” without reference to any version of stakeholder theory’ (Roberts & Mahoney, 2004).

Donaldson and Preston (1995) distinguished three major types of stakeholder theory: instrumental, descriptive and normative (Donaldson & Preston, 1995). The theory also enables an analysis of the relationships between stakeholders and can illuminate why and how stakeholder relations change over time. Stakeholder theory is therefore relevant to this research, which explores the business ethics of Twitter, the cause and effect of the Twitter phishing incidences, and the ensuing policy.

The main groups of stakeholders of any organization are typically the:
● Customers
● Employees
● Local communities
● Suppliers and distributors
● Shareholders (Fontaine, Haarman & Schmid, 2006).

A stakeholder analysis was conducted to identify Twitter’s stakeholders. They are grouped into eight categories: public institutions and political parties; mass media; employees; firms, CEOs and entrepreneurs; consultant firms; academics, scholars and researchers; brand influencers/evangelists; and users (individuals, the general public). The categories are shown in Table 1 below.


Table 1: Twitter Stakeholder Categories adapted from (Alexander & Viardot, 2016)

| # | Stakeholder group | Stakeholder type | Interaction mechanism | Description |
| 1 | Public institutions and political parties | Formal | Official accounts on Twitter of governments, of any organisation at a global, national or local level, and of political parties | Ministries, Commissions, NGOs |
| 2 | Mass media | Formal | Influencing public opinion at all levels on Twitter | Official accounts of radio, newspapers, magazines, TV, bloggers and so on |
| 3 | Employees | Internal | The powerhouse of the organization, with a vested interest in and lending support to business transactions | |
| 4 | Firms, CEOs and entrepreneurs | Semi-formal | Corporate accounts on Twitter; managers and entrepreneurs as creators of content on innovation-related issues | Internet enterprises, platforms, retail companies, multinationals |
| 5 | Consultant firms | Semi-formal/Formal | All firms of experts providing professional services in innovation-related aspects | |
| 6 | Academics, scholars, researchers | Formal | A growing body of individuals connecting with other academics and using the platform for pure research purposes | |
| 7 | Brand influencers/evangelists | Informal | Passionate individuals/actors, the link between brands and audiences; a social media influencer partners with a brand to create sponsored content | |
| 8 | Users, individuals, general public | Informal | Groups and individuals with ideological beliefs, using, shaping | |

(Row 2 is labelled “Public institutions and political parties” a second time in the original layout; its content corresponds to the mass media category listed in the text above.)

As mentioned in the introduction, humans (including all of the above stakeholders) are the weakest link in social engineering attacks; the next section therefore explores the motivation and the psychology behind phishing.

2.1.1. The Psychology behind Phishing: Theory of Social Proof

For over 35 years, Robert Cialdini and other scientists have studied the science of influencing people towards a desired action; alternative frameworks include Gragg’s seven psychological triggers and Stajano and Wilson’s seven principles of scams. This research, however, uses Cialdini’s principles as its framework. In his influential book, Cialdini (2007) introduces six major principles of persuasion: reciprocity, commitment or consistency, social proof or conformity, authority, liking, and scarcity (Cialdini, 2007, p. vii). These strategies are actively employed on Social Networking Sites (Algarni, Xu, Chan & Tian, 2014). The following images are real cases sourced by the researcher to illustrate the six persuasion principles, with emphasis on Social Proof Theory.

The first principle, reciprocity, is grounded in the rule that a small favour begets an even bigger favour, because human social systems create a tendency to feel uneasy and obliged until a favour has been repaid (Cialdini, 2007). Other studies explore this principle with everyday examples, such as granting a favour after being offered a cup of coffee or a bottle of soda (Regan, 1971). In Twitter phishing, a direct message (DM) expressing concern is used to prompt a favour in return, namely opening a link.


Figure 1: Principle of Reciprocity applied to Twitter DMs

The principle of commitment or consistency: according to Cialdini (2007), notable theorists such as Leon Festinger, Fritz Heider and Theodore Newcomb assert that the inclination for consistency is a central motivator of our behaviour. Furthermore, he demonstrates that the strong need ‘to be and look consistent constitutes a highly potent weapon of social influence, often causing us to act in ways that are clearly contrary to our own best interests’.

“Once we realize that the power of consistency is formidable in directing human action, an important practical question immediately arises: How is that force engaged? What produces the click that activates the whirr of the powerful consistency tape? Social psychologists think they know the answer: commitment. If I can get you to commit (that is, to take a stand, to go on record), I will have set the stage for your automatic and ill-considered consistency with that earlier commitment. Once a stand is taken, there is a natural tendency to behave in ways that are stubbornly consistent with the stand” (Cialdini, 2007).

Applying this to this study, users tend to be more certain of their decisions and to abide by them once they have posted about them (Ferreira, Coventry & Lenzini, 2015), which makes social media platforms a viable place to encounter interpersonal pressure to commit.


Figure 2: Principle of Commitment applied to posts on Twitter TLs.

Authority: there has been a power shift since the internet was created, from only a few monopolies having a voice to anyone being able to become a voice of authority in political matters or in their own industry (Benkler, 2006). According to Akbar (2014), the most prevalent technique employed in phishing is the principle of authority, since everyone has been linked to one form of authority or another since birth. According to Cialdini, this is also because humans look up to higher figures and bodies of authority to determine how to behave (Cialdini, 2007). Previous research on obedience to authority (the Milgram experiments) showed that invoking authority can lead people to act against their beliefs and ethics (Milgram, 1965). McChesney likewise holds that individuals can indeed become different as a result of digital interactions (McChesney, 2013).

A famous case of establishing trust through authority, and of how much potential the principle of authority has to mislead people, is the ‘Robin Sage’ experiment, in which a white hat hacker (Thomas Ryan) created a fictitious persona that was able to con its victims because she was perceived as highly skilled, knowledgeable and well connected (discussed in detail in section 2.6). Figure 3 is a screenshot of Robin Sage’s LinkedIn profile created by Thomas Ryan.

Figure 3: Fake Profile ‘Robin Sage’ to establish trust and authority. Source:medium.com

Phishers also hijack the accounts of credible individuals (voices of authority) and use them to propagate phishing scams. A case in point is the verified account of a news reporter (Chandler Rogers), which was hacked in June 2020 and used to spam political figures. See Figure 4.


Figure 4: Verified Twitter hacked to send phishing tweets

Liking- According to Bujold (2002), ‘If you make it plain you like people, it's hard for them to resist liking you back’. This is because there is a higher tendency for people to approve or accept requests of people they like or know. This fact is exploited in several ways by phishers to get their victims to acquiesce to their wants. In his book on Influence, Cialdini demonstrates the principle of liking with the illustration of a Tupperware party.

“Despite the entertaining and persuasive salesmanship of the Tupperware demonstrator, the true request to purchase the product does not come from this stranger; it comes from a friend to every woman in the room. Oh, the Tupperware representative may physically ask for each partygoer’s order, all right, but the more psychologically compelling requester is a housewife sitting off to the side, smiling, chatting, and serving refreshments. She is the party hostess, who has called her friends together for the demonstration in her home and who, everyone knows, makes a profit from each piece sold at her party”- (Cialdini, 2007, pg. 125-126).

In the context of Twitter, it is standard procedure to check a new follower’s profile; before users follow back, they check whether they like the nature of the new follower’s content. There is a higher tendency to follow back if they are inspired by, or can identify with, the new follower’s tweets. Phishers leverage trending issues (e.g. COVID-19) and controversial news, and are usually up to date on current affairs, so as to present potential victims with what they like and want to see at each point in time. Figure 5 is a typical example of a COVID-19 scam based on helping people in times of economic crisis.

Figure 5: a COVID 19 scam based on the principle of Liking

Scarcity: Often referred to as the deadline tactic, this is a weapon of influence used in the sales industry. According to Cialdini (2007), its power is largely due to the potential-unavailability factor. In their research, Ferreira et al. found that the scarcity principle is driven by urgency: the products or money to be won or lost, and the limited time available, are emphasized (Ferreira, A., Coventry, L., & Lenzini, G., 2015). Figure 6 shows how the fear of missing out (FOMO) comes into play and how the principle of scarcity is leveraged, thereby urging and coercing tweeps¹ to take quick action(s).

¹ A user-created conjunction of Twitter and Peeps, usually referring to the followers of the person using the word; part of the various lingo resulting from Twitter. See https://www.urbandictionary.com/define.php?term=Tweeps for more information.

Figure 6: Principle of Scarcity with the urgency in play here.

Social Proof Theory, also called Informational Social Influence Theory, states that to find out what is right we have to determine what others think is right (Cialdini, 2007). This principle relates to a large extent to the principle of authority, as people look to others to decide what is ‘correct behaviour’. There are a few notable social experiments that prove this theory. Milgram, Bickman, and Berkowitz (1969) conducted a social contagion study on 42nd Street, New York City: varying numbers of passersby (all confederates) were staring at a sixth-floor window, and the dependent variable was the percentage of persons who stopped to stare. As the number of sources increased, the percentage of persons who stopped to stare also increased: forty-five per cent of passersby stopped if one confederate was looking up, and 85% stopped if 15 confederates were looking up (Milgram, 1965). Similarly, Craig and Prkachin (1978) found that people felt less shock (on both the verbal and physiological indices) if they were in the presence of another subject who was apparently experiencing little or no pain after being administered a shock. Thomas Ryan’s ‘Robin Sage’ experiment further proved that the Social Influence Theory is not a random generalization: the more cyber-security experts connected to her, the more influence she gathered with other people across SNSs, thereby establishing trust and digital intimacies based on the mutual-friends factor (Ryan T., & Mauch. G., 2010).


Figure 7 shows how the principle of social proof works even when the offer is not ‘believable’.

Figure 7: With Social Proof in focus

While several subsequent authors and researchers in the field of persuasion recognize and build on Cialdini’s work, there have, however, been notable criticisms, e.g. from Chater, who opines that generalizing the principles of persuasion is problematic and counters this approach with the suggestion that ‘attempts of persuasion should be tested more before providing these general principles in hopes of persuading’ (Jacobs, 2014). Quiel & Uebelacker (2014) argue that, while Cialdini’s principles can be well applied in social engineering, the different personality traits of victims ensure the success of other principles (Quiel & Uebelacker, 2014, as cited in Ferreira, A., Coventry, L., & Lenzini, G., 2015). Similarly, Krombholz et al. (2015) are of the view that “curiosity”, linked to personality traits, should have been made the seventh principle (Krombholz et al. 2015).

Furthermore, many users ignore safety precautions, go out of their way to forge new connections, and are more likely to communicate with strangers online than offline. Studies show that people (both young and elderly) use social media to forget their worries, avoid loneliness and combat depression (Aaron, 2011). Brandtzæg and Heim, in their 2009 study ‘Why People Use Social Networking Sites’, found that 66% of their 1200 research participants used Social Networking Sites (SNS) because it is ‘an efficient tool to keep in contact with several friends at the same time’. They also use it because of the opportunities it provides to make new friends and the reassurance it provides. One participant in their study mentioned that SNS was the place to share problems and get moral support ‘when she is depressed and wants to commit suicide’ (Brandtzæg & Heim, 2009). Similarly, in a study by the Pew Research Center, 66% of adults use Twitter, and they primarily use this platform and others like it to interact and keep in touch with friends and family members, while others say reconnecting with lost friends is why they use social media (Aaron, 2011).

Understanding these motivations lends credence to how humans’ heuristics and biases can be exploited, as highlighted in Cialdini (2007). He also presents the “Click-Whirr”² analogy, using the turkey for illustration: ‘They (turkeys) can involve intricate sequences of behaviour [...] Click and the appropriate tape is activated; whirr and out rolls the standard sequence of behaviours’. The theoretical literature so far, based on Cialdini’s six principles of persuasion, is incomplete without an exploration of personality traits from the susceptibility angle discussed earlier in the introduction; that is, people being the weakest links in social engineering (Bosworth, Kabay, & Whyne 2014). “I was so successful in that line of attack that I rarely had to resort to a technical attack. Companies spend millions of dollars toward technological protections, and that's wasted if somebody can basically call someone on the telephone and either convince them to do something on the computer that lowers the computer's defences or reveals the information they were seeking” – Convicted Hacker, Kevin Mitnick (Schneier, 2006).

2.1.2. The Big 5 Model

An extensive body of research from several notable scholars in the field of psychology (Correa et al., 2010; Lee et al., 2014; Marshall et al., 2015; Moore and McElroy, 2012) are all of the view that ‘personality factors differentiate users of SNSs from one another’ (Jiang, Naqvi & Abbas Naqvi, 2020). The Big Five Factors (BFT) are most often used in the study and exploration of the dimensions within personality traits. They are Openness, Conscientiousness, Extraversion, Neuroticism (also known as emotional instability) and Agreeableness (Lang, John, Lüdtke, Schupp & Wagner, 2011), and are often referred to as OCEAN or CANOE. The Five-Factor Model (FFM) is a theory hinged on these big five domains. The Big 5 Model was originally developed by Fiske (1949) and has since been adapted from a lexical standpoint (dictionary terms and adjectives) to a traits standpoint, where traits are focal points that represent the common characteristics of personality. However, there is criticism due to its lexical origins. For instance, Block (1995) condemned its use on the grounds that such personality description is only used by laymen. Similarly, McCrae (1990) asserts that the acclaimed elementary factor “Open to Experience” has few adjectives in English that can be linked to it. Saucier (1992b), however, challenged these reasonings (Saucier, G., & Goldberg, L., 1996). These five traits were acclaimed in the 80s as one of the crucial theories of personality (Cloninger, 2004 as cited in Najm, 2019).

² This connotes ‘fixed-action patterns’, typically instigated by a sound (in the turkey context) or by a certain characteristic of an important piece of information in a scenario. See more in Chapter 1 of Influence: The Psychology of Persuasion by Robert Cialdini.

Today there is a plethora of personality scales, which evolved from upgrades and further research in this field (see table 3 for some examples). Lopes & Yu (2017) in their research also examined a similar dimension using the “Dark Triad” personality traits, which consist of Machiavellianism, psychopathy and narcissism, and their influence on Facebook user behaviour (Lopes & Yu, 2017).

Table 2: The Number of Personality Traits in Different Models. Adapted from (Najm, 2019).

Model and Author | Big Traits | Notes
Big five traits, Fiske (1949) | Extraversion, agreeableness, conscientiousness, neuroticism, openness | The transition from the lexical hypothesis to the practical hypothesis led to the BFT.
Norman (1963) | Agreeableness, neuroticism (emotional stability), conscientiousness, and culture | Culture is wider, as it is a super-trait, while openness/intellect to experience is a trait.
Two big personality traits, Wiggins (1968) | Extraversion and Anxiety | Many studies have confirmed both traits.
Three big traits, Cloninger et al. (1991); Cloninger et al. (1993) | Self-directedness, Cooperativeness and Self-transcendence | These three traits can predict interpersonal differences in responsiveness to experimental pain.
Ten clusters beyond BFT, Paunonen and Jackson (2000) | Religious; deceptive; ethical; masculine-feminine; egotistical; humorous; risk taking | These clusters illustrate that the five traits are not comprehensive, and some traits such as religiosity and ethics are important pillars of personality.
Big six traits (HEXACO Model), Ashton et al. 2004; Ashton and Lee 2005; Ashton and Lee (2008); Lee and Ashton (2004); Lee and Ashton (2014) | Big five traits plus the sixth factor: honesty–humility | The HEXACO is an attempt to provide a broader view of personality by expanding the five personality traits to include religiosity.

The five personality traits are described as follows:

Openness to Experience consists of extremely receptive individuals who are great thinkers: thoughtful and intellectually curious. They are also typically art and beauty enthusiasts. In contrast, closed-minded individuals are hardly ever curious or intrigued by creativity (Soto, 2018).

Extraversion (or extroversion) connotes being decisive, amiable, outgoing, generally positive and able to express emotions (Power & Pluess, 2015; Gupta & Gupta, 2020). In agreement with the former, Cherry (2020) also claims that individuals with a high level of extraversion draw energy from, and are usually excited by, being out or placed in social settings. Alternatively, introverted individuals (low in extraversion) tend to feel drained in social settings and routinely take time off to “recharge” (Cherry, 2020).

Neuroticism is regarded by experts as one of the most crucial dimensions of personality, with each person scoring somewhere in the range between perfect emotional stability and complete emotional chaos. Research on this factor dates back to 460-370 B.C.E., when the Greek doctor Hippocrates proposed a biological rationale for personality ("Neuroticism: A 'Big Five' Personality Factor", n.d.). A neurotic personality is usually characterised by negativity: anxiety, self-doubt, depression. Weed, C., & Kwon, S. (2007) stated in their study that people in the high neurotic range tend to be constantly uneasy and withdrawn, while people in the low score band are rather bold and at ease (Weed, C., & Kwon, S. 2007).

Conscientiousness comprises a high level of discipline, and individuals here are usually goal-oriented and thoughtful. Furthermore, highly conscientious people are visionaries who plan and are considerate of other people (Cherry, 2020).

Agreeable individuals are charitable and altruistic people. They are kind and believe the best in others too. On the other side of the spectrum are individuals who do not care about others, question everyone’s motives and are ‘rather than co-operative’ (Rothmann & Coetzer, 2003). Table 3 shows the different facets within the dimensions based on high-low score rates.

Table 3: Different facets within dimensions, adapted from (Lim, 2020).

Big 5 Factors | Facets
Openness | Prefers routine, practical vs. imaginative, spontaneous
Conscientiousness | Impulsive, disorganized vs. disciplined, careful
Extraversion | Reserved, thoughtful vs. sociable, fun-loving
Agreeableness | Suspicious, uncooperative vs. trusting, helpful
Neuroticism | Calm, confident vs. anxious, pessimistic

2.2. Cyber Security

History (1834 to date) explicitly shows that perfect security is a pipe dream, as cybercrimes occur in iterative cycles (Herjavec, 2020). “Cyber-dependent crimes are offences that can only be committed by using a computer, computer networks, or other forms of ICT. These acts include the spread of viruses and other malicious software, hacking, and distributed denial of service (DDoS) attacks, i.e. the flooding of internet servers to take down network infrastructure or websites. Cyber-dependent crimes are primarily acts directed against computers or network resources, although there may be secondary outcomes from the attacks, such as fraud” – (Home Office Research Report, 2013). Globally, 1.76 billion records were leaked from various data breaches in January 2019 alone (Morgan, 2019). Malicious attacks were responsible for 48% of data breaches, human error for 27%, and system glitches for 25% (Cost of a Data Breach Study, 2019). The most challenging areas and functions to defend are mobile devices (57%), public cloud data (56%) and user behaviour (56%) (Cisco, 2018). Cornish et al. (2009, p. 3) introduced the “four cyber-threat domains: state-sponsored cyber-attacks; ideological and political extremism; serious and organized crime; and lower-level/individual crime” (Cornish et al. 2009). Social engineering (the human element within cyber security) has increasingly become too huge a menace to ignore; hence it will be discussed at length, alongside other related concepts, to identify which of the above domains they fall under.

2.3. Social Engineering: The Rise of a Concept

“Nice weather we’re having,” Mark said with a grin as he flicked his lighter to the cigarette in his mouth while struggling to hold his umbrella. “Yeah, just great,” agreed Jerry as he blew out a cloud of smoke toward the windows of an office building. Taking another drag, Jerry asked, “Did you catch the game last night?” Mark flicked some ashes to the ground, “Nah, the wife wanted to check out some new tapas place. Spent 70 bucks and I’m still hungry.” Jerry smirked as the two men extinguished their smokes. “Yeah, I know how that goes,” he said with a nod as Mark swiped his access card and held the door as Jerry shook the rain from his jacket and then stepped inside the building. The men went opposite ways in the hallway. Mark returned to his desk to take an incoming call. Jerry found an empty conference room to set up his laptop and then began stealing the company’s data.

You see, Jerry wasn’t an employee; he was an attacker. – Culled from (Thomas, 2014).

According to CyberEdge reports, social engineering attacks rose from 62% in 2014 to 79% in 2017 (CyberEdge Group, 2019). Social engineering is an all-encompassing term for human-psychology and computer-based exploitation using dark tactics to influence and persuade users (Sadiku, Shadare and Musa, 2016). The term sociale ingenieurs (“social engineers”) was first used in 1894 by the Dutch industrialist J.C. Van Marken in an essay. Its sole purpose was for human challenges to be resolved by experts sought by modern employers. “Social engineering” became the role of the social engineer on its conception in America in 1889 (Conley, 2015). According to The Ultimate Guide to Social Engineering (n.d.), social engineers aim to obtain personal data with the end goal being financial scams, identity theft or an attack on a grand scale. Furthermore, malware is employed to gain unobstructed access to more accounts, systems and personal data. Below are some of the things scammers seek from potential victims:

- Passwords
- Account numbers
- Keys
- Any personal information
- Access cards and identity badges
- Phone lists
- Details of your computer system
- The name of someone with access privileges
- Information about servers, networks and non-public URLs

Figure 8 shows the steps taken by a social attacker to gain these items.

Figure 8: Steps within a social engineering life cycle (Wassemz, 2019)

Social engineering is entrenched in both computer science and social psychology, and knowledge of both disciplines is needed to perform research in social engineering (Sadiku, Shadare and Musa, 2016). However, there are arguments/speculations that SE is more a technical issue than a social issue; hence that claim will be reviewed subsequently.

2.3.1. Social Engineering: A Technical or Social Problem?

“The part of social engineering that most people get wrong is that it is founded in science, in engineering. It is not a methodology for lying. The fundamental pieces of engineering that create the space for something like reframing in a conversation, or anchoring, or the ability to use [neuro]linguistic programming to get an anticipated response are concepts that a social engineer has a foundational understanding of.” – Chris Nickerson (Mike, 2019).

Social engineering can be traced to the beginning of time. The fall of Adam and Eve is due to the power of persuasion used on Eve by the serpent and by Eve on Adam (Skouras, 2016). Hatfield (2018) asserts that, while the origin of SE can also be traced to the political field, with it gaining usage in the field of cybersecurity much later, similar underlying principles are applied: epistemic asymmetry, technocratic dominance, and teleological replacement. Hatfield (2018) further maintains that these principles are “conceptually and semantically” used (Hatfield, 2018).

Similarly, Greavu Serban & Serban (2014) agree that there is a convergence of social engineering and social science at the policy level. This link enabled the study of social constructs and patterns in order to establish ‘the initial state of a society and to predict the effects of decisions that might be taken’ (Greavu Serban & Serban, 2014).

On the other hand, experts opine that a social engineering “epidemic” is imminent (“a new layer of hacking that’s way deeper and more three dimensional”): as artificial intelligence increases in intelligence, there is a tendency for it to outsmart humans. Morawietz cites a scenario: “Imagine AI set loose on a human that says, ‘Hi, this is Gregory from your phone company and I’ve kidnapped your husband, Jerry. Pay this ransom.’ Or, ‘Hi, Grandma, I need 500 bucks. My car broke down.’” It will be so convincing, Morawietz says, that Grandma will ask only one question: “Where do I send the money?”

Sadiku, Shadare and Musa (2016) agree that, while technology may have increased the level of difficulty of some fraudulent activities, it has also created an abundance of new opportunities for adaptable fraudsters; hence, it is crucial to grasp fully the problems within both the technical and the social dimensions of SE (Sadiku, Shadare and Musa, 2016). Social engineering is rooted in the disciplines of computer science and social psychology. Fruhlinger (2019) defines SE as the ‘art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data’. Within these lie the different types of hacking, from human hacking to computer hacking (Fruhlinger, 2020).

2.3.2. Labels within Social Engineering and Ethics: White, Grey and Black Hat

Hackers can be classified into different categories such as white hat, black hat and grey hat. There are other, non-major tiers of hackers, namely script kiddie, neophyte, elite hacker, hacktivist and blue hat ("Types of Hackers and What They Do: White, Black, and Grey | EC-Council Official Blog", 2019). The three major types are explained below:

White hat hacker – This operates within the strand of ethics and is hinged on the maxim “To catch a thief you have to think like a thief”. A white-hat hacker cracks security for ‘non-malicious reasons’. It is employed in two ways: either a company’s in-house ethical hacker tests its own systems, or, on the client side, an ethical hacker is hired by a company to find loopholes in its security. Today there are several certifications within this label of social engineering.

Black hat hacker – The question of ethics is of no import to a black hat hacker. Moore (2005) states that a black hat hacker “violates for little reason beyond maliciousness or personal gain”. Also referred to as “crackers”, black hat hackers’ end goal is to steal passwords and to destroy or weaken secure networks.

In between the white hat and the black hat is the grey hat hacker. A grey hat hacker constantly seeks loopholes and weaknesses within firewalls with the motive of informing the management in question about the flaw in their security (Sova, 2016). A good example of grey hat hackers is botnet researchers, who are the first to discover botnets and manage them, since the machines in a botnet are not the attacker’s own computers but systems being manipulated by threat actors. There is a pertinent debate as to the legitimacy of this type of ethical behaviour (Edgar and Manz, 2020).

2.3.3. Charting the Discourse between Social Engineering and Ethics

Although social engineering attacks are regarded as non-technical attacks, they become lethal when combined with technical types of attack such as spyware and Trojans (Abass, 2018). The same psychological, physiological, and technological principles that are used darkly are also used positively when ethics are applied.

How ethics are applied is often not discernible (Edgar & Manz, 2017). Mouton, Malan, Kimppa and Venter (2015) discuss at length some ethical concerns that a researcher needs to reflect on in terms of non-malicious social engineering, alongside the corresponding normative perspectives that tackle these issues. They further clarify matters by grouping non-malicious attacks into three separate territories in which attacks can occur: public communications (such as radio and television), penetration testing and social engineering research (Mouton et al., 2015). It is worthy of note that the social engineering techniques employed here are not meant to harm the victims or to malevolently use the information gathered (Mouton et al., 2015).

The three main normative approaches to ethics (virtue ethics, utilitarianism and deontology) seek to discern the “rightness” and the “wrongness” of delineated social behaviour (Gowdy, 2013 as cited in Mouton et al., 2015; Harman, 1999). The contrast between these three approaches rests on how one acts when in a moral predicament, and ‘not necessarily in its consequences’ (Mouton et al., 2015).

1. Virtue ethics: Ethical theories generally provide guides to action. Virtue ethics, on the other hand, distinctly emphasizes the personality of the person experiencing the ethical issue. It holds that the resolution of problems or crises largely depends on the individual making the decisions (Morris & Morris, 2016).
2. Utilitarianism: This ethical theory is based on consequences. The consequentialist belief is that the fairness or unfairness of a deed depends on, and can only be measured by, its outcome. However, a popular critique of this theory is the simple issue of how the outcome of a utilitarian choice is to be measured (Robertson & Walter, 2007).
3. Deontology: The focal point of deontology is morals and the ethical act. This school of thought is of the view that right and wrong behaviour is governed by universal guiding rules (Knights and O’Leary, 2006 as cited in Mouton et al., 2015).

The following tables highlight various ethical concerns in social engineering and the stance of each normative approach.


Table 4 – Ethical concerns in public communication, adapted from Mouton et al., 2015.

Ethical concern | Virtue Ethics | Utilitarianism | Deontology
Is it ethical to use social engineering to gain the trust of an individual? | No | No | No
Is it ethical when delegated permission is used to perform social engineering techniques for public comical relief? | No | Yes | No
Is it ethical to use information-gathering techniques to provide participants with false information and to exploit them for either financial gain or fame? | No | Yes | No

Table 5 – Ethical concerns in penetration testing, adapted from Mouton et al., 2015.

Ethical concern | Virtue Ethics | Utilitarianism | Deontology
Is it ethical for the employee to bear the consequences of the successful infiltration when the actual reason for the successful infiltration is not due to the employee’s negligence? | No | No | No
Is it ethical to exploit the personal weakness of an employee when it is known to be common human nature to fall prey to this type of attack? | No | Yes | No
Is it ethical to provide the names of employees who were susceptible to penetration tests in a report to an authoritative figure even though this may have consequences for the employees? | Yes | Yes | Yes
Is it ethical to report a social engineering penetration test as successful when the incident occurred because the employee was correctly performing his or her duty? | Yes | Yes | Yes

Table 6 – Ethical concerns in social engineering research, adapted from Mouton et al., 2015.

Ethical concern | Virtue Ethics | Utilitarianism | Deontology
Is it ethical to conduct social engineering awareness research and how should the participant be debriefed? | Yes | Yes | No
Is it ethical to mislead a participant about informed consent when such consent is required to gain accurate results from the social engineering research experiment? | No | Yes | No
Is it ethical during a social engineering research experiment to utilise information about the participant that may be harmful or sensitive to the participant? | No | Yes | No

Notably, the next section further enunciates the difference between grey hat and black hat SE. According to Schaefer (2009), the use of offensive methods, however, increases the risks of escalation and also an erosion of ethics.

2.3.4. Types of Social Engineering

Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices to gain access to systems, networks or physical locations, or for financial gain ("What is social engineering? - Definition from WhatIs.com", 2019). One of the several techniques of social engineering is phishing (see 2.4).

The types of social engineering are divided into two segments: the social approach and the socio-technical approach.

Social Approach

1. Tailgating, aka piggybacking, involves an attacker entering a building (a company’s physical structure) without legitimate identification. He or she simply waits for an employee with a pass, or any authorized agent, and follows them in (Yasin, Fatima, Liu, Yasin & Wang, 2019). (See section 2.3 of this study for an example.)
2. Pretexting: Unlike tailgating, physical presence is not involved in this type of attack, as it is usually conducted over the phone with the scammer pretending to be someone familiar (e.g. the client). Pretexting makes use of stories and scenarios to spur potential victims into action. The end goal here is to get organisations such as credit card companies, utilities and the transportation industry to disclose retained client data (Wilhelm, 2013).
3. Quid pro quo: Another social engineering method, quid pro quo involves people posing as technical support. They make random calls to a company’s employees claiming that they are contacting them regarding an issue. Sometimes such people get the chance to make the victim do things they want. It can be used on everyday people too (Tiwari, 2020). It typically involves some form of gift as a reward; research reveals that over ‘70% of people would reveal their computer password in exchange for a bar of chocolate’ ("BBC NEWS | Technology | Passwords revealed by sweet deal", 2004).

Socio-technical approach

1. Spear Phishing: This typically involves the personalisation of emails to gain information. It may or may not be grouped under phishing, depending on the degree of personalisation in the tailored email received; that is, targets are not randomly selected (Lastdrager, 2014). This year (2020), a New York TV judge, Barbara Corcoran, was phished of almost USD 400,000: a scammer, pretending to be her assistant, sent an email to the bookkeeper requesting an investment renewal (Jordan, 2020). Similarly, Twitter itself was attacked using this technique in July 2020 (Greenberg, 2020).
2. Whaling attack: This is a type of spear-phishing attack in which only top-management individuals are targeted. The end goal is to deceive CEOs, COOs, presidents and other ‘too busy’ people into revealing personal or company data via website or email spoofing ("Spear Phishing & Whaling Attacks | Information Technology", 2019).
3. Watering Hole: Commonly utilised by cybercriminals or hackers for state-sponsored attacks or espionage operations. A watering hole attack involves strategically placing viruses and malicious code on a public website, with the target being all of the site’s visitors; a backdoor Trojan is installed on the victim’s computer once the site is visited (Paganini, 2018). This type of attack is often well thought out in stages, as it involves the study of the potential victim’s persona and plans on which organisations or industry to exploit (Revathi, Ramya & Gayathri, 2018).
4. Baiting: This type of attack may involve a physical medium (e.g. the attacker strategically placing a USB drive within the vicinity of an organisation). Once the drive is used, the hacker gains access to the victim’s software via the malicious software introduced (Yasin, Fatima, Liu, Yasin & Wang, 2019).
5. Smishing and Vishing: These are quite similar, as both consist of using emotional appeals and are designed to fill the victim with a sense of urgency. The difference between the two techniques is that the former is via Short Message Service (SMS) messages and the latter via voice calls (Drolet, 2020). Vishing utilizes IP-based voice messaging technologies (Voice over Internet Protocol, or VoIP), while SMiShing derived its name from SMS (Osei Yeboah-Boateng & Mateko Amanor, 2020).

The concept of phishing, a type of advanced social approach, is further explored in subsequent sections due to the focus of the research topic.

2.4. Phishing

The number one type of social engineering attack, accounting for more than 80 per cent of reported incidents, is phishing—the end goal of which is often to convince users to install malware. Phishing has been defined as a “social engineering attack that uses e-mail, social network webpages, and other media to communicate messages intended to persuade potential victims to perform certain actions [e.g. entering login credentials in a cloned webpage, downloading an attachment embedded with malware or opening an infective hyperlink] or divulge confidential information for the attacker’s benefit in the context of cybersecurity” (Xiong, Proctor, Yang & Li, 2018).

Yeboah-Boateng and Amanor (2014) also define phishing as a socially engineered attack that involves scammers strategically luring random users with spoofed websites of popular brands. The end game is to gain access to passwords and other sensitive data, which can ruin the user (Yeboah-Boateng & Amanor, 2014). The term “phishing”, spelt with ‘ph’ but pronounced “fishing”, is an analogy to the angler fish, which uses its glowing lure, which dazzles due to the bacteria residing on it, to draw its next meal nearer (Fruhlinger, 2020). The “ph” is a play on words often associated with mischievous hackers and is supposedly inspired by the term “phreaking”, coined from “phone phreaking”, an early form of hacking that comprised playing sound tones into mobile phones to secure free phone calls. The term “phishing” can be traced to the mid-1990s, when hackers used persuasive tricks to lure AOL users into handing over login credentials (Fruhlinger, 2019). According to the 2019 State of the Phish report, over 83% of information security respondents worldwide were victims of phishing in 2018, an increase from 76% in 2017 (Proofpoint, 2019). There are six types of widespread phishing attacks to look out for: deceptive phishing (PayPal scams fall under this category), spear phishing, CEO fraud, vishing, smishing and pharming (Tripwire, 2019). The researcher intends to provide more details in the thesis research.

According to Zvelo, a cyber-security company that categorizes the web, phishing attacks often have the following in common:

1. The utilization of URL shorteners and link redirects.
2. There is usually a tone of urgency to their communication, and the call to action (CTA) often includes a discount or a promo with a limited-time offer to win prizes.
3. Engagement on the page (retweets, likes, mentions, shared posts and so on) is spoofed and engineered to look like the platform’s own.
4. Other people are used to spread the phishing attack, by convincing them that sharing increases their chances of winning.
5. URLs are either misspelt (as in the PayPal case) or hyphenated, and, in the case of Twitter, ‘ask’ is added to the account name to make it seem like the legitimate customer care account of a reputable brand ("Messaging Apps and Social Media Platforms Enable Phishing Scams", 2019).
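The indicators above can be turned into defensive triage logic that flags a tweet for review. The following Python script is an added example written for this page, not code from the thesis or from Zvelo; the protected-brand list, the shortener list, the allowlist of legitimate handles and the three sample tweets are all constructed for illustration (the lookalike domain and the ‘ask’-prefixed handle mirror the patterns in the list).

```python
"""Heuristic scoring of tweets against the phishing indicators listed above.
Added example for this page (not the thesis's or Zvelo's code); all reference
lists and sample tweets below are constructed for illustration."""
import re
from urllib.parse import urlparse

# Constructed reference data; a real deployment would load these from config.
PROTECTED_BRANDS = ("paypal", "twitter", "ebay")               # brands to watch for
VERIFIED_HANDLES = {"paypal", "askpaypal", "twitter", "ebay"}   # assumed legitimate accounts
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com", "goo.gl"}

URL_RE = re.compile(r"https?://\S+", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|limited time|now|hurry|today only|expires|last chance|act now)\b", re.I)
# "retweet/share to increase your chances of winning" style bait
SHARE_BAIT_RE = re.compile(r"\b(retweet|share|rt)\b.*\b(chance|chances|win)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between a hostname label and a
    brand name flags a typo-squat such as 'paypall' vs 'paypal'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(label: str):
    """Return the protected brand that `label` imitates, or None.
    An exact match is the brand itself, not a lookalike."""
    label = label.lower()
    for brand in PROTECTED_BRANDS:
        if label == brand:
            return None
        if brand in label:                      # 'paypal-support', 'paypalchristm'
            return brand
        if len(label) >= 4 and edit_distance(label, brand) <= 2:  # 'paypall', 'twiter'
            return brand
    return None


def suspicious_indicators(tweet: dict) -> list:
    """Return (indicator, evidence) pairs for one tweet {'author': ..., 'text': ...}.
    An empty list means none of the indicators matched."""
    hits = []
    text = tweet["text"]
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            hits.append(("url_shortener", host))
        if not url.lower().startswith("https://"):
            hits.append(("no_https", host))
        for label in host.split("."):
            brand = lookalike_brand(label)
            if brand:
                hits.append(("lookalike_domain", f"{host} imitates {brand}"))
                break
    if URGENCY_RE.search(text):
        hits.append(("urgency", URGENCY_RE.search(text).group(0)))
    if SHARE_BAIT_RE.search(text):
        hits.append(("share_bait", SHARE_BAIT_RE.search(text).group(0)))
    handle = tweet["author"].lower()
    if handle not in VERIFIED_HANDLES:
        # strip the 'ask' prefix used to pose as a customer-care account
        core = handle[3:] if handle.startswith("ask") else handle
        brand = core if core in PROTECTED_BRANDS else lookalike_brand(core)
        if brand:
            hits.append(("impersonating_handle", f"@{tweet['author']} imitates {brand}"))
    return hits


# Constructed sample tweets (not real posts).
SAMPLE_TWEETS = [
    {"author": "PaypalChristm",
     "text": "Last chance! Verify your details now at http://paypall.com/verify "
             "and retweet to double your chances to win"},
    {"author": "PayPal",
     "text": "Read our latest security tips at https://www.paypal.com/security"},
    {"author": "AskTwiter",
     "text": "We noticed unusual activity. Reset now: https://bit.ly/abc123"},
]

if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        print(f"@{tweet['author']}: {suspicious_indicators(tweet) or 'no indicators'}")
```

The first sample tweet trips every indicator except the shortener, the legitimate PayPal tweet trips none, and the third shows that a shortened link and an ‘ask’ handle with a one-letter typo are enough to warrant a closer look. The indicators are only a screen: a human still has to decide, and a hostname that merely contains a brand name (step 5 above) is the weakest signal of the set.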

Table 7: Two common Phishing Lures, adapted from (The Ultimate Guide to Social Engineering, n.d.)

Phishing lure: “You have not paid for the item you recently won on eBay. Please click here to pay.”
How it works: Users receive emails impersonating companies like eBay, claiming they have not yet paid for a winning bid. When they click on the provided link, it leads to a phishing site. The ploy plays on people’s concerns about a negative impact on their eBay store. Rather than clicking on this type of email, experts recommend that users go directly to the website of the business involved by typing the URL into the browser bar.

Phishing lure: “You’ve been let go. Click here to register for severance pay.”
How it works: Criminals take advantage of economic uncertainty and increased digitization by sending an email to employees with a malicious link that appears to relay news that requires a quick response, such as, “We are sending out W-2 forms electronically this year.” (The Ultimate Guide to Social Engineering, n.d.)

Table 8: A summary of some of the prominent phishing attacks so far in 2020. Compiled from (Irwin, 2020).

Organisation attacked | Industry | Country | Month of exposure | Financial/data loss
Manor Independent School District | Education | USA | February 2020 | $2.3 million
Puerto Rico government | Government | Puerto Rico | March 2020 | $2.6 million
Altice USA | Cable TV | United States | March 2020 | Personal data: names, dates of birth and Social Security numbers
Ordnance Survey | Government mapping agency | Britain | March 2020 | Personal data and bank account compromised
150 different companies targeted by PerSwaysion | Financial sector, legal, information security, consulting, manufacturing, retail and distribution, energy and other | Multiple organisations across the world | April 2020 | Personal data
Twitter | Social networking site | Global | July 2020 | £116,000 in Bitcoin

After this cursory look at the concept of phishing, required by the focus of the research topic, it is of utmost importance to map out the current debates within the phishing landscape on Twitter.

2.4.1. Defining Phishing in the context of Current Debates: Twitter for Phishing

Our technological powers increase, but the side effects and potential hazards also escalate. — Arthur C. Clarke

Twitter defines Phishing as “a deceitful process by which an attempt is made to acquire sensitive information such as Twitter usernames and passwords” (Stone, 2010).


Furthermore, hacking is illicit access to an account via phishing, password guessing³ or session stealing⁴. Usually, this is followed by unauthorized posts from the account. Hacked accounts are sometimes referred to as "compromised." There have been several crucial debates and controversies trailing Twitter since its inception in 2006, from the problem of automated bots to privacy concerns to the hot topic of this year: phishing vis-à-vis spear phishing. Before the crackdown on Twitter bots and inactive accounts, Chhabra et al. (2011) cited the platform as a ‘phisher’s paradise’. Their findings revealed that 89% of the users engaging with phishing on Twitter were automated accounts (Chhabra et al., 2011).

According to Bossetta (2018), apart from the issue of chatbots, five other existing features enable spear-phishing within Twitter’s digital architecture:

1. Twitter’s use of hyperlinks: Twitter’s architecture enables hyperlinking to external sites, often with the use of link shorteners such as https://bitly.com to hide the dark/malicious link (Nepali and Wang, 2016). Link shorteners are heavily used because of Twitter’s 280 character limit.
2. Twitter is the platform where ‘immediacy of news’ is king (“The Purpose of Social Media,” n.d.). A lot of journalists, media stakeholders and practitioners alike prefer to use Twitter because news breaks on the platform almost as it happens offline and because of its one-to-many network advantages (Dijck, 2012). This is also due to the 280 character limit.
3. Twitter’s API: The feature provides a window for proper targeting and profiling of potential victims via harvesting of user data (Bossetta, 2018). These modern phishing attacks often employ a data mining approach, a method called Open Source Intelligence (OSINT) (Ariu et al., 2017 as cited in Bossetta, 2018).
4. Targeted tweets: Using the mention (@) feature, phishers can target a user with a black hat link included. Furthermore, the inclusion of the @mention ensures that the attack goes unseen by the public.
5. Twitter’s privacy settings: Users’ privacy settings on Twitter are set to open by default. Phishers can therefore @mention a targeted user without establishing prior contact.

³ An online technique that involves attempting to authenticate a particular user to a system. See https://www.sciencedirect.com/topics/computer-science/password-guessing#:~:text=Password%20guessing%20is%20an%20online,particular%20user%20to%20the%20system.&text=Account%20lockouts%20are%20used%20to,large%20number%20of%20potential%20passwords. for more information.
⁴ A session commences when a user logs into a service. The crime occurs when said session is hijacked by a hacker. See https://www.netsparker.com/blog/web-security/session-hijacking/ for more information.

In the following section,

2.4.2. Covid19 Blues: A New Level to Phishing

Responding to current issues is a well-known tactic of cybercriminals, especially when those themes are accompanied by uncertainty and fear. Such themes keep people preoccupied, and it is then easier to entice them to click on unsafe links.

Dynamism, or keeping abreast of trends, has always been an integral tactic of scammers. Research reveals that users ignore security concerns especially when they are online with mobile devices (Yeboah-Boateng & Amanor, 2014). According to Kemp (2020), search behaviours keep evolving and internet usage increased by 30% this year. Additionally, from February phishing scams rose by over 600% as a result of pandemic anxiety among individuals online (Irwin, 2020). Susceptibility rates increased considerably as a result of remote working (Irwin, 2020). Graph 1 shows the spike in phishing attacks between February and March of 2020.

Graph 1: Spikes of phishing attacks in several countries, with Italy being the highest. Source: ("Recent Escalations in Cyberattacks in Italy Prove the Coronavirus Impact on Cybersecurity - Acting as a Warning for CISOs Worldwide - Cynet", 2020).


According to the Indiana University of Pennsylvania (2020), the following were some of the most prevalent phishing tactics utilized in scamming victims during the pandemic:

1. Email scams propagating remote jobs due to the COVID-19 outbreak. One such email maliciously offers students research work for $250.
2. No health agency or government department will email you asking for health details or try to sell you a COVID-19 test or vaccine.
3. The Red Cross, the World Health Organization, and your government health department will never ask for your confidential information via email or text message.
4. Do not trust social media posts or ads promising COVID-19 cures, tests, or vaccines or selling masks and gloves (Indiana University of Pennsylvania, 2020).

Cybercriminals continue to capitalize on pandemic anxiety and fear of the future to launch malicious campaigns with one set objective: to get individuals to click. The next section looks at some Twitter for Phishing incidents, while section 3.4.1 shows the analysis.

2.5. Twitter for Phishing Incidents

This research examines security events that include data breaches, security incidents, privacy violations, and phishing crimes. It analyzes the characteristics of these breaches (such as causes, types of information compromised and patterns within them).

2.5.1. Incident 1: The Epic PayPal Phishing

Threat Overview

• Summary: An end-of-year raffle draw campaign to win undisclosed prizes, run from a fake PayPal account.
• Tactics and Tools: i) Spoofed PayPal website. The phishing URL had an extra “L”, spelling “PayPal” as “Paypall”. ii) The tweet was promoted.
• Volume: Viral campaign; however, the KPI remains undisclosed, as only the promoter and Twitter would know (Hughes, 2019).

Table 9. Summary of the PayPal case

As discussed in the previous sections of this research, the concept of phishing is not new; what is new, however, is a phishing campaign running as a promoted tweet that got past Twitter. A Twitter account (@PaypalChristm), since deleted, claimed to be PayPal’s real brand account and promoted an end-of-year raffle draw campaign. Although it did not outright state what the prizes were, it dangled the prospect of winning iPhones and a new car to lure in the unsuspecting. To win, all users needed to do was verify their details; clicking and verifying was the catch.

Lots of tweeps missed the fact that it was fake despite the clues. For instance, the phishing URL had an extra “L”, spelling “PayPal” as “Paypall.” More alarming was the fact that the tweet came from an unverified account with fewer than 100 followers, and the image used to run the promoted tweet was not consistent with PayPal’s distinctive branding.

“It looked like something someone knocked up in MS Paint in less than ten minutes. Clicking through on the phishing link, you get to a page that – at least superficially – looks like the legitimate PayPal login site. The scammers had very clearly gone to great efforts to make it look like the real deal. The most obvious clues that it was a scam were in the lack of HTTPS and the URL” (Hughes, 2019).

2.5.2. Incident 2: Twitter Spear Phishing Case

• Summary: Twitter was breached via a phone spear-phishing attack. This major security breach targeted over 130 accounts, hijacked and tweeted from 45, used the direct message function of 36, and downloaded the data of seven tweeps.
• Tactics and Tools: i) Phishers called up Twitter staffers and, using false identities, tricked them into giving up credentials that gave the attackers access (Suciu, 2020) to an internal company tool that let them reset the passwords and two-factor authentication setups of targeted user accounts. ii) Pretexting and using some of Cialdini’s principles of persuasion, such as Liking and Authority.
• Volume: Unprecedented attack in the history of social media, targeting celebrities and people of influence. The Federal Bureau of Investigation (FBI) got involved as people lost over £116,000 in bitcoin.

Table 10. Twitter Spear Phishing Case

2.5.3. Incident 3: Covid19 Password Dump

• Summary: The threat actor (phisher) claims to help individuals discover, for a fee, whether their passwords have been published online without their permission (Ellis, 2020).
• Tactics and Tools: i) Coronavirus is mentioned to add legitimacy as well as online visibility to the post. The victim can assume that, because the threat actor is providing services due to the pandemic, it is either out of empathy for those affected or because account data, in general, may now be more prone to a breach. ii) Credential dumping.
• Volume: Personal data; user authentication data such as usernames and passwords.

Table 11. Covid19 Password Dump

There is some notable research that further analyses social engineering attacks. Figure 9 is a conceptual model provided by Janczewski & Fu (2010) to understand the impacts of SEAs on individuals and businesses and to present a defensive approach to mitigate the risks.

Figure 9: Conceptual Model by (Janczewski & Fu, 2010).

2.6. Role of Language and other semiotic resources in the formation of pretext to establish Trust.


Research typically focuses on comprehending the factors that influence user behaviour, because phishing is a behavioural problem (Wright & Marett, 2010). According to Guo et al. (2011), several works of literature indicate that users’ propensity to be security conscious varies from their real security behaviour. Persuasion principles are usually embodied in the words and language of the message to influence emotions (as discussed in the introduction) and sway cognitive capacities (Bullée et al., 2015). Also, visual signals are employed, by spoofing company pay-offs and logos, to foster users' trust in the communication (Moreno-Fernández et al., 2017).

Model Trust Case: The Robin Sage experiment

“A security consultant created a fictional persona, Robin Sage, who was purportedly a cyber threat analyst for the U.S. Department of Defense. Robin had accounts on LinkedIn, Twitter, and Facebook, and those were used to create a network of professional “targets.” Most of her new connections worked for the U.S. military, government, or affiliated organizations. Despite the lack of hard evidence to corroborate Robin’s clearance, credentials, or even existence, the contacts shared information that revealed their email addresses, bank accounts, and even the location of secret military units. Robin was sent documents to review and offered speaking slots at conferences.” (Poulin, 2020)

2.7. Towards a people-centric approach to Cyber security Awareness

As discussed earlier in this research, the major weakness in social engineering is we, the people. Each day cybercriminals up the ante in utilizing the different principles of persuasion, as they realise that exploiting human emotions and susceptibility is the best way to pilfer data and/or finances.

A consistent number of studies used in this literature review all reiterated the need for companies to better train their staff and for top-level management to be more aware. However, a plethora of Twitter phishing cases (the recent ones especially) were targeted at individuals: hijacked celebrity accounts were used to phish their “social proof frenzied” followers. Hence, this calls for a more people-centric approach to cyber security awareness.

Research proves that phishing education goes a long way in drastically reducing susceptibility to social attacks. Hadnagy (2018) reports that, as a result of phishing awareness on an individual level, an organisation witnessed an 87% reduction of malware on its network.

Furthermore, all assessed SE cases show that no matter how security conscious an organisation may be or how advanced its technology is, the “human” factor needs to be taken into consideration. Thus there is a need for more awareness and knowledge assessment on a case-by-case basis.

2.8. Informational Privacy and Data Literacy

Data literacy is the empowerment that comes from data. Twenty years after its coinage, data literacy is still an unclear concept (Guler, 2019). We live in a “move fast and break things” world, and in this era of digitalisation the need for data literacy and awareness is very crucial. Most SNSs and Silicon Valley companies still have a culture/business model that puts the privacy of individuals at risk (for instance, the Twitter spear-phishing case) (Lohani, 2018). As a result, there has been increasing concern amongst stakeholders (business leaders, privacy activists, scholars, government regulators, and users) about informational privacy. Currently, the plethora of scams on Twitter and the unprecedented spear-phishing attack in July 2020 have had the integrity of Twitter questioned by stakeholders (Greenberg, 2020). The next section reviews Twitter’s Financial Scam Policy.

2.9. Policy Review: Twitter Financial Scam Policy

“You may not use Twitter’s services in a manner intended to artificially amplify or suppress information or engage in behaviour that manipulates or disrupts people’s experience on Twitter” (Twitter, 2019).


Chebab (2017) states that “Policies are made to clarify functions and responsibilities, promote consistency, meet standards and make decision-making transparent. Policy development offers an opportunity to engage with the community on matters of importance to that community”. Figure 10 shows the release post of September 2019.

Twitter’s Financial Scam Policy was first enacted in September 2019 after the initial rise of scams such as the Elon Musk, PayPal and Pathé UK scams. It highlights what exactly is considered a scam on the platform, i.e. relationship/trust-building scams, money-flipping schemes, fraudulent discounts and phishing scams. It was reactive rather than proactive. It has since been reviewed and updated following the huge spear-phishing case of July 10. However, findings point to the lack of a comprehensive policy as yet, and several media articles and reports argue that it lacks comprehensiveness.


Figure 11: Twitter being called out on its ineffectiveness.

“The new policy arrives at a time when Twitter has been criticized for allowing crypto scams to proliferate on its service. Many of these involve impersonation, using the reply function to spam and general promises to make victims lots of money. Twitter also this year allowed an obvious PayPal phishing attempt to run as a promoted tweet, which spoke to the need for stronger oversight in this area” (TechCrunch; Perez, 2019).

On the other hand, this policy is an upgrade of Twitter’s manipulation and spam policy (it categorises what a scam is on the platform), and Twitter has since October 2019 reduced cryptospam from 1 million per day to less than 5,000 per day (Chaturvedi, 2020; Hutchinson & Hutchinson, 2020). The general loophole is the absence of an awareness campaign in its overall strategy. The researcher proposes the practical application of Helen Nissenbaum’s Contextual Integrity framework of privacy to mitigate these issues (see section 5 for more).


3. METHODOLOGY

This chapter highlights the research methods, design and techniques used to answer the research questions of this master thesis. First, the quantitative survey method is presented, and then digital methods (textual analysis) as a research practice and their limitations. Afterwards, there is a general description of the four simple procedures on which the analysis is based: (1) data collection, (2) data cleaning, (3) analysis, and (4) visualization.

3.1. Quantitative Survey Research

Survey research is employed:

“to answer questions that have been raised, to solve problems that have been posed or observed, to assess needs and set goals, to determine whether or not specific objectives have been met, to establish baselines against which future comparisons can be made, to analyze trends across time, and generally, to describe what exists, in what amount, and in what context.” (Isaac & Michael, 1997, p. 136).

This form of research enables data collection, the recruitment of participants, and the use of various methods of instrumentation. Qualitative research approaches (i.e. open-ended questions), quantitative research approaches (i.e. questionnaires with statistically evaluated instruments) or both approaches (i.e. mixed methods) can be used in a research survey. Surveys are commonly used in social and psychological research as they afford the grounds to describe and explore human behaviour through data (Singleton & Straits, 2009).


Phillips (2008) stated that a questionnaire may contain any or all of these types of questions:

1) Open-ended questions allow unlimited answers. Questions are followed by ample blank space for the responses.

2) Checklists provide a list of items, and the participant is asked to check those that apply in the situation.

3) Two-way questions limit answers to a pair of alternative responses (yes and no).

4) Multiple-choice questions provide several possible answers, and the participant is asked to select the most applicable one.

5) Ranking scales require the participant to rank a list of items.

This research survey had 18 general questions and the BIG5 Ten Item Personality Inventory (TIPI). Being explorative research, it was designed to capture user perception and how much is known about the problem of phishing on Twitter (R1 and R2). The questions are centred around three main themes. First, questions in the first section were to help determine participants’ susceptibility to phishing, based on the assumption that people often think they can spot attempts at persuasion and social engineering attacks (Sagarin, Cialdini, Rice & Serna, 2004). Secondly, the stance/opinions of users on Twitter phishing and users’ perception of Twitter’s effectiveness (policy). The questions in the third section look into phishing tactics and scenarios while linking them to Cialdini’s six principles of influence; they also aim to establish plausible relations between the personality traits of the Big 5 model and Cialdini’s principles of influence. The questionnaire encompassed open-ended questions, Likert scale questions (Big 5 test) and multiple-choice questions with responses predetermined for ease of selection, with the ranking questions offering the chance to score on a very low to very high scale. For these questions, a voluntary segment coded as ‘Other’ was included for extra answers.


3.1.1 Survey Sample

To conduct the survey, the convenience sampling method was employed. Male and female active Twitter users between the ages of 18 and 34 were selected. This is due to the fact that, while cyber security awareness is important in the digital age, data indicates that global Twitter users within the above age range (57.9%, see graph) were the most active users. An invite to participate was sent out. Criteria for selecting the participants included geographical distribution, field of knowledge and gender representation. Stratified sampling was used as it highlights Twitter users within the entire population. According to recent statistics, the most active Twitter users globally (30.9 per cent) were aged between 25 and 34 years. Next to this demographic group were users between the ages of 18 and 24 at 27 per cent (DataReportal, We Are Social & Hootsuite, 2020).

Graph 2: Distribution of Twitter users worldwide as of July 2020, sorted by age group.

3.1.2. Gathering Survey data and Responses


A survey was designed using PsyToolkit, a free web-based service designed for framing, running, and analysing online surveys and reaction time (RT) experiments. ‘The behaviour experiment software includes a top scripting language, a library for the programming language C, and a questionnaire presenter’ (Stoet, 2010). Aside from PsyToolkit, there are other tools which can be deployed to run psychological experiments. These include E-Prime, Inquisit, Superlab, and DirectRT (Stahl, 2006).

A total of 85 survey responses were collected, 65 of them (over 70%) completed and the other 20 uncompleted. 100% of the people that took part in the survey consented to participate in it. In collecting emails for the survey, a total of 74 emails were collected, but after cleaning of repeated emails this dropped to 70.

Overview of Survey Analysis
Completed surveys: 65
Uncompleted surveys: 20
Total surveys (complete or incomplete): 85

Participants first responded to demographic questions, then to questions testing user knowledge of Twitter phishing, and then to questions on personality traits. Finally, participants were thanked for their participation. The survey highlighted confidentiality and voluntary participation. This online survey took no more than 10 minutes to fill in. All participants gave informed consent before starting the study. Associations between the Big Five personality traits and Cialdini's principles were analysed.

3.2. Digital Methods as a research practice

Unlike the inflexibility that traditional media offers, new media are interactive, ‘in the sense that they allow individuals to tailor the mediated environments based on their own needs’, and one can decide to tweet just text, or text alongside pictures, GIFs and videos. One can also add hyperlinks to direct followers or potential followers to other shared posts on the internet (Schejter & Tirosh, 2016; “The Purpose of Social Media,” n.d.). Jenkins (2006) describes this ‘content flow in multiple directions’ as merging through ‘individual and social interaction’ (Jenkins, 2006). Twitter’s pervasive nature and its compatibility with different operating systems are among its several advantages (Dijck, 2012, pg 4). On the other hand, Ess (2010) believes that digital tools of communication disregard informational privacy and blur the lines between what is “public” and what should be “private” (Ess, 2010). This has driven the need for Digital Humanities to understand the social dimensions of the web and the relevance of web material as a source for social research (Brügger & Finneman, 2013). Although Twitter is not the biggest social media platform, it is a very popular platform for social science research (McCormick, Lee, Cesare, Shojaie & Spiro, 2017). Also, compared to other platforms, Highfield & Leaver state that Twitter provides a researcher with certain advantages:

• Standardised capture and analytics methods
• Public data, as tweets can be accessed by anyone, anywhere in the world
• Consistent data (280 character limit)
• Primarily textual data (processing and analysis)
• Methods for large-scale tracking and analysis of Twitter are well-established (Highfield & Leaver, 2014).

According to Rogers (2013), by “repurposing Web-native techniques for research into cultural change and societal conditions, we can learn to reapply such ‘methods of the medium’ as crawling and crowdsourcing, PageRank and similar algorithms, tag clouds and other visualizations; we can learn how they handle hits, likes, tags, date stamps, and other Web-native objects. By ‘thinking along’ with devices and the objects they handle, digital research methods can follow the evolving methods of the medium.” Through the collection, analysis, and visualization of online data, digital methods can be defined as approaches that enable the analysis of changes in social behaviour and cultural aspects (Rogers, 2015). Since the research subject of this master thesis addresses natively digital objects, digital methods will be used for gathering and analyzing Twitter data together with qualitative research approaches. One of the most common approaches for data collection on Twitter is the collection of tweets using keywords or hashtags. The first step for the data collection is to define a query: a series of words or combinations of words. Once the query is defined, the tool stores those tweets in which one or more of the keywords defined in the query appear.


3.2.1 Gathering twitter data and metadata

Twitter APIs were utilized for data extraction, mostly to answer RQ2 and RQ4. Twitter APIs are the computerized middlemen between two pieces of software (the one on the user’s device and Twitter’s). The API provides a list of methods that enable i) the retrieval of data (GET) and ii) the creation of data (POST). DMI-TCAT (Twitter Capture and Analysis Toolset), a tool by the Digital Methods Initiative of the University of Amsterdam, is one of the tools used for data collection and analysis. Developed by Erik Borra and Bernhard Rieder, DMI-TCAT is an open-source tool that helps to accumulate and analyse tweets for social and human sciences research (Borra & Rieder, 2014).

The strategy of collecting tweets based on hashtags and keywords is one of the most frequent methods for data extraction on Twitter. As an initial step, a query (a cluster of words) is defined. Following the definition of the query, tweets are pulled based on the defined keywords. There are legal and ethical consequences of using social media data (Ahmed et al., 2017).

Williams, Burnap and Sloan (2017) report that several studies reiterate the need for ethical awareness when gathering, mining and publishing Twitter data. On the other hand, technically, tweets gathered using the Twitter API are publicly accessible, hence gathering the data has no legal complications (Williams, Burnap & Sloan, 2017).

However, it is crucial to comprehend that tweets are ways users show their stance on issues and express their identity, thus reflecting vulnerabilities and other semiotic deductions, emotions, or feelings that these users may find too invasive to have gathered for academic research. It is also worthy of note that stakeholders (users) understand to an extent that their tweets become publicly accessible after the inclusion of keywords and hashtags.

In the course of gathering data, the emphasis was placed on tweets on themes related to the discourse on social engineering and the ethical concerns therein. Thus, the likelihood of this research being detrimental to the studied users is minimal. With ethical and technical limits taken into consideration, data is collected in the next step (Woodford, Walker, & Paul, 2013).

Aside from tweets, DMI-TCAT also retrieves Twitter metadata (links, mentions, replies, retweets etc.) and other indicators of the users, such as published tweets, followers, followed accounts and so on (see Appendix 2).

There are two limits to how DMI-TCAT retrieves Twitter data from the Search API. First, historical data cannot be obtained (collection starts when a query is keyed in). Secondly, spelling and typographical errors in tweets prevent the tool from collecting some tweets that may otherwise prove useful.

As a result of the above-stated limitations and the fact that the query “Twitter Phishing” was too narrow (too few search results: ‘100’), the researcher used the Future Digital Work tool, a web scraper implemented alongside Twitter’s developer API which allows collection of data from Twitter, to gather historical tweets based on new themes within the topic of research and the current discourse/debates on Twitter (i.e. COVID 19). They are “Phishing”, “Cybersecurity”, “Social Engineering” and “Hacked”. With the aim of further understanding these four concepts, which proved to be of considerable importance in the literature review, and to fully obtain the discourse on the concept of phishing and the ethical concerns within it, data was collected for a longer time frame (1st November 2019 to July 2020). A total of 117,000 tweets was collected based on these themes: 56,000 with the keyword “Phishing”, 21,000 with the keyword “Cybersecurity”, 34,000 with the keyword “Social Engineering” and 66,000 with the keyword “Hacked”.

3.2.1 Analysis

Method triangulation is used to unveil important insights about the online discourse on social engineering, ethics and the stakeholders participating in the discourse. According to Salkind (2010), “triangulation refers to the practice of using multiple sources of data or multiple approaches to analyzing data to enhance the credibility of a research study". Similarly, a variety of other factors such as ‘theoretical frameworks, several data sources, different methods of data gathering and analysis’ are used to glean findings and conclusions (Tiainen & Koivunen, 2006). Method triangulation is often used to analyse interviews, focus groups, written archives, or other sources (Salkind, 2010). We went further by using the mixed method approach to ensure our research’s reliability and validity.

Combining quantitative and qualitative research data reduces the likelihood of bias or weaknesses within each method. Mixed methods also provide the researcher with “breadth and depth of understanding and corroboration” (FoodRisk, 2020). Atieno (2009) opines that findings in a qualitative approach “cannot be extended to wider populations with the same degree of certainty that quantitative analyses can” (Atieno, 2009, p.17).

Several books discuss in detail the methodological nature of the mixed-method paradigm (Brewer & Hunter, 1989; Creswell, 2003; Greene, Caracelli & Graham, 1989; Johnson & Christensen, 2004; Newman & Benz, 1998; Reichardt & Rallis, 1994; Tashakkori & Teddlie, 1998, 2003, as cited in Johnson & Onwuegbuzie, 2004). It is noteworthy that the focus of this thesis is to provide a rich and contextualised understanding of human behaviour in a specific period; hence it does not generalise its findings to all Twitter discussions on these topics. It is also notable that this research would likely yield a different result if replicated at a different time and in a different context.

For analysis, statistics and activity parameters were used (several tables with information about the frequency of tweets and other objects, such as URLs, hashtags, mentions, retweets, replies, etc.). PsyToolkit was used for first-level analysis of the survey (see the initial tables in the Survey section of the findings). R, a data analysis tool, was then used for visualisation.

The findings of the quantitative analysis will be combined with the insights gleaned from the close reading analysis of texts and tweets (see 3.4.1). Patterns can then be identified by the researcher through a quantitative approach (Manovich, 2011).

3.3.1 Data cleaning and editing

80% of today’s data is unstructured, owing to the variety of components in today’s data. Cleaning and editing data is thus a crucial step in the analytical process, especially given that content on Twitter is sent out in organised and often unambiguous ways.


According to Van den Broeck et al. (2005), “Data cleaning is emblematic of the historical lower status of data quality issues and has long been viewed as a suspicious activity, bordering on data manipulation” (Van den Broeck, Argeseanu Cunningham, Eeckels & Herbst, 2005). However, it is a necessary process that ensures sufficient data quality for analysis (Tamraparni & Johnson, 2004).

For the creation of the actual dataset used for the final analysis, only “unique tweets” that did not present a language barrier were included. This means that retweets and duplicate tweets were excluded from this dataset.

3.3. Qualitative Analysis- Textual/Close Reading

Close reading involves the critical reading of texts with the aim of identifying patterns and themes (Beth, 2020).

Persuasion in Social Engineering in Tweets

The researcher further validated Cialdini's 6 principles of persuasion in Twitter phishing by analysing which of them are used in a subset of the Twitter phishing data collected and in the 3 media articles (reports on phishing incidents). The researcher used three Twitter phishing incidents: 1) the PayPal case, 2) the COVID-19 case and 3) the Twitter spear phishing case. The next section shows common themes and patterns within these three events.

Table 12: Of the 3 media articles/Twitter cases, these were the common elements.


3.4. Quantitative Analysis – Digital Methods & Survey Research

(1) Textual Analysis

Text analytics and Natural Language Processing (NLP) techniques were applied to understand the content of the tweets. Text analytics is the process of extracting information and uncovering actionable insights from unstructured text (in this case, Twitter data). Text analytics helps us to evaluate the content and determine its relevance to the research topic. For this analysis, text analytics employed the methodology of natural language processing, a component of text analytics that helps machines “read” text by simulating the human ability to understand a natural language. NLP uses a variety of methodologies to decipher the ambiguities in human language while analysing data in a consistent and unbiased manner.


In applying this technique, we made use of:

- Topic Modelling, to fetch the top words used in all the tweets, as topic models automatically discover the topics occurring in the data collected.

- Regular Expressions, a sequence of characters that defines a search pattern. Regular expressions helped to detect the top brands mentioned in the tweets collected, as well as to extract the links in the tweets.
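The cleaning step of 3.3.1 (dropping retweets and duplicates) and the regular-expression extraction of mentions and links described here can be shown together in a few lines of Python. This is an added example written for this page, not code from the thesis (whose analysis used R and Excel); the sample tweets, the stopword list and the convention that a retweet's text begins with "RT @" are constructed assumptions, as is the small top_terms word count that stands in for the thesis's "most used words" tables:

```python
import re
from collections import Counter

# Constructed sample tweets, not drawn from the thesis dataset. A text starting
# with "RT @" is treated as a retweet (an assumption for this demo; a DMI-TCAT
# export would normally carry an explicit retweet column instead).
SAMPLE_TWEETS = [
    "Beware of fake login pages, @youtube users: https://example.test/reset #phishing",
    "RT @someone: Beware of fake login pages, @youtube users: https://example.test/reset #phishing",
    "Beware of fake login pages, @youtube users: https://example.test/reset #phishing",
    "@twitter why was my account hacked and locked? #hacked",
    "New ransomware wave hits business data, says @youtube security team http://t.co/abc123",
]

# A handle is "@" followed by up to 15 word characters, not preceded by a word
# character or another "@", so e-mail addresses are not counted as mentions.
MENTION_RE = re.compile(r"(?<![\w@])@(\w{1,15})")
URL_RE = re.compile(r"https?://\S+")

# Small constructed stopword list; a real run would use a full list.
STOPWORDS = {"the", "a", "an", "and", "or", "of", "to", "in", "on", "for", "is",
             "was", "my", "why", "your", "this", "that", "with", "from", "are",
             "be", "it", "at", "by"}


def clean_tweets(tweets):
    """Drop retweets and exact duplicates, keeping the first occurrence in order."""
    seen = set()
    unique = []
    for text in tweets:
        if text.startswith("RT @") or text in seen:
            continue
        seen.add(text)
        unique.append(text)
    return unique


def extract_mentions(text):
    """All @handles in a tweet, lower-cased so @YouTube and @youtube count together."""
    return [m.lower() for m in MENTION_RE.findall(text)]


def extract_links(text):
    """All http(s) URLs in a tweet."""
    return URL_RE.findall(text)


def top_mentions(tweets, n=5):
    """Most frequently mentioned handles: the thesis's 'most targeted brands'."""
    counter = Counter()
    for text in tweets:
        counter.update(extract_mentions(text))
    return counter.most_common(n)


def top_terms(tweets, n=5):
    """Most frequent words after removing links, mentions and stopwords."""
    counter = Counter()
    for text in tweets:
        text = URL_RE.sub(" ", text)
        text = MENTION_RE.sub(" ", text)
        for word in re.findall(r"[a-z]+", text.lower()):
            if word not in STOPWORDS and len(word) > 2:
                counter[word] += 1
    return counter.most_common(n)


if __name__ == "__main__":
    cleaned = clean_tweets(SAMPLE_TWEETS)
    print(len(SAMPLE_TWEETS), "raw ->", len(cleaned), "unique tweets")
    print("top mentions:", top_mentions(cleaned))
    print("top terms:", top_terms(cleaned))
```

Mentions are counted after cleaning, so a viral retweet does not inflate a brand's count; the thesis's exclusion of retweets in 3.3.1 matters for exactly this reason.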

(2) Sentiment Analysis

Customarily, the only dependable way to gauge the mood of the general public is to interview them on their feelings and determine public opinion. Sentiment Analysis was used to answer the main research question: What is the stance of different stakeholders on Twitter Phishing? According to Asaf (2020), “Sentiment Analysis is the process of computationally identifying and categorizing stakeholder opinions expressed in a piece of text, especially in order to determine whether the stakeholder's attitude towards a critical success factor is positive, negative, or neutral.”

Sentiment analysis (SA) is an intellectual process of extricating users’ feelings and emotions. It is one of the most pursued fields of Natural Language Processing (NLP) (Devika, Sunitha & Ganesh, 2016). We used Sentiment Analysis to identify, classify, and interpret the emotions and perspectives of users whose tweets were collected. In detecting the various sentiments, the NRC Emotion Lexicon was used. This categorises sentiment in a binary fashion (Positive or Negative) and into emotions (Anger, Fear, Anticipation, Trust, Surprise, Sadness, Joy, and Disgust).
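The lexicon-based scoring described here (each tweet is matched against a word list that maps words to the two polarities and eight emotions) can be demonstrated in Python. This is an added example, not the thesis's own analysis code; TOY_LEXICON is a constructed stand-in with the shape of the NRC Emotion Lexicon (word to categories), not the real lexicon, and the sample tweets are constructed. Counting works the way the thesis's "Number of Reactions" tables do: a tweet counts once for every category it triggers, so the column does not sum to the number of tweets.

```python
import re
from collections import Counter

# The ten NRC categories: two polarities plus eight emotions.
CATEGORIES = ("positive", "negative", "anger", "fear", "anticipation",
              "trust", "surprise", "sadness", "joy", "disgust")

# Constructed toy lexicon in the NRC Emotion Lexicon's shape (word -> categories).
# It is an assumption for this demo, not the real NRC word list, which has
# thousands of entries; the real file can be loaded into the same dict shape.
TOY_LEXICON = {
    "hacked":  {"negative", "anger", "fear"},
    "scam":    {"negative", "anger", "disgust"},
    "attack":  {"negative", "anger", "fear"},
    "secure":  {"positive", "trust"},
    "protect": {"positive", "trust", "anticipation"},
    "update":  {"positive", "anticipation"},
    "free":    {"positive", "joy"},
    "lost":    {"negative", "sadness"},
    "urgent":  {"negative", "fear", "anticipation"},
}

# Constructed sample tweets, not drawn from the thesis dataset.
SAMPLE_TWEETS = [
    "My account got hacked and they sent a scam link to everyone",
    "Update your password today to keep your account secure",
    "Free bitcoin giveaway, urgent, act now",
    "We lost access after the attack",
    "Great tips on how to protect your team from phishing",
]

WORD_RE = re.compile(r"[a-z']+")


def tokenize(text):
    return WORD_RE.findall(text.lower())


def score_tweet(text, lexicon=TOY_LEXICON):
    """Union of the categories of every lexicon word found in the tweet."""
    hits = set()
    for word in tokenize(text):
        hits |= lexicon.get(word, set())
    return hits


def count_reactions(tweets, lexicon=TOY_LEXICON):
    """Number of tweets expressing each category (a tweet counts once per category)."""
    counter = Counter({c: 0 for c in CATEGORIES})
    for text in tweets:
        counter.update(score_tweet(text, lexicon))
    return counter


def reaction_table(counter):
    """Rows sorted by count, descending, the way Tables 13-22 are laid out."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def polarity(text, lexicon=TOY_LEXICON):
    """Binary call from the two polarity categories; mixed or no hits is neutral."""
    hits = score_tweet(text, lexicon)
    if "positive" in hits and "negative" not in hits:
        return "positive"
    if "negative" in hits and "positive" not in hits:
        return "negative"
    return "neutral"


if __name__ == "__main__":
    print(f"{'Sentiment':<14}Number of Reactions")
    for category, n in reaction_table(count_reactions(SAMPLE_TWEETS)):
        print(f"{category.capitalize():<14}{n}")
```

Note how the third sample tweet, a "free bitcoin" lure, scores both positive (free) and negative (urgent): lexicon scoring reads the wording, not the intent, which is one reason the thesis pairs it with close reading rather than relying on it alone.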

(3) Descriptive Analysis

According to Tony (2011), descriptive analysis is often employed in exploratory research. It is also the ‘go-to’ methodology for interpreting the results of a survey. It is generally accepted that, for inductive and exploratory research, qualitative methods are most suitable, as they can lead us to hypothesis building and explanations (Tony, 2011).


3.5. Visualization

This section highlights the types of graphs and illustrations within our methodology. Visualising data is a crucial part of the analysis of research. Visualisation not only helps put statistics into context but also generates insights at a level that descriptive data cannot.

More importantly, the data visualization aids perception and cognition of distinct patterns by the researcher to make smart observations, identify patterns and trends within datasets.

For the overview, an Excel sheet was used to illustrate frequency tables and to create pie charts, line graphs and so on; in general, Excel spreadsheet software was used for the frequency tables and other numerical variables. For the visualisation of the survey data from PsyToolkit and the files from Twitter, we used R, a programming language for visualising and presenting data.

4.0. RESULTS

This section is divided into two parts: sentiment analysis findings and descriptive survey analysis. The findings from the sentiment analysis reflect the ethical concerns of Twitter stakeholders (users etc.) on the concepts reviewed in the literature: Cybersecurity, Social Engineering, Phishing and Hacked. It also attempts to answer R1: What is the stance of users on Twitter Phishing?

The second part, the descriptive survey analysis, provides hypotheses on how personality traits intersect with said ethical concerns (users) and Cialdini’s principles of influence by answering R2: How knowledgeable are users on Social Engineering attacks and Twitter phishing (focus on the prevalent persuasion techniques used in Twitter attacks)?

4.1. General Overview and Description of the Datasets

Presented here is an overview of the first criterion of data collection (data collected based on specific hashtags). A total of 177000 tweets spanning from 22nd November 2019 to 10th August 2020 was collected based on these themes. The data collected were grouped, based on the 4 most used words, into the Cybersecurity, Hacked, Phishing, and Social Engineering groups.

Graph 3: Overview of sentiment analysis based on all 4 themes

We observed the highest number of tweets in February 2020 with a total of 24,852 tweets, and next to it being December 2019 with a total of 21,818 tweets. The least number of tweets for this group was observed in May with 3,579 tweets.

The spike in the number of tweets in February can be considered an effect of the pandemic anxiety that was uncovered with the onset of the coronavirus pandemic across the world, as the pandemic posed a risk of increased cyber-attacks.

Generally, the emotions of users evident in most of the tweets collected are more negative than positive, except in May, where the opposite is observed. A larger portion (49,000) of the users responded positively in the tweets collected based on the different hashtags given, followed closely by users who responded with anger (30,000), anticipation (29,000), negativity (15,000), and joy (10,000).

However, users that expressed their sadness in the tweets on the hashtags given were very few (1,000).

The most used words in the 177000 tweets collected are “Hacked”, “Phishing”, “Social Engineering”, and “Cyber Security”.

The most targeted brands are the brands that are mostly associated with the criteria cited for data collection (In this case, the “hashtag” criteria).

Generally, the most targeted brands are @Youtube, @teamyoutube, @Twitter, @realdonaldtrump, and @Facebook. Other brands that are associated with these criteria include: @Google, @youtubeindia, @ etc

4.2. Sentiment Analysis Findings

4.2.1. “Cybersecurity” Hashtags

In the first group of the “hashtag” criterion (the Cybersecurity group), we collected a total of 21000 tweets from December 2019 to August 2020 from 9,338 users. The highest number of tweets associated with this group (4,967 tweets) was observed in December 2019, as there was an escalation in cyber-attacks at this time. Similarly, there were significant cyber incidents in June 2020, which is why a large number of tweets (4,753 tweets) associated with the hashtag “cybersecurity” was collected in both months. Lastly, the lowest number of tweets for this group was observed in August 2020. This suggests that there were fewer cybersecurity incidents in August compared to the other months considered in this group.

Graph 4: breakdown of sentiment analysis based on the theme “Cybersecurity”


Interestingly, most users expressed a positive reaction in the tweets grouped under cybersecurity, mostly because users were optimistic about news on cybersecurity. Also, due to an increase in cyber threats in the months considered in this group, a good number of users were anticipating new cybersecurity measures to defend them from malicious attacks. The sentiments expressed by the users in the tweets collected for this category, together with the number of reactions for each sentiment category, are shown below.

Sentiment       Number of Reactions
Positive        6,239
Anticipation    4,734
Anger           2,686
Negative        1,141
Trust           973
Fear            881
Joy             805
Disgust         304
Surprise        295
Sadness         49

Table 13: Sentiment by users

The five most used terms in this group are “Cybersecurity”, “Business”, “Data”, and “Ransomware”, hence the group name “Cybersecurity”. Similar to the former, @youtube, @Twitter, @Teamyoutube, @Facebook, and @realdonaldtrump are the most targeted brands for cybersecurity attacks.

4.2.2. “Hacked” Hashtags

In the second group, “Hacked”, of the hashtag criterion, we collected a total of 66000 tweets between December 2019 and August 2020 from 53,817 users.

The highest number of tweets that correlates with the hashtag in this group (10,000 tweets) was noted in July, following the famous July 15 hack that will be discussed later in our analysis. Likewise, in April, there were a couple of hacking activities that correlated with the hashtag in this group.

Graph 5: breakdown of sentiment analysis based on the theme “Hacked”

The reactions expressed in the tweets connected with the happenings in this group were once again mostly positive and the most likely reason for the positive emotions shown is the same as in the previous group.

The table below shows the sentiments expressed by the users in the tweets collected for this category, together with the number of people reacting in each category of the sentiment.

Sentiment       Number of Reactions
Positive        23,387
Anger           11,607
Anticipation    8,250
Negative        5,321
Joy             2,958
Fear            2,116
Trust           2,010
Disgust         1,920
Surprise        1,511
Sadness         245

Table 14: Sentiment by users

“Hacked”, “Accounts”, “Twitter”, “Password”, and “Trump” are the most used words in this group, hence the group name hacked. The most targeted brands in this group are the same as the previous groups.

4.2.3. “Phishing” Hashtags

In this group “Phishing” of this category, we collected 56000 tweets between December 2019 and July 2020 from 28,106 users.

From December, the number of tweets related to the group rose slowly from a little over 1,100 tweets and got to a peak in June. The steady rise in the number of tweets associated with this group “Phishing” from December to June could be as a result of an increase in cyber-attacks in June.

Graph 6: breakdown of sentiment analysis based on the theme “Phishing”


The highest number of tweets in this group was recorded in June with 13,895 tweets while the least number of tweets was recorded in December with 1,180 tweets.

Similar to the previous groups, most users expressed positive reactions in the tweets associated with this group, while the emotions of the other users varied, as shown in the table below. However, as in the previous groups, very few people expressed sadness.

Sentiment       Number of Reactions
Positive        10,889
Anticipation    7,343
Anger           6,776
Joy             4,964
Negative        4,020
Fear            2,853
Trust           1,266
Disgust         1,064
Surprise        579
Sadness         108

Table 15: Sentiment by users

“Phishing” is the most popular word in this group. Other popular words used in this group are “Malware”, “Email”, “COVID”, “Attacks” and “Scam”. The most targeted brands remain the same as discussed in the previous groups.

4.2.4. “Social Engineering” Hashtags

The final group for this hashtag category is the “Social Engineering” group. In this context, social engineering is the psychological manipulation of users to divulge sensitive information. A total of 34000 tweets was collected between November 2019 and August 2020 from 21,122 users for this group. The trend in the number of tweets collected for this group shows that the number of tweets rose gradually in November, reached a peak in December, began to fall gradually, then rose again. The variation across the months considered in this group shows that happenings related to social engineering rose and fell over these months. The highest number of tweets for this group was recorded in March with 8,323 tweets, followed closely by February with a total of 7,708 tweets; the lowest number of tweets was recorded in early July.

Graph 7: breakdown of sentiment analysis based on the theme “Social Engineering”

In an interesting turn of events, most people (9,200) responded to the tweets in this group with anger, which is only rational. Other reactions in the tweets were positivity, anticipation, negativity, and fear. However, very few people (174) responded with sadness. The table below shows the emotions expressed and the number of reactions for each sentiment type.

Sentiment       Number of Reactions
Anger           9,213
Positive        8,843
Anticipation    8,537
Negative        4,643
Fear            2,942
Trust           2,000
Joy             1,514
Disgust         1,324
Surprise        564
Sadness         174

Table 16: Sentiment by users

As expected, based on the group name, the most used word is “Social Engineering”. Other popular words used in this group include “Society”, “World”, “Human”, and “People”. The same brands as in the previous pages were targeted.

4.2.5. Similarities and Patterns

After analysing the data collected for the hashtag category, a couple of similarities can be seen between the four groups in this category:

1. The sentiment “Sad” was the least expressed emotion in the tweets across the groups, followed closely by the sentiment “Surprise”. Cyber-attacks are bound to happen; this explains why users are hardly ever sad or surprised in the case of a cyber-attack.

2. The targeted brands based on the tweets collated across the groups are the same, and this shows that no brand, however large, is immune to phishing attacks, and big brands might even be more susceptible to phishing since their information is widely available to the public (case in point, Twitter).

4.2.6. The Second Criteria: Corona Related Tweets

A total of 3,295 tweets was extracted from the 177000 collected tweets that had the word “COVID” or “Corona” in them. For the group “Cybersecurity”, most of the tweets were recorded between March and May 2020 where we observed a very high spike in phishing attacks, as attackers were using Covid-19 as a bait.

Graph 8: breakdown of sentiment analysis of COVID19 tweets

Globally, companies were downsizing their workforce to cope with the effects of COVID-19. Some people have also lost their means of livelihood due to the various restrictions of movement by governments across the world. This move likely encouraged the growth of cybercriminals as idle people with internet access who have lost their jobs from the effects of COVID-19 may have seen an opportunity to make a living out of the pandemic. Data, therefore, validate that COVID 19 had a huge impact on phishing attacks across the world.

There was a lot of optimism in the tweets collected in this category, as most people were positive in their tweets, possibly hoping that a cure for the virus would be found soon, and that with the resumption of busy activities by people, there would be an easing of cyber-attacks. The table below shows the number of reactions for the different sentiments.

Sentiment       Number of Reactions
Positive        3,518
Anger           2,675
Anticipation    2,530
Fear            2,350
Negative        1,805
Joy             466
Surprise        326
Disgust         173
Sadness         32

Table 17: Sentiment by users

“COVID”, “Cybersecurity”, “Coronavirus” and “Hackers” are some of the most used words in this group, hence the group name, and the category name. The most targeted brands in this group are @crowdstrike, @akamai @forbes, @securityblvd, and @rlbarranco.

4.3. In-depth Analysis: Twitter Spear Phishing Incidence

4.3.1. Twitter Spear Phishing Incidence: #Hacked

About 300 tweets were collated from the “hacked” group, with most of them coming from July 2020, after a massive Twitter spear-phishing attack was orchestrated by a 17-year-old who had reportedly built a reputation as a frequent online scammer.

Graph 9: Analysis of the Twitter Phishing Case

This didn’t go down well with most people, and they made their anger known in their tweets. Other sentiments associated with this event are shown in the table below.

Sentiment       Number of Reactions
Anger           205
Positive        183
Anticipation    125
Negative        113
Fear            100
Trust           53
Joy             44
Surprise        35
Disgust         23
Sadness         15

Table 18: Sentiment by users

“COVID”, “Attack”, “Information”, “Engineering”, and “Ransomware” were the most popular words, while @akamai @rlbarranco, @comptia and @insurancetimes gave out the highest number of tweets related to this group.

4.3.2. Twitter Spear Phishing Incidence: #Phishing

For the Phishing group under this category, about 2,198 tweets were collected, and most of them were made between March and May 2020, peaking in late April. The reactions to the happenings associated with this group were mostly positive. The table below shows how the other users reacted.

Sentiment       Number of Reactions
Positive        1,346
Anticipation    984
Anger           967
Fear            686
Negative        668
Trust           319
Joy             173
Surprise        135
Disgust         114
Sadness         32

Table 19: Sentiment by users

“Coronavirus” was by far the most popular word, next to it was “Malware” and “Scam”. The most targeted brands based on the tweets collated for this group are @Crowdstrike @Securityblvd and @microsoftteams.

4.3.3. Twitter Spear Phishing Incidence: #SocialEngineering

797 tweets were collected in the social engineering group of this category, with most of them obtained between March and April 2020, after which there was a drastic decline in the number of tweets in early July.

Graph 10: Analysis of Twitter Spear Phishing case #SocialEngineering

The reactions associated with the tweets collected for this group were mostly positive, and the number of reactions for each sentiment is shown in the table below.

Sentiment       Number of Reactions
Positive        639
Anticipation    547
Anger           504
Negative        399
Fear            378
Trust           148
Disgust         82
Joy             74
Surprise        29
Sadness         7

Table 20: Sentiment by users

“Cybersecurity”, “Social”, “Email”, “Hacker” were some of the most used words, while @forbes, @shirasweet and @ncsc were the most targeted brands.

4.3.4. Twitter Spear Phishing Incidence: #Phishing

14K phishing tweets were collected for this group, between July and August 2020.

Graph 11: Analysis of Twitter Spear Phishing case #Phishing

Looking at the sentiment analysis of users in this group in the table below, we see that a lot more users responded positively at first, but towards the end of July the reactions were more negative than positive. This turn in the sentiment of users makes a lot of sense following the massive hack in that month.

Sentiment       Number of Reactions
Positive        11,138
Anger           9,632
Anticipation    8,871
Negative        5,637
Fear            3,432
Trust           2,955
Joy             2,727
Surprise        1,371
Disgust         922
Sadness         200

Table 21: Sentiment by users

The most used words with phishing are “Hacked”, “Cybersecurity”, “Accounts”, and “Twitter”.

4.3.5. Twitter Spear Phishing Incidence: #TwitterHacked

About 99k tweets were collected between 15th July and 10th August from 106,604 users following the July Twitter hack that compromised several accounts, including the accounts of high-profile individuals. The hashtag “twitterhacked” was used in the collation of these tweets. These accounts were hacked through a series of phishing emails.


Graph 12: Analysis of Twitter Spear Phishing case #TwitterHacked

The hack happened in the late hours of July 15, which is the major reason why we see a spike on July 16 rather than on the actual day of the hack. The negative tweets can be seen spiralling up in this group after this event, as Twitter users expressed their anger over the cyber-attack on the platform.

Sentiment       Number of Reactions
Positive        25,089
Anger           19,528
Anticipation    17,932
Negative        14,042
Fear            6,418
Joy             5,894
Trust           5,576
Surprise        3,749
Disgust         3,579
Sadness         1,348

Table 22: Sentiment by users

The most used words associated with this hack are “Hacked”, “Twitter”, “Bitcoin”, “Accounts”. The targeted brands associated with this July hack are @youtubeindia, @ytcreatorsindia, @ytcreators, @youtube, @Googleindia.

One major similarity that can be seen across all the categories of this analysis is the similarity in the targeted brands. Since we used data obtained from Twitter for our analysis, it makes sense that the targeted brands across all categories are mainly social media brands. Also, @youtubeindia appeared among the majority of the targeted brands, which might be because most malicious links were from India; it can also be linked to the latest scam of exploiting YouTube redirect links whitelisted by security firewalls, so that the true destination is not spotted when a user hovers their mouse over the link. @realdonaldtrump also appeared a couple of times as a targeted brand, and this can be attributed to the United States November election coming up.

4.4. Cialdini’s Principles; Data Validation

Social Engineering involves persuasion techniques to manipulate people into divulging confidential information. Research has shown that the principles of persuasion influence the decisions of humans. In phishing likewise, these principles could help to determine why a user does what he does. Cialdini identifies six principles (reciprocity, commitment or consistency, social proof or conformity, authority, liking or similarity, and scarcity) employed by social engineers to phish successfully. As much as all six of Cialdini's principles work in social engineering, some of the principles work better than others depending on the victim's personality traits.

In linking the different categories from our analysis with Cialdini’s principles, about 11k tweets were collected (from the total 117000 tweets collected via hashtag-based scraping) and labelled as suspicious tweets. To narrow the search further, we retained only tweets containing links to malicious websites. We then did a word pattern search using a defined corpus of terms associated with phishing, which narrowed the search further still. In doing all of this, certain things were discovered:

1. Due to the brevity of tweets, malicious tweets relied mainly on reciprocity, where users feel obliged to give back a form of service they might have received, or on scarcity, where a perceived scarcity of the content stated in the link might influence the user’s decision to click on the link or not.

2. A lot of malicious tweets tried to appeal to pressing political concerns on global issues. This raised a sense of urgency in users to click on the tweets. The principle of liking or similarity is used in a specific combination in this case.

3. We saw particular trends around bitcoin and other free items, which led to malicious websites or to users providing sensitive details. This follows the principle of scarcity, where users want more of the things they have less of; the principle of authority, where users follow the lead of credible people or authority figures; and the principle of liking, where users tend to say yes to tweets from those they like without acknowledging that the tweet might be malicious (for example, the July 15 hack).

We can also see the influence of the other Cialdini principles in our analysis so far.

For example, the principle of authority could have been an influence where users receive links in tweets containing the names of authority figures, since society has trained people not to question authority and they are therefore conditioned to respond to such tweets. The principle of social proof can be seen in tweets that show off what other people are doing, as people tend to mimic what the majority do or seem to be doing. The principle of liking or similarity can be seen where people prefer to abide by those they know or have a liking for (from our analysis, this influence can be noted in the July 15 bitcoin scam, where the phisher hacked the accounts of authority figures/celebrities that a lot of people were familiar with).

4.4.1. Word Frequency Approach



The word pattern search done on the collected tweets (see 3.2.1) shows tweets that contain the following words: "click", "here", "free", "bitcoin", "link", "xxx", "dirty", "flirty", "congrats", "congratulations", "winner", "win", "won", "award", "selected", "bonus", "urgent", "update", "immediately", "pay", "payment", "cash", "toget", "update", "send", "login", "label", "invoice", "post", "document", "postal", "calculations", "copy", "statement", "financial", "burnt", "gun", "missiles", "terrorist", "terrorism", "rape", "few", "fast".
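The two-stage triage described in 4.4 (keep tweets carrying a link, then run a word pattern search over a phishing term corpus) can be shown with the word list above. This is an added example, not the thesis's own code; it uses a subset of the listed terms, constructed sample tweets, and two assumptions that the thesis does not state: link presence stands in for the "links to malicious websites" check (text alone cannot establish that a link is malicious), and a minimum of two distinct corpus words is required before a tweet is flagged, so that one generic word such as "update" on its own does not count.

```python
import re

# Subset of the word-pattern corpus listed in section 4.4.1 above.
PHISHING_TERMS = [
    "click", "here", "free", "bitcoin", "link", "congrats", "winner", "win", "won",
    "award", "selected", "bonus", "urgent", "update", "immediately", "pay",
    "payment", "cash", "send", "login", "invoice", "document", "statement",
    "financial", "few", "fast",
]

# \b anchors make each match a whole word: "win" must not fire on "window",
# nor "few" on "fewer". re.escape guards against metacharacters in the terms.
TERM_RE = re.compile(r"\b(" + "|".join(map(re.escape, PHISHING_TERMS)) + r")\b",
                     re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def matched_terms(text):
    """Distinct corpus words present in the tweet, lower-cased and sorted."""
    return sorted({m.lower() for m in TERM_RE.findall(text)})


def flag_suspicious(tweets, min_terms=2):
    """Stage 1: keep tweets that carry a link. Stage 2: keep those with at least
    min_terms distinct corpus words. Returns (tweet, matched_terms) pairs.
    The min_terms threshold is an assumption added for this example."""
    flagged = []
    for text in tweets:
        if not URL_RE.search(text):
            continue
        terms = matched_terms(text)
        if len(terms) >= min_terms:
            flagged.append((text, terms))
    return flagged


# Constructed sample tweets, not drawn from the thesis dataset.
SAMPLE_TWEETS = [
    "Congrats! You have been selected as a winner, click here to claim: https://example.test/claim",
    "Urgent: update your login immediately https://example.test/verify",
    "Free bitcoin for the next few hours, send 0.1 BTC and win double",
    "New window manager update released https://example.test/release",
    "Our quarterly financial statement is out https://example.test/q2",
]

if __name__ == "__main__":
    for tweet, terms in flag_suspicious(SAMPLE_TWEETS):
        print(terms, "<-", tweet)
```

The third sample tweet is a lure but carries no link, so stage 1 drops it, and the last one is an ordinary corporate post that stage 2 flags on "financial" and "statement": a word corpus narrows the set, as the thesis says, but both misses and false positives remain, which is why the flagged tweets were still read and labelled by hand.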

4.5. Descriptive Survey Analysis

The following section introduces the respondents and the different factors that were considered important in providing answers to the survey questions.

4.5.1. Respondents- Gender Distribution

There was an even distribution of gender in the survey, with 49.3% of the respondents being females and an equal 49.3% being males. However, 1.3% of the respondents chose to not divulge their gender. This even distribution in the gender of the respondents gives integrity to our report.

Graph 13: Questionnaire results regarding sex


4.5.2. Respondents - Age Distribution

As earlier stated in section 3.0.1, stratified sampling was used to select respondents between the ages of 18 and 34. Going forward, we will determine whether the age distribution of respondents has anything to do with the insights garnered from this survey. The majority of the respondents were between their mid-twenties and their early thirties.

Graph 14: Questionnaire results regarding Age

4.5.3. Respondents - Nationality

Looking at the nationality of the respondents, 60 of the 85 respondents that participated in the survey are Nigerians, 10 were of other nationalities, while data for the 15 other respondents were missing.

Graph 15: Questionnaire results regarding Nationalities

4.5.4. Respondents- Country of Residence

The places of residence of the respondents that took part in the survey show that the survey has a good sample, as it is not tilted towards any geographical location. This gives some integrity to the report.

Graph 16: Questionnaire results regarding the country of residence

4.5.5. Respondents- Current Job Status


A greater percentage of the respondents are employed, with only about 11% unemployed.

Graph 17: Questionnaire results regarding Job Status

4.5.6. Respondents- Level of Education

The level of education of the respondents showed that over 38 of them hold a bachelor's degree, over 27 hold a master's degree, 4 have doctoral degrees, and just 1 of them has a high school education.

Graph 18: Questionnaire results regarding Level of Education


4.5.7. Respondents- Time on Twitter

About 89.9% of the respondents have been on Twitter for less than a year, while the remaining 10.1% had accounts between 1 and 3 years old on Twitter. However, this does not necessarily mean the number of years the respondent has spent on Twitter, but rather how old their current Twitter account is.

Graph 19: Questionnaire results regarding Time on Twitter

4.5.8. Knowledge-Based Questions (KBQ)

In response to the question “How did you learn about Phishing?”, only 10 of them had first-hand experience with phishing. However, 31 of them had read up on the concept of phishing, 19 of them had read about a phishing case online, 7 of the respondents got their information about phishing somewhere else, and 18 of them had this data missing. The difference in ratio between the number of respondents with first-hand experience of phishing and those who read up on the concept shows that, although Twitter might not be doing enough to educate its users about phishing, a good number of them make efforts to read up about phishing (the majority of the respondents being well educated), which in some ways can reduce the chances of a user falling for this crime.


Graph 20: How did you learn about Phishing?

KBQ 2

For a different scenario question in the survey, respondents were asked if they had ever considered not clicking a link on Twitter, thinking it would be harmful, and 83.6% of them responded in the affirmative. This means that respondents are well aware of the fact that clicking on certain links could lead them to malicious websites that would require them to provide sensitive information.

Graph 21: Question on link clicking experience

KBQ 3

In response to the question “How do you spot a malicious/black hat link?”, only 33 of them said they can spot a malicious link by close reading the text, language/tone or greeting of the sender, 14 of them can spot a malicious link by hovering over the link, 12 of them by opening the link, 8 of them by giving the details requested like card information, while 18 of them had their response missing. Although a greater percentage of the respondents are careful enough to spot malicious links, a certain percentage of them still ended up giving sensitive information to these malicious websites. This can be attributed to the fact that a lot of malicious tweets appeal to pressing concerns of the users and therefore create a sense of urgency to click on the links.

Graph 22: Questionnaire results regarding Black Hat Link

KBQ 4

The respondents were also asked the question “What do you think Twitter is doing to protect its users from phishing attacks?”, and the responses varied from Slightly proactive (26 of them), Not proactive (20 of them), Proactive (11 of them), Effective (7 of them) and Very proactive (3 of them). However, 18 of them had this response missing. The fact that a very small percentage of the respondents think that Twitter is very proactive shows that Twitter might not be doing a good enough job of protecting its users from phishing attacks.


Graph 23: Questionnaire results regarding Twitter’s Proactiveness

KBQ 5

The scenario questions that follow help to understand what influences user behaviour on Twitter. The responses provided to these questions are either “Phishing” or “Not phishing”, and a total of 66 respondents participated in this.

The first scenario question for this group states: “You received a DM from the CEO of Twitter, Jack Dorsey, telling you that he thinks that your account has been compromised and, being the CEO, he feels responsible for every Twitter account holder. At the end of the message is a website URL asking you to reset your password and, better still, check if your account is still safe. Do you consider this a Phishing scenario or not?”

72 of the respondents, in this case, considered this a phishing scenario. The remaining respondents who did not consider this a phishing scenario could have been influenced by Cialdini’s principle of liking or the principle of authority.


Graph 24: Scenario 1

The next scenario question says: “You got a Twitter mention from an unknown account asking you to quickly click a link (within the tweet) for hot summer deals as a lot of popular influencers and celebrities are taking advantage of those deals already. At the end of the message is ‘Hurry now! Don’t be left out of the loop! Sales are about to end’.”

A majority (65) of the respondents considered this a Phishing attack. However, a few of the respondents did not consider this a phishing scenario, and this could have been an influence of Cialdini’s principle of social proof or conformity, since the tweet stated that a lot of popular celebrities were also taking advantage of the opportunity. As in the other cases, some of the responses were also missing here.

Graph 25: Scenario 2

Lastly, the respondents were asked whether they would consider a scenario where they got a message stating “Congratulations! You have won a car and an all-expense-paid trip to the Bahamas. Click this link to redeem these grand prizes if you are pleased to read this news” as Phishing or not. This scenario appeals to the interests of users. Nevertheless, from the results obtained from the survey, a lot of respondents considered this a phishing attack. This means that, as much as a tweet might appeal to the needs of a user, other factors like the ones mentioned earlier (language/tone of the sender, etc.) could still help in spotting malicious links.

Graph 26: Scenario 3

Link with Big 5

To relate all the information gathered in this survey to a better understanding of how the behaviour of the users determines their susceptibility to phishing, some questions were asked about how the respondents see themselves. The scores attached to the different scale items are shown in the table below.

Scale item                    Score
Disagree strongly             1
Disagree moderately           2
Disagree a little             3
Neither agree nor disagree    4
Agree a little                5
Agree moderately              6
Agree strongly                7

Table 23: Scores based on scale

Based on the scores in the table above, respondents gave responses to how they see themselves.

Scale item                          Score   Number of respondents
Extroverted, enthusiastic           4.46    65
Critical, quarrelsome               5.45    65
Dependable, self-disciplined        6.22    65
Anxious, easily upset               5.25    65
Open to new experiences, complex    6.08    65
Reserved, quiet                     3.23    65
Sympathetic, warm                   5.82    65
Disorganized, careless              5.88    65
Calm, emotionally stable            5.78    65
Conventional, uncreative            5.98    65

Table 24: Big 5 test results

The big 5 personality traits (Extroversion, Agreeableness, Conscientiousness, Emotional Stability and Openness to Experience) will be applied in our analysis, as they serve as a measuring system for understanding how susceptible humans are to Phishing, such as how and why users made certain decisions. Since the big 5 model asserts that each personality trait is a spectrum, and respondents can fall anywhere on the spectrum, individuals are ranked on a scale between two extreme ends.

Unlike other personality trait theories, when measuring personality traits with the big 5 model, we do not sort the respondents' traits into binary categories (i.e. either True or False). Instead, they are placed on a scale between two extreme ends.

From the table above, we see that no respondent disagreed in any way to the questions asked.

Extroversion

The respondents that agreed to being reserved, critical, enthusiastic and extroverted are most likely to have extroversion as their personality trait, and it only makes sense that a critical user is less susceptible to phishing attacks.

Graph 27: Result on Extroversion


Conscientiousness

Respondents also either agreed moderately or agreed a little to being self-disciplined, disorganized and warm. Respondents with these traits are likely to be conscientious, as these labels are contained in the conscientious category. Also, those that agree to these traits are likely to engage in more impulsive and careless behaviours, making them more susceptible to phishing attacks.

Graph 28: Result on Conscientiousness


Agreeableness

Respondents high in the agreeableness trait can be described as those that agreed a little to being sympathetic and calm. Personalities with these traits are mostly regarded as trusting and altruistic (helping others); therefore, they might be more susceptible to an attack. Respondents with these traits are those that would go as far as opening a malicious link or giving the sensitive details requested before realizing that the website is malicious.


Graph 29: Result on Agreeableness

Openness to Experience

Openness to experience refers to one’s willingness to try new things as well as to engage in intellectual activities. The facets of this trait are creativity and enthusiasm. Respondents that agree to these traits are likely to be led on to a malicious website due to their openness to trying out new things.

Graph 30: Result on Openness to Experience


Neuroticism

The overall emotional stability of an individual describes how they perceive the world. It takes into account how likely a person is to interpret events as threatening or difficult. It also includes one’s tendency to experience negative emotions. Those who are not so emotionally stable often feel anxious and insecure and are most likely to interpret ordinary situations as threatening. This personality trait is also associated with resisting a smaller but more immediate reward to receive a larger or lasting reward later (Delayed Gratification). Because of this, respondents with these traits are less likely to fall for tweets that require them to quickly click on a link for hot summer deals (phishing attack).

Graph 31: Openness to Experience


5. CONCLUSION

“In law, a man is guilty when he violates the rights of another. In ethics, he is guilty if he only thinks of doing so”. Immanuel Kant (1724 - 1804)

This master thesis mapped the current discourse on Twitter Phishing. 117,000 tweets were collected from 1st November 2019 to July 2020 from over 134,000 users to determine the stance of users on Twitter Phishing, using sentiment analysis based on the following moods: ‘Positive’, ‘Anger’, ‘Anticipation’, ‘Negative’, ‘Fear’, ‘Trust’, ‘Joy’, ‘Surprise’, ‘Disgust’ and ‘Sadness’.

Findings of this research (qualitative and quantitative) have brought major conclusions to the discussion of Social Engineering and Ethics on Twitter Phishing:

1. Most of the malicious links in our dataset were from India.
2. Twitter is neither proactive nor effective in raising awareness on Phishing to protect its end-users.
3. YouTube, Twitter and Facebook are the most targeted brands, with a high number of incidences.
4. Malicious tweets relied mainly on the principle of reciprocity, which Cialdini refers to as “the honoured network of obligation”. Next was the principle of liking or similarity, used in a specific combination in this case.
5. Close reading revealed particular trends in bitcoin and enticement using free items, thus increasing malicious website visits or the provision of sensitive details (the scarcity principle is in play here).
6. We observed the highest number of tweets in February 2020 with a total of 24,852 tweets, followed by December 2019 with a total of 21,818 tweets. The least number of tweets for this group was observed in May with 3,579 tweets.

Even though debates on social engineering, phishing and other financial scams have been a recurring phenomenon, the emotions of users evident in most of the tweets collected are more negative than positive, except in May, where the opposite is observed. A larger portion (49,000) of the users responded positively in the tweets collected based on the different hashtags given, followed closely by users who responded with anger (30,000), anticipation (29,000), negativity (15,000) and joy (10,000). Evidence suggests that this debate is diverse (as the most targeted brands indicate).

Trends observed include, but are not limited to, the following:

1. Dynamism continues: aligning Phishing campaigns with current trends, i.e. Covid19.
2. Increased personalisation: authentic-looking information purportedly from known and trusted sources.
3. Pretexting impersonates higher-ups or IT administrators with staggering effectiveness.
4. HTTPS ‘safe status’ compromised: HTTPS in links used to be an indicator of security; however, '58% of all phishing campaigns use HTTPS to elicit trust now'.
5. Crafting sophisticated phishing campaigns that are camouflaged with authentic-looking information purportedly from known and trusted sources.
6. Spoofed and engineered engagements on the hijacked page to look like the platform, i.e. retweets, likes, mentions, shared posts and so on.

Overall, this master thesis argues that although Phishing on Twitter has been on the rise, Twitter failed to put adequate measures in place, as the results of the survey indicate. It was reactive rather than proactive. Findings also point to the lack of a comprehensive policy, and several media articles and reports argue on its lack of comprehensiveness. The general loophole is the absence of an awareness campaign in its overall strategy.

Due to the lack of adequate user awareness, the boundless architecture (information dissemination) and the new trends of masking malicious URLs, Twitter will continue to be the “Phishers’ Paradise”. Previous studies have shown that the crux of the problem lies in the exploitation of relationships and trust-building using insider information (i.e. the Twitter Spear Phishing Case). Also, based on the study so far, it only takes one person in an organization to bring it down. Future work can address these loopholes by focusing on how the practical application of Contextual Integrity and its 9-step heuristic framework in work environments (vis-à-vis security awareness trainings) can change the discourse, thus reducing the critical issue within the dichotomy of what is private vs. what is public, and what the proper informational flow on social media platforms ought to be.


6. REFERENCES

This section is divided into two parts. Academic publications on social engineering, phishing and the ethical concerns therein are combined with a selection of distinguished non-academic publications, incorporated to gain a wider perspective of the researched topic.

SCIENTIFIC LITERATURE:

Abass, I. (2018). Social Engineering Threat and Defense: A Literature Survey. Journal of Information Security, 09(04), 257-264. doi: 10.4236/jis.2018.94018

Aggarwal, A., Rajadesingan, A., & Kumaraguru, P. (2012). PhishAri: Automatic realtime phishing detection on twitter. 2012 Ecrime Researchers Summit. doi: 10.1109/ecrime.2012.6489521

Ahmed, W., Bath, P. and Demartini, G. (2017) Chapter 4 Using Twitter as a Data Source: An Overview of Ethical, Legal, and Methodological Challenges. In: Woodfield, K., (ed.) The Ethics of Online Research. Advances in Research Ethics and Integrity (2). Emerald, pp. 79-107. ISBN 978-1-78714-486-6

Alexander, B., & Viardot, E. (Eds.). (2016). Revolution of Innovation Management: Volume 1 The Digital Breakthrough, Volume 1 (1st ed., p. 118). London: Palgrave Macmillan.

Algarni, A., Xu, Y., Chan, T., & Tian, Y. (2014). Social engineering in social networking sites: how good becomes evil. Presentation, 18th Pacific Asia Conference on Information Systems (PACIS 2014); Chengdu; China: Association for Information Systems.

Banach, Z. (2020). What Is Session Hijacking: Your Quick Guide to Session Hijacking Attacks. Retrieved from https://www.netsparker.com/blog/web-security/session-hijacking/

Barnes, D. (2006). A Defense-In-Depth Approach to Phishing. (Master’s thesis, Naval Postgraduate School). Retrieved from https://faculty.nps.edu/ncrowe/oldstudents/barnesthesis.htm

Barrick, M., & Mount, M. (1991). The Big Five Personality Dimensions and Job Performance: A Meta-Analysis. Personnel Psychology, 44(1), 1-26. doi: 10.1111/j.1744-6570.1991.tb00688.x

Benkler, Y. (2006). The Wealth of Networks: How Social Production Transforms Markets and Freedom. Press.

Bossetta, M. (2018). A Simulated Cyberattack on Twitter: Assessing Partisan Vulnerability to Spear Phishing and Disinformation ahead of the 2018 U.S. Midterm Elections. Retrieved from https://arxiv.org/abs/1811.05900

Bosworth, S., Kabay, M., & Whyne, E. (2014). Computer security handbook (6th ed.). New York: Wiley.

Brandtzæg, P. B., & Heim, J. (2009). Why People Use Social Networking Sites. In A. A. Ozok & P. Zaphiris (Eds.), Online Communities and Social Computing (Vol. 5621, pp. 143–152). Berlin, Heidelberg: Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-642-02774-1_16

Broadhurst, R., & Chantler, N. (2008). Social Engineering and Crime Prevention in Cyberspace. SSRN Electronic Journal. doi: 10.2139/ssrn.2138714

Brügger, N. & Finnemann, N. O. (2013): The Web and Digital Humanities: Theoretical and Methodological Concerns. In Journal of Broadcasting & Electronic Media. 57(1), 66-80. https://doi.org/10.1080/08838151.2012.761699

Bujold, L. (2002). Diplomatic immunity. Riverdale, N.Y: Baen.

Bullée, J., Montoya, L., Pieters, W., Junger, M., & Hartel, P. (2015). The persuasion and security awareness experiment: reducing the success of social engineering attacks. Journal Of Experimental Criminology, 11(1), 97-115. doi: 10.1007/s11292-014-9222-7

Cameron, A. (undated). Cyber Security: A Global Concern. Retrieved from https://www.academia.edu/4736892/_Cyber_Security_A_Global_Concern

Castells, M. (2010). The Rise of the Network Society. Second Edition. Wiley-Blackwell.

Chhabra, S., Aggarwal, A., Benevenuto, F., & Kumaraguru, P. (2011). Phi.sh/$oCiaL: The phishing landscape through short URLs. In Proceedings of the 8th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, pp. 92-101. https://dl.acm.org/citation.cfm?id=2030387

Chebab (2017). How to Conduct a Policy Review [Slides]. Community Medicine Training Program. doi: 10.13140/RG.2.2.33840.15363. Retrieved from https://www.researchgate.net/publication/317358264_How_to_conduct_a_policy_review

Cialdini, R. (2007). Influence : the psychology of persuasion (1st ed.). New York: Collins Business.

Cisco. (2018). Cisco 2018 Annual Cyber Security Report. Cisco. Retrieved from https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2018.html

Conley, P. (2015). Social Engineering 101 or The Art of How You Got Owned by That Random Stranger. In NTX ISSA Cyber Security Conference (p. 8). North Texas: Silo.Tips. Retrieved from https://silo.tips/download/social-engineering-101-or-the-art-of-how-you-got-owned-by-that-random-stranger

Conrad, E., Misenar, S., & Feldman, J. (2016). Domain 5: Identity and Access Management (Controlling Access and Managing Identity). CISSP Study Guide, 293-327. doi: 10.1016/b978-0-12-802437-9.00006-0

Deuze, M. (2012). Media life. Cambridge, UK: Polity Press.

Devika, M., Sunitha, C., & Ganesh, A. (2016). Sentiment Analysis: A Comparative Study on Different Approaches. Procedia Computer Science, 87, 44-49. doi: 10.1016/j.procs.2016.05.124

Dijck, J. (2012). Tracing Twitter: The Rise of a Microblogging platform. International Journal of Media and Cultural Politics 7 (3): 333-348

Donaldson, T., & Preston, L. (1995). The Stakeholder Theory of the Corporation: Concepts, Evidence, and Implications. The Academy Of Management Review, 20(1), 65. doi: 10.2307/258887

Edgar, T., & Manz, D. (2020). Research methods for cyber security [Ebook] (p. 369). Cambridge, United States: Syngress. Retrieved from https://books.google.be/books?id=aRl2DQAAQBAJ&pg=PA367&lpg=PA367&dq=Cyber+Attack+scientific+meaning&source=bl&ots=Sk-QZEICB3&sig=ACfU3U102JgD8-w74RDLy7X9PrwFXK_IJw&hl=en&sa=X&ved=2ahUKEwiV1f3QqMvqAhWFyKQKHdjQCKQQ6AEwEnoECAkQAQ#v=onepage&q=Cyber%20Attack%20scientific%20meaning&f=false

Ess, C. (2010). Digital media ethics (reprinted). Cambridge: Polity.

Ferreira, A., Coventry, L., & Lenzini, G. (2015). Principles of Persuasion in Social Engineering and Their Use in Phishing. Lecture Notes In Computer Science, 36-47. doi: 10.1007/978-3-319-20376-8_4

Freeman, R. (1984). Strategic Management: A Stakeholder Approach. Boston: Pitman

Friedman, A., & Miles, S. (2006). Stakeholders: Theory and Practice. Oxford University Press.

Gehem, M., Usanov, A., Frinking, E., & Rademaker, M. (2015). Assessing Cyber Security: A Meta-Analysis of Threats, Trends, and Responses to Cyber Attacks (p. 16). The Hague, The Netherlands: Hoffman. Retrieved from https://www.academia.edu/18926269/Assessing_Cyber_Security_A_Meta-Analysis_of_Threats_Trends_and_Responses_to_Cyber_Attacks?email_work_card=title

Greavu-Serban, V., & Serban, O. (2014). Social Engineering: A General Approach. Informatica Economica, 18(2/2014), 5-14. doi: 10.12948/issn14531305/18.2.2014.01

Guler, G. (2019). Data literacy from theory to reality: How does it look? Retrieved from https://www.researchgate.net/publication/335620777_Data_literacy_from_theory_to_reality_How_does_it_look

Gupta, N., & Gupta, A. (2020). Big Five Personality Traits and Their Impact on Job Performance of Managers in FMCG Sector. International Journal Of Recent Technology And Engineering, 8(5), 3104-3109. doi: 10.35940/ijrte.e6406.018520

Gosling, S., Rentfrow, P., & Swann, W. (2003). A very brief measure of the Big-Five personality domains. Journal Of Research In Personality, 37(6), 504-528. doi: 10.1016/s0092-6566(03)00046-1

Guo, K., Yuan, Y., Archer, N., & Connelly, C. (2011). Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model. Journal Of Management Information Systems, 28(2), 203-236. doi: 10.2753/mis0742-1222280208

Gupta, M., & Sharman, R. (2009). Handbook of research on social and organizational liabilities in information security. Hershey, PA: Information Science Reference.

Gutierrez-Zotes, A., Labad, J., Martorell, L., Gaviria, A., Bayón, C., Vilella, E., & Cloninger, C. (2015). The revised Temperament and Character Inventory: normative data by sex and age from a Spanish normal randomized sample. Peerj, 3, 8-15. doi: 10.7717/peerj.1481

Hadnagy, C. (2018). Social Engineering: The Science of Human Hacking [Ebook] (p. 285). Indianapolis, Indiana: John Wiley & Sons. Retrieved from https://books.google.be/books?id=_BtiDwAAQBAJ&pg=PA289&lpg=PA289&dq=emotions+social+engineering+phishing+academic&source=bl&ots=o1m6DbLJ0C&sig=ACfU3U378Z3ol5d9vKKQQ5AnTYELCvSI8Q&hl=en&sa=X&ved=2ahUKEwixuLuOkb7qAhVJhRoKHQ2cBVQQ6AEwEHoECA8QAQ#v=onepage&q=emotions%20social%20engineering%20phishing%20academic&f=false

Harman, G. (1999). Moral philosophy meets social psychology: virtue ethics and the fundamental attribution error. In Proceedings of the Aristotelian Society, vol. 99 (pp. 315-331). JSTOR, Wiley on behalf of The Aristotelian Society.

Hatfield, J. (2018). Social engineering in cybersecurity: The evolution of a concept. Computers & Security, 73, 102-113. doi: 10.1016/j.cose.2017.10.008

Herjavec, R. (2020). Cybersecurity CEO: The History Of Cybercrime, From 1834 To Present. Retrieved from https://cybersecurityventures.com/cybersecurity-ceo-the-history-of-cybercrime-from-1834-to-present/

Highfield, T., & Leaver, T. (2014). A methodology for mapping Instagram hashtags. First Monday, 20(1). doi: 10.5210/fm.v20i1.5563

Isaac, S., & Michael, W. (1997). Handbook in research and evaluation (3rd ed., p. 136). San Diego, Calif.: EdITS.

Janczewski, L. & Fu, L. (2010). Social Engineering-Based attacks: Model and New Zealand Perspective. Computer Science and Information Technology, 847-853.

Jenkins, H. (2006). Convergence culture: Where old and new media collide. New York, NY: NYU press.

Jewkes, Y., & Yar, M. (Eds.). (2013). Handbook of Internet Crime (p. 182). Hoboken: Taylor and Francis.

Johnson, R., & Onwuegbuzie, A. (2004). Mixed Methods Research: A Research Paradigm Whose Time Has Come. Educational Researcher, 33(7), 14-26. doi: 10.3102/0013189x033007014

Jiang, Y., Naqvi, M., & Abbas Naqvi, M. (2020). Psychological Predictors of Facebook Use: A Literature Review. International Journal Of Management, Economics And Social Sciences, 9(2). doi: 10.32327/ijmess/9.2.2020.7

Lang, F., John, D., Lüdtke, O., Schupp, J., & Wagner, G. (2011). Short assessment of the Big Five: robust across survey methods except telephone interviewing. Behavior Research Methods, 43(2), 548-567. doi: 10.3758/s13428-011-0066-z

Lastdrager, E. (2014). Achieving a consensual definition of phishing based on a systematic review of the literature. Crime Science, 3(1). doi: 10.1186/s40163-014-0009-y

Lohani, S. (2018). Social Engineering: Hacking into Humans. In Special Issue based on proceedings of 4th International Conference on Cyber Security (ICCS) (p. 1). S, Birla Institute of Applied Sciences, Bhimtal. Retrieved from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3329391#

Lopes, B., & Yu, H. (2017). Who do you troll and Why: An investigation into the relationship between the Dark Triad Personalities and online trolling behaviours towards popular and less popular Facebook profiles. Computers In Human Behavior, 77, 69-76. doi: 10.1016/j.chb.2017.08.036

McChesney, R. W. (2013). Digital Disconnect: How Capitalism is turning the Internet against Democracy. New Press.

McCormick, T. H., Lee, H., Cesare, N., Shojaie, A., & Spiro, E. S. (2017). Using Twitter for demographic and social science research: Tools for data collection and processing. Sociological Methods & Research, 46(3), 390-421. https://doi.org/10.1177/0049124115605339

Milgram, S. (1965). Some Conditions of Obedience and Disobedience to Authority. Human Relations, 18(1), 57-76. doi: 10.1177/001872676501800105

Moreno-Fernández, M., Blanco, F., Garaizar, P., & Matute, H. (2017). Fishing for phishers. Improving Internet users' sensitivity to visual deception cues to prevent electronic fraud. Computers In Human Behavior, 69, 421-436. doi: 10.1016/j.chb.2016.12.044

Morris, M. C., & Morris, J. Z. (2016). The importance of virtue ethics in the IRB. Research Ethics, 12(4), 201–216. https://doi.org/10.1177/1747016116656023

Mouton, F., Malan, M., Kimppa, K. and Venter, H., 2015. Necessity for ethics in social engineering research. Computers & Security, 55, pp.114-127.

Najm, N. (2019). Big Five Traits: A Critical Review. Gadjah Mada International Journal Of Business, 21(2), 162-164. doi: 10.22146/gamaijb.34931

Nepali, R., & Wang, Y. (2016). You Look Suspicious!!: Leveraging Visible Attributes to Classify Malicious Short URLs on Twitter. 2016 49Th Hawaii International Conference On System Sciences (HICSS). doi: 10.1109/hicss.2016.332

Osei Yeboah-Boateng, E., & Mateko Amanor, P. (2020). Phishing, SMiShing & Vishing: An Assessment of Threats against Mobile Devices. Journal Of Emerging Trends In Computing And Information Sciences, Vol. 5, No. 4(ISSN 2079-8407), 298.

Paganini, P. (2018). The Most Common Social Engineering Attacks [Updated 2020]. Retrieved from https://resources.infosecinstitute.com/common-social-engineering-attacks/#gref

Phillips, P. (2008). Data Collection : Planning for and Collecting All Types of Data. Hoboken: John Wiley & Sons.

Power, R., & Pluess, M. (2015). Heritability estimates of the Big Five personality traits based on common genetic variants. Translational Psychiatry, 5(7), e604-e604. doi: 10.1038/tp.2015.96

Quiel, S., & Uebelacker, S. (2014). The social engineering personality framework. In Proceedings of the 4th Workshop on Socio-Technical Aspects in Security and Trust (STAST 2014) (pp. 24-30). Vienna, Austria.

Rader, M., & Rahman, S. (2013). Phishing Techniques and Mitigating the Associated Security Risks. International Journal Of Network Security & Its Applications, 5(4), 23-41. doi: 10.5121/ijnsa.2013.5402

Regan, D. (1971). Effects of a favor and liking on compliance. Journal Of Experimental Social Psychology, 7(6), 627-639. doi: 10.1016/0022-1031(71)90025-4

Revathi, V., Ramya, P., & Gayathri, P. (2018). An Overview: Watering Hole Attack. IJSRD - International Journal For Scientific Research & Development, 6(1), 1.

Roberts, R., & Mahoney, L. (2004). Stakeholder Concept of the Corporation: Their Meaning and Influence in Accounting Research. Business Ethics Quarterly, 14(3), 399-431.

Robertson, M., & Walter, G. (2007). A Critical Reflection on Utilitarianism as the Basis for Psychiatric Ethics Part I: Utilitarianism as an Ethical Theory [Ebook] (p. 2). NSW, Australia. Retrieved from https://jemh.ca/issues/v2n1/documents/JEMH_V2N1_Article1_UtilitarianismAsAnEthicalTheory.pdf

Rogers, R. (2013). Digital methods. Cambridge, Mass., London: The MIT Press.

Rogers, R. (2015). Digital methods for web research. In Emerging trends in the social and behavioral sciences: An interdisciplinary, searchable, and linkable resource, 1-22. https://doi.org/10.1002/9781118900772.etrds0076

Rothmann, S., & Coetzer, E. (2003). The big five personality dimensions and job performance. SA Journal Of Industrial Psychology, 29(1), 69. doi: 10.4102/sajip.v29i1.88

Sadiku, M., Shadare, A., & Musa, S. (2016). Social Engineering: An Introduction. Journal of Scientific and Engineering Research, 3(3), 64-66.

Sagarin, B., Cialdini, R., Rice, W., & Serna, S. (2004). "Dispelling the illusion of invulnerability: The motivations and mechanisms of resistance to persuasion": Correction to Sagarin et al. (2002). Journal Of Personality And Social Psychology, 87(4), 493-493. doi: 10.1037/h0087893

Salahdine, F., & Kaabouch, N. (2019). Social Engineering Attacks: A Survey. Future Internet, 11(4), 89. doi: 10.3390/fi11040089

Salkind, N. J. (2010). Encyclopedia of research design (Vols. 1-0). Thousand Oaks, CA: SAGE Publications, Inc. doi: 10.4135/9781412961288

Saucier, G., & Goldberg, L. (1996). The Language of Personality: Lexical Perspectives on the Five-Factor Model. In J. S. Wiggins (Ed.), The Five-Factor Model of Personality: Theoretical Perspectives (pp. 24-32). Retrieved from https://projects.ori.org/lrg/PDFs_papers/Big.Five.Wiggins.Chapter.pdf

Schaefer, R. (2009). The epistemology of computer security. ACM SIGSOFT Software Engineering Notes, 34(6), 8-10. doi: 10.1145/1640162.1655274

Schejter, A. M., & Tirosh, N. (2016). A Justice-Based Approach for New Media Policy. Cham: Springer International Publishing. https://doi.org/10.1007/978-3-319-41510-9


Schneier, B. (2006). Beyond fear: Thinking Sensibly About Security in an Uncertain World (p. 144). New York, N.Y.: Springer.

Sharma, S. (1994). Privacy law (p. 333). New Delhi: Atlantic Publishers & Distributors.

Silic, M., & Back, A. (2016). The dark side of social networking sites: Understanding phishing risks. Computers In Human Behavior, 60, 35-43 doi: 10.1016/j.chb.2016.02.050

Singleton, R., & Straits, B. (Eds.). (2009). Approaches to social research (5th ed.). New York: Oxford University Press.

Soto, C. (2018). Big Five personality traits. In M. H. Bornstein, M. E. Arterberry, K. L.Fingerman, & J. E. Lansford (Eds.), The SAGE encyclopedia of lifespan human development (pp. 240-241). Thousand Oaks, CA: Sage.

Sova, P. (2016). Overview of Hacking. IOSR Journal Of Computer Engineering, 18(04), 90-91. doi: 10.9790/0661-1804049092

Spear Phishing & Whaling Attacks | Information Technology. (2019). Retrieved from https://it.eku.edu/spearphishingandwhaling

Stoet, G. (2010). PsyToolkit: A software package for programming psychological experiments using Linux. Behavior Research Methods, 42(4), 1096-1104. doi: 10.3758/brm.42.4.1096

Stoet, G. (2016). PsyToolkit. PsyToolkit: A Novel Web-Based Method for Running Online Questionnaires and Reaction-Time Experiments. Teaching Of Psychology, 44(1), 24-31. doi: 10.1177/0098628316677643

Thomas, V. (2014). Social Engineering. In Gardner, B., & Thomas, V. (1st ed., p. 45). Retrieved from https://www.academia.edu/11699131/Social_Engineering

United States. Executive Office of the President. (2009). Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure. Executive Office of the President of the United States.

Van den Broeck, J., Argeseanu Cunningham, S., Eeckels, R., & Herbst, K. (2005). Data Cleaning: Detecting, Diagnosing, and Editing Data Abnormalities. Plos Medicine, 2(10), e267. doi: 10.1371/journal.pmed.0020267

Weed, C., & Kwon, S. (2007). Neuroticism. In Roy F., & Kathleen D. (Eds.), Encyclopedia of Social Psychology (p. 1). Retrieved from https://www.researchgate.net/publication/317170729_Neuroticism

Wilhelm, T. (2013). Privilege Escalation. Professional Penetration Testing, 271-306. doi: 10.1016/b978-1-59749-993-4.00010-0

Workman, M. (2007). Gaining Access with Social Engineering: An Empirical Study of the Threat. Information Systems Security, 16(6), 315-331. doi: 10.1080/10658980701788165

Wright, R., & Marett, K. (2010). The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived. Journal Of Management Information Systems, 27(1), 273-303. doi: 10.2753/mis0742-1222270111

Xiong, A., Proctor, R., Yang, W., & Li, N. (2018). Embedding Training Within Warnings Improves Skills of Identifying Phishing Webpages. Human Factors: The Journal Of The Human Factors And Ergonomics Society, 61(4), 577-595. doi: 10.1177/001872081881094

Yasin, A., Fatima, R., Liu, L., Yasin, A., & Wang, J. (2019). Contemplating social engineering studies and attack scenarios: A review study, 5. doi: https://doi.org/10.1002/spy2.73

NON-ACADEMIC SOURCES

AARON, S. (2011). Why Americans use social media. Retrieved from https://www.pewresearch.org/internet/2011/11/15/why-americans-use-social-media/

Art. 4 GDPR – Definitions | General Data Protection Regulation (GDPR). (2020). Retrieved from https://gdpr-info.eu/art-4-gdpr/

Beth, B. (2020). A Close Look at Close Reading: Scaffolding Students with Complex Texts [Ebook] (p. 2). Retrieved from https://nieonline.com/tbtimes/downloads/CCSS_reading.pdf

Corbet, D. (2011). Why Twitter Is One of the Most Powerful Communications Tools Available. Retrieved from https://www.business2community.com/twitter/why-twitter-is-one-of-the-most- powerful-communications-tools-available-096744

Cherry, K. (2020). What Are the Big 5 Personality Traits?. Retrieved from https://www.verywellmind.com/the-big-five-personality-dimensions-2795422#citation-1

108

Chaturvedi, A. (2020). Twitter announces new financial scams policy. Retrieved from https://economictimes.indiatimes.com/tech/internet/twitter-announces-new-financial-scams- policy/articleshow/71265932.cms?from=mdr

Cornish et al. (2009). Cyberspace and the National Security of the United Kingdom. Threats and Responses, Chatham House Report.

CSO Magazine. The Ultimate Guide to Social Engineering [Ebook] (p. 2). Retrieved from https://www.academia.edu/35859733/The_Ultimate_Guide_to_Social_Engineering

Cyberedge group. (2019). Retrieved from https://cyber-edge.com/wp- content/uploads/2017/06/CyberEdge-2017-CDR- Report.pdf?utm_source=datafloq&utm_medium=ref&utm_campaign=datafloq

DataReportal, We are Social & Hootsuite. (2020). Digital 2020: July Global Statshot Report (p. 121). DataReportal. Retrieved from https://datareportal.com/reports/digital-2020-july-global- statshot

Drolet, M. (2020). Smishing and vishing: How these cyber attacks work and how to prevent them. Retrieved from https://www.google.be/amp/s/www.csoonline.com/article/3411439/smishing-and- vishing-how-these-cyber-attacks-work-and-how-to-prevent-them.amp.html

Encyclopedia.com. 2020. Social Engineering | Encyclopedia.Com. [online] Available at:

Fontaine, C., Haarman, A., & Schmid, S. (2006). The Stakeholder Theory. Retrieved from https://pdfs.semanticscholar.org/606a/828294dafd62aeda92a77bd7e5d0a39af56f.pdf

Fruhlinger, J. (2019). Social engineering explained: How criminals exploit human behavior. Retrieved from https://www.csoonline.com/article/2124681/what-is-social-engineering.html

Glossary. (2020). Retrieved from https://help.twitter.com/en/glossary

Greenberg, A. (2020). The Attack That Broke Twitter Is Hitting Dozens of Companies. Retrieved from https://www.wired.com/story/phone-spear-phishing-twitter-crime-wave/

109

Government of USA. The Office of the President of USA. (2011). International Strategy for Cyberspace Retrieved from https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cy berspace.pdf

Hughes, M. (2019). Twitter let someone promote an obvious PayPal phishing scam. Retrieved from https://thenextweb.com/security/2019/01/01/twitter-let-someone-promote-an-obvious-paypal- phishing-scam/

Hutchinson, A., & Hutchinson, A. (2020). Twitter Outlines New Financial Scam Policy, Adding to Existing Spam Reporting Process. Retrieved from https://www.socialmediatoday.com/news/twitter- outlines-new-financial-scam-policy-adding-to-existing-spam-reporti/563560/

Indiana University of Pennsylvania. (2020). Cybersecurity and Covid-19. Retrieved from https://www.iup.edu/news-item.aspx?id=285840&blogid=589

Irwin, L. (2020). Catches of the month: Phishing scams for August 2020 - IT Governance UK Blog. from https://www.itgovernance.co.uk/blog/catches-of-the-month-phishing-scams-august-2020

Jacobs, E. (2014). Persuasion guru Robert Cialdini’s advice for time-pressed executives. Retrieved from https://www.ft.com/content/bcbc5924-399e-11e4-83c4-00144feabdc0

Jordan Valinsky, C. (2020). Shark Tank host loses $400,000 in a scam. Retrieved from https://www.google.be/amp/s/amp.cnn.com/cnn/2020/02/27/business/barbara-corcoran-email- hack-trnd/index.html

Kemp, S. (2020). Digital 2020: July Global Statshot — DataReportal – Global Digital Insights. Retrieved from https://datareportal.com/reports/digital-2020-july-global-statshot

Knowbe4. (2020). 2020 Phishing benchmarking report. Retrieved from https://info.knowbe4.com/phishing-by-industry-benchmarking-report?hsCtaTracking=376cb4e5- c383-447f-b97c- 7a9858fd4c64%7C0ad8dc86-9ea1-4a8c-b0e0-49d4d2b723ca

Lim, A. (2020). Big Five Personality Traits | Simply Psychology. Retrieved from https://www.simplypsychology.org/big-five- personality.html#:~:text=The%20Big%20Five%20personality%20traits%20are%20extraversion% 20(also%20often%20spelled,throughout%20most%20of%20one's%20lifetime

110

Morgan, L. (2019). List of data breaches and cyber-attacks in January 2019 - 1,170,983,728 records leaked. Retrieved from https://www.itgovernance.co.uk/blog/list-of-data-breaches-and- cyber-attacks-in-january-2019-1769185063-records-leaked

Mitnick,K. & Simon, W. (2011). The Art of Deception: Controlling the Human Element of Security (pg. 2). Hoboken, NJ, USA: Wiley.

National Initiative for Cybersecurity Careers and Studies. (n.d). Cybersecurity Glossary. Retrieved from https://niccs.us-cert.gov/about-niccs/cybersecurity-glossary#I

Neuroticism: A 'Big Five' Personality Factor. (n.d). Retrieved from https://www.psychologistworld.com/personality/neuroticism-personality-trait

Perez, S. (2019). Twitter details new policies designed to crack down on financial scams. Retrieved from https://techcrunch.com/2019/09/23/twitter-details-new-policies-designed-to-crack-down-on- financial-scams/

Poulin, C. (2020). 6 Psychological Elements Behind Sophisticated Cyber Attacks - Security Intelligence. Retrieved from https://securityintelligence.com/sophisticated-cyber-attacks-6- psychological-elements/

Proof Point. (2019). 2019 State of The Phish Report (p. 23). United States: Proof Point. Retrieved from https://info.wombatsecurity.com/hubfs/Wombat_Proofpoint_2019%20State%20of%20the%20Phis h%20Report_Final.pdf

Recent Escalations in Cyberattacks in Italy Prove the Coronavirus Impact on Cybersecurity - Acting as a Warning for CISOs Worldwide - Cynet. (2020). Retrieved from https://www.cynet.com/blog/recent-escalation-in-cyberattacks-in-italy-prove-the-coronavirus- impact-on-cybersecurity-acting-as-a-warning-for-cisos-worldwide/

Skouras, S. (2016). The story of Adam and Eve with a cyber security twist. Retrieved from https://www.aspectusgroup.com/blog/2016-12-07/the-story-of-adam-and-eve-with-a-cyber- security-twist/

Stone, B. (2010). Avoid 'Phishing' Scams. Retrieved from https://blog.twitter.com/en_us/a/2010/avoid-phishing- scams.html#:~:text=Phishing%20is%20a%20deceitful%20process,(DM)%20with%20a%20link. 111

Suciu, P. (2020). Twitter Spear Phishing Attack Highlights Security Weaknesses Of Social Media. Retrieved from https://www.forbes.com/sites/petersuciu/2020/08/01/twitter-spear-phishing-attack-highlights-security- weaknesses-of-social-media/#5b3d44e07a29 Thomas, M. (2020). What Is Social Engineering? A Look Into the Sophisticated World of Psychological Cyber Crime. Retrieved from https://builtin.com/cybersecurity/what-is-social- engineering

Tiwari, A. (2020). What Is Social Engineering? What Are Different Types Of Social Engineering Attacks?Retrieved from https://www.google.be/amp/s/fossbytes.com/what-is-social-engineering- types-techniques/amp/

Types of Hackers and What They Do: White, Black, and Grey | EC-Council Official Blog. (2019). Retrieved from https://blog.eccouncil.org/types-of-hackers-and-what-they-do-white-black-and- grey/

Waseemz. (2019). "Social Engineering" Demystified. GW Information Security Blog. Retrieved from https://blogs.gwu.edu/gwinfosec/2019/06/03/social-engineering-demystified/

What is Social Engineering | Attack Techniques & Prevention Methods | Imperva. Retrieved from https://www.imperva.com/learn/application-security/social-engineering-attack/

112

7. APPENDIXES

Datasets are available on request: please contact [email protected]

APPENDIX NO 1: SURVEY QUESTIONNAIRE

Below are the 18 questions encoded into PsyToolkit using C language programming.

l: MyQuestion1
t: radio
q: Do you agree and consent to participate in this survey?
- Yes
- No

l: MyQuestion2
t: textline
q: What is your email address?
- {email} Please enter a valid email address

l: MyQuestion3
t: radio
q: What is your gender?
- Female
- Male
- Other

l: MyQuestion4
t: textline
q: What is your age?
- {min=18,max=34} Enter your age

l: MyQuestion5
t: textline
q: What is your nationality?

l: MyQuestion6
t: textline
q: What country do you reside in?

l: MyQuestion7
t: radio
q: What is your current job status?
- Employed
- Unemployed
- Remote worker
- Manager
- Social Media Influencer
- Entrepreneur
- Volunteer
- Intern
- {other} Other (fill in)

l: MyQuestion8
t: radio
q: What is your current level of education?
- High School
- Bachelor's Degree
- Master's Degree
- Doctoral Degree

l: MyQuestion9
t: textline
q: What is your major?

l: MyQuestion10
t: radio
q: About how many years have you been on Twitter?
- {score=1} Less than 1 year
- {score=2} At least 1 year but less than 3 years
- {score=1} At least 3 years but less than 5 years

l: MyQuestion11
t: radio
q: If you picked from options 1-3, how did you learn about Phishing?
- By experiencing phishing first-hand
- By reading a phishing case online
- By reading up on the concept
- {other} Somewhere else (fill in)

l: MyQuestion12
t: radio
q: Phishing has been defined as a "social engineering attack that uses e-mail, social network webpages, and other media to communicate messages intended to persuade potential victims to perform certain actions (e.g. entering login credentials in a cloned webpage, downloading an attachment embedded with malware or opening an infective hyperlink)". Have you ever considered not clicking a link on Twitter thinking it may be harmful?
- Yes
- No

l: MyQuestion13
t: radio
q: You can spot a malicious/black hat link on Twitter:
- By opening the link
- By hovering over the link
- By giving the details requested, i.e. your card information
- By close reading the text, language/tone or greeting of the sender

l: MyQuestion14
t: radio
q: How would you describe the level of awareness on Phishing on Twitter? That is, how would you describe what Twitter is doing to protect you from Phishing on the platform (Awareness Creation)?
- {score=1} Very sufficient
- {score=2} Sufficient
- {score=3} Hardly sufficient
- {score=3} Non existent

l: MyQuestion15
t: radio
q: On a scale of 0 to 4, where 0 is not proactive and 4 is very proactive, what number would you use to rate the proactiveness of Twitter in protecting you from Phishing attacks?
- 4 Very proactive
- 3 Proactive
- 2 Slightly proactive
- 1 Effective
- 0 Not proactive

l: Subheading
t: radio
q: Questions 16 - 18 are scenarios to help the researcher understand what influences user behaviour on Twitter. In each case, you are to select 'Phishing' or 'Not Phishing'.
- Okay

l: MyQuestion16
t: radio
q: You received a DM from the CEO of Twitter, Jack Dorsey, telling you that he thinks your account has been compromised and that, being the CEO, he feels responsible for every Twitter account holder. At the end of the message is a website URL asking you to reset your password and, better still, check if your account is still safe. [Researcher note: to test for the principles of commitment and authority] Please select one of the options below according to whether you consider this a Phishing scenario or not:
- Phishing
- Not Phishing

l: MyQuestion17
t: radio
q: You got a Twitter mention from an unknown account asking you to quickly click a link (within the tweet) for hot summer deals, as a lot of popular influencers and celebrities are taking advantage of those deals already. At the end of the message is 'Hurry now! Don't be left out of the loop! Sales are about to end'. [Researcher note: to test for social proof/conformity and scarcity]
- Phishing
- Not Phishing

l: MyQuestion18
t: radio
q: Congratulations! You have won a car and an all-expense-paid trip to the Bahamas. Click this link to redeem these grand prizes if you are pleased to read this news. [Researcher note: to test for reciprocity and liking]
- Phishing
- Not Phishing

Big 5 Model using Likert Scale

scale: agree
- Disagree strongly
- Disagree moderately
- Disagree a little
- Neither agree nor disagree
- Agree a little
- Agree moderately
- Agree strongly

l: tipi
t: scale agree
o: width 20%
q: Now you see a number of statements about how you see yourself. For each statement, you need to select one of seven options. Select the option that fits best. I see myself as ...
- Extroverted, enthusiastic
- {reverse} Critical, quarrelsome
- Dependable, self-disciplined
- {reverse} Anxious, easily upset
- Open to new experiences, complex
- {reverse} Reserved, quiet
- Sympathetic, warm
- {reverse} Disorganized, careless
- Calm, emotionally stable
- {reverse} Conventional, uncreative

l: extraversion
t: set
- mean $tipi.1 $tipi.6

l: agreeableness
t: set
- mean $tipi.2 $tipi.7

l: conscientiousness
t: set
- mean $tipi.3 $tipi.8

l: emotionally_stable
t: set
- mean $tipi.4 $tipi.9

l: openness
t: set
- mean $tipi.5 $tipi.10

l: feedback
t: info
q: Your BIG5 dimensions are as follows (on a 1-7 scale):

  • Extraversion: {$extraversion}
  • Agreeableness: {$agreeableness}
  • Conscientiousness: {$conscientiousness}
  • Emotional stability: {$emotionally_stable}
  • Openness to experience: {$openness}

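The five 't: set' blocks of the questionnaire compute each Big Five dimension as the mean of two TIPI items, one of which is flagged {reverse}. The Python script below is an added example, not code from the thesis or from PsyToolkit: it parses the same 'scale:' / 'l:' / 't:' / '-' line format used above and reproduces the scoring outside the PsyToolkit server, so that the dimensions reported on the feedback page can be recomputed from raw answers during data cleaning. It rests on one assumption of mine, not stated on the page: PsyToolkit records a {reverse} answer on an n-point scale as n + 1 minus the chosen option. The answers fed in are constructed, and all function names are my own.

```python
"""Added example: re-implement the TIPI scoring of the Appendix 1 script.
Assumption: {reverse} on an n-point scale records n + 1 - answer; 't: set' averages refs."""
import re

# Constructed excerpt of the Appendix 1 script (same line format as PsyToolkit).
SCRIPT = """\
scale: agree
- Disagree strongly
- Disagree moderately
- Disagree a little
- Neither agree nor disagree
- Agree a little
- Agree moderately
- Agree strongly
l: tipi
t: scale agree
q: I see myself as ...
- Extroverted, enthusiastic
- {reverse} Critical, quarrelsome
- Dependable, self-disciplined
- {reverse} Anxious, easily upset
- Open to new experiences, complex
- {reverse} Reserved, quiet
- Sympathetic, warm
- {reverse} Disorganized, careless
- Calm, emotionally stable
- {reverse} Conventional, uncreative
"""
# The five 't: set' blocks of the script, generated here to keep the listing short.
SETS = {"extraversion": (1, 6), "agreeableness": (2, 7), "conscientiousness": (3, 8),
        "emotionally_stable": (4, 9), "openness": (5, 10)}
SCRIPT += "".join(f"l: {k}\nt: set\n- mean $tipi.{i} $tipi.{j}\n" for k, (i, j) in SETS.items())

OPTION_RE = re.compile(r"^(?:\{([^}]*)\}\s*)?(.*)$")  # "{flag,flag} option text"
REF_RE = re.compile(r"^\$(\w+)\.(\d+)$")              # "$tipi.6"

def parse_script(text):
    """Return (scales, blocks): scale name -> options, 'l:' label -> block dict."""
    scales, blocks, block, options = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):                     # option line of the open block
            if options is None:
                raise ValueError(f"option outside any block: {line!r}")
            m = OPTION_RE.match(line[2:].strip())
            flags = {f.strip() for f in m.group(1).split(",")} if m.group(1) else set()
            options.append((flags, m.group(2).strip()))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "scale":
            options = scales.setdefault(value, [])
        elif key == "l":
            block = {"options": []}
            blocks[value] = block
            options = block["options"]
        elif block is not None:                       # t:, q:, o: of the open block
            block[key] = value
    return scales, blocks

def recorded_values(scales, blocks, responses):
    """(label, index) -> value as PsyToolkit records it, after applying {reverse}."""
    values = {}
    for label, block in blocks.items():
        kind = block.get("t", "")
        if not kind.startswith("scale "):
            continue
        n = len(scales[kind.split(None, 1)[1]])
        answers = responses[label]
        if len(answers) != len(block["options"]):
            raise ValueError(f"{label}: expected {len(block['options'])} answers")
        for idx, ((flags, _), v) in enumerate(zip(block["options"], answers), 1):
            if not 1 <= v <= n:
                raise ValueError(f"{label}.{idx}: answer {v} outside 1..{n}")
            values[(label, idx)] = n + 1 - v if "reverse" in flags else v
    return values

def compute_sets(blocks, values):
    """Evaluate every 't: set' block ('mean' is the only operation the script uses)."""
    results = {}
    for label, block in blocks.items():
        if block.get("t") != "set":
            continue
        for _, expr in block["options"]:
            op, *refs = expr.split()
            matches = [REF_RE.match(r) for r in refs]
            if op != "mean" or not all(matches):
                raise ValueError(f"{label}: unsupported expression {expr!r}")
            picked = [values[(m.group(1), int(m.group(2)))] for m in matches]
            results[label] = sum(picked) / len(picked)
    return results

def big_five(responses, script=SCRIPT):
    """Script text plus raw 1..7 answers -> the five dimension scores."""
    scales, blocks = parse_script(script)
    return compute_sets(blocks, recorded_values(scales, blocks, responses))

if __name__ == "__main__":
    # Constructed answers for the ten TIPI items, in script order.
    for name, score in big_five({"tipi": [5, 2, 6, 3, 7, 3, 6, 2, 5, 4]}).items():
        print(f"{name}: {score:.1f}")
```

Because answers outside the 1..7 range and mismatched answer counts raise errors instead of being silently averaged, the same function doubles as a sanity check when cleaning exported survey data.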

APPENDIX NO 2: GENERAL DATA CHARACTERIZATION

While this research is to a large extent based on the content of tweets, highlighting the technical aspects of tweets and users can assist in understanding the functioning of Twitter and the results of this research. The DMI-TCAT software retrieves the following metadata from each tweet:

| Data point | Description |
|---|---|
| text | The actual tweet: the content of the tweet itself, in 280 characters or fewer |
| to_user_id | Numerical ID of the tweet recipient |
| from_user | Screen name of the tweet sender |
| id | Specific Twitter identification number for the associated tweet |
| from_user_id | Specific Twitter identification number for the Twitter user name that sent the tweet |
| iso_language_code | Identified language of the tweet |
| source | Twitter platform used to send the tweet |
| profile_image_url | URL of the tweet sender's profile picture |
| geo_type | Either "point" if geolocation was used with the tweet, or blank if not |
| geo_coordinates_0 | Latitude of the location where the tweet was sent |
| geo_coordinates_1 | Longitude of the location where the tweet was sent |
| created_at | Tweet timestamp in human-readable format |
| time | Tweet timestamp as a numerical Unix timestamp |
| possibly_sensitive | Only present when a tweet contains a link; the flag refers to the linked URL, not to the tweet content itself |
| retweet_count | Number of times this tweet has been retweeted |
| favorite_count | Approximately how many times this tweet has been liked by Twitter users |
| from_user_realname | Twitter user name of the person that sent the tweet |
| from_user_description | Profile description of the person that sent the tweet |
| from_user_url | URL given in the profile description of the person that sent the tweet |
| urls | URL(s) contained in the tweet |
| media_urls | URL of the media embedded in the tweet |
| media_type | Type of media embedded in the tweet (e.g. photo) |

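To show how these fields are used in practice, here is an added Python example, not part of the thesis or of DMI-TCAT. It loads a constructed tab-separated export that uses a subset of the columns above, reports the descriptive counts a researcher would start from (tweets per source and language, time span, linked domains), and queues link-bearing tweets for manual review when Twitter's possibly_sensitive flag is set on the URL or the link uses plain HTTP. The rows, account names and the look-alike domain are invented (the .example domain is reserved and resolves nowhere), and the assumption that several URLs in the urls column are separated by whitespace or commas is mine, not something the page states.

```python
"""Added example: characterize a DMI-TCAT-style export using Appendix 2 columns."""
import csv
import io
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed tab-separated export with a subset of the Appendix 2 columns.
# Accounts, tweets and the look-alike domain are invented; .example is reserved.
EXPORT = (
    "id\ttime\tfrom_user\tsource\tiso_language_code\tpossibly_sensitive"
    "\tretweet_count\turls\ttext\n"
    "1001\t1596240000\talice_example\tTwitter for iPhone\ten\t\t3\t\t"
    "Just joined the #phishing awareness webinar\n"
    "1002\t1596243600\tbob_example\tTwitter Web App\ten\t0\t1\t"
    "https://help.twitter.com/en/glossary\tThe Twitter glossary explains mentions and DMs\n"
    "1003\t1596247200\tsupport_example\tTwitter for Android\ten\t1\t0\t"
    "http://login-twltter.example/verify\t@alice_example your account was flagged, verify here now\n"
    "1004\t1596250800\tcarol_example\tTwitter Web App\ten\t0\t12\t"
    "https://datareportal.com/reports/digital-2020-july-global-statshot\t"
    "The July 2020 global social media stats are out\n"
)

def load_export(text):
    """One dict per tweet; DMI-TCAT writes one row per tweet under these headers."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def tweet_urls(row):
    """Assumption: several URLs in 'urls' are separated by whitespace or commas."""
    return row["urls"].replace(",", " ").split()

def tweet_time(row):
    """'time' is the Unix-timestamp twin of 'created_at'; interpret it as UTC."""
    return datetime.fromtimestamp(int(row["time"]), tz=timezone.utc)

def summarize(rows):
    """Counts a researcher would report before reading any tweet content."""
    with_links = [r for r in rows if tweet_urls(r)]
    times = sorted(tweet_time(r) for r in rows)
    return {
        "tweets": len(rows),
        "with_links": len(with_links),
        "sources": Counter(r["source"] for r in rows),
        "languages": Counter(r["iso_language_code"] for r in rows),
        "domains": Counter(urlsplit(u).hostname for r in with_links for u in tweet_urls(r)),
        "first": times[0].isoformat(),
        "last": times[-1].isoformat(),
    }

def review_reasons(row):
    """Why a link-bearing tweet deserves a manual look (empty list means none)."""
    urls = tweet_urls(row)
    reasons = []
    if urls and row["possibly_sensitive"].lower() in ("1", "true"):
        reasons.append("possibly_sensitive")     # Twitter's flag on the URL, not the text
    if any(urlsplit(u).scheme == "http" for u in urls):
        reasons.append("plain_http")             # a login prompt over plain HTTP is a red flag
    return reasons

def review_queue(rows):
    """Tweet id -> sender, linked hosts and reasons, for the tweets worth reviewing."""
    queue = {}
    for row in rows:
        reasons = review_reasons(row)
        if reasons:
            queue[row["id"]] = {
                "from_user": row["from_user"],
                "domains": [urlsplit(u).hostname for u in tweet_urls(row)],
                "reasons": reasons,
            }
    return queue

if __name__ == "__main__":
    rows = load_export(EXPORT)
    for key, value in summarize(rows).items():
        print(f"{key}: {value}")
    for tweet_id, info in review_queue(rows).items():
        print(f"review {tweet_id}: {info}")
```

The review queue only ranks tweets for a human to look at; deciding whether a link is actually phishing still means close reading the tweet text, the sender profile and the linked page, exactly the cues the questionnaire in Appendix 1 asks participants about.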

APPENDIX NO 3: TWITTER GLOSSARY

Tweet: A tweet is a status update on Twitter. To post an update, a user must first have created an account. Tweets are limited to 280 characters and can typically contain URLs, images, smileys and hashtags. Depending on the user's preference, any language supported by the device used can be tweeted in. Tweets can be embedded on websites and blogs to promote shareability.

Unique tweet: A unique tweet used to contain a message of up to 140 characters, but today users take advantage of the 280-character limit in several ways to express their opinions.

Retweet (RT): Reposting or sharing another user's tweet is called a retweet. A retweet can be of one's own tweet or of the opinion of others. It is also used to share news updates and break stories.

Replies (@): Replies are a response to a user's tweet or mention. A reply is made by simply tapping on the tweet you would like to respond to.

Mention (@): Adding the @ prefix before a Twitter username in a tweet makes the other account receive a notification called a 'mention'.

Hashtag (#): Hashtags are words preceded by the # symbol. They are a form of labelling and categorisation of information into themes for easy access and reference. This feature makes it possible to cut through digital clusters.

URL: A URL (Uniform Resource Locator) is a unique address that leads users to a specific website.

Media: A feature enabling the upload of pictures (4 per tweet), videos and GIFs (Graphics Interchange Format).

User Profile: A user profile is the unique identifier of a user on Twitter. It consists of the displayed information about the account holder. A profile can be set to either public or private. User profiles can also be created for bots (e.g. for spam purposes).


APPENDIX NO 4: CONSENT FOR PARTICIPATION IN THIS STUDY

Your participation in this research study is voluntary. You may choose not to participate. If you decide to participate in this research survey, you may withdraw at any time before data analysis commences. The procedure involves filling in this online questionnaire, which will take approximately 10 minutes. All data is stored in a password-protected electronic format to help protect your confidentiality. The results of this study will be used for scholarly purposes only and may be shared with the University of Salzburg, Austria and Vrije Universiteit Brussel, Belgium.

Clicking on the "agree" button below indicates that:

• You have read the description of the study, are over the age of 18, agree to the terms enclosed within, confirm that you understand the information given about the above study, and have had the opportunity to consider the information, ask questions and have had these answered satisfactorily.

• Participation in this study is completely voluntary. If for any reason you wish to withdraw before the data analysis stage has started, you are free to do so without providing any reason.

• You understand that your participation in this questionnaire will be part of the data collected for this study and that your anonymity will be ensured.

• You give consent for all your contributions to the questionnaire to be included and/or quoted in this study.

• You understand that the information you provide will be used for a Master's Thesis and that the combined results of the project may be published. You understand that you have the right to review and comment on the information you have provided.

• You agree to take part in the above study.

• You are at least 18 years of age.

If you do not wish to participate in the research study, please decline participation by clicking on the "disagree" button. If you have any questions, or would like a copy of this consent letter, please contact me at ---. Thank you in advance for your participation! [Oyinkansola Awolo]
