DOI: 10.1145/3445970.3451152
short-paper
Open access

Detecting Telephone-based Social Engineering Attacks using Scam Signatures

Published: 26 April 2021

Abstract

As social engineering attacks have become prevalent, people are increasingly convinced to give their important personal or financial information to attackers. Telephone scams are common and less well-studied than phishing emails. We have found that social engineering attacks can be characterized by a set of speech acts which are performed as part of the scam. A speech act is a statement or utterance expressed by an individual that not only conveys information but also performs an action. Although attackers adjust their delivery and wording on the phone to match the victim, scams can be grouped into classes that all share common speech acts. Each scam type is identified by a set of speech acts that are collectively referred to as a scam signature. We present a social engineering detection approach called the Anti-Social Engineering Tool (ASsET), which detects attacks based on the semantic content of the conversation. Our approach uses word embedding techniques from natural language processing to determine if the meaning of a scam signature is contained in a conversation. To evaluate our approach, a dataset of telephone scams has been gathered, written by volunteers based on examples of real scams from official websites. To the best of our knowledge, this dataset is the first telephone-based scam dataset. Our detection method was able to distinguish scam and non-scam calls with high accuracy.


Information

Published In

IWSPA '21: Proceedings of the 2021 ACM Workshop on Security and Privacy Analytics
April 2021
88 pages
ISBN: 9781450383202
DOI: 10.1145/3445970
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. natural language processing
2. scam call detection
3. social engineering attacks

Qualifiers

• Short-paper

Funding Sources

• National Science Foundation

Conference

CODASPY '21

Acceptance Rates

Overall Acceptance Rate 18 of 58 submissions, 31%

Article Metrics

• Total Citations: 0
• Total Downloads: 1,588
• Downloads (Last 12 months): 550
• Downloads (Last 6 weeks): 80

Reflects downloads up to 18 Nov 2024
