Report: Psychology-Based Awareness Approach to Address Vishing and Smishing Scam
Introduction:
Social engineering continues to be a common attack type used as a foundation for many
scams. Although there are technological elements to the attacks, many of the attacks rely
on exploiting a human. People continue to unwittingly fall for these attacks, which
consequently have a negative impact upon victims and the wider society. One such attack
that could be avoided in the future relates to Vishing and Smishing. As a Security
Consultant working with an IT (Information Technology) Communications company, the
aim of this report is to investigate the Vishing and Smishing scam to identify elements of
the attack and the consequential impacts. The report is also intended to devise a
psychology-based awareness approach using psychological theory that could be applied
towards reducing risks of this attack type by promoting and raising awareness towards this
attack type.
Anatomy of the Attack:
Vishing and Smishing are two techniques of social engineering attacks that exploit human
vulnerabilities to steal sensitive information. Vishing is a phone-based attack that
impersonates a trusted entity, whereas Smishing is a text message-based attack that
impersonates a bank or other financial institution. The attacker aims to trick the victim into
providing sensitive information, such as bank account details or login credentials, by
posing as a trustworthy entity.
In the scenario presented, the attacker first sends the victim a text message that appears
to come from their bank. The message informs the victim that there is a problem with their account and
provides a phone number to call. When the victim calls the number, the attacker
impersonates a bank employee and convinces the victim to provide sensitive information.
The attacker then uses this information to carry out fraudulent transactions.
The attack can be analyzed using the Cyber Kill Chain framework. The attacker’s goals in
the scenario are to gain access to the victim’s sensitive information and carry out
fraudulent transactions. The attacker’s motivation is financial gain. The attacker’s skill
level seems high, as they can convincingly impersonate a bank employee.
The psychological tactics used in the attack include authority, urgency, and scarcity. The
attacker impersonates a bank employee to establish authority and creates a sense of
urgency by informing the victim that there is a problem with their account. The attacker
also creates a sense of scarcity by implying that the victim’s account will be closed if they
do not provide the requested information.
Impact Analysis:
The impact of the Vishing and Smishing attack can be significant for both individuals and
organizations. The victim may suffer pecuniary loss or have their sensitive information
compromised. The organization may suffer reputational damage or legal consequences.
The wider society may also be impacted by these types of attacks, as they can contribute
to a lack of trust in financial institutions and the internet.
Recommended Approach and Conclusion:
To reduce the risk of Vishing and Smishing attacks, a psychology-based awareness
approach could be used, incorporating elements of the Fogg Behavior Model, the Cialdini
Principles of Influence, and the MINDSPACE Model.
1. Fogg Behavior Model: The Fogg Behavior Model can be used to create a behavior
change strategy to reduce the risk of falling for Vishing and Smishing scams. To
increase motivation, individuals should be educated on the potential negative
impacts of falling for these scams, such as pecuniary loss and compromised
personal information. To improve ability, individuals should be provided with
practical advice on how to identify and avoid these scams, such as checking the
legitimacy of the request and never sharing sensitive information over the phone or
text message. Finally, to create triggers, organizations could use messaging that
reminds individuals to be vigilant when it comes to requests for sensitive
information, such as using pop-up notifications on mobile banking apps or sending
periodic emails reminding customers to protect their personal information.
2. Cialdini Principles of Influence: The Cialdini Principles of Influence can be used to
create persuasive messages that are more likely to be heeded by individuals. The
principles include authority, social proof, liking, scarcity, commitment, and
consistency. In the context of Vishing and Smishing, messages could be framed
around authority by emphasizing the importance of verifying the identity of anyone
requesting sensitive information, such as asking for a callback number or extension
to verify the caller’s legitimacy. Social proof could be used by highlighting the
prevalence of these scams and the number of individuals who have been impacted,
such as including statistics in educational materials or social media posts. Liking
could be used by using positive language and emphasizing the importance of
protecting one’s financial security, such as reminding individuals that their personal
information is valuable and worth protecting. Scarcity could be used to create
urgency, reminding individuals of the potential consequences of falling for these
scams, such as implying that the account will be closed if the requested information
is not provided. Commitment and consistency could be used to encourage
individuals to adopt safe online practices, such as reminding individuals to never
share sensitive information over the phone or text message and encouraging them
to report suspicious activity.
3. MINDSPACE Model: The MINDSPACE Model can be used to create messaging that
influences an individual’s decision-making. The model includes nine elements:
Messenger, Incentives, Norms, Defaults, Salience, Priming, Affect, Commitment,
and Ego. For Vishing and Smishing, messaging should be focused on the
messenger, emphasizing the importance of verifying the identity of anyone
requesting sensitive information. Incentives could be used to encourage individuals
to report any suspicious activity, such as offering a reward for reporting attempted
scams. Norms could be used to reinforce the importance of safe online practices,
such as highlighting examples of individuals who have avoided falling for these
scams. Defaults could be set to limit the amount of personal information that is
shared, such as encouraging individuals to opt out of sharing personal information
by default. Salience could be used to create attention-grabbing messaging that
reminds individuals of the potential negative consequences, such as using bold text
or images to emphasize the importance of protecting personal information. Priming
could be used to encourage individuals to think critically about requests for
sensitive information, such as including educational materials or prompts that
encourage individuals to verify the legitimacy of the request. Affect could be used to
create emotional messaging that emphasizes the potential harm caused by falling
for these scams, such as highlighting the emotional distress that victims often
experience. Commitment could be used to encourage individuals to commit to safe
online practices, such as reminding individuals to never share sensitive information
over the phone or text message. Finally, Ego could be used to encourage individuals
to feel proud of their ability to identify and avoid these scams, such as rewarding
individuals who report attempted scams or officially recognizing individuals who
have avoided falling for these scams.
4. Cognitive Theory: Cognitive theories suggest that behavior change can be
facilitated by altering cognitive processes such as attention, memory, and decision-making. Therefore, the Fogg Behavior Model (FBM) can be used as a framework to
develop an effective awareness approach for Vishing and Smishing scams. The FBM
suggests that behavior change occurs when three elements converge: motivation,
ability, and trigger.
In terms of motivation, it is important to raise awareness about the risks and consequences
of falling victim to Vishing and Smishing attacks. This can be achieved by using persuasive
communication techniques that appeal to emotions and highlight the personal relevance of
the threat. For example, messages can emphasize the financial losses or reputational damage
that can result from falling for these scams.
Regarding ability, individuals must be provided with the necessary knowledge and skills to
identify and avoid Vishing and Smishing attacks. This can be achieved through educational
materials such as training sessions, videos, or interactive simulations that provide practical
guidance on how to recognize and respond to these scams.
Finally, the trigger element refers to the prompt or cue that initiates a behavior change. To
create an effective trigger, it is important to make the awareness approach salient and
memorable. This can be achieved by leveraging the principles of the MINDSPACE model,
which identifies nine factors that influence behavior: Messenger, Incentives, Norms,
Defaults, Salience, Priming, Affect, Commitment, and Ego.
For instance, the Messenger factor involves selecting a credible and trustworthy source to
deliver the awareness message, such as a respected industry expert or a law enforcement
agency. Incentives could be offered to encourage individuals to engage with the awareness
approach, such as a discount or reward for completing the training program. Norms could
be leveraged by emphasizing the social norm of responsible online behavior and portraying
it as a positive attribute. Defaults could be set up to ensure that individuals are
automatically enrolled in the awareness program, making it easier for them to participate.
Furthermore, the principles of the Cialdini Influence Model can be applied to the
awareness approach. The model outlines six principles of persuasion: Reciprocity,
Scarcity, Authority, Consistency, Liking, and Consensus. These principles can be used to
shape awareness messages persuasively and effectively. For example, a message can apply the
principle of Scarcity by highlighting the limited availability of the training program, or
the principle of Authority by using a well-known expert to deliver the message.
In conclusion, the effective prevention of Vishing and Smishing scams requires a
comprehensive awareness approach that leverages psychological theories and
frameworks. By using the Fogg Behavior Model, the MINDSPACE model, and the Cialdini
Influence Model, individuals can be motivated, provided with the necessary abilities, and
prompted to avoid falling victim to these attacks.