UT researcher attacks colleagues

In the field of online security, time and again human beings are the weakest link. PhD candidate Jan-Willem Bullee conducted several 'social attacks' at the University of Twente and examined the effectiveness of the countermeasures. He obtained a number of remarkable results: a personalized phishing e-mail is 50% more effective. Forty percent of employees installed potentially malicious software following a fake phone call. And education works, provided that not too much time passes between providing the information and the attack itself.

In social engineering, perpetrators use manipulation and psychological tricks in order to get the victim to cooperate in the attack. Well-known examples of this are phishing e-mails and telephone fraud. In his PhD research, cybercrime expert Jan Willem Bullee carried out three ‘social attacks’ on hundreds of subjects to investigate how effective the attacks would be and, more importantly, how to minimize the number of victims.

Three attacks

Bullee sent a phishing e-mail to almost 600 employees at the University of Twente requesting personal details. Half the e-mails were addressed generically, and the other half were addressed to the recipient by name. 19.3 percent of the colleagues who received a generic e-mail responded to the attacker, compared with 28.9 percent of those who received a personalized email. In short, adding the recipient's name makes an attack 50% more likely to succeed.

In addition, Bullee conducted an experiment in which he tricked almost 200 employees into handing over their office key to a complete stranger. No fewer than 59 percent of the subjects agreed to do this. ‘We were often given a whole set of keys, including the keys to their home and car,’ says Bullee.

In the third experiment, he approached 162 employees by telephone and asked them to download malicious software (although in practice the software was harmless). Forty percent of the employees approached installed the software.

Unexpected results

What was striking was that people are often convinced that these things will never happen to them. Before the experiments took place, all the interviewed employees indicated that they would never install software and 97 percent said that they would never hand over their key to a stranger.

The three studies also showed that men, women, older people and younger people all responded in a similar way. One factor that appeared to make a difference with phishing e-mails was how long the recipient has been employed. Staff members who had been employed for less than four years were more likely to become victims.


The most important question is, of course, how best to prevent this kind of fraud. Bullee’s research reveals that information and education are effective, up to a point. The subjects were divided into groups before the study began. The group that had received information about how to spot fraud scored much better, both on giving away keys (37 versus 59 percent) and installing software (17 versus 40 percent percent). However, if too much time elapses between when the information is provided and the attack itself, this learning effect decreases. According to Bullee, it is therefore vital to continue repeating the message in order to keep people alert.

PhD defence

Jan-Willem recently defended his dissertation, entitled Experimental Social Engineering, at the University of Twente. His thesis supervisors were Professor Pieter Hartel and Professor Marianne Junger.

Joost Bruysters
Press relations (available Mon-Thu)