Daniel Timko,Daniel Hernandez Castillo,Muhammad Lutfor Rahman

2024-05-30

Abstract:With the booming popularity of smartphones, threats related to these devices are increasingly on the rise. Smishing, a combination of SMS (Short Message Service) and phishing has emerged as a treacherous cyber threat used by malicious actors to deceive users, aiming to steal sensitive information, money or install malware on their mobile devices. Despite the increase in smishing attacks in recent years, there are very few studies aimed at understanding the factors that contribute to a user's ability to differentiate real from fake messages. To address this gap in knowledge, we have conducted an online survey on smishing detection with 187 participants. In this study, we presented them with 16 SMS screenshots and evaluated how different factors affect their decision making process in smishing detection. Next, we conducted a post-survey to garner information on the participants' security attitudes, behavior and knowledge. Our results highlighted that attention and security behavioral scores had a significant impact on participants' accuracy in identifying smishing messages. We found that participants had more difficulty identifying real messages from fake ones, with an accuracy of 67.1% with fake messages and 43.6% with real messages. Our study is crucial in developing proactive strategies to encounter and mitigate smishing attacks. By understanding what factors influence smishing detection, we aim to bolster users' resilience against such threats and create a safer digital environment for all.

Cryptography and Security,Human-Computer Interaction

Jae Woo Seo,Jong Sung Lee,Hyunwoo Kim,Joonghwan Lee,Seongwon Han,Jungil Cho,Choong-Hoon Lee

DOI: https://doi.org/10.1109/access.2024.3349577

IF: 3.9

2024-01-01

IEEE Access

Abstract:Smishing (SMS phishing) is a cybercrime in which criminals send fraudulent messages, including malicious links, to steal the victims’ private data or cause financial losses. The damage caused by smishing has become more severe, particularly with the proliferation of mobile devices. In smishing, a major difficulty faced by victims is discrimination between normal and smishing messages. To resolve this problem, we present an on-device smishing classifier based on a deep-learning model. In real-world scenarios, access to a substantial, authentic dataset is crucial. We trained and evaluated the classifier using real SMS datasets containing approximately 250,000 smishing messages and 950,000 normal messages obtained from victims in Korea. To ensure privacy, the classifier operates solely on mobile devices without externally transmitting any data. It utilizes a lightweight method that does not require significant computing power on mobile devices. We explored several models to determine a suitable model for mobile devices and optimized it using real datasets. Furthermore, our statistical analysis of actual smishing messages revealed that 98% of smishing messages are variants of previously sent messages. To address the prevalence of variant smishing messages, we propose a text evasion attack tool called EVA that is capable of generating pseudo-variant messages from a given message using an adversarial attack approach. We used this tool to evaluate and enhance the robustness of our classifier against various messages. Our classifier exhibited exceptional classification accuracy (0.99) while being lightweight (at 127 kB) and robust against variant smishing messages (attack success rate of 0.41).

computer science, information systems,telecommunications,engineering, electrical & electronic

Alejandra Diaz,Alan T. Sherman,Anupam Joshi

DOI: https://doi.org/10.48550/arXiv.1811.06078

2018-11-15

Abstract:We present an observational study on the relationship between demographic factors and phishing susceptibility at the University of Maryland, Baltimore County (UMBC). In spring 2018, we delivered phishing attacks to 450 randomly-selected students on three different days (1,350 students total) to examine user click rates and demographics among UMBC's undergraduates. Participants were initially unaware of the study. Experiment 1 claimed to bill students; Experiment 2 enticed users with monetary rewards; and Experiment 3 threatened users with account cancellation. We found correlations resulting in lowered susceptibility based on college affiliation, academic year progression, cyber training, involvement in cyber clubs or cyber scholarship programs, time spent on the computer, and age demographics. We found no significant correlation between gender and susceptibility. Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness. Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing. Approximately 59% of subjects who opened the phishing email clicked on its phishing link, and approximately 70% of those subjects who additionally answered a demographic survey clicked.

Cryptography and Security

Daniel Timko,Muhammad Lutfor Rahman

DOI: https://doi.org/10.1145/3558482.3590173

2024-04-29

Abstract:Smishing, also known as SMS phishing, is a type of fraudulent communication in which an attacker disguises SMS communications to deceive a target into providing their sensitive data. Smishing attacks use a variety of tactics; however, they have a similar goal of stealing money or personally identifying information (PII) from a victim. In response to these attacks, a wide variety of anti-smishing tools have been developed to block or filter these communications. Despite this, the number of phishing attacks continue to rise. In this paper, we developed a test bed for measuring the effectiveness of popular anti-smishing tools against fresh smishing attacks. To collect fresh smishing data, we introduce

Cryptography and Security

Cori Faklaris

2024-01-26

Abstract:This paper describes three principal challenges in smishing mitigation - limitations of device affordances, complexity of infrastructure, and cognitive and contextual factors of mobile device use. We give a high-level overview of ideas that can mitigate smishing and work around these challenges.

Cryptography and Security,Computers and Society,Human-Computer Interaction

F. Ley Sylvester

DOI: https://doi.org/10.5121/ijcsit.2022.14101

2022-03-03

Abstract:The mobile device is one of the fasted growing technologies that is widely used in a diversifying sector. Mobile devices are used for everyday life, such as personal information exchange - chatting, email, shopping, and mobile banking, contributing to information security threats. Users' behavior can influence information security threats. More research is needed to understand users' threat avoidance behavior and motivation. Using Technology threat avoidance theory (TTAT), this study assessed factors that influenced mobile device users' threat avoidance motivations and behaviors as it relates to phishing attacks. From the data collected from 137 mobile device users using a questionnaire, the findings indicate that (1) mobile device users' perceived susceptibility and severity of phishing attacks have a significant correlation with a users' perception of the threat; (2) mobile device users' motivation to avoid a threat is correlated to a users' behavior in avoiding threat; and (3) a mobile device user's susceptibility to phishing attacks can be reduced by their perception of the threat. These findings reveal that a user's perception of threat increases if they perceive that the consequence of such threat to their mobile devices will be severe, thereby increasing a user's motivation and behavior to avoid phishing attack threats. This study is beneficial to mobile device users in personal and organizational settings.

Cryptography and Security

Jerson Francia,Derek Hansen,Ben Schooley,Matthew Taylor,Shydra Murray,Greg Snow

2024-06-19

Abstract:This paper explores the rising concern of utilizing Large Language Models (LLMs) in spear phishing message generation, and their performance compared to human-authored counterparts. Our pilot study compares the effectiveness of smishing (SMS phishing) messages created by GPT-4 and human authors, which have been personalized to willing targets. The targets assessed the messages in a modified ranked-order experiment using a novel methodology we call TRAPD (Threshold Ranking Approach for Personalized Deception). Specifically, targets provide personal information (job title and location, hobby, item purchased online), spear smishing messages are created using this information by humans and GPT-4, targets are invited back to rank-order 12 messages from most to least convincing (and identify which they would click on), and then asked questions about why they ranked messages the way they did. They also guess which messages are created by an LLM and their reasoning. Results from 25 targets show that LLM-generated messages are most often perceived as more convincing than those authored by humans, with messages related to jobs being the most convincing. We characterize different criteria used when assessing the authenticity of messages including word choice, style, and personal relevance. Results also show that targets were unable to identify whether the messages was AI-generated or human-authored and struggled to identify criteria to use in order to make this distinction. This study aims to highlight the urgent need for further research and improved countermeasures against personalized AI-enabled social engineering attacks.

Computers and Society,Artificial Intelligence

Daniel Timko,Muhammad Lutfor Rahman

DOI: https://doi.org/10.1145/3626232.3653282

2024-04-29

Abstract:While smishing (SMS Phishing) attacks have risen to become one of the most common types of social engineering attacks, there is a lack of relevant smishing datasets. One of the biggest challenges in the domain of smishing prevention is the availability of fresh smishing datasets. Additionally, as time persists, smishing campaigns are shut down and the crucial information related to the attack are lost. With the changing nature of smishing attacks, a consistent flow of new smishing examples is needed by both researchers and engineers to create effective defenses. In this paper, we present the community-sourced smishing datasets from the

Cryptography and Security

Alexander Prokhorov,Karen Sue Calabro,Ashish Arya,Sophia Russell,Katarzyna W. Czerniak,Gabrielle C. Botello,Minxing Chen,Ying Yuan,Adriana Perez,Damon J. Vidrine,Cheryl L. Perry,Georges Elias Khalil

DOI: https://doi.org/10.2196/25618

2021-01-01

JMIR mhealth and uhealth

Abstract:Background: The use of new and emerging tobacco products (NETPs) and conventional tobacco products (CTPs) has been linked to several alarming medical conditions among young adults (YAs). Considering that 96% of YAs own mobile phones, SMS text messaging may be an effective strategy for tobacco risk communication. Objective: Project Debunk is a community-based randomized trial aiming to identify specific types of messages that effectively improve perceived NETP and CTP risk among YAs in community colleges. Methods: With YAs recruited offline from 3 campuses at the Houston Community College (September 2016 to July 2017), we conducted a 6-month randomized trial with 8 arms based on the combination of 3 message categories: framing (gain-framed vs loss-framed), depth (simple vs complex), and appeal (emotional vs rational). Participants received fully automated web-based SMS text messages in two 30-day campaigns (2 messages per day). We conducted repeated-measures mixed-effect models stratified by message type received, predicting perceived CTP and NETP risks. Owing to multiple testing with 7 models, an association was deemed significant for P<.007 (.05 divided by 7). Results: A total of 636 participants completed the baseline survey, were randomized to 1 of 8 conditions (between 73 and 86 participants per condition), and received messages from both campaigns. By the 2-month post campaign 2 assessment point, 70.1% (446/636) completed all outcome measures. By the end of both campaigns, participants had a significant increase in perceived NETP risk over time (P<.001); however, participants had a marginal increase in perceived CTP risk (P=.008). Separately for each group, there was a significant increase in perceived NETP risk among participants who received rational messages (P=.005), those who received emotional messages (P=.006), those who received simple messages (P=.003), and those who received gain-framed messages (P=.003). Conclusions: In this trial, YAs had an increase in perceived NETP risk. However, with stratification, we observed a significant increase in perceived NETP risk upon exposure to rational, emotional, simple, and gain-framed messages. In addition, YAs generally had an increase in perceived CTP risk and presented nonsignificant but observable improvement upon exposure to emotional, complex, and loss-framed messages. With the results of this study, researchers and practitioners implementing mobile health programs may take advantage of our tailored messages through larger technology-based programs such as smartphone apps and social media campaigns. Trial Registration: ClinicalTrials.gov NCT03457480; https://clinicaltrials.gov/ct2/show/NCT03457480 International Registered Report Identifier (IRRID): RR2-10.2196/10977

Mingxuan Liu,Yiming Zhang,Baojun Liu,Zhou Li,Haixin Duan,Donghong Sun

DOI: https://doi.org/10.1145/3485832.3488012

2021-01-01

Abstract:Although spearphishing is a well-known security issue and has been widely researched, it is still an evolving threat with emerging forms. In recent years, Short Message Service (SMS) has been revealed as a new distribution channel for spearphishing messages, which already has caused a serious impact in the real world, but has not yet attracted enough attention from the academic community. In this paper, we report the first systemic study to spotlight this emerging threat, SMS spearphishing attack. Through cooperating with a leading security vendor, we obtain 31.96M real-world spam messages that span three months. We design and implement a novel NLP-based detection algorithm, and uncover 90,801 spearphishing messages on the entire dataset. And then, a large-scale measurement was performed on the detected messages to reveal and understand the characteristics of SMS spearphishing attack. Our findings are multi-fold. We discover that SMS spearphishing has a significant negative impact on the real-world, and a large number of victims have been affected. And the distribution of active illicit types between spearphishing message and common spam is quite inconsistent. At the micro-level, to evade detection and increase the probability of success, adversary campaigns have evolved a set of sophisticated strategies. Our research highlights the impact of SMS spearphishing attack is prominent. We call on different communities to work together to mitigate this emerging security threat.

Muhammad Salman,Muhammad Ikram,Mohamed Ali Kaafar

DOI: https://doi.org/10.48550/arXiv.2210.10451

2022-10-19

Abstract:The short message service (SMS) was introduced a generation ago to the mobile phone users. They make up the world's oldest large-scale network, with billions of users and therefore attracts a lot of fraud. Due to the convergence of mobile network with internet, SMS based scams can potentially compromise the security of internet services as well. In this study, we present a new SMS scam dataset consisting of 153,551 SMSes. This dataset that we will release publicly for research purposes represents the largest publicly-available SMS scam dataset. We evaluate and compare the performance achieved by several established machine learning methods on the new dataset, ranging from shallow machine learning approaches to deep neural networks to syntactic and semantic feature models. We then study the existing models from an adversarial viewpoint by assessing its robustness against different level of adversarial manipulation. This perspective consolidates the current state of the art in SMS Spam filtering, highlights the limitations and the opportunities to improve the existing approaches.

Cryptography and Security

Ploy Unchit,Sanchari Das,Andrew Kim,L. Jean Camp

DOI: https://doi.org/10.48550/arXiv.2006.16380

2020-07-08

Abstract:Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on students. In contrast, here, we report on an evaluation of a high school community. We engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research utilizing signal detection theory (SDT). Through scenario-based analysis, participants tasked with distinguishing phishing emails from authentic emails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background. These findings are critical for evaluating the decision-making of underrepresented populations and protecting people from potential spear phishing attacks by examining human susceptibility.

Cryptography and Security,Computers and Society

Belal Amro

DOI: https://doi.org/10.4236/jcc.2018.62003

2018-02-13

Abstract:The rapid evolution in mobile devices and communication technology has increased the number of mobile device users dramatically. The mobile device has replaced many other devices and is used to perform many tasks ranging from establishing a phone call to performing critical and sensitive tasks like money payments. Since the mobile device is accompanying a person most of his time, it is highly probably that it includes personal and sensitive data for that person. The increased use of mobile devices in daily life made mobile systems an excellent target for attacks. One of the most important attacks is phishing attack in which an attacker tries to get the credential of the victim and impersonate him. In this paper, analysis of different types of phishing attacks on mobile devices is provided. Mitigation techniques - anti-phishing techniques - are also analyzed. Assessment of each technique and a summary of its advantages and disadvantages is provided. At the end, important steps to guard against phishing attacks are provided. The aim of the work is to put phishing attacks on mobile systems in light, and to make people aware of these attacks and how to avoid them

Cryptography and Security

Ran Wei,Xun (Sunny) Liu,Xinchuan Liu

DOI: https://doi.org/10.1016/j.tele.2019.04.002

IF: 9.14

2019-01-01

Telematics and Informatics

Abstract:Informed by the growing third-person effect research of social and online media, the present study examines the perceived negative impact of increasing mobile Internet fraud on user's social ties and their likely response to cope with the rising fraud. A probability sample of 816 respondents in China was used in collecting data regarding the beliefs of their own and other's vulnerability to fraud online. Key findings show that their negative perceptions of mobile Internet fraud vary significantly by the strength of their social relationships and network homogeneity the closer the ties, the greater perceived vulnerability to mobile Internet fraud; the more homogenous their social networks, the more pronounced the pattern. In addition, awareness of the fraud was found to enhance the self-other perceptual gap. Finally, the perceived negative impact of the fraud on self leads to protective actions in terms of verifying suspicious messages. On the other hand, the negatively perceived impact on weak ties is related to staying alert and reducing the use of mobile Internet, suggesting that respondents viewed fraud victims in their social network as warnings.

Tian Lin,Daniel E. Capecci,Donovan M. Ellis,Harold A. Rocha,Sandeep Dommaraju,Daniela S. Oliveira,Natalie C. Ebner

DOI: https://doi.org/10.1145/3336141

2019-10-31

Abstract:Phishing is fundamental to cyber attacks. This research determined the effect of Internet user age and email content such as weapons of influence (persuasive techniques that attackers can use to lure individuals to fall for an attack) and life domains (a specific topic or aspect of an individual's life that attackers can focus an email on) on spear-phishing (targeted phishing) susceptibility. In total, 100 young and 58 older users received, without their knowledge, daily simulated phishing emails over 21 days. A browser plugin recorded their clicking on links in the emails as an indicator of their susceptibility. Forty-three percent of users fell for the simulated phishing emails, with older women showing the highest susceptibility. While susceptibility in young users declined across the study, susceptibility in older users remained stable. The relative effectiveness of the attacks differed by weapons of influence and life domains with age-group variability. In addition, older compared to young users reported lower susceptibility awareness. These findings support effects of Internet user demographics and email content on susceptibility to phishing and emphasize the need for personalization of the next generation of security solutions.

computer science, information systems, cybernetics

Claudio Marforio,Ramya Jayaram Masti,Claudio Soriente,Kari Kostiainen,Srdjan Capkun

DOI: https://doi.org/10.48550/arXiv.1502.06824

2015-02-24

Cryptography and Security

Abstract:Phishing in mobile applications is a relevant threat with successful attacks reported in the wild. In such attacks, malicious mobile applications masquerade as legitimate ones to steal user credentials. In this paper we categorize application phishing attacks in mobile platforms and possible countermeasures. We show that personalized security indicators can help users to detect phishing attacks and have very little deployment cost. Personalized security indicators, however, rely on the user alertness to detect phishing attacks. Previous work in the context of website phishing has shown that users tend to ignore the absence of security indicators and fall victim of the attacker. Consequently, the research community has deemed personalized security indicators as an ineffective phishing detection mechanism. We evaluate personalized security indicators as a phishing detection solution in the context of mobile applications. We conducted a large-scale user study where a significant amount of participants that used personalized security indicators were able to detect phishing. All participants that did not use indicators could not detect the attack and entered their credentials to a phishing application. We found the difference in the attack detection ratio to be statistically significant. Personalized security indicators can, therefore, help phishing detection in mobile applications and their reputation as an anti-phishing mechanism should be reconsidered. We also propose a novel protocol to setup personalized security indicators under a strong adversarial model and provide details on its performance and usability.

Guan-Hua Tu,Yuanjie Li,Chunyi Peng,Chi-Yu Li,Muhammad Taqi Raza,Hsiao-Yun Tseng,Songwu Lu

DOI: https://doi.org/10.48550/arXiv.1510.08531

2015-10-29

Cryptography and Security

Abstract:Mobile Internet is becoming the norm. With more personalized mobile devices in hand, many services choose to offer alternative, usually more convenient, approaches to authenticating and delivering the content between mobile users and service providers. One main option is to use SMS (i.e., short messaging service). Such carrier-grade text service has been widely used to assist versatile mobile services, including social networking, banking, to name a few. Though the text service can be spoofed via certain Internet text service providers which cooperated with carriers, such attacks haven well studied and defended by industry due to the efforts of research community. However, as cellular network technology advances to the latest IP-based 4G LTE, we find that these mobile services are somehow exposed to new threats raised by this change, particularly on 4G LTE Text service (via brand-new distributed Mobile-Initiated Spoofed SMS attack which is not available in legacy 2G/3G systems). The reason is that messaging service over LTE shifts from the circuit-switched (CS) design to the packet-switched (PS) paradigm as 4G LTE supports PS only. Due to this change, 4G LTE Text Service becomes open to access. However, its shields to messaging integrity and user authentication are not in place. As a consequence, such weaknesses can be exploited to launch attacks (e.g., hijack Facebook accounts) against a targeted individual, a large scale of mobile users and even service providers, from mobile devices. Current defenses for Internet-Initiated Spoofed SMS attacks cannot defend the unprecedented attack. Our study shows that 53 of 64 mobile services over 27 industries are vulnerable to at least one threat. We validate these proof-of-concept attacks in one major US carrier which supports more than 100 million users. We finally propose quick fixes and discuss security insights and lessons we have learnt.

Ashfak Md Shibli,Mir Mehedi A. Pritom,Maanak Gupta

2024-02-15

Abstract:SMS phishing, also known as "smishing", is a growing threat that tricks users into disclosing private information or clicking into URLs with malicious content through fraudulent mobile text messages. In recent past, we have also observed a rapid advancement of conversational generative AI chatbot services (e.g., OpenAI's ChatGPT, Google's BARD), which are powered by pre-trained large language models (LLMs). These AI chatbots certainly have a lot of utilities but it is not systematically understood how they can play a role in creating threats and attacks. In this paper, we propose AbuseGPT method to show how the existing generative AI-based chatbot services can be exploited by attackers in real world to create smishing texts and eventually lead to craftier smishing campaigns. To the best of our knowledge, there is no pre-existing work that evidently shows the impacts of these generative text-based models on creating SMS phishing. Thus, we believe this study is the first of its kind to shed light on this emerging cybersecurity threat. We have found strong empirical evidences to show that attackers can exploit ethical standards in the existing generative AI-based chatbot services by crafting prompt injection attacks to create newer smishing campaigns. We also discuss some future research directions and guidelines to protect the abuse of generative AI-based services and safeguard users from smishing attacks.

Cryptography and Security,Artificial Intelligence

Muhammad Salman,Muhammad Ikram,Mohamed Ali Kaafar

DOI: https://doi.org/10.1109/access.2024.3364671

IF: 3.9

2024-02-20

IEEE Access

Abstract:The persistence of SMS spam remains a significant challenge, highlighting the need for research aimed at developing systems capable of effectively handling the evasive strategies used by spammers. Such research efforts are important for safeguarding the general public from the detrimental impact of SMS spam. In this study, we aim to highlight the challenges encountered in the current landscape of SMS spam detection and filtering. To address these challenges, we present a new SMS dataset comprising more than 68K SMS messages with 61% legitimate (ham) SMS and 39% spam messages. Notably, this dataset, we release for further research, represents the largest publicly available SMS spam dataset to date. To characterize the dataset, we perform a longitudinal analysis of spam evolution. We then extract semantic and syntactic features to evaluate and compare the performance of well-known machine learning based SMS spam detection methods, ranging from shallow machine learning approaches to advanced deep neural networks. We investigate the robustness of existing SMS spam detection models and popular anti-spam services against spammers' evasion techniques. Our findings reveal that the majority of shallow machine learning based techniques and anti-spam services exhibit inadequate performance when it comes to accurately classifying SMS spam messages. We observe that all of the machine learning approaches and anti-spam services are susceptible to various evasive strategies employed by spammers. To address the identified limitations, our study advocates for researchers to delve into these areas to advance the field of SMS spam detection and anti-spam services.

computer science, information systems,telecommunications,engineering, electrical & electronic

Devendra Sambhaji Hapase,Lalit Vasantrao Patil,Hapase, Devendra Sambhaji,Patil, Lalit Vasantrao

DOI: https://doi.org/10.1007/s11042-024-19020-2

IF: 2.577

2024-03-29

Multimedia Tools and Applications

Abstract:One of the telecommunications' most popular forms of fraud is the short message service (SMS). Mobile users have a valid fear about SMS spam, which disturbs telecoms network operators since it impacts their clients and costs them money. For that, the existing research utilized an artificial intelligence approach to detect SMS phishing in telecommunication. Since SMS text data is unstructured and contains complicated, nonlinear relationships, this process could be difficult. Therefore, this research developed a Fraud Resilient Framework using Enhanced CNN-based SMS Phishing detection. Telecommunication fraud-related datasets are collected. Firstly, the data are preprocessed and cleaned using stemming, tokenization, and the TF-IDF approach. Moreover, to extract the features, the existing research utilized the information gain technique, which is time-consuming. So to overcome these flaws, this research introduces Assimilated Pearson Correlation Coefficient Principal Component Analysis (PCC-PCA) for feature extraction. This research introduces an enhanced Convolutional Neural Network (Enhanced CNN) in which, overcome the exploding gradients, this research introduces Parameterized ReLU which minimizes architecture complexity, regularizing, and early stopping. Then, the retrieved features are used in Enhanced CNN to categorize the ham and spam in the telecommunication network. As a result, when matched to cutting-edge techniques, this proposed solution offers great accuracy and efficiency.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering