Tian Lin,Daniel E. Capecci,Donovan M. Ellis,Harold A. Rocha,Sandeep Dommaraju,Daniela S. Oliveira,Natalie C. Ebner

DOI: https://doi.org/10.1145/3336141

2019-10-31

Abstract:Phishing is fundamental to cyber attacks. This research determined the effect of Internet user age and email content such as weapons of influence (persuasive techniques that attackers can use to lure individuals to fall for an attack) and life domains (a specific topic or aspect of an individual's life that attackers can focus an email on) on spear-phishing (targeted phishing) susceptibility. In total, 100 young and 58 older users received, without their knowledge, daily simulated phishing emails over 21 days. A browser plugin recorded their clicking on links in the emails as an indicator of their susceptibility. Forty-three percent of users fell for the simulated phishing emails, with older women showing the highest susceptibility. While susceptibility in young users declined across the study, susceptibility in older users remained stable. The relative effectiveness of the attacks differed by weapons of influence and life domains with age-group variability. In addition, older compared to young users reported lower susceptibility awareness. These findings support effects of Internet user demographics and email content on susceptibility to phishing and emphasize the need for personalization of the next generation of security solutions.

computer science, information systems, cybernetics

Marcus Butavicius,Kathryn Parsons,Malcolm Pattinson,Agata McCormac

DOI: https://doi.org/10.48550/arXiv.1606.00887

2016-05-28

Abstract:We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.

Computers and Society,Cryptography and Security

Sijie Zhuo,Robert Biddle,Yun Sing Koh,Danielle Lottridge,Giovanni Russello

DOI: https://doi.org/10.48550/arXiv.2202.07905

2022-02-16

Abstract:Phishing is recognised as a serious threat to organisations and individuals. While there have been significant technical advances in blocking phishing attacks, people remain the last line of defence after phishing emails reach their email client. Most of the existing literature on this subject has focused on the technical aspects related to phishing. However, the factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature and we propose a three-stage Phishing Susceptibility Model (PSM) for explaining how humans are involved in phishing detection and prevention, and we systematically investigate the phishing susceptibility variables studied in the literature and taxonomize them using our model. This model reveals several research gaps that need to be addressed to improve users' detection performance. We also propose a practical impact assessment of the value of studying the phishing susceptibility variables, and quality of evidence criteria. These can serve as guidelines for future research to improve experiment design, result quality, and increase the reliability and generalizability of findings.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Rundong Yang,Kangfeng Zheng,Bin Wu,Di Li,Zhe Wang,Xiujuan Wang

DOI: https://doi.org/10.1155/2022/7058972

IF: 3.12

2022-01-17

Computational Intelligence and Neuroscience

Abstract:While antiphishing techniques have evolved over the years, phishing remains one of the most threatening attacks on current network security. This is because phishing exploits one of the weakest links in a network system—people. The purpose of this research is to predict the possible phishing victims. In this study, we propose the multidimensional phishing susceptibility prediction model (MPSPM) to implement the prediction of user phishing susceptibility. We constructed two types of emails: legitimate emails and phishing emails. We gathered 1105 volunteers to join our experiment by recruiting volunteers. We sent these emails to volunteers and collected their demographic, personality, knowledge experience, security behavior, and cognitive processes by means of a questionnaire. We then applied 7 supervised learning methods to classify these volunteers into two categories using multidimensional features: susceptible and nonsusceptible. The experimental results indicated that some machine learning methods have high accuracy in predicting user phishing susceptibility, with a maximum accuracy rate of 89.04%. We conclude our study with a discussion of our findings and their future implications.

mathematical & computational biology,neurosciences

Dawn M Sarno,Mark B Neider

DOI: https://doi.org/10.1177/0018720821999174

Abstract:Objective: The present studies examine how task factors (e.g., email load, phishing prevalence) influence email performance. Background: Phishing emails are a paramount cybersecurity threat for the modern email user. Research attempting to understand how users are susceptible to phishing attacks has been limited and has not fully explored how task factors (e.g., prevalence, email load) influence accurate detection. Method: In three experiments, participants classified emails as either legitimate or not legitimate and reported on a variety of other categorizations. The first two experiments examined how email load and phishing prevalence influence phishing detection independently. The third experiment examined the interaction of these two factors to determine whether they have compounding effects. All three experiments utilized individual difference variables to examine how cognitive, behavioral, and personality factors may influence classifications. Results: Experiment 1 suggests that high email load can make the task appear more challenging. Experiment 2 indicates that low phishing prevalence can decrease sensitivity for phishing emails. Experiment 3 demonstrates that high levels of email load can decrease classification accuracy under 50/50 prevalence rates. Notably, performance was poor across all experiments, with phishing detection near chance levels and low discriminability for emails. Participants demonstrated poor metacognition with over confidence, low self-reported difficulty, and low perceived threat for the emails. Conclusion: Overall, the present studies suggest that high email load and low phishing prevalence can influence email classifications. Application: Organizations and researchers should consider the influences of both email load and phishing prevalence when implementing phishing interventions.

Yan Ge,Li Lu,Xinyue Cui,Zhe Chen,Weina Qu

DOI: https://doi.org/10.1016/j.apergo.2021.103526

IF: 3.94

2021-11-01

Applied Ergonomics

Abstract:<p>In the phishing email literature, recent researchers have given much attention to individual differences in phishing susceptibility from the perspective of the Big Five personality traits. Although the effectiveness and advantages of the phishing susceptibility measures in the signal detection theory (SDT) framework have been verified, the cognitive mechanisms that lead to individual differences in these measures remain unknown. The current study proposed and examined a theoretical path model to explore how the Big Five personality traits, related knowledge and experience and the cognitive processing of emails (i.e., mail elaboration) influence users' susceptibility to phishing emails. A sample of 414 Chinese participants completed the 44-item Big Five Personality Inventory (BFI-44), Mail Elaboration Scale (MES), Web Experience Questionnaire, Experience with Electronic Mail Scale, Knowledge and Technical Background Test and a demographic questionnaire. The phishing susceptibility measures were calculated after the participants finished an email legitimacy task in a role-playing scenario. The results showed that the general profile of the "victim personality" included low conscientiousness, low openness and high neuroticism, and Internet experience and computer and web knowledge played an important role. All of these factors have significant indirect effects on phishing susceptibility by influencing mail elaboration. Moreover, the probabilities of checking for further information or deleting the email reflect the sensitivity of email judgment. These findings reveal the mediating role of cognitive processing between individual factors and phishing susceptibility. The theoretical implications of this study for the phishing susceptibility literature and its applications to phishing risk interventions or training programs are discussed.</p>

engineering, industrial,ergonomics,psychology, applied

Alejandra Diaz,Alan T. Sherman,Anupam Joshi

DOI: https://doi.org/10.48550/arXiv.1811.06078

2018-11-15

Abstract:We present an observational study on the relationship between demographic factors and phishing susceptibility at the University of Maryland, Baltimore County (UMBC). In spring 2018, we delivered phishing attacks to 450 randomly-selected students on three different days (1,350 students total) to examine user click rates and demographics among UMBC's undergraduates. Participants were initially unaware of the study. Experiment 1 claimed to bill students; Experiment 2 enticed users with monetary rewards; and Experiment 3 threatened users with account cancellation. We found correlations resulting in lowered susceptibility based on college affiliation, academic year progression, cyber training, involvement in cyber clubs or cyber scholarship programs, time spent on the computer, and age demographics. We found no significant correlation between gender and susceptibility. Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness. Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing. Approximately 59% of subjects who opened the phishing email clicked on its phishing link, and approximately 70% of those subjects who additionally answered a demographic survey clicked.

Cryptography and Security

Ziad M Hakim,Natalie C Ebner,Daniela S Oliveira,Sarah J Getz,Bonnie E Levin,Tian Lin,Kaitlin Lloyd,Vicky T Lai,Matthew D Grilli,Robert C Wilson

DOI: https://doi.org/10.3758/s13428-020-01495-0

Abstract:Phishing emails constitute a major problem, linked to fraud and exploitation as well as subsequent negative health outcomes including depression and suicide. Because of their sheer volume, and because phishing emails are designed to deceive, purely technological solutions can only go so far, leaving human judgment as the last line of defense. However, because it is difficult to phish people in the lab, little is known about the cognitive and neural mechanisms underlying phishing susceptibility. There is therefore a critical need to develop an ecologically valid lab-based measure of phishing susceptibility that will allow evaluation of the cognitive mechanisms involved in phishing detection. Here we present such a measure based on a task, the Phishing Email Suspicion Test (PEST), and a cognitive model to quantify behavior. In PEST, participants rate a series of phishing and non-phishing emails according to their level of suspicion. By comparing suspicion scores for each email to its real-world efficacy, we find initial support for the ecological validity of PEST - phishing emails that were more effective in the real world were more effective at deceiving people in the lab. In the proposed computational model, we quantify behavior in terms of participants' overall level of suspicion of emails, their ability to distinguish phishing from non-phishing emails, and the extent to which emails from the recent past bias their current decision. Together, our task and model provide a framework for studying the cognitive neuroscience of phishing detection.

Ploy Unchit,Sanchari Das,Andrew Kim,L. Jean Camp

DOI: https://doi.org/10.48550/arXiv.2006.16380

2020-07-08

Abstract:Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on students. In contrast, here, we report on an evaluation of a high school community. We engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research utilizing signal detection theory (SDT). Through scenario-based analysis, participants tasked with distinguishing phishing emails from authentic emails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background. These findings are critical for evaluating the decision-making of underrepresented populations and protecting people from potential spear phishing attacks by examining human susceptibility.

Cryptography and Security,Computers and Society

Casey Inez Canfield,Baruch Fischhoff

DOI: https://doi.org/10.1111/risa.12917

Abstract:Phishing risk is a growing area of concern for corporations, governments, and individuals. Given the evidence that users vary widely in their vulnerability to phishing attacks, we demonstrate an approach for assessing the benefits and costs of interventions that target the most vulnerable users. Our approach uses Monte Carlo simulation to (1) identify which users were most vulnerable, in signal detection theory terms; (2) assess the proportion of system-level risk attributable to the most vulnerable users; (3) estimate the monetary benefit and cost of behavioral interventions targeting different vulnerability levels; and (4) evaluate the sensitivity of these results to whether the attacks involve random or spear phishing. Using parameter estimates from previous research, we find that the most vulnerable users were less cautious and less able to distinguish between phishing and legitimate emails (positive response bias and low sensitivity, in signal detection theory terms). They also accounted for a large share of phishing risk for both random and spear phishing attacks. Under these conditions, our analysis estimates much greater net benefit for behavioral interventions that target these vulnerable users. Within the range of the model's assumptions, there was generally net benefit even for the least vulnerable users. However, the differences in the return on investment for interventions with users with different degrees of vulnerability indicate the importance of measuring that performance, and letting it guide interventions. This study suggests that interventions to reduce response bias, rather than to increase sensitivity, have greater net benefit.

Yan Chen,Iman YeckehZaare,Ark Fangzhou Zhang

DOI: https://doi.org/10.1371/journal.pone.0198213

IF: 3.7

2018-01-01

PLoS ONE

Abstract:We present a lab-in-the-field experiment to demonstrate how individual behavior in the lab predicts their ability to identify phishing attempts. Using the business and finance staff members from a large public university in the U.S., we find that participants who are intolerant of risk, more curious, and less trusting commit significantly more errors when evaluating interfaces. We also replicate prior results on demographic correlates of phishing vulnerability, including age, gender, and education level. Our results suggest that behavioral characteristics such as intolerance of risk, curiosity, and trust can be used to predict individual ability to identify phishing interfaces.

Matthew Shonman,Xiaoyu Shi,Mingqing Kang,Zuo Wang,Xiangyang Li,Anton Dahbura

DOI: https://doi.org/10.1093/iwc/iwad054

2024-02-10

Interacting with Computers

Abstract:Abstract Numerous studies of human user behaviours in cybersecurity tasks have used traditional research methods, such as self-reported surveys or empirical experiments, to identify relationships between various factors of interest and user security performance. This work takes a different approach, applying computational cognitive modelling to research the decision-making of cybersecurity users. The model described here relies on cognitive memory chunk activation to analytically simulate the decision-making process of a user classifying legitimate and phishing emails. Suspicious-seeming cues in each email are processed by examining similar, past classifications in long-term memory. We manipulate five parameters (Suspicion Threshold, Maximum Cues Processed, Weight of Similarity, Flawed Perception Level, Legitimate-to-Phishing Email Ratio in long-term memory) to examine their effects on accuracy, email processing time and decision confidence. Furthermore, we have conducted an empirical, unattended study of US participants performing the same task. Analyses on the empirical study data and simulation output, especially clustering analysis, show that these two research approaches complement each other for more insightful understanding of this phishing detection task. The analyses also demonstrate several limitations of this computational model that cannot easily capture certain user types and phishing detection strategies, calling for a more dynamic and sophisticated model construction.

computer science, cybernetics,ergonomics

Sijie Zhuo,Robert Biddle,Jared Daniel Recomendable,Giovanni Russello,Danielle Lottridge

DOI: https://doi.org/10.1145/3688459.3688465

2024-09-12

Abstract:Phishing emails typically masquerade themselves as reputable identities to trick people into providing sensitive information and credentials. Despite advancements in cybersecurity, attackers continuously adapt, posing ongoing threats to individuals and organisations. While email users are the last line of defence, they are not always well-prepared to detect phishing emails. This study examines how workload affects susceptibility to phishing, using eye-tracking technology to observe participants' reading patterns and interactions with tailored phishing emails. Incorporating both quantitative and qualitative analysis, we investigate users' attention to two phishing indicators, email sender and hyperlink URLs, and their reasons for assessing the trustworthiness of emails and falling for phishing emails. Our results provide concrete evidence that attention to the email sender can reduce phishing susceptibility. While we found no evidence that attention to the actual URL in the browser influences phishing detection, attention to the text masking links can increase phishing susceptibility. We also highlight how email relevance, familiarity, and visual presentation impact first impressions of email trustworthiness and phishing susceptibility.

Human-Computer Interaction,Cryptography and Security

Daniel Sturman,Elliot A Bell,Jaime C Auton,Georgia R Breakey,Mark W Wiggins

DOI: https://doi.org/10.1016/j.apergo.2024.104309

Abstract:This study investigated the roles of phishing knowledge, cue utilization, and decision styles in contributing to phishing email detection. Participants (N = 145) completed an online email sorting task, and measures of phishing knowledge, email decision styles, cue utilization, and email security awareness. Cue utilization was the only factor that uniquely predicted the capacity to discriminate phishing from genuine emails. Phishing knowledge was associated with greater phishing detection and a bias towards classifying all emails as phishing. A preference for intuitive decision making predicted lower detection of phishing emails, driven by a greater tendency to classify emails as genuine. These findings support the proposition that cue utilization is a distinct cognitive process that enables expert performance. The outcomes indicate that, in addition to increasing phishing knowledge and developing safe behavioral patterns, anti-phishing training needs to provide opportunities for trainees to develop meaningful cue associations.

Shahryar Baki,Rakesh M. Verma,Arjun Mukherjee,Omprakash Gnawali

DOI: https://doi.org/10.48550/arXiv.2006.13499

2020-06-24

Abstract:Cyber attacks such as phishing, IRS scams, etc., still are successful in fooling Internet users. Users are the last line of defense against these attacks since attackers seem to always find a way to bypass security systems. Understanding users' reason about the scams and frauds can help security providers to improve users security hygiene practices. In this work, we study the users' reasoning and the effectiveness of several variables within the context of the company representative fraud. Some of the variables that we study are: 1) the effect of using LinkedIn as a medium for delivering the phishing message instead of using email, 2) the effectiveness of natural language generation techniques in generating phishing emails, and 3) how some simple customizations, e.g., adding sender's contact info to the email, affect participants perception. The results obtained from the within-subject study show that participants are not prepared even for a well-known attack - company representative fraud. Findings include: approximately 65% mean detection rate and insights into how the success rate changes with the facade and correspondent (sender/receiver) information. A significant finding is that a smaller set of well-chosen strategies is better than a large `mess' of strategies. We also find significant differences in how males and females approach the same company representative fraud. Insights from our work could help defenders in developing better strategies to evaluate their defenses and in devising better training strategies.

Cryptography and Security,Human-Computer Interaction,Social and Information Networks

Sijie Zhuo,Robert Biddle,Lucas Betts,Nalin Asanka Gamagedara Arachchilage,Yun Sing Koh,Danielle Lottridge,Giovanni Russello

2023-04-03

Abstract:Phishing is one of the most prevalent social engineering attacks that targets both organizations and individuals. It is crucial to understand how email presentation impacts users' reactions to phishing attacks. We speculated that the device and email presentation may play a role, and, in particular, that how links are shown might influence susceptibility. Collaborating with the IT Services unit of a large organization doing a phishing training exercise, we conducted a study to explore the effects of the device and the presentation of links. Our findings indicate that mobile device and computer users were equally likely to click on unmasked links, however mobile device users were more likely to click on masked links compared to computer users. These findings suggest that link presentation plays a significant role in users' susceptibility to phishing attacks.

Human-Computer Interaction,Cryptography and Security

Ying Zhou,Xinyue Cui,Weina Qu,Yan Ge

DOI: https://doi.org/10.1016/j.apergo.2022.103754

Abstract:As a new intrusion method in the security field, phishing poses an enormous threat to network security and personal privacy. Thus, improving the level of network security and preventing phishing are a matter of great concern to both the state and researchers. A 2 (automation trust tendency) *2 (system reliability level) *2 (feedback) between-subjects design was adopted to study the impact of individual characteristics and system features on phishing detection. Three hundred ninety-eight participants completed a phishing email task to identify whether 40 emails were legitimate or fraudulent. The results showed that systems with feedback and high reliability improve users' performance in email identification. Users with a high tendency towards automation trust have a higher risk of phishing. However, feedback from the system helps calibrate a high automation trust tendency. These research results can promote an understanding of phishing prevention mechanisms and provide support for the design of email defence systems.

Asangi Jayatilaka,Nalin Asanka Gamagedara Arachchilage,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2108.04766

2021-10-07

Abstract:Despite sophisticated phishing email detection systems, and training and awareness programs, humans continue to be tricked by phishing emails. In an attempt to better understand why phishing email attacks still work and how best to mitigate them, we have carried out an empirical study to investigate people's thought processes when reading their emails. We used a scenario-based role-play "think aloud" method and follow-up interviews to collect data from 19 participants. The experiment was conducted using a simulated web email client, and real phishing and legitimate emails adapted to the given scenario. The analysis of the collected data has enabled us to identify eleven factors that influence people's response decisions to both phishing and legitimate emails. Furthermore, based on the user study findings, we discuss novel insights into flaws in the general email decision-making behaviors that could make people susceptible to phishing attacks.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Asangi Jayatilaka,Nalin Asanka Gamagedara Arachchilage,Muhammad Ali Babar

2024-01-24

Abstract:Despite technical and non-technical countermeasures, humans continue to be tricked by phishing emails. How users make email response decisions is a missing piece in the puzzle to identifying why people still fall for phishing emails. We conducted an empirical study using a think-aloud method to investigate how people make 'response decisions' while reading emails. The grounded theory analysis of the in-depth qualitative data has enabled us to identify different elements of email users' decision-making that influence their email response decisions. Furthermore, we developed a theoretical model that explains how people could be driven to respond to emails based on the identified elements of users' email decision-making processes and the relationships uncovered from the data. The findings provide deeper insights into phishing email susceptibility due to people's email response decision-making behavior. We also discuss the implications of our findings for designers and researchers working in anti-phishing training, education, and awareness interventions

Cryptography and Security,Computers and Society,Human-Computer Interaction

Zhengyang Fan,Wanru Li,Kathryn Blackmond Laskey,Kuo-Chu Chang

DOI: https://doi.org/10.3390/fi16010031

2024-01-18

Future Internet

Abstract:Phishing attacks represent a significant and growing threat in the digital world, affecting individuals and organizations globally. Understanding the various factors that influence susceptibility to phishing is essential for developing more effective strategies to combat this pervasive cybersecurity challenge. Machine learning has become a prevalent method in the study of phishing susceptibility. Most studies in this area have taken one of two approaches: either they explore statistical associations between various factors and susceptibility, or they use complex models such as deep neural networks to predict phishing behavior. However, these approaches have limitations in terms of providing practical insights for individuals to avoid future phishing attacks and delivering personalized explanations regarding their susceptibility to phishing. In this paper, we propose a machine-learning approach that leverages explainable artificial intelligence techniques to examine the influence of human and demographic factors on susceptibility to phishing attacks. The machine learning model yielded an accuracy of 78%, with a recall of 71%, and a precision of 57%. Our analysis reveals that psychological factors such as impulsivity and conscientiousness, as well as appropriate online security habits, significantly affect an individual's susceptibility to phishing attacks. Furthermore, our individualized case-by-case approach offers personalized recommendations on mitigating the risk of falling prey to phishing exploits, considering the specific circumstances of each individual.