Daniel Timko,Daniel Hernandez Castillo,Muhammad Lutfor Rahman

2024-05-30

Abstract:With the booming popularity of smartphones, threats related to these devices are increasingly on the rise. Smishing, a combination of SMS (Short Message Service) and phishing has emerged as a treacherous cyber threat used by malicious actors to deceive users, aiming to steal sensitive information, money or install malware on their mobile devices. Despite the increase in smishing attacks in recent years, there are very few studies aimed at understanding the factors that contribute to a user's ability to differentiate real from fake messages. To address this gap in knowledge, we have conducted an online survey on smishing detection with 187 participants. In this study, we presented them with 16 SMS screenshots and evaluated how different factors affect their decision making process in smishing detection. Next, we conducted a post-survey to garner information on the participants' security attitudes, behavior and knowledge. Our results highlighted that attention and security behavioral scores had a significant impact on participants' accuracy in identifying smishing messages. We found that participants had more difficulty identifying real messages from fake ones, with an accuracy of 67.1% with fake messages and 43.6% with real messages. Our study is crucial in developing proactive strategies to encounter and mitigate smishing attacks. By understanding what factors influence smishing detection, we aim to bolster users' resilience against such threats and create a safer digital environment for all.

Cryptography and Security,Human-Computer Interaction

Cori Faklaris,Heather Richter Lipford,Sarah Tabassum

DOI: https://doi.org/10.48550/arXiv.2309.06322

IF: 6.4588

2023-09-12

Human-Computer Interaction

Abstract:As adoption of mobile phones has skyrocketed, so have scams involving them. The text method is called SMiShing, (aka SMShing, or smishing) in which a fraudster sends a phishing link via Short Message Service (SMS) text to a phone. However, no data exists on who is most vulnerable to SMiShing. Prior work in phishing (its e-mail cousin) indicates that this is likely to vary by demographic and contextual factors. In our study, we collect this data from N=1007 U.S. adult mobile phone users. Younger people and college students emerge in this sample as the most vulnerable. Participants struggled to correctly identify legitimate messages and were easily misled when they knew they had an account with the faked message entity. Counterintuitively, participants with higher levels of security training and awareness were less correct in rating possible SMiSH. We recommend next steps for researchers, regulators and telecom providers.

Sijie Zhuo,Robert Biddle,Jared Daniel Recomendable,Giovanni Russello,Danielle Lottridge

DOI: https://doi.org/10.1145/3688459.3688465

2024-09-12

Abstract:Phishing emails typically masquerade themselves as reputable identities to trick people into providing sensitive information and credentials. Despite advancements in cybersecurity, attackers continuously adapt, posing ongoing threats to individuals and organisations. While email users are the last line of defence, they are not always well-prepared to detect phishing emails. This study examines how workload affects susceptibility to phishing, using eye-tracking technology to observe participants' reading patterns and interactions with tailored phishing emails. Incorporating both quantitative and qualitative analysis, we investigate users' attention to two phishing indicators, email sender and hyperlink URLs, and their reasons for assessing the trustworthiness of emails and falling for phishing emails. Our results provide concrete evidence that attention to the email sender can reduce phishing susceptibility. While we found no evidence that attention to the actual URL in the browser influences phishing detection, attention to the text masking links can increase phishing susceptibility. We also highlight how email relevance, familiarity, and visual presentation impact first impressions of email trustworthiness and phishing susceptibility.

Human-Computer Interaction,Cryptography and Security

Jerson Francia,Derek Hansen,Ben Schooley,Matthew Taylor,Shydra Murray,Greg Snow

2024-06-19

Abstract:This paper explores the rising concern of utilizing Large Language Models (LLMs) in spear phishing message generation, and their performance compared to human-authored counterparts. Our pilot study compares the effectiveness of smishing (SMS phishing) messages created by GPT-4 and human authors, which have been personalized to willing targets. The targets assessed the messages in a modified ranked-order experiment using a novel methodology we call TRAPD (Threshold Ranking Approach for Personalized Deception). Specifically, targets provide personal information (job title and location, hobby, item purchased online), spear smishing messages are created using this information by humans and GPT-4, targets are invited back to rank-order 12 messages from most to least convincing (and identify which they would click on), and then asked questions about why they ranked messages the way they did. They also guess which messages are created by an LLM and their reasoning. Results from 25 targets show that LLM-generated messages are most often perceived as more convincing than those authored by humans, with messages related to jobs being the most convincing. We characterize different criteria used when assessing the authenticity of messages including word choice, style, and personal relevance. Results also show that targets were unable to identify whether the messages was AI-generated or human-authored and struggled to identify criteria to use in order to make this distinction. This study aims to highlight the urgent need for further research and improved countermeasures against personalized AI-enabled social engineering attacks.

Computers and Society,Artificial Intelligence

Jae Woo Seo,Jong Sung Lee,Hyunwoo Kim,Joonghwan Lee,Seongwon Han,Jungil Cho,Choong-Hoon Lee

DOI: https://doi.org/10.1109/access.2024.3349577

IF: 3.9

2024-01-01

IEEE Access

Abstract:Smishing (SMS phishing) is a cybercrime in which criminals send fraudulent messages, including malicious links, to steal the victims’ private data or cause financial losses. The damage caused by smishing has become more severe, particularly with the proliferation of mobile devices. In smishing, a major difficulty faced by victims is discrimination between normal and smishing messages. To resolve this problem, we present an on-device smishing classifier based on a deep-learning model. In real-world scenarios, access to a substantial, authentic dataset is crucial. We trained and evaluated the classifier using real SMS datasets containing approximately 250,000 smishing messages and 950,000 normal messages obtained from victims in Korea. To ensure privacy, the classifier operates solely on mobile devices without externally transmitting any data. It utilizes a lightweight method that does not require significant computing power on mobile devices. We explored several models to determine a suitable model for mobile devices and optimized it using real datasets. Furthermore, our statistical analysis of actual smishing messages revealed that 98% of smishing messages are variants of previously sent messages. To address the prevalence of variant smishing messages, we propose a text evasion attack tool called EVA that is capable of generating pseudo-variant messages from a given message using an adversarial attack approach. We used this tool to evaluate and enhance the robustness of our classifier against various messages. Our classifier exhibited exceptional classification accuracy (0.99) while being lightweight (at 127 kB) and robust against variant smishing messages (attack success rate of 0.41).

computer science, information systems,telecommunications,engineering, electrical & electronic

Mingxuan Liu,Yiming Zhang,Baojun Liu,Zhou Li,Haixin Duan,Donghong Sun

DOI: https://doi.org/10.1145/3485832.3488012

2021-01-01

Abstract:Although spearphishing is a well-known security issue and has been widely researched, it is still an evolving threat with emerging forms. In recent years, Short Message Service (SMS) has been revealed as a new distribution channel for spearphishing messages, which already has caused a serious impact in the real world, but has not yet attracted enough attention from the academic community. In this paper, we report the first systemic study to spotlight this emerging threat, SMS spearphishing attack. Through cooperating with a leading security vendor, we obtain 31.96M real-world spam messages that span three months. We design and implement a novel NLP-based detection algorithm, and uncover 90,801 spearphishing messages on the entire dataset. And then, a large-scale measurement was performed on the detected messages to reveal and understand the characteristics of SMS spearphishing attack. Our findings are multi-fold. We discover that SMS spearphishing has a significant negative impact on the real-world, and a large number of victims have been affected. And the distribution of active illicit types between spearphishing message and common spam is quite inconsistent. At the micro-level, to evade detection and increase the probability of success, adversary campaigns have evolved a set of sophisticated strategies. Our research highlights the impact of SMS spearphishing attack is prominent. We call on different communities to work together to mitigate this emerging security threat.

F. Ley Sylvester

DOI: https://doi.org/10.5121/ijcsit.2022.14101

2022-03-03

Abstract:The mobile device is one of the fasted growing technologies that is widely used in a diversifying sector. Mobile devices are used for everyday life, such as personal information exchange - chatting, email, shopping, and mobile banking, contributing to information security threats. Users' behavior can influence information security threats. More research is needed to understand users' threat avoidance behavior and motivation. Using Technology threat avoidance theory (TTAT), this study assessed factors that influenced mobile device users' threat avoidance motivations and behaviors as it relates to phishing attacks. From the data collected from 137 mobile device users using a questionnaire, the findings indicate that (1) mobile device users' perceived susceptibility and severity of phishing attacks have a significant correlation with a users' perception of the threat; (2) mobile device users' motivation to avoid a threat is correlated to a users' behavior in avoiding threat; and (3) a mobile device user's susceptibility to phishing attacks can be reduced by their perception of the threat. These findings reveal that a user's perception of threat increases if they perceive that the consequence of such threat to their mobile devices will be severe, thereby increasing a user's motivation and behavior to avoid phishing attack threats. This study is beneficial to mobile device users in personal and organizational settings.

Cryptography and Security

Sijie Zhuo,Robert Biddle,Lucas Betts,Nalin Asanka Gamagedara Arachchilage,Yun Sing Koh,Danielle Lottridge,Giovanni Russello

2023-04-03

Abstract:Phishing is one of the most prevalent social engineering attacks that targets both organizations and individuals. It is crucial to understand how email presentation impacts users' reactions to phishing attacks. We speculated that the device and email presentation may play a role, and, in particular, that how links are shown might influence susceptibility. Collaborating with the IT Services unit of a large organization doing a phishing training exercise, we conducted a study to explore the effects of the device and the presentation of links. Our findings indicate that mobile device and computer users were equally likely to click on unmasked links, however mobile device users were more likely to click on masked links compared to computer users. These findings suggest that link presentation plays a significant role in users' susceptibility to phishing attacks.

Human-Computer Interaction,Cryptography and Security

Anjali Shinde,Essa Q. Shahra,Shadi Basurra,Faisal Saeed,Abdulrahman A. AlSewari,Waheb A. Jabbar

DOI: https://doi.org/10.3390/s24186084

IF: 3.9

2024-09-21

Sensors

Abstract:The growing problem of unsolicited text messages (smishing) and data irregularities necessitates stronger spam detection solutions. This paper explores the development of a sophisticated model designed to identify smishing messages by understanding the complex relationships among words, images, and context-specific factors, areas that remain underexplored in existing research. To address this, we merge a UCI spam dataset of regular text messages with real-world spam data, leveraging OCR technology for comprehensive analysis. The study employs a combination of traditional machine learning models, including K-means, Non-Negative Matrix Factorization, and Gaussian Mixture Models, along with feature extraction techniques such as TF_IDF and PCA. Additionally, deep learning models like RNN-Flatten, LSTM, and Bi-LSTM are utilized. The selection of these models is driven by their complementary strengths in capturing both the linear and non-linear relationships inherent in smishing messages. Machine learning models are chosen for their efficiency in handling structured text data, while deep learning models are selected for their superior ability to capture sequential dependencies and contextual nuances. The performance of these models is rigorously evaluated using metrics like accuracy, precision, recall, and F1 score, enabling a comparative analysis between the machine learning and deep learning approaches. Notably, the K-means feature extraction with vectorizer achieved 91.01% accuracy, and the KNN-Flatten model reached 94.13% accuracy, emerging as the top performer. The rationale behind highlighting these models is their potential to significantly improve smishing detection rates. For instance, the high accuracy of the KNN-Flatten model suggests its applicability in real-time spam detection systems, but its computational complexity might limit scalability in large-scale deployments. Similarly, while K-means with vectorizer excels in accuracy, it may struggle with the dynamic and evolving nature of smishing attacks, necessitating continual retraining.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Daniel Timko,Muhammad Lutfor Rahman

DOI: https://doi.org/10.1145/3558482.3590173

2024-04-29

Abstract:Smishing, also known as SMS phishing, is a type of fraudulent communication in which an attacker disguises SMS communications to deceive a target into providing their sensitive data. Smishing attacks use a variety of tactics; however, they have a similar goal of stealing money or personally identifying information (PII) from a victim. In response to these attacks, a wide variety of anti-smishing tools have been developed to block or filter these communications. Despite this, the number of phishing attacks continue to rise. In this paper, we developed a test bed for measuring the effectiveness of popular anti-smishing tools against fresh smishing attacks. To collect fresh smishing data, we introduce

Cryptography and Security

Xi Chen,Indranil Bose,Alvin Leung,Chenhui Guo

2009-01-01

Abstract:We assess the severity of phishing attacks in terms of their risk levels and the potential loss in market value to the firms. We analyze 1,030 phishing alerts released on a public database as well as financial data related to the targeted firms using a hybrid text and data mining method that predicts the severity of the attack with high accuracy. Our research identifies the important textual and financial variables that impact the severity of the attacks and determine that different antecedents influence risk level and potential financial loss associated with phishing attacks.

Matthew Shonman,Xiaoyu Shi,Mingqing Kang,Zuo Wang,Xiangyang Li,Anton Dahbura

DOI: https://doi.org/10.1093/iwc/iwad054

2024-02-10

Interacting with Computers

Abstract:Abstract Numerous studies of human user behaviours in cybersecurity tasks have used traditional research methods, such as self-reported surveys or empirical experiments, to identify relationships between various factors of interest and user security performance. This work takes a different approach, applying computational cognitive modelling to research the decision-making of cybersecurity users. The model described here relies on cognitive memory chunk activation to analytically simulate the decision-making process of a user classifying legitimate and phishing emails. Suspicious-seeming cues in each email are processed by examining similar, past classifications in long-term memory. We manipulate five parameters (Suspicion Threshold, Maximum Cues Processed, Weight of Similarity, Flawed Perception Level, Legitimate-to-Phishing Email Ratio in long-term memory) to examine their effects on accuracy, email processing time and decision confidence. Furthermore, we have conducted an empirical, unattended study of US participants performing the same task. Analyses on the empirical study data and simulation output, especially clustering analysis, show that these two research approaches complement each other for more insightful understanding of this phishing detection task. The analyses also demonstrate several limitations of this computational model that cannot easily capture certain user types and phishing detection strategies, calling for a more dynamic and sophisticated model construction.

computer science, cybernetics,ergonomics

Claudio Marforio,Ramya Jayaram Masti,Claudio Soriente,Kari Kostiainen,Srdjan Capkun

DOI: https://doi.org/10.48550/arXiv.1502.06824

2015-02-24

Cryptography and Security

Abstract:Phishing in mobile applications is a relevant threat with successful attacks reported in the wild. In such attacks, malicious mobile applications masquerade as legitimate ones to steal user credentials. In this paper we categorize application phishing attacks in mobile platforms and possible countermeasures. We show that personalized security indicators can help users to detect phishing attacks and have very little deployment cost. Personalized security indicators, however, rely on the user alertness to detect phishing attacks. Previous work in the context of website phishing has shown that users tend to ignore the absence of security indicators and fall victim of the attacker. Consequently, the research community has deemed personalized security indicators as an ineffective phishing detection mechanism. We evaluate personalized security indicators as a phishing detection solution in the context of mobile applications. We conducted a large-scale user study where a significant amount of participants that used personalized security indicators were able to detect phishing. All participants that did not use indicators could not detect the attack and entered their credentials to a phishing application. We found the difference in the attack detection ratio to be statistically significant. Personalized security indicators can, therefore, help phishing detection in mobile applications and their reputation as an anti-phishing mechanism should be reconsidered. We also propose a novel protocol to setup personalized security indicators under a strong adversarial model and provide details on its performance and usability.

Muhammad Salman,Muhammad Ikram,Mohamed Ali Kaafar

DOI: https://doi.org/10.1109/access.2024.3364671

IF: 3.9

2024-02-20

IEEE Access

Abstract:The persistence of SMS spam remains a significant challenge, highlighting the need for research aimed at developing systems capable of effectively handling the evasive strategies used by spammers. Such research efforts are important for safeguarding the general public from the detrimental impact of SMS spam. In this study, we aim to highlight the challenges encountered in the current landscape of SMS spam detection and filtering. To address these challenges, we present a new SMS dataset comprising more than 68K SMS messages with 61% legitimate (ham) SMS and 39% spam messages. Notably, this dataset, we release for further research, represents the largest publicly available SMS spam dataset to date. To characterize the dataset, we perform a longitudinal analysis of spam evolution. We then extract semantic and syntactic features to evaluate and compare the performance of well-known machine learning based SMS spam detection methods, ranging from shallow machine learning approaches to advanced deep neural networks. We investigate the robustness of existing SMS spam detection models and popular anti-spam services against spammers' evasion techniques. Our findings reveal that the majority of shallow machine learning based techniques and anti-spam services exhibit inadequate performance when it comes to accurately classifying SMS spam messages. We observe that all of the machine learning approaches and anti-spam services are susceptible to various evasive strategies employed by spammers. To address the identified limitations, our study advocates for researchers to delve into these areas to advance the field of SMS spam detection and anti-spam services.

computer science, information systems,telecommunications,engineering, electrical & electronic

George A. Thomopoulos,Dimitrios P. Lyras,Christos A. Fidas

DOI: https://doi.org/10.1007/s00779-024-01794-9

2024-03-20

Personal and Ubiquitous Computing

Abstract:Phishing is one of the most important security threats in modern information systems causing different levels of damages to end-users and service providers such as financial and reputational losses. State-of-the-art anti-phishing research is highly fragmented and monolithic and does not address the problem from a pervasive computing perspective. In this survey, we aim to contribute to the existing literature by providing a systematic review of existing experimental phishing research that employs EEG and eye-tracking methods within multi-modal and multi-sensory interaction environments. The main research objective of this review is to examine articles that contain results of at least one EEG-based and/or eye-tracking-based experimental setup within a phishing context. The database search with specific search criteria yielded 651 articles from which, after the identification and the screening process, 42 articles were examined as per the execution of experiments using EEG or eye-tracking technologies in the context of phishing, resulting to a total of 18 distinct papers that were included in the analysis. This survey is approaching the subject across the following pillars: a) the experimental design practices with an emphasis on the applied EEG and eye-tracking acquisition protocols, b) the artificial intelligence and signal preprocessing techniques that were applied in those experiments, and finally, c) the phishing attack types examined. We also provide a roadmap for future research in the field by suggesting ideas on how to combine state-of-the-art gaze-based mechanisms with EEG technologies for advancing phishing research. This leads to a discussion on the best practices for designing EEG and gaze-based frameworks.

computer science, information systems,telecommunications

Ashfak Md Shibli,Mir Mehedi A. Pritom,Maanak Gupta

2024-02-15

Abstract:SMS phishing, also known as "smishing", is a growing threat that tricks users into disclosing private information or clicking into URLs with malicious content through fraudulent mobile text messages. In recent past, we have also observed a rapid advancement of conversational generative AI chatbot services (e.g., OpenAI's ChatGPT, Google's BARD), which are powered by pre-trained large language models (LLMs). These AI chatbots certainly have a lot of utilities but it is not systematically understood how they can play a role in creating threats and attacks. In this paper, we propose AbuseGPT method to show how the existing generative AI-based chatbot services can be exploited by attackers in real world to create smishing texts and eventually lead to craftier smishing campaigns. To the best of our knowledge, there is no pre-existing work that evidently shows the impacts of these generative text-based models on creating SMS phishing. Thus, we believe this study is the first of its kind to shed light on this emerging cybersecurity threat. We have found strong empirical evidences to show that attackers can exploit ethical standards in the existing generative AI-based chatbot services by crafting prompt injection attacks to create newer smishing campaigns. We also discuss some future research directions and guidelines to protect the abuse of generative AI-based services and safeguard users from smishing attacks.

Cryptography and Security,Artificial Intelligence

Hang Hu,Gang Wang

DOI: https://doi.org/10.48550/arXiv.1801.00853

2018-01-03

Abstract:The email system is the central battleground against phishing and social engineering attacks, and yet email providers still face key challenges to authenticate incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity to conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions: (1) How do email providers detect and handle forged emails? (2) Under what conditions can forged emails penetrate the defense to reach user inbox? (3) Once the forged email gets in, how email providers warn users? Is the warning truly effective? We answer these questions through end-to-end measurements on 35 popular email providers (used by billions of users), and extensive user studies (N = 913) that consist of both simulated and real-world phishing experiments. We have four key findings. First, most popular email providers have the necessary protocols to detect spoofing, but still allow forged emails to get into user inbox (e.g., Yahoo Mail, iCloud, Gmail). Second, once a forged email gets in, most email providers have no warnings for users, particularly on mobile email apps. Some providers (e.g., Gmail Inbox) even have misleading UIs that make the forged email look authentic. Third, a few email providers (9/35) have implemented visual security cues for unverified emails, which demonstrate a positive impact to reduce risky user actions. Comparing simulated experiments with realistic phishing tests, we observe that the impact of security cue is less significant when users are caught off guard in the real-world setting.

Cryptography and Security

Asangi Jayatilaka,Nalin Asanka Gamagedara Arachchilage,Muhammad Ali Babar

2024-01-24

Abstract:Despite technical and non-technical countermeasures, humans continue to be tricked by phishing emails. How users make email response decisions is a missing piece in the puzzle to identifying why people still fall for phishing emails. We conducted an empirical study using a think-aloud method to investigate how people make 'response decisions' while reading emails. The grounded theory analysis of the in-depth qualitative data has enabled us to identify different elements of email users' decision-making that influence their email response decisions. Furthermore, we developed a theoretical model that explains how people could be driven to respond to emails based on the identified elements of users' email decision-making processes and the relationships uncovered from the data. The findings provide deeper insights into phishing email susceptibility due to people's email response decision-making behavior. We also discuss the implications of our findings for designers and researchers working in anti-phishing training, education, and awareness interventions

Cryptography and Security,Computers and Society,Human-Computer Interaction

Cori Faklaris

2024-01-26

Abstract:This paper describes three principal challenges in smishing mitigation - limitations of device affordances, complexity of infrastructure, and cognitive and contextual factors of mobile device use. We give a high-level overview of ideas that can mitigate smishing and work around these challenges.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Devendra Sambhaji Hapase,Lalit Vasantrao Patil,Hapase, Devendra Sambhaji,Patil, Lalit Vasantrao

DOI: https://doi.org/10.1007/s11042-024-19020-2

IF: 2.577

2024-03-29

Multimedia Tools and Applications

Abstract:One of the telecommunications' most popular forms of fraud is the short message service (SMS). Mobile users have a valid fear about SMS spam, which disturbs telecoms network operators since it impacts their clients and costs them money. For that, the existing research utilized an artificial intelligence approach to detect SMS phishing in telecommunication. Since SMS text data is unstructured and contains complicated, nonlinear relationships, this process could be difficult. Therefore, this research developed a Fraud Resilient Framework using Enhanced CNN-based SMS Phishing detection. Telecommunication fraud-related datasets are collected. Firstly, the data are preprocessed and cleaned using stemming, tokenization, and the TF-IDF approach. Moreover, to extract the features, the existing research utilized the information gain technique, which is time-consuming. So to overcome these flaws, this research introduces Assimilated Pearson Correlation Coefficient Principal Component Analysis (PCC-PCA) for feature extraction. This research introduces an enhanced Convolutional Neural Network (Enhanced CNN) in which, overcome the exploding gradients, this research introduces Parameterized ReLU which minimizes architecture complexity, regularizing, and early stopping. Then, the retrieved features are used in Enhanced CNN to categorize the ham and spam in the telecommunication network. As a result, when matched to cutting-edge techniques, this proposed solution offers great accuracy and efficiency.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering