Yan Ge,Li Lu,Xinyue Cui,Zhe Chen,Weina Qu

DOI: https://doi.org/10.1016/j.apergo.2021.103526

IF: 3.94

2021-11-01

Applied Ergonomics

Abstract:<p>In the phishing email literature, recent researchers have given much attention to individual differences in phishing susceptibility from the perspective of the Big Five personality traits. Although the effectiveness and advantages of the phishing susceptibility measures in the signal detection theory (SDT) framework have been verified, the cognitive mechanisms that lead to individual differences in these measures remain unknown. The current study proposed and examined a theoretical path model to explore how the Big Five personality traits, related knowledge and experience and the cognitive processing of emails (i.e., mail elaboration) influence users' susceptibility to phishing emails. A sample of 414 Chinese participants completed the 44-item Big Five Personality Inventory (BFI-44), Mail Elaboration Scale (MES), Web Experience Questionnaire, Experience with Electronic Mail Scale, Knowledge and Technical Background Test and a demographic questionnaire. The phishing susceptibility measures were calculated after the participants finished an email legitimacy task in a role-playing scenario. The results showed that the general profile of the "victim personality" included low conscientiousness, low openness and high neuroticism, and Internet experience and computer and web knowledge played an important role. All of these factors have significant indirect effects on phishing susceptibility by influencing mail elaboration. Moreover, the probabilities of checking for further information or deleting the email reflect the sensitivity of email judgment. These findings reveal the mediating role of cognitive processing between individual factors and phishing susceptibility. The theoretical implications of this study for the phishing susceptibility literature and its applications to phishing risk interventions or training programs are discussed.</p>

engineering, industrial,ergonomics,psychology, applied

Shihe Pan,,Dong-Heon Kwak,Jungwon Kuem,Sung S. Kim,,,

DOI: https://doi.org/10.17705/1jais.00854

2024-01-01

Journal of the Association for Information Systems

Abstract:Because phishing attacks often exploit individuals’ inexperience in detecting them, it is important for managers to provide workers with proper feedback on their reactions to phishing scams. However, little is known about what types of feedback are more effective in facilitating antiphishing training behavior and performance. The objectives of this study are to identify (1) the determinants of decision avoidance and detection accuracy, (2) the contextual effect of type of feedback in antiphishing training, (3) the impacts of perceived detection efficacy on training outcomes, and (4) the interaction effects between feedback characteristics and perceived detection efficacy/phishing characteristics on training outcomes. Drawing upon goal-setting theory, skill acquisition theory, and antiphishing training literature, our model provides a theoretical account of how feedback characteristics (e.g., type, quantity), phishing characteristics (e.g., phishing cue saliency), and perceived detection efficacy affect antiphishing training outcomes (e.g., decision avoidance and detection accuracy). To empirically test the model, we performed four experiments with 652 subjects in the United States from three different online panels via Amazon Mechanical Turk, Esearch.com, and Clickworker.com. Our results indicate that examplebased feedback is superior to abstract feedback in teaching how to correctly discern between phishing and legitimate emails in the context of link-embedded emails. We also show that perceived detection efficacy is essential for a better understanding of antiphishing training behavior and performance. Finally, we show an interaction effect between feedback quantity and phishing cue saliency on antiphishing training behavior and performance.

information science & library science,computer science, information systems

Sijie Zhuo,Robert Biddle,Jared Daniel Recomendable,Giovanni Russello,Danielle Lottridge

DOI: https://doi.org/10.1145/3688459.3688465

2024-09-12

Abstract:Phishing emails typically masquerade themselves as reputable identities to trick people into providing sensitive information and credentials. Despite advancements in cybersecurity, attackers continuously adapt, posing ongoing threats to individuals and organisations. While email users are the last line of defence, they are not always well-prepared to detect phishing emails. This study examines how workload affects susceptibility to phishing, using eye-tracking technology to observe participants' reading patterns and interactions with tailored phishing emails. Incorporating both quantitative and qualitative analysis, we investigate users' attention to two phishing indicators, email sender and hyperlink URLs, and their reasons for assessing the trustworthiness of emails and falling for phishing emails. Our results provide concrete evidence that attention to the email sender can reduce phishing susceptibility. While we found no evidence that attention to the actual URL in the browser influences phishing detection, attention to the text masking links can increase phishing susceptibility. We also highlight how email relevance, familiarity, and visual presentation impact first impressions of email trustworthiness and phishing susceptibility.

Human-Computer Interaction,Cryptography and Security

Dawn M Sarno,Mark B Neider

DOI: https://doi.org/10.1177/0018720821999174

Abstract:Objective: The present studies examine how task factors (e.g., email load, phishing prevalence) influence email performance. Background: Phishing emails are a paramount cybersecurity threat for the modern email user. Research attempting to understand how users are susceptible to phishing attacks has been limited and has not fully explored how task factors (e.g., prevalence, email load) influence accurate detection. Method: In three experiments, participants classified emails as either legitimate or not legitimate and reported on a variety of other categorizations. The first two experiments examined how email load and phishing prevalence influence phishing detection independently. The third experiment examined the interaction of these two factors to determine whether they have compounding effects. All three experiments utilized individual difference variables to examine how cognitive, behavioral, and personality factors may influence classifications. Results: Experiment 1 suggests that high email load can make the task appear more challenging. Experiment 2 indicates that low phishing prevalence can decrease sensitivity for phishing emails. Experiment 3 demonstrates that high levels of email load can decrease classification accuracy under 50/50 prevalence rates. Notably, performance was poor across all experiments, with phishing detection near chance levels and low discriminability for emails. Participants demonstrated poor metacognition with over confidence, low self-reported difficulty, and low perceived threat for the emails. Conclusion: Overall, the present studies suggest that high email load and low phishing prevalence can influence email classifications. Application: Organizations and researchers should consider the influences of both email load and phishing prevalence when implementing phishing interventions.

Kathryn Parsons,Marcus Butavicius,Paul Delfabbro,Meredith Lillie

DOI: https://doi.org/10.1016/j.ijhcs.2019.02.007

2019-08-01

Abstract:To reduce the threat caused by phishing attacks, it is vital to investigate why some phishing attacks are successful, and why some people are more susceptible to them than others. To examine this, we used a social influence framework, and applied the Susceptibility to Persuasion Strategies scale within a dual-process model of persuasion framework. A total of 985 participants took part in a role-play scenario-based phishing study. Results indicated that phishing emails utilising scarcity and social proof principles were least successful, whereas those applying consistency and reciprocity principles were most successful. The same principles were also considered least and most persuasive according to the Susceptibility to Persuasion Strategies scale. For the majority of principles, participants who were susceptible to a specific principle were significantly more susceptible to emails containing that principle. Further results revealed that age; the percentage of time spent using a computer; susceptibility to the social proof principle; and, both dispositional and situational impulsivity, were significant predictors in people&#x27;s ability to detect phishing emails. Practical implications of these findings as well as future directions are discussed.

computer science, cybernetics,ergonomics,psychology, multidisciplinary

Xiaowei Chen,Margault Sacré,Gabriele Lenzini,Samuel Greiff,Verena Distler,Anastasia Sergeeva

DOI: https://doi.org/10.48550/arXiv.2402.11862

IF: 6.4588

2024-02-19

Human-Computer Interaction

Abstract:Organizations rely on phishing interventions to enhance employees' vigilance and safe responses to phishing emails that bypass technical solutions. While various resources are available to counteract phishing, studies emphasize the need for interactive and practical training approaches. To investigate the effectiveness of such an approach, we developed and delivered two anti-phishing trainings, group discussion and role-playing, at a European university. We conducted a pre-registered experiment (N = 105), incorporating repeated measures at three time points, a control group, and three in-situ phishing tests. Both trainings enhanced employees' anti-phishing self-efficacy and support-seeking intention in within-group analyses. Only the role-playing training significantly improved support-seeking intention when compared to the control group. Participants in both trainings reported more phishing tests and demonstrated heightened vigilance to phishing attacks compared to the control group. We discuss practical implications for evaluating and improving phishing interventions and promoting safe responses to phishing threats within organizations.

Sijie Zhuo,Robert Biddle,Yun Sing Koh,Danielle Lottridge,Giovanni Russello

DOI: https://doi.org/10.48550/arXiv.2202.07905

2022-02-16

Abstract:Phishing is recognised as a serious threat to organisations and individuals. While there have been significant technical advances in blocking phishing attacks, people remain the last line of defence after phishing emails reach their email client. Most of the existing literature on this subject has focused on the technical aspects related to phishing. However, the factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature and we propose a three-stage Phishing Susceptibility Model (PSM) for explaining how humans are involved in phishing detection and prevention, and we systematically investigate the phishing susceptibility variables studied in the literature and taxonomize them using our model. This model reveals several research gaps that need to be addressed to improve users' detection performance. We also propose a practical impact assessment of the value of studying the phishing susceptibility variables, and quality of evidence criteria. These can serve as guidelines for future research to improve experiment design, result quality, and increase the reliability and generalizability of findings.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Yi Yong Lee,Chin Lay Gan,Tze Wei Liew

DOI: https://doi.org/10.3390/ijerph20043514

2023-02-16

Abstract:Context: The cause of cybercrime phishing threats in Malaysia is a lack of knowledge and awareness of phishing. Objective: The effects of self-efficacy (the ability to gain anti-phishing knowledge) and protection motivation (attitude toward sharing personal information online) on the risk of instant messaging phishing attacks (phishing susceptibility) are investigated in this study. The protection motivation theory (PMT) was tested in the context of attitudes toward sharing personal information online with a view to improving interventions to reduce the risk of phishing victimisation. Methods: Data were collected using non-probability purposive sampling. An online survey of 328 Malaysian active instant messaging users was collected and analysed in SmartPLS version 4.0.8.6 using partial least squares structural equation modelling. Results: The results showed that a person's cognitive factor (either high or low self-efficacy) affected their chance of being a victim of instant message phishing. A higher level of self-efficacy and a negative attitude towards sharing personal information online were significant predictors of phishing susceptibility. A negative attitude towards sharing personal information online mediated the relationship between high levels of self-efficacy and phishing susceptibility. A higher level of self-efficacy led to the formation of negative attitudes among internet users. Attitudes toward the sharing of personal information online are critical because they allow phishing attempts to exist and succeed. Conclusions: The findings give government agencies more information on how to organise anti-phishing campaigns and awareness programmes; awareness and education can improve one's ability to acquire anti-phishing knowledge (self-efficacy).

Rundong Yang,Kangfeng Zheng,Bin Wu,Di Li,Zhe Wang,Xiujuan Wang

DOI: https://doi.org/10.1155/2022/7058972

IF: 3.12

2022-01-17

Computational Intelligence and Neuroscience

Abstract:While antiphishing techniques have evolved over the years, phishing remains one of the most threatening attacks on current network security. This is because phishing exploits one of the weakest links in a network system—people. The purpose of this research is to predict the possible phishing victims. In this study, we propose the multidimensional phishing susceptibility prediction model (MPSPM) to implement the prediction of user phishing susceptibility. We constructed two types of emails: legitimate emails and phishing emails. We gathered 1105 volunteers to join our experiment by recruiting volunteers. We sent these emails to volunteers and collected their demographic, personality, knowledge experience, security behavior, and cognitive processes by means of a questionnaire. We then applied 7 supervised learning methods to classify these volunteers into two categories using multidimensional features: susceptible and nonsusceptible. The experimental results indicated that some machine learning methods have high accuracy in predicting user phishing susceptibility, with a maximum accuracy rate of 89.04%. We conclude our study with a discussion of our findings and their future implications.

mathematical & computational biology,neurosciences

Anargyros Chrysanthou,Yorgos Pantis,Constantinos Patsakis

DOI: https://doi.org/10.1016/j.cose.2024.103780

IF: 5.105

2024-02-25

Computers & Security

Abstract:In an era dominated by digital interactions, phishing campaigns have evolved to exploit not just technological vulnerabilities but also human traits. This study takes an unprecedented deep dive into large-scale phishing campaigns aimed at Meta's users, offering a dual perspective on the technical mechanics and human elements involved. Analysing data from over 25,000 victims worldwide, we highlight the nuances of these campaigns, from the intricate techniques deployed by the attackers to the sentiments and behaviours of those targeted. Unlike prior research conducted in controlled environments, this investigation capitalises on the vast, diverse, and genuine data extracted directly from active phishing campaigns, allowing for a more holistic understanding of the drivers, facilitators, and human factors. Through applying advanced computational techniques, including natural language processing and machine learning, this work unveils critical insights into the psyche of victims and the evolving tactics of modern phishers. Our analysis illustrates very poor password selection choices from the victims, with 30.27% of them picking low-complexity passwords and 58.23% reusing leaked passwords. Additionally, more than 10% exhibit strong persistence in re-victimisation by posting again to the phishing platforms of the same phishers. Finally, we reveal many correlations regarding demographics and the time periods when victims are more vulnerable during the day, as well as analyse the sentiment, emotion, and tone of text responses that they submitted, illustrating how convinced they were of the scam.

computer science, information systems

Kaigui Bian,Jung-Min Park,Hsiao, M.S.,Belanger, F.

DOI: https://doi.org/10.1109/SAINT.2009.14

2009-01-01

Abstract:Phishing is an attempt to fraudulently acquire userspsila sensitive information, such as passwords or financial information, by masquerading as a trustworthy entity in online transactions. Recently, a number of researchers have proposed using external online resources like the Google Page Rank system to assist phishing detection. The advantage of such an approach is that the detection capability will gradually evolve and improve as the online resources become more sophisticated and manipulation-resistant. In this paper, we evaluate the effectiveness of three popular online resources in detecting phishing sites-viz, Google PageRank system, Yahoo! Inlink data, and Yahoo! directory service. Our results indicate that these online resources can be used to increase the accuracy of phishing site detection when used in conjunction with existing phishing countermeasures. The proposed approach involves examining the following three attributes of a target site (site being examined): (1) the credibility of the target sitepsilas hosting domain, (2) the credibility of in-neighbor sites that link to the hosting domain, and (3) the correlation between the target sitepsilas web category and its hosting domainpsilas web category. The aforementioned online resources by themselves are insufficient to address the phishing attack problem. We provide discussions on how each of those resources may be integrated with existing phishing detection techniques to provide a more effective solution.

Daniel Sturman,Elliot A Bell,Jaime C Auton,Georgia R Breakey,Mark W Wiggins

DOI: https://doi.org/10.1016/j.apergo.2024.104309

Abstract:This study investigated the roles of phishing knowledge, cue utilization, and decision styles in contributing to phishing email detection. Participants (N = 145) completed an online email sorting task, and measures of phishing knowledge, email decision styles, cue utilization, and email security awareness. Cue utilization was the only factor that uniquely predicted the capacity to discriminate phishing from genuine emails. Phishing knowledge was associated with greater phishing detection and a bias towards classifying all emails as phishing. A preference for intuitive decision making predicted lower detection of phishing emails, driven by a greater tendency to classify emails as genuine. These findings support the proposition that cue utilization is a distinct cognitive process that enables expert performance. The outcomes indicate that, in addition to increasing phishing knowledge and developing safe behavioral patterns, anti-phishing training needs to provide opportunities for trainees to develop meaningful cue associations.

Daniele Lain,Kari Kostiainen,Srdjan Capkun

DOI: https://doi.org/10.48550/arXiv.2112.07498

2021-12-14

Cryptography and Security

Abstract:In this paper, we present findings from a large-scale and long-term phishing experiment that we conducted in collaboration with a partner company. Our experiment ran for 15 months during which time more than 14,000 study participants (employees of the company) received different simulated phishing emails in their normal working context. We also deployed a reporting button to the company's email client which allowed the participants to report suspicious emails they received. We measured click rates for phishing emails, dangerous actions such as submitting credentials, and reported suspicious emails. The results of our experiment provide three types of contributions. First, some of our findings support previous literature with improved ecological validity. One example of such results is good effectiveness of warnings on emails. Second, some of our results contradict prior literature and common industry practices. Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing. And third, we report new findings. In particular, we are the first to demonstrate that using the employees as a collective phishing detection mechanism is practical in large organizations. Our results show that such crowd-sourcing allows fast detection of new phishing campaigns, the operational load for the organization is acceptable, and the employees remain active over long periods of time.

Dong-Jie Liu,Guang-Gang Geng,Xiao-Bo Jin,Wei Wang

DOI: https://doi.org/10.1016/j.cose.2021.102421

2021-11-01

Abstract:Phishing has become a favorite method of hackers for committing data theft and continues to evolve. As long as phishing websites continue to operate, many more people and companies will suffer privacy leaks or financial losses. Therefore, the demand for fast and accurate phishing website detection grows stronger. However, the existing phishing detection methods do not fully analyze the features of phishing, and the performance and efficiency of the models only apply to certain limited datasets and need to be improved to be applied to the real web environment. This paper fully considers the social engineering principles of phishing, proposes a comprehensive and interpretable CASE feature framework and designs a multistage phishing detection model to effectively detect phishing sites, especially in the real web environment, where high efficiency and performance and extremely low false alarm rates are required. To fully verify the proposed method, two kinds of data experiments were carried out. One was the comparative experiments among different features and different detection models on CASE, which covers both classic machine learning and deep learning algorithms based on a constructed complex dataset. The other was a one-year phishing discovery experiment in the real web environment. The proposed method achieves better detection results under the premise of significantly shortening the execution time and works well in real phishing discovery, which proves its high practicability in reality.

computer science, information systems

Alejandra Diaz,Alan T. Sherman,Anupam Joshi

DOI: https://doi.org/10.48550/arXiv.1811.06078

2018-11-15

Abstract:We present an observational study on the relationship between demographic factors and phishing susceptibility at the University of Maryland, Baltimore County (UMBC). In spring 2018, we delivered phishing attacks to 450 randomly-selected students on three different days (1,350 students total) to examine user click rates and demographics among UMBC's undergraduates. Participants were initially unaware of the study. Experiment 1 claimed to bill students; Experiment 2 enticed users with monetary rewards; and Experiment 3 threatened users with account cancellation. We found correlations resulting in lowered susceptibility based on college affiliation, academic year progression, cyber training, involvement in cyber clubs or cyber scholarship programs, time spent on the computer, and age demographics. We found no significant correlation between gender and susceptibility. Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness. Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing. Approximately 59% of subjects who opened the phishing email clicked on its phishing link, and approximately 70% of those subjects who additionally answered a demographic survey clicked.

Cryptography and Security

Zhengyang Fan,Wanru Li,Kathryn Blackmond Laskey,Kuo-Chu Chang

DOI: https://doi.org/10.3390/fi16010031

2024-01-18

Future Internet

Abstract:Phishing attacks represent a significant and growing threat in the digital world, affecting individuals and organizations globally. Understanding the various factors that influence susceptibility to phishing is essential for developing more effective strategies to combat this pervasive cybersecurity challenge. Machine learning has become a prevalent method in the study of phishing susceptibility. Most studies in this area have taken one of two approaches: either they explore statistical associations between various factors and susceptibility, or they use complex models such as deep neural networks to predict phishing behavior. However, these approaches have limitations in terms of providing practical insights for individuals to avoid future phishing attacks and delivering personalized explanations regarding their susceptibility to phishing. In this paper, we propose a machine-learning approach that leverages explainable artificial intelligence techniques to examine the influence of human and demographic factors on susceptibility to phishing attacks. The machine learning model yielded an accuracy of 78%, with a recall of 71%, and a precision of 57%. Our analysis reveals that psychological factors such as impulsivity and conscientiousness, as well as appropriate online security habits, significantly affect an individual's susceptibility to phishing attacks. Furthermore, our individualized case-by-case approach offers personalized recommendations on mitigating the risk of falling prey to phishing exploits, considering the specific circumstances of each individual.

M. Mascola,M. Schellpfeffer,T. Kruse,A. Conway,K. Kvale,M. Katcher

Abstract:BACKGROUND Although the risk of dying during childbirth or from complications afterward has been greatly reduced during the past 100 years, the current rate of approximately 1 death in 10,000 live births is still too high. The goal of the US Department of Health and Human Services is to reduce this rate by more than half by the year 2010. OBJECTIVE To present Wisconsin data regarding pregnancy-associated deaths and pregnancy-related deaths. METHODS Cases in which a woman had died during pregnancy or within 1 year of the end of her pregnancy were identified, and case-specific data were collected. The Wisconsin Maternal Mortality Review Team then conducted systematic reviews of the information, summarized issues related to maternal mortality, considered the relationship to pregnancy and factors of avoidability, and made recommendations to improve maternal health and survival. Finally, pregnancy-associated and pregnancy-related mortality ratios were calculated. RESULTS From 1998 through 2001, 23 Wisconsin women died as a result of their pregnancy or from complications up to a year later. This gives a Wisconsin pregnancy-related mortality ratio of 8.4 per 100,000 live births. This ratio was higher in African American women and in women who smoked. The primary cause of death was embolic disease. Almost half of the pregnancy-related deaths (48%) occurred during the postpartum period, and nearly one-quarter (22%) were avoidable. CONCLUSIONS The disparity in pregnancy-related mortality ratios among ethnic groups and the finding of avoidable deaths are areas that should be targeted by health care providers and public health workers. Six areas on which to focus include the following: addressing racial disparities, assuring the performance of autopsies, lifestyle changes related to obesity and smoking, and management of embolic and cardiovascular disease, as well as postpartum hemorrhage.

J. Włodyka,T. Bråmå,W. Wierzchowski,J. Skladzien

Abstract:

Asangi Jayatilaka,Nalin Asanka Gamagedara Arachchilage,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2108.04766

2021-10-07

Abstract:Despite sophisticated phishing email detection systems, and training and awareness programs, humans continue to be tricked by phishing emails. In an attempt to better understand why phishing email attacks still work and how best to mitigate them, we have carried out an empirical study to investigate people's thought processes when reading their emails. We used a scenario-based role-play "think aloud" method and follow-up interviews to collect data from 19 participants. The experiment was conducted using a simulated web email client, and real phishing and legitimate emails adapted to the given scenario. The analysis of the collected data has enabled us to identify eleven factors that influence people's response decisions to both phishing and legitimate emails. Furthermore, based on the user study findings, we discuss novel insights into flaws in the general email decision-making behaviors that could make people susceptible to phishing attacks.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Matthew Shonman,Xiaoyu Shi,Mingqing Kang,Zuo Wang,Xiangyang Li,Anton Dahbura

DOI: https://doi.org/10.1093/iwc/iwad054

2024-02-10

Interacting with Computers

Abstract:Abstract Numerous studies of human user behaviours in cybersecurity tasks have used traditional research methods, such as self-reported surveys or empirical experiments, to identify relationships between various factors of interest and user security performance. This work takes a different approach, applying computational cognitive modelling to research the decision-making of cybersecurity users. The model described here relies on cognitive memory chunk activation to analytically simulate the decision-making process of a user classifying legitimate and phishing emails. Suspicious-seeming cues in each email are processed by examining similar, past classifications in long-term memory. We manipulate five parameters (Suspicion Threshold, Maximum Cues Processed, Weight of Similarity, Flawed Perception Level, Legitimate-to-Phishing Email Ratio in long-term memory) to examine their effects on accuracy, email processing time and decision confidence. Furthermore, we have conducted an empirical, unattended study of US participants performing the same task. Analyses on the empirical study data and simulation output, especially clustering analysis, show that these two research approaches complement each other for more insightful understanding of this phishing detection task. The analyses also demonstrate several limitations of this computational model that cannot easily capture certain user types and phishing detection strategies, calling for a more dynamic and sophisticated model construction.

computer science, cybernetics,ergonomics