Gaurav Misra,Nalin Asanka Gamagedara Arachchilage,Shlomo Berkovsky

DOI: https://doi.org/10.48550/arXiv.1710.06064

2017-10-17

Abstract:Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have been designed and implemented but they have been unable to solve the problem adequately. This failure is often due to security experts overlooking the human element and ignoring their fallibility in making trust decisions online. In this paper, we present Phish Phinder, a serious game designed to enhance the user's confidence in mitigating phishing attacks by providing them with both conceptual and procedural knowledge about phishing. The user is trained through a series of gamified challenges, designed to educate them about important phishing related concepts, through an interactive user interface. Key elements of the game interface were identified through an empirical study with the aim of enhancing user interaction with the game. We also adopted several persuasive design principles while designing Phish Phinder to enhance phishing avoidance behaviour among users.

Cryptography and Security,Computers and Society

Rubia Fatima,Affan Yasin,Lin Liu,Jianmin Wang

DOI: https://doi.org/10.3233/jcs-181253

2019-01-01

Journal of Computer Security

Abstract:CONTEXT: In the current era of digital technology, social engineers are using various tactics to undermine human weaknesses. Social Engineers target human psychology to achieve their target(s) which are in the form of data, account details, or IT devices etc. According to our research, one of the first methods social engineers used to target victims is Phishing/Spear Phishing. OBJECTIVE: The objective of this study is to utilize serious game to: i) educate players regarding phishing and spear-phishing attacks; ii) make aware and educate players regarding dangers associated with excessive online information disclosure. METHOD: In order to address the objectives we have: i) performed an in-depth literature review to extract insights related to social engineering, phishing, game design, learning functions, human interaction, and game-based learning etc; ii) proposed and aligned the game design with social engineering ontology concepts; iii) performed an empirical evaluation to evaluate the effectiveness of the designed board game. CONCLUSION: From this research study, we conclude that: i) PhishI game is useful in educating players regarding excessive online information disclosure and phishing awareness; ii) game-based learning is an effectivemethod for inculcating and general cyber-related awareness in players.

Franklin Tchakounté,Virgile Simé Nyassi,Kalum Priyanath Udagepola

2019-01-01

Journal of Network Security

Abstract:Phishing is a serious concern on internet. Current anti-phishing solutions identify scamming behaviour during one stage of communications between both users. They rely only on static features related to the attacker email on that stage to lure the potential victims. This paper exposes a new trend of spear-phishing attack, namely True Request–Fake Response (TR-FR), which exploits cross-communications among messaging clients as well as multi-stage interactions between the victim and the attacker. We propose theoretical approach and architecture based on email contextual parameters to identify such type of phishing. We identify a real case of TR-PR and apply the proposed method to show how this case can be detected. Keywords: Anti-Phishing Working Group (APWG), cross-communications, Phishing, spear phishing, True Request–Fake Response (TR-FR) Cite this Article: Franklin Tchakounte, Virgile Sime Nyassi, Kalum Priyanath Udagepola. True Request–Fake Response: A New Trend of Spear Phishing Attack. Journal of Network Security. 2019; 7(3): 1-17p.

Matthew Shonman,Xiaoyu Shi,Mingqing Kang,Zuo Wang,Xiangyang Li,Anton Dahbura

DOI: https://doi.org/10.1093/iwc/iwad054

2024-02-10

Interacting with Computers

Abstract:Abstract Numerous studies of human user behaviours in cybersecurity tasks have used traditional research methods, such as self-reported surveys or empirical experiments, to identify relationships between various factors of interest and user security performance. This work takes a different approach, applying computational cognitive modelling to research the decision-making of cybersecurity users. The model described here relies on cognitive memory chunk activation to analytically simulate the decision-making process of a user classifying legitimate and phishing emails. Suspicious-seeming cues in each email are processed by examining similar, past classifications in long-term memory. We manipulate five parameters (Suspicion Threshold, Maximum Cues Processed, Weight of Similarity, Flawed Perception Level, Legitimate-to-Phishing Email Ratio in long-term memory) to examine their effects on accuracy, email processing time and decision confidence. Furthermore, we have conducted an empirical, unattended study of US participants performing the same task. Analyses on the empirical study data and simulation output, especially clustering analysis, show that these two research approaches complement each other for more insightful understanding of this phishing detection task. The analyses also demonstrate several limitations of this computational model that cannot easily capture certain user types and phishing detection strategies, calling for a more dynamic and sophisticated model construction.

computer science, cybernetics,ergonomics

Usman Abdullahi Mohammed,Muhammad Sanusi,Usman n Abdullahi Mohammed,

DOI: https://doi.org/10.33564/ijeast.2023.v07i10.002

2023-02-01

International Journal of Engineering Applied Sciences and Technology

Abstract:The act of sending a fake e-mail to a user is known as phishing. It involves imitating a legitimate financial institution or organization in order to trick the recipient into providing their personal information. Due to the harmful effects of phishing emails, the development of classification models that can help identify and prevent fraudulent emails has been considered. Four of the most prominent models in the literature for analyzing phishing emails are K-Nearest Neighbor, Support Vector Machine, Random Forest and Nave Bayes. A model that combines three of the models with better performance metrics using 47 features was developed. It was tested against various existing models and performed well in comparison to them. Finally, the comparison analysis of the model is conducted to archive a realistic accuracy rate of 99 percent.

Asangi Jayatilaka,Nalin Asanka Gamagedara Arachchilage,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2108.04766

2021-10-07

Abstract:Despite sophisticated phishing email detection systems, and training and awareness programs, humans continue to be tricked by phishing emails. In an attempt to better understand why phishing email attacks still work and how best to mitigate them, we have carried out an empirical study to investigate people's thought processes when reading their emails. We used a scenario-based role-play "think aloud" method and follow-up interviews to collect data from 19 participants. The experiment was conducted using a simulated web email client, and real phishing and legitimate emails adapted to the given scenario. The analysis of the collected data has enabled us to identify eleven factors that influence people's response decisions to both phishing and legitimate emails. Furthermore, based on the user study findings, we discuss novel insights into flaws in the general email decision-making behaviors that could make people susceptible to phishing attacks.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Asangi Jayatilaka,Nalin Asanka Gamagedara Arachchilage,Muhammad Ali Babar

2024-01-24

Abstract:Despite technical and non-technical countermeasures, humans continue to be tricked by phishing emails. How users make email response decisions is a missing piece in the puzzle to identifying why people still fall for phishing emails. We conducted an empirical study using a think-aloud method to investigate how people make 'response decisions' while reading emails. The grounded theory analysis of the in-depth qualitative data has enabled us to identify different elements of email users' decision-making that influence their email response decisions. Furthermore, we developed a theoretical model that explains how people could be driven to respond to emails based on the identified elements of users' email decision-making processes and the relationships uncovered from the data. The findings provide deeper insights into phishing email susceptibility due to people's email response decision-making behavior. We also discuss the implications of our findings for designers and researchers working in anti-phishing training, education, and awareness interventions

Cryptography and Security,Computers and Society,Human-Computer Interaction

Amir Kashapov,Tingmin Wu,Alsharif Abuadbba,Carsten Rudolph

DOI: https://doi.org/10.48550/arXiv.2203.13380

2022-03-25

Abstract:Cyber-phishing attacks recently became more precise, targeted, and tailored by training data to activate only in the presence of specific information or cues. They are adaptable to a much greater extent than traditional phishing detection. Hence, automated detection systems cannot always be 100% accurate, increasing the uncertainty around expected behavior when faced with a potential phishing email. On the other hand, human-centric defence approaches focus extensively on user training but face the difficulty of keeping users up to date with continuously emerging patterns. Therefore, advances in analyzing the content of an email in novel ways along with summarizing the most pertinent content to the recipients of emails is a prospective gateway to furthering how to combat these threats. Addressing this gap, this work leverages transformer-based machine learning to (i) analyze prospective psychological triggers, to (ii) detect possible malicious intent, and (iii) create representative summaries of emails. We then amalgamate this information and present it to the user to allow them to (i) easily decide whether the email is "phishy" and (ii) self-learn advanced malicious patterns.

Cryptography and Security,Machine Learning

Affan Yasin,Rubia Fatima,Zheng JiangBin,Wasif Afzal,Shahid Raza

DOI: https://doi.org/10.1016/j.infsof.2024.107426

IF: 3.9

2024-02-25

Information and Software Technology

Abstract:Context: In the digital age, there is a notable increase in fraudulent activities perpetrated by social engineers who exploit individuals' limited knowledge of digital devices. These actors strategically manipulate human psychology, targeting IT devices to gain unauthorized access to sensitive data. Objectives: Our study is centered around two distinct objectives to be accomplished through the utilization of a serious game: (i) The primary objective entails delivering training and educational content to participants with a focus on phishing attacks; (ii) The secondary objective aims to heighten participants' awareness regarding the perils associated with divulging excessive information online. Methodology: To address these objectives, we have employed the following techniques and methods: (i) A comprehensive literature review was conducted to establish foundational knowledge in areas such as social engineering, game design, learning principles, human interaction, and game-based learning; (ii) We meticulously aligned the game design with the philosophical concept of social engineering attacks; (iii) We devised and crafted an advanced hybrid version of the game, incorporating the use of QR codes to generate game card data; (iv) We conducted an empirical evaluation encompassing surveys, observations, discussions, and URL assessments to assess the effectiveness of the proposed hybrid game version. Results: Quantitative data and qualitative observations suggest the "PhishDefend Quest" game successfully improved players' comprehension of phishing threats and how to detect them through an interactive learning experience. The results highlight the potential of serious games to educate people about social engineering risks. Conclusion: Through the evaluation, we can readily arrive at the following conclusions: (i) Game-based learning proves to be a viable approach for educating participants about phishing awareness and the associated risks tied to the unnecessary disclosure of sensitive information online; (ii) Furthermore, game-based learning serves as an effective means of disseminating awareness among participants and players concerning prevalent phishing attacks.

computer science, information systems, software engineering

Sijie Zhuo,Robert Biddle,Jared Daniel Recomendable,Giovanni Russello,Danielle Lottridge

DOI: https://doi.org/10.1145/3688459.3688465

2024-09-12

Abstract:Phishing emails typically masquerade themselves as reputable identities to trick people into providing sensitive information and credentials. Despite advancements in cybersecurity, attackers continuously adapt, posing ongoing threats to individuals and organisations. While email users are the last line of defence, they are not always well-prepared to detect phishing emails. This study examines how workload affects susceptibility to phishing, using eye-tracking technology to observe participants' reading patterns and interactions with tailored phishing emails. Incorporating both quantitative and qualitative analysis, we investigate users' attention to two phishing indicators, email sender and hyperlink URLs, and their reasons for assessing the trustworthiness of emails and falling for phishing emails. Our results provide concrete evidence that attention to the email sender can reduce phishing susceptibility. While we found no evidence that attention to the actual URL in the browser influences phishing detection, attention to the text masking links can increase phishing susceptibility. We also highlight how email relevance, familiarity, and visual presentation impact first impressions of email trustworthiness and phishing susceptibility.

Human-Computer Interaction,Cryptography and Security

Cynthia Dhinakaran,Dhinaharan Nagamalai,Jae Kwang Lee

DOI: https://doi.org/10.48550/arXiv.1108.1593

2011-08-08

Abstract:Spam messes up users inbox, consumes resources and spread attacks like DDoS, MiM, phishing etc. Phishing is a byproduct of email and causes financial loss to users and loss of reputation to financial institutions. In this paper we examine the characteristics of phishing and technology used by Phishers. In order to counter anti-phishing technology, phishers change their mode of operation; therefore a continuous evaluation of phishing only helps us combat phisher effectiveness. In our study, we collected seven hundred thousand spam from a corporate server for a period of 13 months from February 2008 to February 2009. From the collected data, we identified different kinds of phishing scams and mode of operation. Our observation shows that phishers are dynamic and depend more on social engineering techniques rather than software vulnerabilities. We believe that this study will develop more efficient anti-phishing methodologies. Based on our analysis, we developed an anti-phishing methodology and implemented in our network. The results show that this approach is highly effective to prevent phishing attacks. The proposed approach reduced more than 80% of the false negatives and more than 95% of phishing attacks in our network.

Cryptography and Security

Ploy Unchit,Sanchari Das,Andrew Kim,L. Jean Camp

DOI: https://doi.org/10.48550/arXiv.2006.16380

2020-07-08

Abstract:Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on students. In contrast, here, we report on an evaluation of a high school community. We engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research utilizing signal detection theory (SDT). Through scenario-based analysis, participants tasked with distinguishing phishing emails from authentic emails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background. These findings are critical for evaluating the decision-making of underrepresented populations and protecting people from potential spear phishing attacks by examining human susceptibility.

Cryptography and Security,Computers and Society

Kalam Khadka

2024-12-24

Abstract:This study extends the research of Ferreira and Teles (2019), who synthesized works by Cialdini (2007), Gragg (2003), and Stajano and Wilson (2011) to propose a unique list of persuasion principles in social engineering. While Ferreira and Teles focused on email subject lines, this research analyzed entire email contents to identify principles of human persuasion in phishing emails. This study also examined the goals and targets of phishing emails, providing a novel contribution to the field. Applying these findings to the ontological model by Mouton et al. (2014) reveals that when social engineers use email for phishing, individuals are the primary targets. The goals are typically unauthorized access, followed by financial gain and service disruption, with Distraction as the most commonly used compliance principle. This research highlights the importance of understanding human persuasion in technology-mediated interactions to develop methods for detecting and preventing phishing emails before they reach users. Despite previous identification of luring elements in phishing emails, empirical findings have been inconsistent. For example, Akbar (2014) found 'authority' and 'scarcity' most common, while Ferreira et al. (2015) identified 'liking' and 'similarity.' In this study, 'Distraction' was most frequently used, followed by 'Deception,' 'Integrity,' and 'Authority.' This paper offers additional insights into phishing email tactics and suggests future solutions should leverage socio-technical principles. Future work will apply this methodology to other social engineering techniques beyond phishing emails, using the ontological model to further inform the research community.

Cryptography and Security,Computers and Society,Human-Computer Interaction

wei deng,ze hui qu,li ye,zhi guang qin

DOI: https://doi.org/10.4028/www.scientific.net/AMR.433-440.5053

2012-01-01

Abstract:With the wide applications of machine learning techniques in spam filtering, malicious adversaries have been increasingly launching attacks against the filtering systems. In this paper, we model the interaction between the data miner and the adversary as Stackelberg games. Though existing algorithms for Stackelberg games efficiently find optimal solutions, they critically assume the follower plays optimally and rationally. Unfortunately, in real-world applications, because of follower's bounded rationality and limited observation of the leader's strategy, it may deviate from their expected optimal response. Considering this crucial problem, this paper solve for the Nash equilibrium. Experiments on real spam dataset demonstrate that bounded rationality and limited observation can make Stackelberg games more practical and provide interesting insights about the interaction between the data miner and the spammer in spam filtering.

Jingguo Wang,Tejaswini Herath,Rui Chen,Arun Vishwanath,H. Raghav Rao

DOI: https://doi.org/10.1109/tpc.2012.2208392

2012-01-01

IEEE Transactions on Professional Communication

Abstract:Research problem: Phishing is an email-based scam where a perpetrator camouflages emails to appear as a legitimate request for personal and sensitive information. Research question: How do individuals process a phishing email, and determine whether to respond to it? Specifically, this study examines how users' attention to “visual triggers” and “phishing deception indicators” influence their decision-making processes and consequently their decisions. Literature review: This paper draws upon the theory of deception and the literature on mediated cognition and learning, including the critical role of attention and elaboration in deception detection. From this literature, we developed a research model to suggest that overall cognitive effort expended in email processing decreases with attention to visual triggers and phishing deception indicators. The likelihood to respond to phishing emails increases with attention to visceral cues, but decreases with attention to phishing deception indicators and cognitive effort. Knowledge of email-based scams increases attention to phishing deception indicators, and directly decreases response likelihood. It also moderates the impact of attention to visceral triggers and that of phishing deception indicators on likelihood to respond. Methodology: Using a real phishing email as a stimulus, a survey of 321 members of a public university community in the Northeast US, who were intended victims of a spear phishing attack that took place, was conducted. The survey used validated measures developed in prior literature for the most part and tested results using the partial least-squares regression. Results and discussion: Our research model and hypotheses were supported by the data except that we did not find that cognitive effort significantly affects response likelihood. The implication of the study is that attention to visceral triggers, attention to phishing deception indicators, and phishing knowledge play critical roles in phishing detection. The limitations of the study were that the data were drawn from students, and the study explored one phishing attack, relied on some single-item measures, cognitive effort measure, and a one-round survey. Future research would examine the impact of a varying degree of urgency and a varying level of phishing deception indicators, and actual victims of phishing attacks.

Gianluca Stringhini,Olivier Thonnard

DOI: https://doi.org/10.48550/arXiv.1410.6629

2014-10-24

Abstract:One of the ways in which attackers try to steal sensitive information from corporations is by sending spearphishing emails. This type of emails typically appear to be sent by one of the victim's coworkers, but have instead been crafted by an attacker. A particularly insidious type of spearphishing emails are the ones that do not only claim to come from a trusted party, but were actually sent from that party's legitimate email account that was compromised in the first place. In this paper, we propose a radical change of focus in the techniques used for detecting such malicious emails: instead of looking for particular features that are indicative of attack emails, we look for possible indicators of impersonation of the legitimate owners. We present IdentityMailer, a system that validates the authorship of emails by learning the typical email-sending behavior of users over time, and comparing any subsequent email sent from their accounts against this model. Our experiments on real world e-mail datasets demonstrate that our system can effectively block advanced email attacks sent from genuine email accounts, which traditional protection systems are unable to detect. Moreover, we show that it is resilient to an attacker willing to evade the system. To the best of our knowledge, IdentityMailer is the first system able to identify spearphishing emails that are sent from within an organization, by a skilled attacker having access to a compromised email account.

Cryptography and Security

Nalin Asanka Gamagedara Arachchilage,Mumtaz Abdul Hameed

DOI: https://doi.org/10.48550/arXiv.1706.07748

2017-06-23

Abstract:Security exploits can include cyber threats such as computer programs that can disturb the normal behavior of computer systems (viruses), unsolicited e-mail (spam), malicious software (malware), monitoring software (spyware), attempting to make computer resources unavailable to their intended users (Distributed Denial-of-Service or DDoS attack), the social engineering, and online identity theft (phishing). One such cyber threat, which is particularly dangerous to computer users is phishing. Phishing is well known as online identity theft, which targets to steal victims' sensitive information such as username, password and online banking details. This paper focuses on designing an innovative and gamified approach to educate individuals about phishing attacks. The study asks how one can integrate self-efficacy, which has a co-relation with the user's knowledge, into an anti-phishing educational game to thwart phishing attacks? One of the main reasons would appear to be a lack of user knowledge to prevent from phishing attacks. Therefore, this research investigates the elements that influence (in this case, either conceptual or procedural knowledge or their interaction effect) and then integrate them into an anti-phishing educational game to enhance people's phishing prevention behaviour through their motivation.

Cryptography and Security,Computers and Society

Avisha Das,Shahryar Baki,Ayman El Aassal,Rakesh Verma,Arthur Dunbar

DOI: https://doi.org/10.48550/arXiv.1911.00953

2019-11-04

Abstract:Phishing and spear-phishing are typical examples of masquerade attacks since trust is built up through impersonation for the attack to succeed. Given the prevalence of these attacks, considerable research has been conducted on these problems along multiple dimensions. We reexamine the existing research on phishing and spear-phishing from the perspective of the unique needs of the security domain, which we call security challenges: real-time detection, active attacker, dataset quality and base-rate fallacy. We explain these challenges and then survey the existing phishing/spear phishing solutions in their light. This viewpoint consolidates the literature and illuminates several opportunities for improving existing solutions. We organize the existing literature based on detection techniques for different attack vectors (e.g., URLs, websites, emails) along with studies on user awareness. For detection techniques, we examine properties of the dataset, feature extraction, detection algorithms used, and performance evaluation metrics. This work can help guide the development of more effective defenses for phishing, spear-phishing, and email masquerade attacks of the future, as well as provide a framework for a thorough evaluation and comparison.

Cryptography and Security

Asiema Mwavali

DOI: https://doi.org/10.47604/ijts.2781

2024-07-15

International Journal of Technology and Systems

Abstract:Purpose: Phishing is a significant cybercrime threat that affects individuals and organizations globally, including the banking industry in Kenya. The sophistication of phishing attacks continues to increase, and it is increasingly challenging traditional security measures to mitigate these threats. The purpose of this thesis is to build a framework for mitigating phishing e-mail attacks in the banking industry in Kenya using artificial intelligence. Phishing emails are among the most common techniques of cyber-attacks utilized by assailants to gain unauthorized access to sensitive information such as financial details, personal information, and login credentials. These attacks can have devastating effects on the victims, leading to financial loss, reputation damage, and even identity theft. Methodology: The framework development consists of four main stages: data collection, data preprocessing, model training, and deployment. In the data collection stage, a dataset of phishing and non-phishing emails is gathered from various sources such as public databases, dark web forums, and bank employees mail. In the data preprocessing stage, the collected data is cleaned, preprocessed, and labeled. In the model training stage, machine learning algorithms and NLP techniques is used to develop a robust phishing and non-phishing emails detection model. In the deployment stage, the model is integrated into the bank's email system to detect and block phishing emails in real-time. The framework is then evaluated using a dataset of phishing and non-phishing e-mails collected from the banking industry in Kenya. Various metrics such as accuracy, precision, recall, and F1-score are used to evaluate the framework. The framework is able to detect new phishing e-mails that were not previously included in the dataset, demonstrating its ability to adapt to new threats. Findings: The framework is based on a hybrid approach that combines machine learning algorithms, natural language processing (NLP) techniques, and human expertise that identify and prevent phishing emails from reaching their targets. The four main components of this framework include e-mail filtering, feature extraction, classification, and response. The e-mail filtering component uses several algorithms to identify and filter suspicious e-mails. The feature extraction component analyzes the content of the e-mail and extracts relevant features to help classify the e-mail as either legitimate or phishing. The classification component uses machine-learning algorithms to classify the e-mail as either legitimate or phishing. Finally, the response component takes appropriate action based on the classification results. Unique Contribution to Theory, Practice and Policy: The framework provides an effective way to identify and mitigate phishing e-mail attacks, reducing the risk of data breaches and financial losses.

Fredrick Nthurima,Abraham Matheka

DOI: https://doi.org/10.32591/coas.ojit.0602.06157n

2023-12-24

Open Journal for Information Technology

Abstract:Phishing attacks usually take advantage of weaknesses in the way users behave. An attacker sends an email to the recipient that mimics a genuine email with phishing links. When the recipient clicks on the embedded links, the attacker can harvest critical information like credit card numbers, usernames or passwords as a result of entering the compromised account. Online surveys have put phishing attacks as the leading attack for web content, mostly targeting financial institutions. According to a survey conducted by Ponemon Institute LLC 2017, the loss due to phishing attacks is about $1.5 billion annually. This is a global threat to information security, and it’s on the rise due to IoT (Internet of Things) and thus requires a better phishing detection mechanism to mitigate these losses and reputation injury. This research paper explores and reports the use of multiple machine learning models by using an algorithm called Random Forest and using more phishing email features to improve the accuracy of phishing detection and prevention. This project will explore the existing phishing methods, investigate the effect of combining two machine learning algorithms to detect and prevent phishing attacks, design and develop a supervised classifier to detect and prevent phishing emails and test the model with existing data. A dataset consisting of benign and phishing emails will be used to conduct supervised learning by the model. Expected accuracy is 99.9%, with a rate of less than 0.1% for False Negatives (FN) and False Positives (FP).