Daniele Lain,Kari Kostiainen,Srdjan Capkun

DOI: https://doi.org/10.48550/arXiv.2112.07498

2021-12-14

Cryptography and Security

Abstract:In this paper, we present findings from a large-scale and long-term phishing experiment that we conducted in collaboration with a partner company. Our experiment ran for 15 months during which time more than 14,000 study participants (employees of the company) received different simulated phishing emails in their normal working context. We also deployed a reporting button to the company's email client which allowed the participants to report suspicious emails they received. We measured click rates for phishing emails, dangerous actions such as submitting credentials, and reported suspicious emails. The results of our experiment provide three types of contributions. First, some of our findings support previous literature with improved ecological validity. One example of such results is good effectiveness of warnings on emails. Second, some of our results contradict prior literature and common industry practices. Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing. And third, we report new findings. In particular, we are the first to demonstrate that using the employees as a collective phishing detection mechanism is practical in large organizations. Our results show that such crowd-sourcing allows fast detection of new phishing campaigns, the operational load for the organization is acceptable, and the employees remain active over long periods of time.

Marcus Butavicius,Kathryn Parsons,Malcolm Pattinson,Agata McCormac

DOI: https://doi.org/10.48550/arXiv.1606.00887

2016-05-28

Abstract:We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.

Computers and Society,Cryptography and Security

Daniele Lain,Tarek Jost,Sinisa Matetic,Kari Kostiainen,Srdjan Capkun

DOI: https://doi.org/10.1145/3658644.3690348

2024-09-03

Abstract:A common form of phishing training in organizations is the use of simulated phishing emails to test employees' susceptibility to phishing attacks, and the immediate delivery of training material to those who fail the test. This widespread practice is dubbed embedded training; however, its effectiveness in decreasing the likelihood of employees falling for phishing again in the future is questioned by the contradictory findings of several recent field studies. We investigate embedded phishing training in three aspects. First, we observe that the practice incorporates different components -- knowledge gains from its content, nudges and reminders from the test itself, and the deterrent effect of potential consequences -- our goal is to study which ones are more effective, if any. Second, we explore two potential improvements to training, namely its timing and the use of incentives. Third, we analyze employees' reception and perception of the practice. For this, we conducted a large-scale mixed-methods (quantitative and qualitative) study on the employees of a partner company. Our study contributes several novel findings on the training practice: in particular, its effectiveness comes from its nudging effect, i.e., the periodic reminder of the threat rather than from its content, which is rarely consumed by employees due to lack of time and perceived usefulness. Further, delaying training to ease time pressure is as effective as currently established practices, while rewards do not improve secure behavior. Finally, some of our results support previous findings with increased ecological validity, e.g., that phishing is an attention problem, rather than a knowledge one, even for the most susceptible employees, and thus enforcing training does not help.

Cryptography and Security

Prateek Dewan,Anand Kashyap,Ponnurangam Kumaraguru

DOI: https://doi.org/10.48550/arXiv.1406.3692

2014-06-14

Abstract:Spear phishing is a complex targeted attack in which, an attacker harvests information about the victim prior to the attack. This information is then used to create sophisticated, genuine-looking attack vectors, drawing the victim to compromise confidential information. What makes spear phishing different, and more powerful than normal phishing, is this contextual information about the victim. Online social media services can be one such source for gathering vital information about an individual. In this paper, we characterize and examine a true positive dataset of spear phishing, spam, and normal phishing emails from Symantec's enterprise email scanning service. We then present a model to detect spear phishing emails sent to employees of 14 international organizations, by using social features extracted from LinkedIn. Our dataset consists of 4,742 targeted attack emails sent to 2,434 victims, and 9,353 non targeted attack emails sent to 5,912 non victims; and publicly available information from their LinkedIn profiles. We applied various machine learning algorithms to this labeled data, and achieved an overall maximum accuracy of 97.76% in identifying spear phishing emails. We used a combination of social features from LinkedIn profiles, and stylometric features extracted from email subjects, bodies, and attachments. However, we achieved a slightly better accuracy of 98.28% without the social features. Our analysis revealed that social features extracted from LinkedIn do not help in identifying spear phishing emails. To the best of our knowledge, this is one of the first attempts to make use of a combination of stylometric features extracted from emails, and social features extracted from an online social network to detect targeted spear phishing emails.

Computers and Society,Machine Learning,Social and Information Networks

Nina Marshall,Daniel Sturman,Jaime C. Auton

DOI: https://doi.org/10.1016/j.cose.2023.103695

IF: 5.105

2024-01-01

Computers & Security

Abstract:Background Phishing emails are a pervasive threat to the security of confidential information. To mitigate this risk, a range of training measures have been developed to target the human factors involved in phishing email susceptibility. Despite the widespread use of anti-phishing training programs, there is no clear understanding of the extent to which these approaches have been assessed. Objective The primary aim of this scoping review was to identify and describe the nature of available training interventions and their measurable outcomes on user susceptibility, as reported in published articles. Methods Systematic searches identified 42 studies that met the inclusion criteria. Each study was critically analysed, and a standardised data extraction spreadsheet used to systemise the data that informed the descriptive narrative review. Results Findings revealed that near-term training impact is well documented, however evidence on the success of programs in driving sustained behavioral change is limited. Components of training design influencing the effectiveness of outcomes included training intensity, active approaches to learning, the provision of detailed feedback, and supplementing attentional awareness skills-based training with traditional cue-based approaches. Conclusions Improved user resilience to phishing emails confirms the utility of training as an important defensive mechanism, although current approaches continue to leave trainees at risk.

computer science, information systems

Daniel Jampen,Gürkan Gür,Thomas Sutter,Bernhard Tellenbach

DOI: https://doi.org/10.1186/s13673-020-00237-7

2020-08-09

Abstract:Abstract Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be designed sustainably and effectively to minimize the vulnerability of employees to phishing attacks. In this paper, we survey and categorize works that consider different elements of such programs via a clearly laid-out methodology, and identify key findings in the technical literature. Overall, we find that researchers agree on the answers to many relevant questions regarding the utility and effectiveness of anti-phishing training. However, we identified influencing factors, such as the impact of age on the success of anti-phishing training programs, for which mixed findings are available. Finally, based on our comprehensive analysis, we describe how a well-founded anti-phishing training program should be designed and parameterized with a set of proposed research directions.

computer science, information systems

Sarah Wassermann,Maxime Meyer,Sébastien Goutal,Damien Riquet

2023-09-25

Abstract:In today's digital world, cybercrime is responsible for significant damage to organizations, including financial losses, operational disruptions, or intellectual property theft. Cyberattacks often start with an email, the major means of corporate communication. Some rare, severely damaging email threats - known as spear phishing or Business Email Compromise - have emerged. However, the literature disagrees on their definition, impeding security vendors and researchers from mitigating targeted attacks. Therefore, we introduce targeted attacks. We describe targeted-attack-detection techniques as well as social-engineering methods used by fraudsters. Additionally, we present text-based attacks - with textual content as malicious payload - and compare non-targeted and targeted variants.

Cryptography and Security

Ladislav Burita,Ivo Klaban,Tomas Racil

DOI: https://doi.org/10.34190/iccws.17.1.28

2022-03-02

International Conference on Cyber Warfare and Security

Abstract:The research results published in this article are oriented toward two areas: phishing email analysis and education for defense against the threats of phishing emails. The first topic builds on previous research primarily by analyzing changes in captured phishing emails over an interval of 4 weeks, half a year after the previous experiment. In this section, a statistical survey of phishing emails from both experiments is carried out and emails are segmented into categories focused on business, charity, asset transfer, and fund offers. The results of both experiments are then compared and validated. Based on this comparison and validation, a conclusion is made on trends and development in the phishing email domain in the last half a year. The second focus of our research is analysis of the existing education and testing systems for phishing emails. Based on the results of the analysis, a suitable system for university education and training against phishing and other malicious email threats will be designed. There is also an analysis of existing systems for improving and testing users' ability to recognize and react to phishing emails. Based on our findings about these systems, our own system is proposed. An experiment is prepared on "self-service" testing of phishing email detection skills performed by students with their colleagues. Some activists were employed to assist with this experiment; they will operate and prepare the environment according to the processed scenario. All experiments must be completely safe and effective at the same time. The experiments will be evaluated and the experience used to develop the education and training system at the university.

Alessandro Ecclesie Agazzi

DOI: https://doi.org/10.48550/arXiv.2006.00577

2020-06-01

Abstract:Phishing attacks have become the most used technique in the online scams, initiating more than 91% of cyberattacks, from 2012 onwards. This study reviews how Phishing and Spear Phishing attacks are carried out by the phishers, through 5 steps which magnify the outcome, increasing the chance of success. The focus will be also given on four different layers of protection against these social engineering attacks, showing their strengths and weaknesses; the first and second layers consist of automated tools and decision-aid tools. the third one is users' knowledge and expertise to deal with potential threats. The last layer, defined as "external", will underline the importance of having a Multi-factor authentication, an effective way to provide an enhanced security, creating a further layer of protection against Phishing and Spear Phishing.

Cryptography and Security,Computers and Society

Anargyros Chrysanthou,Yorgos Pantis,Constantinos Patsakis

2023-10-05

Abstract:In an era dominated by digital interactions, phishing campaigns have evolved to exploit not just technological vulnerabilities but also human traits. This study takes an unprecedented deep dive into large-scale phishing campaigns aimed at Meta's users, offering a dual perspective on the technical mechanics and human elements involved. Analysing data from over 25,000 victims worldwide, we highlight the nuances of these campaigns, from the intricate techniques deployed by the attackers to the sentiments and behaviours of those who were targeted. Unlike prior research conducted in controlled environments, this investigation capitalises on the vast, diverse, and genuine data extracted directly from active phishing campaigns, allowing for a more holistic understanding of the drivers, facilitators, and human factors. Through the application of advanced computational techniques, including natural language processing and machine learning, this work unveils critical insights into the psyche of victims and the evolving tactics of modern phishers. Our analysis illustrates very poor password selection choices from the victims but also persistence in the revictimisation of a significant part of the users. Finally, we reveal many correlations regarding demographics, timing, sentiment, emotion, and tone of the victims' responses.

Cryptography and Security

Shahryar Baki,Rakesh M. Verma,Arjun Mukherjee,Omprakash Gnawali

DOI: https://doi.org/10.48550/arXiv.2006.13499

2020-06-24

Abstract:Cyber attacks such as phishing, IRS scams, etc., still are successful in fooling Internet users. Users are the last line of defense against these attacks since attackers seem to always find a way to bypass security systems. Understanding users' reason about the scams and frauds can help security providers to improve users security hygiene practices. In this work, we study the users' reasoning and the effectiveness of several variables within the context of the company representative fraud. Some of the variables that we study are: 1) the effect of using LinkedIn as a medium for delivering the phishing message instead of using email, 2) the effectiveness of natural language generation techniques in generating phishing emails, and 3) how some simple customizations, e.g., adding sender's contact info to the email, affect participants perception. The results obtained from the within-subject study show that participants are not prepared even for a well-known attack - company representative fraud. Findings include: approximately 65% mean detection rate and insights into how the success rate changes with the facade and correspondent (sender/receiver) information. A significant finding is that a smaller set of well-chosen strategies is better than a large `mess' of strategies. We also find significant differences in how males and females approach the same company representative fraud. Insights from our work could help defenders in developing better strategies to evaluate their defenses and in devising better training strategies.

Cryptography and Security,Human-Computer Interaction,Social and Information Networks

Anargyros Chrysanthou,Yorgos Pantis,Constantinos Patsakis

DOI: https://doi.org/10.1016/j.cose.2024.103780

IF: 5.105

2024-02-25

Computers & Security

Abstract:In an era dominated by digital interactions, phishing campaigns have evolved to exploit not just technological vulnerabilities but also human traits. This study takes an unprecedented deep dive into large-scale phishing campaigns aimed at Meta's users, offering a dual perspective on the technical mechanics and human elements involved. Analysing data from over 25,000 victims worldwide, we highlight the nuances of these campaigns, from the intricate techniques deployed by the attackers to the sentiments and behaviours of those targeted. Unlike prior research conducted in controlled environments, this investigation capitalises on the vast, diverse, and genuine data extracted directly from active phishing campaigns, allowing for a more holistic understanding of the drivers, facilitators, and human factors. Through applying advanced computational techniques, including natural language processing and machine learning, this work unveils critical insights into the psyche of victims and the evolving tactics of modern phishers. Our analysis illustrates very poor password selection choices from the victims, with 30.27% of them picking low-complexity passwords and 58.23% reusing leaked passwords. Additionally, more than 10% exhibit strong persistence in re-victimisation by posting again to the phishing platforms of the same phishers. Finally, we reveal many correlations regarding demographics and the time periods when victims are more vulnerable during the day, as well as analyse the sentiment, emotion, and tone of text responses that they submitted, illustrating how convinced they were of the scam.

computer science, information systems

Laura Gamisch,Daniela Pöhn

DOI: https://doi.org/10.1145/3600160.3605006

2023-08-29

Abstract:Phishing is a major cyber threat to organizations that can cause financial and reputational damage, threatening their existence. The technical measures against phishing should be complemented by awareness training for employees. However, there is little validation of awareness measures. Consequently, organizations have an additional burden when integrating awareness training, as there is no consensus on which method brings the best success. This paper examines how awareness concepts can be successfully implemented and validated. For this purpose, various factors, such as requirements and possible combinations of methods, are taken into account in our case study at a small- and medium-sized enterprise (SME). To measure success, phishing exercises are conducted. The study suggests that pleasant campaigns result in better performance in the simulated phishing exercise. In addition, significant improvements and differences in the target groups could be observed. The implementation of awareness training with integrated key performance indicators can be used as a basis for other organizations.

Cryptography and Security

Ploy Unchit,Sanchari Das,Andrew Kim,L. Jean Camp

DOI: https://doi.org/10.48550/arXiv.2006.16380

2020-07-08

Abstract:Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on students. In contrast, here, we report on an evaluation of a high school community. We engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research utilizing signal detection theory (SDT). Through scenario-based analysis, participants tasked with distinguishing phishing emails from authentic emails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background. These findings are critical for evaluating the decision-making of underrepresented populations and protecting people from potential spear phishing attacks by examining human susceptibility.

Cryptography and Security,Computers and Society

Xiaowei Chen,Margault Sacré,Gabriele Lenzini,Samuel Greiff,Verena Distler,Anastasia Sergeeva

DOI: https://doi.org/10.48550/arXiv.2402.11862

IF: 6.4588

2024-02-19

Human-Computer Interaction

Abstract:Organizations rely on phishing interventions to enhance employees' vigilance and safe responses to phishing emails that bypass technical solutions. While various resources are available to counteract phishing, studies emphasize the need for interactive and practical training approaches. To investigate the effectiveness of such an approach, we developed and delivered two anti-phishing trainings, group discussion and role-playing, at a European university. We conducted a pre-registered experiment (N = 105), incorporating repeated measures at three time points, a control group, and three in-situ phishing tests. Both trainings enhanced employees' anti-phishing self-efficacy and support-seeking intention in within-group analyses. Only the role-playing training significantly improved support-seeking intention when compared to the control group. Participants in both trainings reported more phishing tests and demonstrated heightened vigilance to phishing attacks compared to the control group. We discuss practical implications for evaluating and improving phishing interventions and promoting safe responses to phishing threats within organizations.

Youngsun Kwak,Seyoung Lee,Amanda Damiano,Arun Vishwanath

DOI: https://doi.org/10.1016/j.tele.2020.101343

IF: 9.14

2020-05-01

Telematics and Informatics

Abstract:Cyber security training programs encourage users to report suspicious spear phishing emails, and most antiphishing software provide interfaces to assist in the reporting. Evidence, however, suggests that reporting is scarce. This research examined why this is the case. To this end, Social Cognitive Theory (SCT) was used to examine the influence of the triadic factors of perceived self-efficacy toward antiphishing behaviors, expected negative outcomes from reporting spear phishing emails, and cyber security self-monitoring, on individuals' likelihood of reporting spear phishing emails. Based on recent research on phishing victims, the present study also incorporated cyber risk beliefs (CRBs) into the SCT framework. The model, tested using survey data (N = 386), revealed that the likelihood of reporting spear phishing emails is increased by perceived self-efficacy, expected negative outcomes, and cyber security self-monitoring. Furthermore, the CRBs directly influenced the three SCT factors and indirectly the individuals' likelihood of reporting spear phishing emails. The findings add to our understanding of SCT and the science of cyber security.

information science & library science

Gianluca Stringhini,Olivier Thonnard

DOI: https://doi.org/10.48550/arXiv.1410.6629

2014-10-24

Abstract:One of the ways in which attackers try to steal sensitive information from corporations is by sending spearphishing emails. This type of emails typically appear to be sent by one of the victim's coworkers, but have instead been crafted by an attacker. A particularly insidious type of spearphishing emails are the ones that do not only claim to come from a trusted party, but were actually sent from that party's legitimate email account that was compromised in the first place. In this paper, we propose a radical change of focus in the techniques used for detecting such malicious emails: instead of looking for particular features that are indicative of attack emails, we look for possible indicators of impersonation of the legitimate owners. We present IdentityMailer, a system that validates the authorship of emails by learning the typical email-sending behavior of users over time, and comparing any subsequent email sent from their accounts against this model. Our experiments on real world e-mail datasets demonstrate that our system can effectively block advanced email attacks sent from genuine email accounts, which traditional protection systems are unable to detect. Moreover, we show that it is resilient to an attacker willing to evade the system. To the best of our knowledge, IdentityMailer is the first system able to identify spearphishing emails that are sent from within an organization, by a skilled attacker having access to a compromised email account.

Cryptography and Security

Tian Lin,Daniel E. Capecci,Donovan M. Ellis,Harold A. Rocha,Sandeep Dommaraju,Daniela S. Oliveira,Natalie C. Ebner

DOI: https://doi.org/10.1145/3336141

2019-10-31

Abstract:Phishing is fundamental to cyber attacks. This research determined the effect of Internet user age and email content such as weapons of influence (persuasive techniques that attackers can use to lure individuals to fall for an attack) and life domains (a specific topic or aspect of an individual's life that attackers can focus an email on) on spear-phishing (targeted phishing) susceptibility. In total, 100 young and 58 older users received, without their knowledge, daily simulated phishing emails over 21 days. A browser plugin recorded their clicking on links in the emails as an indicator of their susceptibility. Forty-three percent of users fell for the simulated phishing emails, with older women showing the highest susceptibility. While susceptibility in young users declined across the study, susceptibility in older users remained stable. The relative effectiveness of the attacks differed by weapons of influence and life domains with age-group variability. In addition, older compared to young users reported lower susceptibility awareness. These findings support effects of Internet user demographics and email content on susceptibility to phishing and emphasize the need for personalization of the next generation of security solutions.

computer science, information systems, cybernetics

Asangi Jayatilaka,Nalin Asanka Gamagedara Arachchilage,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2108.04766

2021-10-07

Abstract:Despite sophisticated phishing email detection systems, and training and awareness programs, humans continue to be tricked by phishing emails. In an attempt to better understand why phishing email attacks still work and how best to mitigate them, we have carried out an empirical study to investigate people's thought processes when reading their emails. We used a scenario-based role-play "think aloud" method and follow-up interviews to collect data from 19 participants. The experiment was conducted using a simulated web email client, and real phishing and legitimate emails adapted to the given scenario. The analysis of the collected data has enabled us to identify eleven factors that influence people's response decisions to both phishing and legitimate emails. Furthermore, based on the user study findings, we discuss novel insights into flaws in the general email decision-making behaviors that could make people susceptible to phishing attacks.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Jingguo Wang,Tejaswini Herath,Rui Chen,Arun Vishwanath,H. Raghav Rao

DOI: https://doi.org/10.1109/tpc.2012.2208392

2012-01-01

IEEE Transactions on Professional Communication

Abstract:Research problem: Phishing is an email-based scam where a perpetrator camouflages emails to appear as a legitimate request for personal and sensitive information. Research question: How do individuals process a phishing email, and determine whether to respond to it? Specifically, this study examines how users' attention to “visual triggers” and “phishing deception indicators” influence their decision-making processes and consequently their decisions. Literature review: This paper draws upon the theory of deception and the literature on mediated cognition and learning, including the critical role of attention and elaboration in deception detection. From this literature, we developed a research model to suggest that overall cognitive effort expended in email processing decreases with attention to visual triggers and phishing deception indicators. The likelihood to respond to phishing emails increases with attention to visceral cues, but decreases with attention to phishing deception indicators and cognitive effort. Knowledge of email-based scams increases attention to phishing deception indicators, and directly decreases response likelihood. It also moderates the impact of attention to visceral triggers and that of phishing deception indicators on likelihood to respond. Methodology: Using a real phishing email as a stimulus, a survey of 321 members of a public university community in the Northeast US, who were intended victims of a spear phishing attack that took place, was conducted. The survey used validated measures developed in prior literature for the most part and tested results using the partial least-squares regression. Results and discussion: Our research model and hypotheses were supported by the data except that we did not find that cognitive effort significantly affects response likelihood. The implication of the study is that attention to visceral triggers, attention to phishing deception indicators, and phishing knowledge play critical roles in phishing detection. The limitations of the study were that the data were drawn from students, and the study explored one phishing attack, relied on some single-item measures, cognitive effort measure, and a one-round survey. Future research would examine the impact of a varying degree of urgency and a varying level of phishing deception indicators, and actual victims of phishing attacks.