Anargyros Chrysanthou,Yorgos Pantis,Constantinos Patsakis

DOI: https://doi.org/10.1016/j.cose.2024.103780

IF: 5.105

2024-02-25

Computers & Security

Abstract:In an era dominated by digital interactions, phishing campaigns have evolved to exploit not just technological vulnerabilities but also human traits. This study takes an unprecedented deep dive into large-scale phishing campaigns aimed at Meta's users, offering a dual perspective on the technical mechanics and human elements involved. Analysing data from over 25,000 victims worldwide, we highlight the nuances of these campaigns, from the intricate techniques deployed by the attackers to the sentiments and behaviours of those targeted. Unlike prior research conducted in controlled environments, this investigation capitalises on the vast, diverse, and genuine data extracted directly from active phishing campaigns, allowing for a more holistic understanding of the drivers, facilitators, and human factors. Through applying advanced computational techniques, including natural language processing and machine learning, this work unveils critical insights into the psyche of victims and the evolving tactics of modern phishers. Our analysis illustrates very poor password selection choices from the victims, with 30.27% of them picking low-complexity passwords and 58.23% reusing leaked passwords. Additionally, more than 10% exhibit strong persistence in re-victimisation by posting again to the phishing platforms of the same phishers. Finally, we reveal many correlations regarding demographics and the time periods when victims are more vulnerable during the day, as well as analyse the sentiment, emotion, and tone of text responses that they submitted, illustrating how convinced they were of the scam.

computer science, information systems

Daniele Lain,Tarek Jost,Sinisa Matetic,Kari Kostiainen,Srdjan Capkun

DOI: https://doi.org/10.1145/3658644.3690348

2024-09-03

Abstract:A common form of phishing training in organizations is the use of simulated phishing emails to test employees' susceptibility to phishing attacks, and the immediate delivery of training material to those who fail the test. This widespread practice is dubbed embedded training; however, its effectiveness in decreasing the likelihood of employees falling for phishing again in the future is questioned by the contradictory findings of several recent field studies. We investigate embedded phishing training in three aspects. First, we observe that the practice incorporates different components -- knowledge gains from its content, nudges and reminders from the test itself, and the deterrent effect of potential consequences -- our goal is to study which ones are more effective, if any. Second, we explore two potential improvements to training, namely its timing and the use of incentives. Third, we analyze employees' reception and perception of the practice. For this, we conducted a large-scale mixed-methods (quantitative and qualitative) study on the employees of a partner company. Our study contributes several novel findings on the training practice: in particular, its effectiveness comes from its nudging effect, i.e., the periodic reminder of the threat rather than from its content, which is rarely consumed by employees due to lack of time and perceived usefulness. Further, delaying training to ease time pressure is as effective as currently established practices, while rewards do not improve secure behavior. Finally, some of our results support previous findings with increased ecological validity, e.g., that phishing is an attention problem, rather than a knowledge one, even for the most susceptible employees, and thus enforcing training does not help.

Cryptography and Security

Fabio Rizzoni,Sabina Magalini,Alessandra Casaroli,Pasquale Mari,Matt Dixon,Lynne Coventry

DOI: https://doi.org/10.1177/20552076221081716

2022-03-16

Abstract:Background: Phishing is a major threat to the data and infrastructure of healthcare organizations and many cyberattacks utilize this socially engineered pathway. Phishing simulation is used to identify weaknesses and risks in the human defences of organizations. There are many factors influencing the difficulty of detecting a phishing email including fatigue and the nature of the deceptive message. Method: A major Italian Hospital with over 6000 healthcare staff performed a phishing simulation as part of its annual training and risk assessment. Three campaigns were launched at approx. 4-month intervals, to compare staff reaction to a general phishing email and a customized one. Results: The results show that customization of phishing emails makes them much more likely to be acted on. In the first campaign, 64% of staff did not open the general phish, significantly more than the 38% that did not open the custom phish. A significant difference was also found for the click rate, with significantly more staff clicking on the custom phish. However, the campaigns could not be run as intended, due to issues raised within the organization. Conclusions: Phishing simulation is useful but not without its limitations. It requires contextual knowledge, skill and experience to ensure that it is effective. The exercise raised many issues within the Hospital. Successful, ethical phishing simulations require coordination across the organization, precise timing and lack of staff awareness. This can be complex to coordinate. Misleading messages containing false threats or promises can cause a backlash from staff and unions. The effectiveness of the message is dependent on the personalization of the message to current, local events. The lessons learned can be useful for other hospitals.

Xiaowei Chen,Margault Sacré,Gabriele Lenzini,Samuel Greiff,Verena Distler,Anastasia Sergeeva

DOI: https://doi.org/10.48550/arXiv.2402.11862

IF: 6.4588

2024-02-19

Human-Computer Interaction

Abstract:Organizations rely on phishing interventions to enhance employees' vigilance and safe responses to phishing emails that bypass technical solutions. While various resources are available to counteract phishing, studies emphasize the need for interactive and practical training approaches. To investigate the effectiveness of such an approach, we developed and delivered two anti-phishing trainings, group discussion and role-playing, at a European university. We conducted a pre-registered experiment (N = 105), incorporating repeated measures at three time points, a control group, and three in-situ phishing tests. Both trainings enhanced employees' anti-phishing self-efficacy and support-seeking intention in within-group analyses. Only the role-playing training significantly improved support-seeking intention when compared to the control group. Participants in both trainings reported more phishing tests and demonstrated heightened vigilance to phishing attacks compared to the control group. We discuss practical implications for evaluating and improving phishing interventions and promoting safe responses to phishing threats within organizations.

Anargyros Chrysanthou,Yorgos Pantis,Constantinos Patsakis

2023-10-05

Abstract:In an era dominated by digital interactions, phishing campaigns have evolved to exploit not just technological vulnerabilities but also human traits. This study takes an unprecedented deep dive into large-scale phishing campaigns aimed at Meta's users, offering a dual perspective on the technical mechanics and human elements involved. Analysing data from over 25,000 victims worldwide, we highlight the nuances of these campaigns, from the intricate techniques deployed by the attackers to the sentiments and behaviours of those who were targeted. Unlike prior research conducted in controlled environments, this investigation capitalises on the vast, diverse, and genuine data extracted directly from active phishing campaigns, allowing for a more holistic understanding of the drivers, facilitators, and human factors. Through the application of advanced computational techniques, including natural language processing and machine learning, this work unveils critical insights into the psyche of victims and the evolving tactics of modern phishers. Our analysis illustrates very poor password selection choices from the victims but also persistence in the revictimisation of a significant part of the users. Finally, we reveal many correlations regarding demographics, timing, sentiment, emotion, and tone of the victims' responses.

Cryptography and Security

Laura Gamisch,Daniela Pöhn

DOI: https://doi.org/10.1145/3600160.3605006

2023-08-29

Abstract:Phishing is a major cyber threat to organizations that can cause financial and reputational damage, threatening their existence. The technical measures against phishing should be complemented by awareness training for employees. However, there is little validation of awareness measures. Consequently, organizations have an additional burden when integrating awareness training, as there is no consensus on which method brings the best success. This paper examines how awareness concepts can be successfully implemented and validated. For this purpose, various factors, such as requirements and possible combinations of methods, are taken into account in our case study at a small- and medium-sized enterprise (SME). To measure success, phishing exercises are conducted. The study suggests that pleasant campaigns result in better performance in the simulated phishing exercise. In addition, significant improvements and differences in the target groups could be observed. The implementation of awareness training with integrated key performance indicators can be used as a basis for other organizations.

Cryptography and Security

A. J. Burns,M. Eric Johnson,Deanna D. Caputo

DOI: https://doi.org/10.1080/10919392.2019.1552745

IF: 2.2368

2019-01-02

Journal of Organizational Computing and Electronic Commerce

Abstract:Executives in many industries have fallen prey to socially engineered attacks known as spear phishing. Using highly targeted emails, social engineers trick victims into performing unintended actions by masquerading as legitimate actors. To shed light on effective spear phishing training, we conducted a multi-round experiment. Our results indicate that training users with individual loss messaging might increase the effectiveness of the training. Additionally, we found potential evidence that organizational training can lead to increased overall spear phishing awareness, even for those not directly trained. Despite these promising results, however, individuals’ susceptibility to highly targeted spear phishing attacks remains troubling for practitioners and researchers.

computer science, information systems, interdisciplinary applications

Grant Ho,Asaf Cidon,Lior Gavish,Marco Schweighauser,Vern Paxson,Stefan Savage,Geoffrey M. Voelker,David Wagner

DOI: https://doi.org/10.48550/arXiv.1910.00790

2019-10-02

Cryptography and Security

Abstract:We present the first large-scale characterization of lateral phishing attacks, based on a dataset of 113 million employee-sent emails from 92 enterprise organizations. In a lateral phishing attack, adversaries leverage a compromised enterprise account to send phishing emails to other users, benefitting from both the implicit trust and the information in the hijacked user's account. We develop a classifier that finds hundreds of real-world lateral phishing emails, while generating under four false positives per every one-million employee-sent emails. Drawing on the attacks we detect, as well as a corpus of user-reported incidents, we quantify the scale of lateral phishing, identify several thematic content and recipient targeting strategies that attackers follow, illuminate two types of sophisticated behaviors that attackers exhibit, and estimate the success rate of these attacks. Collectively, these results expand our mental models of the 'enterprise attacker' and shed light on the current state of enterprise phishing attacks.

Asangi Jayatilaka,Nalin Asanka Gamagedara Arachchilage,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2108.04766

2021-10-07

Abstract:Despite sophisticated phishing email detection systems, and training and awareness programs, humans continue to be tricked by phishing emails. In an attempt to better understand why phishing email attacks still work and how best to mitigate them, we have carried out an empirical study to investigate people's thought processes when reading their emails. We used a scenario-based role-play "think aloud" method and follow-up interviews to collect data from 19 participants. The experiment was conducted using a simulated web email client, and real phishing and legitimate emails adapted to the given scenario. The analysis of the collected data has enabled us to identify eleven factors that influence people's response decisions to both phishing and legitimate emails. Furthermore, based on the user study findings, we discuss novel insights into flaws in the general email decision-making behaviors that could make people susceptible to phishing attacks.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Sijie Zhuo,Robert Biddle,Yun Sing Koh,Danielle Lottridge,Giovanni Russello

DOI: https://doi.org/10.48550/arXiv.2202.07905

2022-02-16

Abstract:Phishing is recognised as a serious threat to organisations and individuals. While there have been significant technical advances in blocking phishing attacks, people remain the last line of defence after phishing emails reach their email client. Most of the existing literature on this subject has focused on the technical aspects related to phishing. However, the factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature and we propose a three-stage Phishing Susceptibility Model (PSM) for explaining how humans are involved in phishing detection and prevention, and we systematically investigate the phishing susceptibility variables studied in the literature and taxonomize them using our model. This model reveals several research gaps that need to be addressed to improve users' detection performance. We also propose a practical impact assessment of the value of studying the phishing susceptibility variables, and quality of evidence criteria. These can serve as guidelines for future research to improve experiment design, result quality, and increase the reliability and generalizability of findings.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Shahryar Baki,Rakesh M. Verma,Arjun Mukherjee,Omprakash Gnawali

DOI: https://doi.org/10.48550/arXiv.2006.13499

2020-06-24

Abstract:Cyber attacks such as phishing, IRS scams, etc., still are successful in fooling Internet users. Users are the last line of defense against these attacks since attackers seem to always find a way to bypass security systems. Understanding users' reason about the scams and frauds can help security providers to improve users security hygiene practices. In this work, we study the users' reasoning and the effectiveness of several variables within the context of the company representative fraud. Some of the variables that we study are: 1) the effect of using LinkedIn as a medium for delivering the phishing message instead of using email, 2) the effectiveness of natural language generation techniques in generating phishing emails, and 3) how some simple customizations, e.g., adding sender's contact info to the email, affect participants perception. The results obtained from the within-subject study show that participants are not prepared even for a well-known attack - company representative fraud. Findings include: approximately 65% mean detection rate and insights into how the success rate changes with the facade and correspondent (sender/receiver) information. A significant finding is that a smaller set of well-chosen strategies is better than a large `mess' of strategies. We also find significant differences in how males and females approach the same company representative fraud. Insights from our work could help defenders in developing better strategies to evaluate their defenses and in devising better training strategies.

Cryptography and Security,Human-Computer Interaction,Social and Information Networks

Alejandra Diaz,Alan T. Sherman,Anupam Joshi

DOI: https://doi.org/10.48550/arXiv.1811.06078

2018-11-15

Abstract:We present an observational study on the relationship between demographic factors and phishing susceptibility at the University of Maryland, Baltimore County (UMBC). In spring 2018, we delivered phishing attacks to 450 randomly-selected students on three different days (1,350 students total) to examine user click rates and demographics among UMBC's undergraduates. Participants were initially unaware of the study. Experiment 1 claimed to bill students; Experiment 2 enticed users with monetary rewards; and Experiment 3 threatened users with account cancellation. We found correlations resulting in lowered susceptibility based on college affiliation, academic year progression, cyber training, involvement in cyber clubs or cyber scholarship programs, time spent on the computer, and age demographics. We found no significant correlation between gender and susceptibility. Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness. Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing. Approximately 59% of subjects who opened the phishing email clicked on its phishing link, and approximately 70% of those subjects who additionally answered a demographic survey clicked.

Cryptography and Security

Ziad M Hakim,Natalie C Ebner,Daniela S Oliveira,Sarah J Getz,Bonnie E Levin,Tian Lin,Kaitlin Lloyd,Vicky T Lai,Matthew D Grilli,Robert C Wilson

DOI: https://doi.org/10.3758/s13428-020-01495-0

Abstract:Phishing emails constitute a major problem, linked to fraud and exploitation as well as subsequent negative health outcomes including depression and suicide. Because of their sheer volume, and because phishing emails are designed to deceive, purely technological solutions can only go so far, leaving human judgment as the last line of defense. However, because it is difficult to phish people in the lab, little is known about the cognitive and neural mechanisms underlying phishing susceptibility. There is therefore a critical need to develop an ecologically valid lab-based measure of phishing susceptibility that will allow evaluation of the cognitive mechanisms involved in phishing detection. Here we present such a measure based on a task, the Phishing Email Suspicion Test (PEST), and a cognitive model to quantify behavior. In PEST, participants rate a series of phishing and non-phishing emails according to their level of suspicion. By comparing suspicion scores for each email to its real-world efficacy, we find initial support for the ecological validity of PEST - phishing emails that were more effective in the real world were more effective at deceiving people in the lab. In the proposed computational model, we quantify behavior in terms of participants' overall level of suspicion of emails, their ability to distinguish phishing from non-phishing emails, and the extent to which emails from the recent past bias their current decision. Together, our task and model provide a framework for studying the cognitive neuroscience of phishing detection.

Ploy Unchit,Sanchari Das,Andrew Kim,L. Jean Camp

DOI: https://doi.org/10.48550/arXiv.2006.16380

2020-07-08

Abstract:Spear phishing is a deceptive attack that uses social engineering to obtain confidential information through targeted victimization. It is distinguished by its use of social cues and personalized information to target specific victims. Previous work on resilience to spear phishing has focused on convenience samples, with a disproportionate focus on students. In contrast, here, we report on an evaluation of a high school community. We engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research utilizing signal detection theory (SDT). Through scenario-based analysis, participants tasked with distinguishing phishing emails from authentic emails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background. These findings are critical for evaluating the decision-making of underrepresented populations and protecting people from potential spear phishing attacks by examining human susceptibility.

Cryptography and Security,Computers and Society

Ladislav Burita,Ivo Klaban,Tomas Racil

DOI: https://doi.org/10.34190/iccws.17.1.28

2022-03-02

International Conference on Cyber Warfare and Security

Abstract:The research results published in this article are oriented toward two areas: phishing email analysis and education for defense against the threats of phishing emails. The first topic builds on previous research primarily by analyzing changes in captured phishing emails over an interval of 4 weeks, half a year after the previous experiment. In this section, a statistical survey of phishing emails from both experiments is carried out and emails are segmented into categories focused on business, charity, asset transfer, and fund offers. The results of both experiments are then compared and validated. Based on this comparison and validation, a conclusion is made on trends and development in the phishing email domain in the last half a year. The second focus of our research is analysis of the existing education and testing systems for phishing emails. Based on the results of the analysis, a suitable system for university education and training against phishing and other malicious email threats will be designed. There is also an analysis of existing systems for improving and testing users' ability to recognize and react to phishing emails. Based on our findings about these systems, our own system is proposed. An experiment is prepared on "self-service" testing of phishing email detection skills performed by students with their colleagues. Some activists were employed to assist with this experiment; they will operate and prepare the environment according to the processed scenario. All experiments must be completely safe and effective at the same time. The experiments will be evaluated and the experience used to develop the education and training system at the university.

Patsita Sirawongphatsara,Phisit Pornpongtechavanich,Nattapong Phanthuna,Therdpong Daengsi

2024-10-07

Abstract:Nowadays, cybersecurity is crucial. Therefore, cybersecurity awareness should be a concern for businesses, particularly critical infrastructure organizations. The results of this study, using simulated phishing attacks, indicate that in the first attempt, workers of a Thai railway firm received a phony email purporting to inform recipients of a special deal from a reputable retailer of IT equipment. The findings showed that 10.9% of the 735 workers fell for the scam. This demonstrates a good level of awareness regarding cyber dangers. The workers who were duped by the initial attack received awareness training. Next, a second attempt was carried out. This time, the strategy was for the workers to change their passwords through an email notification from the fake IT staff. According to the findings, 1.4% of the workers fell victim to both attacks (different email content), and a further 8.0% of the workers who did not fall victim to the first attack were deceived. Furthermore, after the statistical analysis, it was confirmed that there is a difference in the relationship between the workers and the two phishing attack simulations using different content. As a result, this study has demonstrated that different types of content can affect levels of awareness.

Cryptography and Security,Human-Computer Interaction

Dawn M Sarno,Mark B Neider

DOI: https://doi.org/10.1177/0018720821999174

Abstract:Objective: The present studies examine how task factors (e.g., email load, phishing prevalence) influence email performance. Background: Phishing emails are a paramount cybersecurity threat for the modern email user. Research attempting to understand how users are susceptible to phishing attacks has been limited and has not fully explored how task factors (e.g., prevalence, email load) influence accurate detection. Method: In three experiments, participants classified emails as either legitimate or not legitimate and reported on a variety of other categorizations. The first two experiments examined how email load and phishing prevalence influence phishing detection independently. The third experiment examined the interaction of these two factors to determine whether they have compounding effects. All three experiments utilized individual difference variables to examine how cognitive, behavioral, and personality factors may influence classifications. Results: Experiment 1 suggests that high email load can make the task appear more challenging. Experiment 2 indicates that low phishing prevalence can decrease sensitivity for phishing emails. Experiment 3 demonstrates that high levels of email load can decrease classification accuracy under 50/50 prevalence rates. Notably, performance was poor across all experiments, with phishing detection near chance levels and low discriminability for emails. Participants demonstrated poor metacognition with over confidence, low self-reported difficulty, and low perceived threat for the emails. Conclusion: Overall, the present studies suggest that high email load and low phishing prevalence can influence email classifications. Application: Organizations and researchers should consider the influences of both email load and phishing prevalence when implementing phishing interventions.

Sanchari Das,Andrew Kim,Zachary Tingle,Christena Nippert-Eng

DOI: https://doi.org/10.48550/arXiv.1908.05897

2019-08-16

Abstract:Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses legitimate risks to businesses, government agencies, and all users due to sensitive data breaches, subsequent financial and productivity losses, and social and personal inconvenience. Often, these attacks use social engineering techniques to deceive end-users, indicating the importance of user-focused studies to help prevent future attacks. We provide a detailed overview of phishing research that has focused on users by conducting a systematic literature review of peer-reviewed academic papers published in ACM Digital Library. Although published work on phishing appears in this data set as early as 2004, we found that of the total number of papers on phishing (N = 367) only 13.9% (n = 51) focus on users by employing user study methodologies such as interviews, surveys, and in-lab studies. Even within this small subset of papers, we note a striking lack of attention to reporting important information about methods and participants (e.g., the number and nature of participants), along with crucial recruitment biases in some of the research.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Mazal Bethany,Athanasios Galiopoulos,Emet Bethany,Mohammad Bahrami Karkevandi,Nishant Vishwamitra,Peyman Najafirad

2024-01-18

Abstract:The critical threat of phishing emails has been further exacerbated by the potential of LLMs to generate highly targeted, personalized, and automated spear phishing attacks. Two critical problems concerning LLM-facilitated phishing require further investigation: 1) Existing studies on lateral phishing lack specific examination of LLM integration for large-scale attacks targeting the entire organization, and 2) Current anti-phishing infrastructure, despite its extensive development, lacks the capability to prevent LLM-generated attacks, potentially impacting both employees and IT security incident management. However, the execution of such investigative studies necessitates a real-world environment, one that functions during regular business operations and mirrors the complexity of a large organizational infrastructure. This setting must also offer the flexibility required to facilitate a diverse array of experimental conditions, particularly the incorporation of phishing emails crafted by LLMs. This study is a pioneering exploration into the use of Large Language Models (LLMs) for the creation of targeted lateral phishing emails, targeting a large tier 1 university's operation and workforce of approximately 9,000 individuals over an 11-month period. It also evaluates the capability of email filtering infrastructure to detect such LLM-generated phishing attempts, providing insights into their effectiveness and identifying potential areas for improvement. Based on our findings, we propose machine learning-based detection techniques for such emails to detect LLM-generated phishing emails that were missed by the existing infrastructure, with an F1-score of 98.96.

Cryptography and Security,Computation and Language

William J Gordon,Adam Wright,Ranjit Aiyagari,Leslie Corbo,Robert J Glynn,Jigar Kadakia,Jack Kufahl,Christina Mazzone,James Noga,Mark Parkulo,Brad Sanford,Paul Scheib,Adam B Landman

DOI: https://doi.org/10.1001/jamanetworkopen.2019.0393

2019-03-01

Abstract:Importance: Cybersecurity is an increasingly important threat to health care delivery, and email phishing is a major attack vector against hospital employees. Objective: To describe the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations. Design, setting, and participants: Retrospective, multicenter quality improvement study of a convenience sample of 6 geographically dispersed US health care institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The specific institutions are anonymized herein for security and privacy concerns. Exposures: Simulated phishing emails received by employees at US health care institutions. Main outcomes and measures: Date of phishing campaign, campaign number, number of emails sent, number of emails clicked, and email content. Emails were classified into 3 categories (office related, personal, or information technology related). Results: The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2 971 945 emails, 422 062 of which were clicked (14.2%). The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%), with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions. In the regression model, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns). Conclusions and relevance: Among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness. With cyberattacks increasing against US health care systems, these click rates represent a major cybersecurity risk for hospitals.