Phishing for the Truth: A Scenario-Based Experiment of Users’ Behavioural Response to Emails (original) (raw)
Related papers
The design of phishing studies: Challenges for researchers
Computers & Security, 2015
In this paper, a role play scenario experiment of people's ability to differentiate between phishing and genuine emails demonstrated limitations in the generalisability of phishing studies. This involves issues around the priming of participants and the diversity of emails used. Only half of our 117 participants were explicitly informed that the study was assessing the ability to identify phishing emails. Results indicate that the informed participants were significantly better at discriminating between phishing and genuine emails than the uninformed participants. This has implications for the interpretation of phishing studies. Specifically, studies where participants are directly asked to identify phishing emails may not represent the performance of real world users, because people are rarely reminded about the risks of phishing emails in real life. Our study also used emails from a larger number and greater diversity of industries than previous phishing studies. Results indicate that participants' performance differs greatly in terms of category (e.g., type of sender) of emails. This demonstrates that caution should be used when interpreting the results of phishing studies that rely on only a small number of emails and/or emails of limited diversity. Hence, when designing and interpreting phishing studies, researchers should carefully consider the instructions provided to participants and the types of emails used.
Falling for Phishing: An Empirical Investigation into People's Email Response Behaviors
The 42nd International Conference on Information Systems (ICIS'21), Austin, Texas, USA, 2021, 17, 2021
Despite sophisticated phishing email detection systems, and training and awareness programs, humans continue to be tricked by phishing emails. In an attempt to better understand why phishing email attacks still work and how best to mitigate them, we have carried out an empirical study to investigate people's thought processes when reading their emails. We used a scenario-based role-play "think aloud" method and follow-up interviews to collect data from 19 participants. The experiment was conducted using a simulated web email client, and real phishing and legitimate emails adapted to the given scenario. The analysis of the collected data has enabled us to identify eleven factors that influence people's response decisions to both phishing and legitimate emails. Furthermore, based on the user study findings, we discuss novel insights into flaws in the general email decision-making behaviors that could make people susceptible to phishing attacks.
Social engineering cyber-attacks such as phishing emails pose a serious threat to the safety of many organizations. Given that the effectiveness of these attacks heavily relies on poor human decision making, an improved understanding of the individual characteristics that increase cybersecurity vulnerability could inform more targeted training. The current study aimed to identify whether several factors, including phishing email detection ability, confidence in one’s phishing identification decisions, attitudes toward one’s level of responsibility and efficacy, and employee satisfaction and loyalty to the organization, can predict behavior in a naturalistic phishing simulation in an employment setting. We followed up employees of a large organization who had been recently targeted by a phishing simulation and asked them to complete a survey that included a phishing detection task. The employee’s behavior in the phishing simulation was ranked according to its safety: reporting the su...
Phishing is a social engineering tactic that targets internet users in an attempt to trick them into divulging personal information. When opening an email, users are faced with the decision of determining if an email is legitimate or an attempt at phishing. Although software has been developed to assist the user, studies have shown they are not foolproof, leaving the user vulnerable. Multiple training programs have been developed to educate users in their efforts to make informed decisions; however, training that conveys the real world consequences of phishing or training that increases a user's fear level have not been developed. Conveying real world consequences of a situation and increasing a user's fear level have been proven to enhance the effects of training in other fields. Ninety-six participants were recruited and randomly assigned to training programs with phishing consequences, training programs designed to increase fear, or a control group. Preliminary results indicate that training helped users identify phishing emails; however, little difference was seen among the three groups. Future analysis will include a factor analysis of personality and individual differences that influence training efficacy.
Informing, simulating experience, or both: A field experiment on phishing risks
PLOS ONE, 2019
Cybersecurity cannot be ensured with mere technical solutions. Hackers often use fraudulent emails to simply ask people for their password to breach into organizations. This technique, called phishing, is a major threat for many organizations. A typical prevention measure is to inform employees but is there a better way to reduce phishing risks? Experience and feedback have often been claimed to be effective in helping people make better decisions. In a large field experiment involving more than 10,000 employees of a Dutch ministry, we tested the effect of information provision, simulated experience, and their combination to reduce the risks of falling into a phishing attack. Both approaches substantially reduced the proportion of employees giving away their password. Combining both interventions did not have a larger impact.
Training to Detect Phishing Emails: Effects of the Frequency of Experienced Phishing Emails
Proceedings of the Human Factors and Ergonomics Society Annual Meeting
We studied people’s success on the detection of phishing emails after they were trained under one of three phishing frequency conditions, where the proportion of the phishing emails during training varied as: low frequency (25% phishing emails), medium frequency (50% phishing emails) and high frequency (75% phishing emails). Individual base susceptibility to phishing emails was measured in a pre-training phase in which 20% of the emails were phishing; this performance was then compared to a post-training phase in which participants aimed at detecting new rare phishing emails (20% were phishing emails). The Hit rates, False Alarm rates, sensitivities and response criterion were analyzed. Results revealed that participants receiving higher frequency of phishing emails had a higher hit rate but also higher false alarm rate at detecting phishing emails at post-training compared to participants encountering lower frequency levels during training. These results have implications for desig...
Something Smells Phishy: Exploring Definitions, Consequences, and Reactions to Phishing
One hundred fifty-five participants completed a survey on Amazon's Mechanical Turk that assessed characteristics of phishing attacks and requested participants to describe their previous experiences and the related consequences. Results indicated almost all participants had been targets of a phishing with 22% reporting these attempts were successful. Participants reported actively engaging in efforts to protect themselves online by noticing the "padlock icon" and seeking additional information to verify the legitimacy of e-retailers. Moreover, participants indicated that phishers most frequently pose as members of organizations and that phishing typically occurs via email yet they are aware that other media might also make them susceptible to phishing scams. The reported consequences of phishing attacks go beyond financial loss, with many participants describing social ramifications such as embarrassment and of reduced trust. Implications for research in risk communication and design roles by human factors/ergonomics (HF/E) professionals are discussed.
IEEE Access, 2021
Prior studies have shown that the behaviours and attitudes of Internet users influence the likelihood of being victimised by phishing attacks. Many scammers design a step-by-step approach to phishing in order to gain the potential victim’s trust and convince them to take the desired actions. It is important to understand which behaviours and attitudes can influence following the attacker in each step of a phishing scam. This will enable us to identify the root causes of phishing and to develop specific mitigation plans for each step of the phishing process and to increase prevention points. This study investigates to what extent people’s risk-taking and decision-making styles influence the likelihood of phishing victimisation in three specific phishing steps. We asked participants to play a risk-taking game and to answer questions related to two psychological scales to measure their behaviours, and then conducted a simulated phishing campaign to assess their phishability throughout ...
Sixteen Years of Phishing User Studies: What Have We Learned?
ArXiv, 2021
Several previous studies have investigated user susceptibility to phishing attacks. A thorough meta-analysis or systematic review is required to gain a better understanding of these findings and to assess the strength of evidence for phishing susceptibility of a subpopulation, e.g., older users. We aim to determine whether an effect exists; another aim is to determine whether the effect is positive or negative and to obtain a single summary estimate of the effect. OBJECTIVES: We systematically review the results of previous user studies on phishing susceptibility and conduct a meta-analysis. METHOD: We searched four online databases for English studies on phishing. We included all user studies in phishing detection and prevention, whether they proposed new training techniques or analyzed users’ vulnerability. FINDINGS: A careful analysis reveals some discrepancies between the findings. More than half of the studies that analyzed the effect of age reported no statistically significan...
The Effectiveness of Deceptive Tactics in Phishing
2009
Phishing, or the attempt of criminals to obtain sensitive information through a variety of techniques, is still a serious problem for IT managers and Internet consumers. With over 57 million Americans exposed to phishing in 2005, a reported 5% of recipients were victimized. Some believe that one percent of all email is phishing-related, and estimates of financial losses vary from 100 million to 1 billion dollars (US) a year . Our research examines the properties in a phishing email that may or may not influence the users to give out personal and sensitive information. For this field experiment we use students to test the effect that certain types of content have on the phishing process. The study outcomes suggest that user's do not pay attention to the sender's domain in a phishing email but do respond to personalized messages and messages that demand an immediate response.