F for fake: four studies on how we fall for phish

This paper reports findings from a multi-method set of four studies that investigate why we continue to fall for phish. Current security advice suggests that poor spelling and grammar in emails can be signs of phish, but a content analysis of a phishing archive indicates that many such emails contain no obvious spelling or grammar mistakes and often use convincing logos and letterheads. An online survey of 224 people finds that although phish are detected approximately 80% of the time, those with logos are significantly harder to detect. A qualitative interview study was undertaken to better understand the strategies used to identify phish. Blind users were selected because it was thought they might be more vulnerable to phishing attacks; however, they demonstrated robust strategies for identifying phish based on careful reading of emails. Finally, an analysis was undertaken of phish as a literary form. This identifies the main literary device employed as pastiche and draws on critical theory to consider why security-based pastiche may currently be very persuasive.
