Decision strategies and susceptibility to phishing

Phishing emails are semantic attacks that con people into divulging sensitive information by using techniques that make the user believe the information is being requested by a legitimate source. In order to develop tools that will be effective in combating these schemes, we first must know how and why people fall for them. This study reports preliminary analysis of interviews with 20 non-expert computer users to reveal their strategies and understand their decisions when encountering possibly suspicious emails. One of the reasons that people may be vulnerable to phishing schemes is that awareness of the risks is not linked to perceived vulnerability or to useful strategies for identifying phishing emails. Rather, our data suggest that people can manage the risks they are most familiar with, but do not appear to extrapolate from them to be wary of unfamiliar risks. We explore several strategies that people use, with varying degrees of success, in evaluating emails and in making sense of the warnings offered by browsers attempting to help users navigate the web.
