Users Really Do Answer Telephone Scams

As telephone scams become increasingly prevalent, it is crucial to understand what causes recipients to fall victim to them. With that knowledge, countermeasures can be designed that undermine the foundations on which successful telephone phishing attacks rest. In this paper, we present the methodology, design, execution, results, and evaluation of an ethical telephone phishing scam. The study ran 10 telephone phishing experiments against 3,000 university participants who had not been told about the study in advance, over the course of a single workweek. Overall, we identified at least one key factor, spoofed Caller ID, that had a statistically significant effect on whether victims were tricked into revealing their Social Security number.
