Understanding Users' Decision of Clicking on Posts in Facebook with Implications for Phishing

Facebook, the largest social networking site (SNS) with over one billion monthly active users, has been woven into the everyday life of many people. While this platform has drastically improved how we interact with one another, it has also opened up a multitude of security and privacy issues. For example, online attackers are increasingly employing phishing attacks on Facebook, seeking to fool their victims by posing as friends using fake or compromised accounts. These attacks are hard for both Facebook's defense system and users to recognize, and few studies give any insight into how users interact with such attacks. In this study, we take the first step toward understanding how users react and decide whether to click when they encounter SNS posts containing links, including possibly suspicious links. We found that users decide whether to interact with shared content based on their relationship with the post author (the account from which the post is shared, which may be compromised). At the same time, they mostly ignore the location of the shared post (e.g., the post author's wall or the target user's wall) and any context suggesting that a post may be suspicious. We also explored the potential of showing a visual warning for suspicious posts. Although our simple warning system failed to prevent users from clicking on suspicious posts altogether, it did reduce the likelihood of users clicking on such posts. Based on our findings, we identified the scope of future work to protect users against phishing attacks in SNSes.
