Understanding Phishing Email Processing and Perceived Trustworthiness Through Eye Tracking

Social engineering attacks in the form of phishing emails represent one of the biggest risks to cybersecurity. There is a lack of research on how the common elements of phishing emails, such as the presence of misspellings and the use of urgency and threatening language, influence how the email is processed and judged by individuals. Eye tracking technology may provide insight into this. In this exploratory study a sample of 22 participants viewed a series of emails with or without indicators associated with phishing emails, whilst their eye movements were recorded using an SMI RED 500 eye-tracker. Participants were also asked to give a numerical rating of how trustworthy they deemed each email to be. Overall, it was found that participants looked more frequently at the indicators associated with phishing than would be expected by chance, but spent less overall time viewing these elements than would be expected by chance. The emails that included indicators associated with phishing were rated as less trustworthy on average, with the presence of misspellings or threatening language being associated with the lowest trustworthiness ratings. In addition, it was noted that phishing indicators relating to threatening language or urgency were viewed before misspellings. However, there was no significant interaction between the trustworthiness ratings of the emails and the amount of scanning time for phishing indicators within the emails. These results suggest that there is a complex relationship between the presence of indicators associated with phishing within an email and how trustworthy that email is judged to be. This study also demonstrates that eye tracking technology is a feasible method with which to identify and record how phishing emails are processed visually by individuals, which may contribute toward the design of future mitigation approaches.
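The abstract compares fixation frequency and dwell time on phishing indicators against a chance baseline and reports the order in which indicators were first viewed. The following is an added example, not code or data from the study, of how such an area-of-interest (AOI) analysis is computed; the screen size, AOI rectangles and fixation records are constructed assumptions.

```python
"""AOI analysis over constructed eye-tracking data (added example, not the paper's)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AOI:
    name: str                      # indicator type, e.g. "urgency"
    x: int; y: int; w: int; h: int # rectangle in screen pixels (assumed layout)

def contains(aoi, fx, fy):
    return aoi.x <= fx < aoi.x + aoi.w and aoi.y <= fy < aoi.y + aoi.h

def aoi_stats(aois, fixations, screen_w, screen_h):
    """Per AOI: chance share (AOI area / screen area), observed share of fixation
    count, observed share of dwell time; plus the order in which AOIs were first hit."""
    total_n = len(fixations)
    total_ms = sum(d for _, _, d in fixations)
    stats, first_seen = {}, []
    for a in aois:
        hits = [d for x, y, d in fixations if contains(a, x, y)]
        stats[a.name] = {
            "chance_share": (a.w * a.h) / (screen_w * screen_h),
            "count_share": len(hits) / total_n if total_n else 0.0,
            "dwell_share": sum(hits) / total_ms if total_ms else 0.0,
        }
    for x, y, _ in fixations:               # fixations are in temporal order
        for a in aois:
            if a.name not in first_seen and contains(a, x, y):
                first_seen.append(a.name)
    return stats, first_seen

# Constructed sample: a 1000x1000 email rendering with three indicator AOIs and
# ten fixations given as (x, y, duration_ms); count and dwell shares can diverge
# when fixations on indicators are frequent but short.
SCREEN_W, SCREEN_H = 1000, 1000
AOIS = [AOI("urgency", 0, 0, 200, 50),
        AOI("misspelling", 300, 500, 100, 50),
        AOI("threat", 0, 800, 200, 100)]
FIXATIONS = [(500, 300, 300), (50, 20, 100), (600, 600, 400), (20, 850, 150),
             (320, 520, 50), (700, 100, 300), (100, 30, 100), (800, 900, 350),
             (350, 510, 50), (400, 400, 200)]

def run_example():
    return aoi_stats(AOIS, FIXATIONS, SCREEN_W, SCREEN_H)

if __name__ == "__main__":
    stats, order = run_example()
    for name, s in stats.items():
        print(f"{name:12s} chance={s['chance_share']:.3f} "
              f"count={s['count_share']:.3f} dwell={s['dwell_share']:.3f}")
    print("first viewed in order:", order)
```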
