A Study of Preventing Email (Spear) Phishing by Enabling Human Intelligence

Cyber criminals use phishing emails in high volume and spear phishing emails in low volume to achieve their malicious objectives. In doing so, they inflict financial, reputational, and emotional damage on individuals and organizations. These (spear) phishing attacks grow steadily more sophisticated as cyber criminals use social engineering tricks that combine psychological and technical deception to make malicious emails appear as trustworthy as possible. Such sophisticated (spear) phishing emails are hard for email protection systems to detect. Security researchers have studied users' ability to perceive, identify, and react to email (spear) phishing attacks. In this study we survey recent work on how to prevent end users from falling for email (spear) phishing attacks. Based on the survey, we design and propose a novel method that combines the interaction methods of reporting, blocking, warning, and embedded education to harness the intelligence of expert and novice users in a corporate environment for detecting email (spear) phishing attacks. We evaluate the design in a qualitative study, in three experimental steps, using a mockup prototype and 24 participants. We report on the insights gained, which indicate that the proposed combination of interaction methods is promising, and on future research directions.