Baiting the hook: factors impacting susceptibility to phishing attacks

Over the last decade, substantial progress has been made in understanding and mitigating phishing attacks. Nonetheless, the percentage of successful attacks is still on the rise. In this article, we critically investigate why that is the case, and seek to contribute to the field by highlighting key factors that influence individuals’ susceptibility to phishing attacks. For our investigation, we conducted a web-based study with 382 participants that focused specifically on identifying factors that help or hinder Internet users in distinguishing phishing pages from legitimate pages. We considered relationships between demographic characteristics of individuals and their ability to correctly detect a phishing attack, as well as time-related factors. Moreover, participants’ cursor movement data was gathered and used to provide additional insight. In summary, our results suggest that: gender and the years of PC usage have a statistically significant impact on the detection rate of phishing; pop-up based attacks have a higher rate of success than the other tested strategies; and the psychological anchoring effect can be observed in phishing as well. Given that only 25 % of our participants attained a detection score of over 75 %, we conclude that many people are still at a high risk of falling victim to phishing attacks, but that a careful combination of automated tools, training and more effective awareness campaigns could significantly help towards preventing such attacks.
