Unpacking Spear Phishing Susceptibility

We report the results of a field experiment in which we sent an email or a Facebook message to over 1200 university students, containing a link to (non-existing) party pictures from a non-existing person, and later asked them about the reasons for their link-clicking behavior. We registered a significant difference in clicking rates: 20% of email recipients versus 42.5% of Facebook recipients clicked. The most frequently reported reason for clicking was curiosity (34%), followed by the explanation that the message fit the recipient's expectations (27%). Moreover, 16% thought that they might know the sender. These results show that people's decisional heuristics are relatively easy to misuse in a targeted attack, making defense especially challenging.
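The abstract reports a "significant difference" between the two channels' click rates. The following added example (not code from the paper or its authors) shows how a security-awareness team would check such a comparison for its own simulated-phishing campaigns: a two-proportion z-test plus a confidence interval for the difference in click rates. The paper gives only the totals ("over 1200") and the percentages, so the per-channel group sizes below (600 email and 600 Facebook recipients) are constructed values chosen to reproduce the reported 20% and 42.5% rates; they are assumptions, not the study's actual counts.

```python
"""Compare click rates of two phishing-simulation channels.

Added illustration, not from the paper. Uses only the standard library so it
runs offline; the group sizes are constructed, the rates match the abstract.
"""
import math

# Constructed sample: assumes 600 recipients per channel (not the paper's counts)
EMAIL_RECIPIENTS = 600
EMAIL_CLICKS = 120      # 20% click rate, as reported in the abstract
FACEBOOK_RECIPIENTS = 600
FACEBOOK_CLICKS = 255   # 42.5% click rate, as reported in the abstract


def two_proportion_ztest(clicks_a, n_a, clicks_b, n_b):
    """Two-sided z-test for the difference of two proportions.

    Returns (rate_a, rate_b, z, p_value). The null hypothesis is that both
    channels share one underlying click rate, so the standard error uses the
    pooled proportion.
    """
    if min(n_a, n_b) <= 0:
        raise ValueError("each group needs at least one recipient")
    rate_a = clicks_a / n_a
    rate_b = clicks_b / n_b
    pooled = (clicks_a + clicks_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:
        # Nobody or everybody clicked in both groups: no variation to test.
        return rate_a, rate_b, 0.0, 1.0
    z = (rate_b - rate_a) / se
    # Two-sided p-value from the standard normal survival function.
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return rate_a, rate_b, z, p_value


def difference_ci(clicks_a, n_a, clicks_b, n_b, z_crit=1.96):
    """Wald 95% confidence interval for (rate_b - rate_a).

    Unlike the test, the interval uses each group's own (unpooled) variance.
    """
    rate_a = clicks_a / n_a
    rate_b = clicks_b / n_b
    se = math.sqrt(rate_a * (1 - rate_a) / n_a + rate_b * (1 - rate_b) / n_b)
    diff = rate_b - rate_a
    return diff - z_crit * se, diff + z_crit * se


def summarize(clicks_a, n_a, clicks_b, n_b, alpha=0.05):
    """Return a dict a campaign report can render or a dashboard can ingest."""
    rate_a, rate_b, z, p = two_proportion_ztest(clicks_a, n_a, clicks_b, n_b)
    low, high = difference_ci(clicks_a, n_a, clicks_b, n_b)
    return {
        "rate_a": rate_a,
        "rate_b": rate_b,
        "z": z,
        "p_value": p,
        "ci_low": low,
        "ci_high": high,
        "significant": p < alpha,
    }


if __name__ == "__main__":
    result = summarize(EMAIL_CLICKS, EMAIL_RECIPIENTS,
                       FACEBOOK_CLICKS, FACEBOOK_RECIPIENTS)
    print(f"email {result['rate_a']:.1%} vs facebook {result['rate_b']:.1%}")
    print(f"z = {result['z']:.2f}, p = {result['p_value']:.2e}")
    print(f"95% CI for difference: "
          f"[{result['ci_low']:.3f}, {result['ci_high']:.3f}]")
```

With the constructed group sizes the difference is about 22.5 percentage points with a z statistic above 8, so the channel effect would survive any reasonable significance threshold; the confidence interval matters more in practice than the p-value, since it tells an awareness program how large the gap is, which is what decides whether a channel deserves separate training material.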
