Phishing Attacks Root Causes

Many people lose considerable sums to online scams. Phishing is one of the means a scammer can use to deceitfully obtain a victim's personal identification, bank account details, or other sensitive data. A number of anti-phishing techniques and tools are in place, yet phishing still works. One reason is that phishers design their techniques around human behaviour rather than around technical weaknesses alone, so a new lure can succeed even where filters and warnings are present. Identifying the psychological and sociological factors that scammers exploit could therefore help us tackle the root causes of phishing attacks rather than only their symptoms. This paper identifies some of those factors and builds a cause-and-effect diagram that presents the categories and factors making up the root causes of phishing scams. The diagram is extendable with additional phishing causes as they are identified.
