skip to main content

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: How Non-Experts Try to Detect Phishing Scam Emails
Email remains one of the most widely used methods of communication globally. However, successful phishing email attacks and subsequent costs remain unreasonably high despite technical advances in defenses that limit phishing scams. In this paper, we examine human detection of phishing. We found that non-experts go through four different sensemaking processes to determine if an email is a phishing message; they use different knowledge and skills to become suspicious differently in each process. Additionally, non-experts rely on their social connections as an investigative tool to determine if an email is a phishing scam. We discuss the impact of our findings on phishing training and technology.  more » « less
Award ID(s):
1714126
PAR ID:
10297019
Author(s) / Creator(s):
;
Date Published:
Journal Name:
Workshop on Consumer Protection
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ( , Symposium on Usable Privacy and Security)
    null (Ed.)
    Phishing emails are scam communications that pretend to be something they are not in order to get people to take actions they otherwise would not. We surveyed a demographically matched sample of 297 people from across the United States and asked them to share their descriptions of a specific experience with a phishing email. Analyzing these experiences, we found that email users' experiences detecting phishing messages have many properties in common with how IT experts identify phishing. We also found that email users bring unique knowledge and valuable capabilities to this identification process that neither technical controls nor IT experts have. We suggest that targeting training toward how to use this uniqueness is likely to improve phishing prevention. 
    more » « less
  2. ( , Proceedings of the ACM on humancomputer interaction)
    Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect and phishing remains one of the largest sources of security risk in technology and communication systems. To better understand the cognitive process that end users can use to identify phishing messages, I interviewed 21 IT experts about instances where they successfully identified emails as phishing in their own inboxes. IT experts naturally follow a three-stage process for identifying phishing emails. In the first stage, the email recipient tries to make sense of the email, and understand how it relates to other things in their life. As they do this, they notice discrepancies: little things that are ``off'' about the email. As the recipient notices more discrepancies, they feel a need for an alternative explanation for the email. At some point, some feature of the email --- usually, the presence of a link requesting an action --- triggers them to recognize that phishing is a possible alternative explanation. At this point, they become suspicious (stage two) and investigate the email by looking for technical details that can conclusively identify the email as phishing. Once they find such information, then they move to stage three and deal with the email by deleting it or reporting it. I discuss ways this process can fail, and implications for improving training of end users about phishing. 
    more » « less
  3. ; ; ; ; ; ( , Interacting with Computers)
    Abstract

    Numerous studies of human user behaviours in cybersecurity tasks have used traditional research methods, such as self-reported surveys or empirical experiments, to identify relationships between various factors of interest and user security performance. This work takes a different approach, applying computational cognitive modelling to research the decision-making of cybersecurity users. The model described here relies on cognitive memory chunk activation to analytically simulate the decision-making process of a user classifying legitimate and phishing emails. Suspicious-seeming cues in each email are processed by examining similar, past classifications in long-term memory. We manipulate five parameters (Suspicion Threshold, Maximum Cues Processed, Weight of Similarity, Flawed Perception Level, Legitimate-to-Phishing Email Ratio in long-term memory) to examine their effects on accuracy, email processing time and decision confidence. Furthermore, we have conducted an empirical, unattended study of US participants performing the same task. Analyses on the empirical study data and simulation output, especially clustering analysis, show that these two research approaches complement each other for more insightful understanding of this phishing detection task. The analyses also demonstrate several limitations of this computational model that cannot easily capture certain user types and phishing detection strategies, calling for a more dynamic and sophisticated model construction.

     
    more » « less
  4. ; ; ; ; ( , Social Science Computer Review)

    To assess the efficacy of routine activity theory (RAT) for explaining phishing victimization and guide evidence-based policy, we launched two phishing attacks via a university Listserv ( N = 25,875). The first email offered access to a pdf file; the second offered free concert tickets. Several interesting findings emerged demonstrating phishing victimization results from network users’ routine behaviors. Students were significantly less likely to open the phishing email sharing a pdf but more likely to open the email offering free concert tickets. Moreover, students were mor e likely to click the malicious link embedded within the phishing email in both studies, often using mobile devices. Conversely, employees were more likely to click the link while connected to the university network, thus exposing the network to greater levels of risk. Finally, the email offering concert tickets was opened at a frequency more than double the email containing the pdf. Theoretical and policy implications are discussed.

     
    more » « less
  5. ; ( , IEEE International Conference on Data Mining Workshops)
    Even with many successful phishing email detectors, phishing emails still cost businesses and individuals millions of dollars per year. Most of these models seem to ignore features like word count, stopword count, and punctuations; they use features like n-grams and part of speech tagging. Previous phishing email research ignores or removes the stopwords, and features relating to punctuation only count as a minor part of the detector. Even with a strong unconventional focus on features like word counts, stopwords, punctuation, and uniqueness factors, an ensemble learning model based on a linear kernel SVM gave a true positive rate of 83% and a true negative rate of 96%. Moreover, these features are robustly detected even in noisy email data. It is much easier to detect our features than correct part-of-speech tags or named entities in emails. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email