341 research outputs found

    Can We Fight Social Engineering Attacks By Social Means? Assessing Social Salience as a Means to Improve Phish Detection

    Phishing continues to be a problem for both individuals and organisations, with billions of dollars lost every year. We propose the use of nudges, more specifically social saliency nudges that aim to highlight important information to the user when evaluating emails. We used a signal detection analysis to assess the effects of both sender saliency (highlighting important fields from the sender) and receiver saliency (showing the number of other users in receipt of the same email). Sender saliency improved phish detection but did not introduce any unwanted response bias. Users were asked to rate their confidence in their own judgements, and these confidence scores were poorly calibrated with actual performance, particularly for phishing (as opposed to genuine) emails. We also examined the role of impulsive behaviour in phish detection, concluding that those who score highly on dysfunctional impulsivity are less likely to detect the presence of phishing emails.

    "It may take ages": understanding human-centred lateral phishing attack detection in organisations

    Smartphones are a central part of modern life and contain vast amounts of personal and professional data as well as access to sensitive features such as banking and financial apps. As such, protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone, though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups in which a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After exposure, we asked participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be ‘hacked into’. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access occurring from known attackers who can utilise personal knowledge to guess unlock codes.

    Checking, Nudging or Scoring? Evaluating e-Mail User Security Tools

    Phishing e-mail threats are increasing in sophistication. Technical measures alone do not fully prevent users from falling for them, and common e-mail interfaces provide little support for users to check an e-mail’s legitimacy. We designed three e-mail user security tools to improve phishing detection within a common e-mail interface and provide a formative evaluation of the usability of these features: two psychological nudges to alert users to suspicious e-mails and a “check” button to enable users to verify an e-mail’s legitimacy. Professional e-mail users (N = 27) found the “suspicion score” nudge and the “check” button the most useful. These alerted users to suspicious e-mails without harming their productivity, and helped users establish trust in legitimate ones. The other nudge was too easily ignored or too disruptive to be effective. We also found that users arrive at erroneous judgements due to differing interpretations of e-mail details, even though two-thirds of them had completed cybersecurity training before. These findings show that usable, and therefore effective, e-mail user security tools can be developed by leveraging cues of legitimacy that augment existing user behaviour, instead of emphasising technical security training.

    OSINT-based Email Analyzer for Phishing Detection

    It is more and more common to receive emails asking for credentials. They usually claim that there is some kind of issue that must be solved by accessing the service involved through the link inside the message text. These emails are often malicious, intended to steal users' or employees' credentials and gain access to personal or corporate areas. This scenario is commonly known as phishing, and nowadays it is the most common cause of corporate data breaches. The attacker tries to exploit human weaknesses such as fear, concern or carelessness to obtain what would be difficult to achieve otherwise. Even if it is easy from an expert's point of view to recognise such attempts, it is not so simple to automate their detection, because there are various techniques to elude systematic checks. Nevertheless, Würth Phoenix wants to improve their cyber defence against any possible threat, and hence they assigned me the task of working on phishing email detection. This thesis presents a novel program that can analyse all emails delivered to a specifically set up email server without any filtering of incoming traffic, which is therefore called a "spam-trap-box". Additionally, it is configured with accounts registered for domains owned by failed companies that used to operate in the same industry as Würth Phoenix customers. This way it is more probable to analyse traffic similar to that in a real-case scenario. The innovative part of the analysis implemented is the use of Open Source Intelligence (OSINT) to compare the most relevant parts of an email with evidence of other phishing attempts indexed on the web, generally known as Indicators of Compromise (IoCs). After the inspection, if an email is categorised as malicious, new IoCs are created to feed the Würth Phoenix Security Operation Center (SOC), which is the service responsible for the protection against cyber threats offered to their customers. The new indicators include more information than the ones used during the analysis, and the findings are specific to clients' businesses, so the SOC has more details to use while analysing their email traffic.

    Presenting Suspicious Details in User-Facing E-mail Headers Does Not Improve Phishing Detection

    Phishing requires humans to fall for impersonated sources. Sender authenticity can often be inferred from e-mail header information commonly displayed by e-mail clients, such as sender and recipient details. People may be biased by convincing e-mail content, overlook these details, and subsequently fall for phishing. This study tests whether people are better at detecting phishing e-mails when they are presented only with user-facing e-mail headers instead of full e-mails. Results from a representative sample show that most phishing e-mails were detected by fewer than 30% of the participants, regardless of which e-mail part was displayed. In fact, phishing detection was worst when only e-mail headers were provided. Thus, people still fall for phishing because they do not recognise online impersonation tactics. No personal traits, e-mail characteristics, or URL interactions reliably predicted phishing detection abilities. These findings highlight the need for novel approaches to help users evaluate e-mail authenticity.

    Extending Ecommerce Deception Theory to Phishing

    Phishing threatens the information security of Internet users and corporations. Where most research focuses on the phisher’s website, i.e., how to determine whether a website is legitimate, this study examines the email that begins the phishing process. To understand why Internet consumers respond to phishers’ emails by sharing sensitive information, we draw on models of e-commerce deception to explain the efficacy of phishing strategies. To test our hypotheses, we conducted a field experiment that manipulated the content of phishing emails. Consistent with our hypotheses, we found that content manipulations increased the likelihood of our subjects conveying sensitive information. Further, we found that cognitive processes can influence a consumer’s likelihood of being deceived. However, hypotheses about deception support mechanisms and presentation manipulations were not supported. In sum, we find support for the general theory of e-commerce deception as well as for our cognitive processing explanations of phishing’s effectiveness.

    MARA and public user characteristics in response to phishing emails

    “Social Engineering” refers to attacks that deceive, persuade and influence an individual to provide information or perform an action that will benefit the attackers. Fraudulent and deceptive individuals use social engineering traps and tactics through Social Networking Sites (SNSs) and electronic communication forms to trick users into obeying them, accepting threats, and falling victim to various silent crimes such as phishing, clickjacking, malware installation, sexual abuse, financial abuse, identity theft and physical crime. Although computers can enhance our work activities, e.g., through greater efficiency in document production and ease of communication, the reliance on these benefits has been reduced with the introduction of social engineering threats. Phishing email results in significant losses, estimated at billions of dollars, to organisations and individual users every year. According to the 2019 statistics report from retruster.com, the average financial cost of a data breach is 3.8 million dollars, with 90% of it coming from phishing attacks on user accounts. To reduce users’ vulnerability to phishing emails, we first need to understand users’ detection behaviour. Many research studies focus only on whether participants respond to phishing or not. A widely held view that we endorse is that this continuing challenge of email is not wholly technical in nature and therefore cannot be entirely resolved through technical measures. Instead, we have here a socio-technical problem whose resolution requires attention to both technical issues and end-users’ specific attitudes and behavioural characteristics. Using a sequential exploratory mixed-method approach, qualitative grounded theory is used to explore and generate an in-depth understanding of which phishing characteristics influence email users to judge the attacker as credible, and why. Quantitative experiments are used to relate participants’ characteristics to their behaviour. The study was carefully designed to ensure that valid data could be collected without harm to participants, and with University Ethics Committee approval. The research output is a new model to explain the impact of users’ characteristics on their detection behaviour. The model was tested through two study groups, namely Public and MARA. In addition, the final model was tested using structural equation modelling (SEM). This showed that the proposed model explains 17% and 39%, respectively, of the variance in Public and MARA participants’ tendency to respond to phishing emails. The results also explained which, and to what extent, phishing characteristics influence users’ judgement of sender credibility.

    Navigating the Phishing Landscape: A Novel Stage Model Unveiling the Journey of Individuals Exposed to Phishing Attempts

    The focus of this master's thesis is to understand the process and stages individuals go through when exposed to a phishing attack. To achieve this objective, we closely examine the responses of individuals throughout the phishing process and establish connections between their cognitive processes and actions, drawing upon relevant literature. By integrating these insights, we construct a holistic phishing stage model. Consequently, our research question, "How can we identify and understand the stages involved in the phishing process?", guides our investigation. For this thesis, we conducted a qualitative study in which we interviewed nine individuals from seven different IT consultancy firms in Norway. We used the theoretical framework to create a holistic phishing stage model. The findings led to the creation of a phishing stage model consisting of a pre-stage and three main stages, with constituent activities that explain the flow from stage to stage. The findings reveal that individuals rely on technical solutions in more ways than we initially thought. Warnings in the delivery stage of emails affect the potential victim in the later stages, especially when they explore the content of a phishing message. Ignoring phishing attempts was found to be prevalent among the younger interview candidates. Interestingly, those who reported phishing attempts were found to do so in two different ways, either officially or unofficially. Unofficial reporting consisted of alerting coworkers through word of mouth or other communication channels. In contrast, official reporting was the way intended by company policies. This study offers a valuable model that effectively explains the stages individuals go through during the phishing process. This research enhances our understanding of the phenomenon by shedding light on phishing attacks from the victim’s standpoint. The insight gained from this thesis advances our understanding and offers valuable guidance for developing preventive measures, educational initiatives, training programmes, and robust cybersecurity strategies. Furthermore, the model presented in this study serves as a valuable tool for identifying focal points in training efforts, thus enabling organisations to address vulnerabilities and effectively enhance their defences against phishing attacks.