
    To deceive or not to deceive! Legal implications of phishing covert research

    Whilst studying mobile users' susceptibility to phishing attacks, we found ourselves subject to regulations concerning the use of deception in research. We argue that such regulations are misapplied in a way that hinders the progress of security research. Our argument analyses the existing framework and the ethical principles of conducting phishing research in light of these regulations. Building on this analysis and reflecting on real-world experience, we present our view of good practice and suggest guidance on how to prepare legally compliant proposals to concerned ethics committee

    Developing and evaluating a five minute phishing awareness video

    Confidence tricksters have always defrauded the unwary. The computer era has merely extended their range and made it possible for them to target anyone in the world who has an email address. Nowadays, they send phishing messages that are specially crafted to deceive. Improving user awareness has the potential to reduce their effectiveness. We have previously developed and empirically validated phishing awareness programmes. Our programmes are specifically designed to neutralize common phish-related misconceptions and teach people how to detect phishes. Many companies and individuals are already using our programmes, but a persistent niggle has been the amount of time required to complete the awareness programme. This paper reports on how we responded by developing and evaluating a condensed phishing awareness video that delivers phishing awareness more efficiently. Having watched our video, participants in our evaluation were able to detect phishing messages significantly more reliably than before watching it. This ability persisted when participants were tested again after a retention period of eight weeks.

    Conceptualizing human resilience in the face of the global epidemiology of cyber attacks

    Computer security is a complex global phenomenon where different populations interact, and the infection of one person creates risk for another. Given the dynamics and scope of cyber campaigns, studies of local resilience without reference to global populations are inadequate. In this paper we describe a set of minimal requirements for implementing a global epidemiological infrastructure to understand and respond to large-scale computer security outbreaks. We enumerate the relevant dimensions and the applicable measurement tools, and define a systematic approach to evaluate cyber security resilience. From the experience of conceptualizing and designing a cross-national coordinated phishing resilience evaluation, we describe the cultural, logistic, and regulatory challenges to this proposed public health approach to global computer assault resilience. We conclude that mechanisms for systematic evaluations of global attacks, and of the resilience against those attacks, exist. Coordinated global science is needed to address organised global e-crime.

    The Relationship Between Social Persuasion Strategies, Phishing Features and Email Exposure Time on Phishing Susceptibility

    A ‘phishing email’ aims to persuade an unsuspecting individual to reveal personal credentials and sensitive information. Currently, the global costs to businesses and individuals associated with phishing-related attacks are reported in the hundreds of millions of dollars. While technological interventions capture a proportion of these phishing emails, ultimately the human user is the last line of defence in determining the legitimacy of an email. ‘Phishers’ aim to exploit human weaknesses through the use of various persuasion strategies that create a sense of urgency and time pressure to respond to emails. Typically, individuals must also rely on subtle phishing features in an email to determine whether the email is genuine or an attempted phish. Furthermore, phishers take advantage of the assumption that users determine the legitimacy of emails in a short amount of time. The present study aims to examine the impact of these email characteristics (persuasion strategies, the number of phishing features, and exposure time) on phishing detection and susceptibility. Using an online survey platform, participants (N = 136) completed an email sorting task in which they were required to review and sort 60 incoming emails from the inbox of ‘Professor Alex Jones’. Several significant results were obtained supporting the hypotheses. The study demonstrated that individuals are better able to detect a phishing email when it utilises common persuasion strategies (authority and scarcity) and contains a greater number of phishing features. It also revealed that with increased email exposure time, individuals had a better phishing detection rate. However, the effect of identifying phishing emails with common persuasion strategies was not greater during shorter exposure time, providing a non-significant result. A greater understanding of these email factors associated with phishing susceptibility could lead to more tailored awareness campaigns and/or training programs to increase phishing detection and reduce susceptibility. Thesis (B.PsychSc(Hons)) -- University of Adelaide, School of Psychology, 202

    Analyzing Social and Stylometric Features to Identify Spear Phishing Emails

    Spear phishing is a complex targeted attack in which an attacker harvests information about the victim prior to the attack. This information is then used to create sophisticated, genuine-looking attack vectors that lure the victim into compromising confidential information. What makes spear phishing different from, and more powerful than, normal phishing is this contextual information about the victim. Online social media services can be one such source for gathering vital information about an individual. In this paper, we characterize and examine a true-positive dataset of spear phishing, spam, and normal phishing emails from Symantec's enterprise email scanning service. We then present a model to detect spear phishing emails sent to employees of 14 international organizations, using social features extracted from LinkedIn. Our dataset consists of 4,742 targeted attack emails sent to 2,434 victims, 9,353 non-targeted attack emails sent to 5,912 non-victims, and publicly available information from their LinkedIn profiles. We applied various machine learning algorithms to this labeled data and achieved an overall maximum accuracy of 97.76% in identifying spear phishing emails. We used a combination of social features from LinkedIn profiles and stylometric features extracted from email subjects, bodies, and attachments. However, we achieved a slightly better accuracy of 98.28% without the social features. Our analysis revealed that social features extracted from LinkedIn do not help in identifying spear phishing emails. To the best of our knowledge, this is one of the first attempts to make use of a combination of stylometric features extracted from emails and social features extracted from an online social network to detect targeted spear phishing emails. Comment: Detection of spear phishing using social media feature

    The Role of Time Pressure, Cue Utilisation, and Information Security Awareness on Phishing Email Susceptibility

    Phishing emails are emails which attempt to solicit sensitive information from unsuspecting users. Phishing represents a major threat to information security. To develop interventions aimed at reducing phishing susceptibility, an understanding is required of how emails are evaluated to determine their legitimacy, and of the individual differences that may predict phishing email susceptibility. The current study aims to examine the relationship between phishing susceptibility and time pressure, along with individual differences in cue utilisation and information security awareness (ISA). In an online study, 127 participants were randomly assigned to either a 7-second or a 15-second time condition and were presented with 60 emails (40 genuine and 20 phishing). Emails were presented one at a time for the duration corresponding to each participant’s time condition. Participants were required to sort each email into one of ten categories. The ‘phishing’ category was considered a hit when chosen following a phishing email, and a false alarm when chosen following a genuine email. Participants also completed an assessment of cue utilisation in the domain of phishing, and the Human Aspects of Information Security Questionnaire (HAIS-Q). Statistical analyses revealed that a higher level of cue utilisation, a shorter email exposure duration and higher ISA resulted in reduced ability to differentiate between phishing and genuine emails. Furthermore, a positive correlation was found between cue utilisation and ISA; however, there was no interaction between time pressure and cue utilisation on phishing susceptibility. This study’s outcomes may aid in the development of training and education programs aimed at reducing phishing susceptibility. Thesis (B.PsychSc(Hons)) -- University of Adelaide, School of Psychology, 202

    Think before you click: The effects of systematic processing on phishing susceptibility

    Researchers have identified the use of social influence in phishing emails and have found greater cognitive impulsivity to predict phishing susceptibility. These findings suggest that relying on predominantly heuristic (rather than systematic) information processing strategies when managing emails could be a key contributor to users’ susceptibility. Accordingly, it is proposed that the effects of systematic processing on phishing susceptibility should be investigated. Specifically, research should determine whether manipulating systematic processing affects users’ judgements of the legitimacy of phishing and genuine emails. The outcomes of this research would have potential implications for cyber security training. Thesis (M.Psych(Organisational & Human Factors)) -- University of Adelaide, School of Psychology, 201
