48 research outputs found

    Framework for Phishing Detection in Email under Heave Using Conceptual Similarity

    Today everything is available online. Every day many users start their online transactions. The main reason behind this is that a number of alternatives and the best deals are available there. They can choose according to their taste in a cost-effective manner. This is one side of the coin. The other side deals fully with security problems and frauds in online transactions. Among most online transactions, email is the shortcut and is flexible both for communication and for attack. So this paper mainly focuses on detection of phishing attacks and categorizes the emails based on specified and critical properties which give more information about the source of the phishing. In general, most of the existing systems focus on email classification based on the header part or the body part. Most of the filters available today focus mainly on mail headers only. Sometimes this is not enough to detect the fraud. Some more studies focus on the body part as well. But they follow document clustering with term-intensive similarity. First, to identify advanced phishing attacks, blind term-intensive similarity is not sufficient. Second, an email system is like an online stream, so the nature of the phishing behavior may change from time to time. In that case online learning is also required to handle concept drifts. This paper focuses on conceptual similarity along with term-intensive similarity. We introduced a novel procedure named “Framework for Phishing detection in email under heave using conceptual similarity” to adaptively classify the emails. Simulation results show that our proposed approach effectively detects and isolates the emails with phishing attacks by comparing the underlying concept

    Using phishing to test social engineering awareness of financial employees

    Social engineering is the biggest security threat to financial institutions because it exploits the weakest link in any security system: the human element. It is proposed here that combining specialized training on social engineering followed by repeated audit tests will be more effective at lowering employee vulnerability than standard security training alone. This research developed a training module specializing in social engineering with an extra emphasis on phishing, then used phishing trials on financial employees to audit their awareness and knowledge of social engineering to determine if it lowers the vulnerability level to phishing attacks

    A study of the personalization of spam content using Facebook public information

    Millions of users per day are affected by unsolicited email campaigns. Spam filters are capable of detecting and avoiding an increasing number of messages, but researchers have quantified a response rate of 0.006% [1], still significant enough to turn a considerable profit when sending millions of emails, as the spammers do. While research directions are addressing topics such as better spam filters, or spam detection inside online social networks, in this paper we demonstrate that a classic spam model using online social network information can harvest a 7.62% click-through rate. We collect email addresses from the Internet, complete email owner information using their public social network profile data, and analyze the response of personalized spam sent to users according to their profile using a fake website. Finally, we demonstrate the effectiveness of these profile-based emails to circumvent spam detection and we compare results between typical spam and personalized spam

    Got Phished? Internet Security and Human Vulnerability

    A leading cause of security breaches is a basic human vulnerability: our susceptibility to deception. Hackers exploit this vulnerability by sending phishing emails that induce users to click on malicious links that then download malware or trick the victim into revealing personal confidential information to the hacker. Past research has focused on human susceptibility to generic phishing emails or individually targeted spear-phishing emails. This study addresses how contextualization of phishing emails for targeted groups impacts their susceptibility to phishing. We manipulated the framing and content of email messages and tested the effects on users’ susceptibility to phishing. We constructed phishing emails to elicit either the fear of losing something valuable (e.g., course registrations, tuition assistance) or the anticipation of gaining something desirable (e.g., iPad, gift card, social networks). We designed the emails’ context to manipulate human psychological weaknesses such as greed, social needs, and so on. We sent fictitious (benign) emails to 7,225 undergraduate students and recorded their responses. Results revealed that contextualizing messages to appeal to recipients’ psychological weaknesses increased their susceptibility to phishing. The fear of losing or anticipation of gaining something valuable increased susceptibility to deception and vulnerability to phishing. The results of our study provide important contributions to information security research, including a theoretical framework based on the heuristic-systematic processing model to study the susceptibility of users to deception. We demonstrate through our experiment that several situational factors do, in fact, alter the effectiveness of phishing attempts

    Towards an Assessment of Pause Periods on User Habituation in Mitigation of Phishing Attacks

    Social engineering is the technique in which the attacker sends messages to build a relationship with the victim and convinces the victim to take some actions that lead to significant damages and losses. Industry and law enforcement reports indicate that social engineering incidents cost organizations billions of dollars. Phishing is the most pervasive social engineering attack. While email filtering and warning messages have been implemented for over three decades, organizations are constantly falling for phishing attacks. Prior research indicated that attackers use phishing emails to create an urgency and fear response in their victims, causing them to use quick heuristics, which leads to human errors. Humans use two types of decision-making processes: a heuristic decision, which is a quick, instinctual decision-making process known as ‘System One’, and a second, known as ‘System Two’, that is a slow, logical process requiring attention. ‘System Two’ is often triggered by a pause in the decision-making process. Additionally, timers were found in other research fields (medicine, transportation, etc.) to affect users’ judgement and reduce human errors. Therefore, the main goal of this work-in-progress research study is to determine through an experimental field study whether requiring email users to pause by displaying a phishing email warning with a timer has any effect on users falling for simulated phishing attacks. This paper will outline the rationale and the process proposed for the validation of the field experiments with Subject Matter Experts (SMEs). Limitations of the proposed study and recommendations for further research are provided

    Phishing attacks root causes


    To Deceive or not to Deceive! Ethical Questions in Phishing Research

    Interest in human factors in phishing has been growing in both the HCI and security communities in the past few years. Despite this interest, conducting covert user studies is associated with a number of ethical and legal challenges for phishing researchers. This paper discusses the need for deception, the implications of deceiving and the legal restrictions in terms of phishing studies in the UK. We thematically analyzed these implications from the viewpoints of three stakeholders: ethics committees, researchers and professional bodies. Then we provide a roadmap for researchers to get a balanced and timely ethical assessment of their proposed research