7 research outputs found

    Baiting the Hook: Factors Impacting Susceptibility to Phishing Attacks

    Over the last decade, substantial progress has been made in understanding and mitigating phishing attacks. Nonetheless, the percentage of successful attacks is still on the rise. In this article, we critically investigate why that is the case, and seek to contribute to the field by highlighting key factors that influence individuals’ susceptibility to phishing attacks. For our investigation, we conducted a web-based study with 382 participants which focused specifically on identifying factors that help or hinder Internet users in distinguishing phishing pages from legitimate pages. We considered relationships between demographic characteristics of individuals and their ability to correctly detect a phishing attack, as well as time-related factors. Moreover, participants’ cursor movement data was gathered and used to provide additional insight. In summary, our results suggest that: gender and the years of PC usage have a statistically significant impact on the detection rate of phishing; pop-up based attacks have a higher rate of success than the other tested strategies; and, the psychological anchoring effect can be observed in phishing as well. Given that only 25 % of our participants attained a detection score of over 75 %, we conclude that many people are still at a high risk of falling victim to phishing attacks but that a careful combination of automated tools, training and more effective awareness campaigns could significantly help towards preventing such attacks.

    When Eye-Tracking Meets Cognitive Modeling: Applications to Cyber Security Systems

    Human cognitive modeling techniques and related software tools have been widely used by researchers and practitioners to evaluate the effectiveness of user interface (UI) designs and related human performance. However, they are rarely used in the cyber security field despite the fact that human factors have been recognized as a key element for cyber security systems. For a cyber security system involving a relatively complicated UI, it could be difficult to build a cognitive model that accurately captures the different cognitive tasks involved in all user interactions. Using a moderately complicated user authentication system as an example system and CogTool as a typical cognitive modeling tool, this paper aims to provide insights into the use of eye-tracking data for facilitating human cognitive modeling of cognitive tasks more effectively and accurately. We used visual scan paths extracted from an eye-tracking user study to facilitate the design of cognitive modeling tasks. This allowed us to reproduce some insecure human behavioral patterns observed in some previous lab-based user studies on the same system, and more importantly, we also found some unexpected new results about human behavior. The comparison between human cognitive models with and without eye-tracking data suggests that eye-tracking data can provide useful information to facilitate the process of human cognitive modeling as well as to achieve a better understanding of security-related human behaviors. In addition, our results demonstrated that cyber security research can benefit from a combination of eye-tracking and cognitive modeling to study human behavior related security problems.

    The art of phishing

    Nowadays there are many threats that a company needs to protect itself against. Everyone knows someone who has fallen for a coup by using an email, message or phone. People who pass by someone they trust, to extract data and money from the victim. These three ways are used to try to convince someone to deliver accounts, credit card and document data in companies and at a particular level. According to Symantec, more than 6 hundreds of companies per day are targeted for Phishing, specifically Business E-Mail Compromise (BEC). In it, criminals pass through a central figure in the company, usually the CEO, and try to extract information or get employees to transfer money. This type of attack has generated in the last years losses of billions of dollars for the businesses affected. It is urgent that all company employees and individuals know as soon as possible what Phishing is and what steps to take.