16 research outputs found

    Developing and evaluating a five minute phishing awareness video

    Confidence tricksters have always defrauded the unwary. The computer era has merely extended their range and made it possible for them to target anyone in the world who has an email address. Nowadays, they send phishing messages that are specially crafted to deceive. Improving user awareness has the potential to reduce their effectiveness. We have previously developed and empirically-validated phishing awareness programmes. Our programmes are specifically designed to neutralize common phish-related misconceptions and teach people how to detect phishes. Many companies and individuals are already using our programmes, but a persistent niggle has been the amount of time required to complete the awareness programme. This paper reports on how we responded by developing and evaluating a condensed phishing awareness video that delivered phishing awareness more efficiently. Having watched our video, participants in our evaluation were able to detect phishing messages significantly more reliably right after watching the video (compared to before watching the video). This ability was also demonstrated after a retention period of eight weeks after first watching the video

    Computational fact checking from knowledge networks

    Traditional fact checking by expert journalists cannot keep up with the enormous volume of information that is now generated online. Computational fact checking may significantly enhance our ability to evaluate the veracity of dubious information. Here we show that the complexities of human fact checking can be approximated quite well by finding the shortest path between concept nodes under properly defined semantic proximity metrics on knowledge graphs. Framed as a network problem this approach is feasible with efficient computational techniques. We evaluate this approach by examining tens of thousands of claims related to history, entertainment, geography, and biographical information using a public knowledge graph extracted from Wikipedia. Statements independently known to be true consistently receive higher support via our method than do false ones. These findings represent a significant step toward scalable computational fact-checking methods that may one day mitigate the spread of harmful misinformation

    Effects of Recipient Information and Urgency Cues on Phishing Detection

    Phishing causes significant economic damage and erodes consumer trust in business communication. To better filter phishing emails, researchers have paid a substantial amount of attention to the characteristics of phishing emails. This study focused on the effects of recipient information and urgency cues on phishing detection. A total of 518 participants performed role-playing tasks in which they needed to discriminate legitimate emails and phishing emails. The results showed that the main effects of urgency cues and recipient information were significant. Under the condition of time constraints, the likelihood of replying to the phishing emails increased, and the likelihood of searching for the relevant information decreased. When recipient information was added to the phishing emails, the likelihood of replying to the phishing emails decreased, and the likelihood of deleting the phishing emails and searching for the relevant information increased. Meanwhile, the interaction effect of recipient information and time pressure was also significant. When recipient information was added to the phishing emails, the urgency cues had a significant negative effect on the detection behaviors. Under the condition of time constraints and recipient information addition, the likelihood of replying to the phishing emails increased, and the likelihood of deleting the phishing emails and searching for the relevant information decreased. These findings showed that phishing email characteristics strongly affect phishing susceptibility. A sense of urgency resulted in stress and impulsive behavior, and thus, the participants preferred to respond quickly and perform less research. By exploring the mechanism underlying phishing processing, this study deepens the understanding of detecting deception and motivates more effective strategies or assistance systems to protect individuals from online fraud.

    Designing an Intelligent User Interface for Preventing Phishing Attacks

    Part 3: Workshop on Handling Security, Usability, User Experience and Reliability in User-Centered Development Processes. International audience. Most phishing sites are simply copies of real sites with slight features distorted or in some cases masqueraded. This property of phishing sites has made them difficult for humans and various anti-phishing techniques to detect. Also, the attacker community has proved itself able to quickly adapt to anti-phishing measures, mainly warning messages to help limit the effectiveness of phishing attacks and protect unsuspecting users. Despite the notable advances made in the last years by the active warning messages for phishing, this attack remains one of the most effective. In this paper we propose an intelligent warning message mechanism, that might limit the effectiveness of phishing attacks and that might increase the user awareness about related risks. It implements an intelligent behavior that, besides warning the users that a phishing attack is occurring, explains why the specific suspect site can be fraudulent

    Social Engineering and Organisational Dependencies in Phishing Attacks

    © IFIP International Federation for Information Processing 2019. Phishing emails are a widespread cybersecurity attack method. Their breadth and depth have been on the rise as they target individuals and organisations with increased sophistication. In particular, social engineering in phishing focuses on human vulnerabilities by exploiting established psychological and behavioural cues to increase the credibility of phishing emails. This work presents the results of a 56,000-participant phishing attack simulation carried out within a multi-national financial organisation. The overarching hypothesis was that strong cultural and contextual factors impact employee vulnerability. Thus, five phishing emails were crafted, based on three of Cialdini’s persuasion principles used in isolation and in combination. Our results showed that Social proof was the most effective attack vector, followed by Authority and Scarcity. Furthermore, we examined these results in the light of a set of demographic and organisational features. Finally, both click-through rates and reporting rates were examined, to provide rich insights to developers of cybersecurity educational solutions

    TORPEDO: TOoltip-poweRed Phishing Email DetectiOn

    Part 4: Phishing and Data Sharing. International audience. We propose a concept called TORPEDO to improve phish detection by providing just-in-time and just-in-place trustworthy tooltips to help people judge links embedded in emails. TORPEDO’s tooltips contain the actual URL with the domain highlighted and delay link activation for a short period, giving the person time to inspect the URL before they click. Furthermore, TORPEDO consists of an information diagram to explain phish detection. We evaluated TORPEDO in particular with respect to its effectiveness: compared to the worst case ‘status bar’, as used in Thunderbird and Web email clients, TORPEDO performed significantly better in detecting phishes and identifying legitimate emails (85.17 % versus 43.31 % correct answers for phish). A proof of concept implementation is available as a Thunderbird Add-On