Abstract
Humans continue to be considered as the weakest link in securing systems. While there are a variety of sophisticated system attacks, phishing emails continues to be successful in gaining users attention and leading to disastrous security consequences. In designing strategies to protect users from fraudulent phishing emails, system designers need to know which attack approaches and type of content seems to exploit human limitations and vulnerabilities. In this study, we are focusing on the attackers’ footprints (emails) and examining the phishing email content and characteristics utilizing publicly available phishing attack repository databases. We analyzed several variables to gain a better understanding of the techniques and language used in these emails to capture users’ attention. Our findings reveal that the words primarily used in these emails are targeting users’ emotional tendencies and triggers to apply their attacks. In addition, attackers employ user-targeted words and subjects that exploits certain emotional triggers such as fear and anticipation. We believe our human centered study and findings is a critical step forward towards improving detection and training programs to decrease phishing attacks and to promote the inclusion of human factors in securing systems.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Krombholz, K., Hobel, H., Huber, M., Weippl, E.: Advanced social engineering at tacks. J. Inf. Secur. Appl. 22, 113–122 (2015)
Ramzan, Z.: Phishing attacks and countermeasures. In: Handbook of Information and Communication Security, pp. 433–448. Springer, Heidelberg (2010)
Van der Merwe, A., Loock, M., Dabrowski, M.: Characteristics and responsibilities involved in a phishing attack. In: Proceedings of the 4th International Symposium on Information and Communication Technologies, pp. 249–254). Trinity College Dublin (January 2005)
Rekouche, K.: Early phishing. arXiv preprint arXiv:1106.4692 (2011)
Abawajy, J.: User preference of cyber security awareness delivery methods. Behav. Inf. Technol. 33(3), 237–248 (2014)
Shackleford, D.: Cyber threat intelligence uses, successes and failures: the sans 2017 cti survey. SANS, Tech. rep. (2017)
Ludl, C., McAllister, S., Kirda, E., Kruegel, C.: On the effectiveness of techniques to detect phishing sites. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 20–39. Springer, Heidelberg (July 2007)
Dong, Z., Kapadia, A., Blythe, J., Camp, L.J.: Beyond the lock icon: real-time detection of phishing websites using public key certificates. In: 2015 APWG Symposium on Electronic Crime Research (eCrime), pp. 1–12. IEEE (May 2015)
Sharma, T., Bambenek, J. C., Bashir, M.: Preserving privacy in cyber-physical social systems: an anonymity and access control approach (2020)
Rahman, S., Sharma, T., Reza, S.M., Rahman, M.M., Kaiser, M.S.: PSO-NF based vertical handoff decision for ubiquitous heterogeneous wireless network (UHWN). In: 2016 International Workshop on Computational Intelligence (IWCI), pp. 153–158. IEEE (December 2016)
Dong, Zhang, Y., Egelman, S., Cranor, L., Hong, J.: Phinding phish: evaluating anti-phishing tools (2007)
Xiang, G., Hong, J., Rose, C.P., Cranor, L.: Cantina+: A feature-rich machine learning framework for detecting phishing web sites. ACM Trans. Inf. Syst. Secur. (TISSEC) 14(2), 21 (2011)
Mohammad, R.M., Thabtah, F., McCluskey, L.: Predicting phishing websites based on self-structuring neural network. Neural Comput. Appl. 25(2), 443–458 (2014)
Abbasi, A., Zahedi, F.M., Zeng, D., Chen, Y., Chen, H., Nunamaker Jr., J.F.: Enhancing predictive analytics for anti-phishing by exploiting website genre information. J. Manag. Inf. Syst. 31(4), 109–157 (2015)
Sharma, T., Bashir, M.: Privacy apps for smartphones: an assessment of users’ preferences and limitations. In: 22nd International Conference on Human-Computer Interaction (2020)
Whittaker, C., Ryner, B., Nazif, M.: Large-scale automatic classification of phishing (2010)
Cambria, E.: Affective computing and sentiment analysis. IEEE Intell. Syst. 31(2), 102–107 (2016)
Taboada, M., Brooke, J., Tofiloski, M., Voll, K., Stede, M.: Lexicon-based methods for sentiment analysis. Comput. Linguist. 37(2), 267–307 (2011)
Seyeditabari, A., Zadrozny, W.: Can word embeddings help find latent emotions in text? Preliminary results. In: The Thirtieth International Flairs Conference (May 2017)
Shovon, A.R., Roy, S., Sharma, T., Whaiduzzaman, M.: A restful e-governance application framework for people identity verification in cloud. In: International Conference on Cloud Computing, pp. 281–294. Springer, Cham (June 2018)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Sharma, T., Bashir, M. (2020). An Analysis of Phishing Emails and How the Human Vulnerabilities are Exploited. In: Corradini, I., Nardelli, E., Ahram, T. (eds) Advances in Human Factors in Cybersecurity. AHFE 2020. Advances in Intelligent Systems and Computing, vol 1219. Springer, Cham. https://doi.org/10.1007/978-3-030-52581-1_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-52581-1_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-52580-4
Online ISBN: 978-3-030-52581-1
eBook Packages: EngineeringEngineering (R0)