Abstract
The popularity of Mobile Instant Messaging (MIM) Applications (apps) presents cybercriminals with a new venue for sending deceptive messages, known as ‘Phishing’. MIM apps often lack technical safeguards to shield users from these messages. The first step towards developing anti-phishing solutions to identify phishing messages in any attack vector is understanding the nature of the attacks. However, such understanding is lacking for MIM-enabled phishing. This study provides insights into how phishers apply persuasion principles in MIM phishing. Using the deductive content analysis method and Cialdini’s six principles of persuasion, this study identified and analysed 67 examples of real-world MIM phishing attacks from various online sources. Each phishing example was coded to identify the persuasion techniques used and how they were applied. Findings reveal that the principles of social proof, liking, and authority were most widely used in MIM phishing, followed by scarcity and reciprocity. Furthermore, most of the phishing examples contained three persuasion principles, most often a combination of authority, liking, and social proof. These findings provide insights into how phishers execute phishing in MIM apps and provide a theoretical foundation for future research on the psychological aspects of phishing in MIM apps and the development of anti-phishing solutions to identify phishing in MIM.
Acknowledgement
This work is part of PhD research sponsored by the Petroleum Technology Development Fund (PTDF)-Nigeria. There were no conflicts of interest in this study.
Copyright information
© 2023 IFIP International Federation for Information Processing
About this paper
Cite this paper
Ahmad, R., Terzis, S., Renaud, K. (2023). Content Analysis of Persuasion Principles in Mobile Instant Message Phishing. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_26
DOI: https://doi.org/10.1007/978-3-031-38530-8_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38529-2
Online ISBN: 978-3-031-38530-8
eBook Packages: Computer Science (R0)