Assessing the severity of phishing attacks: A hybrid data mining approach

doi:10.1016/j.dss.2010.08.020

Decision Support Systems

Volume 50, Issue 4, March 2011, Pages 662-672

https://doi.org/10.1016/j.dss.2010.08.020 Get rights and content

Abstract

Phishing is an online crime that increasingly plagues firms and their consumers. We assess the severity of phishing attacks in terms of their risk levels and the potential loss in market value suffered by the targeted firms. We analyze 1030 phishing alerts released on a public database as well as financial data related to the targeted firms using a hybrid method that predicts the severity of the attack with up to 89% accuracy using text phrase extraction and supervised classification. Our research identifies some important textual and financial variables that impact the severity of the attacks and potential financial loss.

Research highlights

► Risk level and CAR level were complementary severity measures for phishing attacks. ► Using textual data and financial data make the severity prediction more accurate. ► Data mining techniques are effective to assess severity of phishing attacks.

Introduction

Phishing is a major security threat to the online community. It is a kind of identity theft that makes use of social engineering skills and technical subterfuge to entice the unsuspecting online consumer to give away their personal information and financial credentials [5]. A typical phishing attack consists of four phases, namely, preparation, mass broadcast, mature, and account hijack [8]. The tremendous financial impact of phishing is borne by the fact that phishing caused an estimated financial loss of US $3.2 billion affecting 3.6 million people from September 2006 to August 2007 [40]. The number of reported phishing incidents grew exponentially, and increased by 293.7% from 8829 in December 2004 to 34,758 in October 2008 [4], [5]. Not only do phishing attacks cause financial loss, but they also shatter the confidence of customers in conducting e-commerce. Managers of some of the US super regional banks have indicated that the deteriorating customer trust is a major concern with respect to phishing [46]. A recent survey found that most customers of European banks only use online banking to check their account balances instead of conducting online transactions due to the fear of getting phished [15]. Another study also reported that the customer fear psychosis has resulted in a 20% decrease in the rate of opening of genuine emails [10].

To make customers aware of latest phishing attacks, some international organizations and government statutory bodies, such as the Anti-phishing Working Group (APWG), have published phishing alerts on their websites. To assess the risk level of each phishing attack, some firms have sought help from information security experts who evaluated reported phishing incidents based on the contents of the phishing email and the phishing websites. However, as phishing incidents continue to increase at a tremendous rate, the manual risk assessment method involving experts may be too slow. Data mining techniques can improve the assessment of phishing attacks. They can discover the knowledge embedded in the traits of prior phishing attacks and identify the inherent characteristics that contribute to the different risk levels of a phishing attack. This can help predict the associated risk level of a new phishing incident in a short period of time with a reasonable accuracy. Furthermore, the risk level, which is based on the technical sophistication of phishing attacks, may not be directly related to financial loss caused by an attack. Past research has shown that the impact of sophisticated phishing alerts on stock markets is not as significant as phishing alerts whose risk level is considered to be moderate [33]. However, the financial loss resulting from a phishing attack is always of great concern to security administrators as well as consumers of an organization. Therefore, a warning mechanism that can identify the phishing incidents that are either very risky or likely to cause a large financial loss will be of great interest to shareholders and senior managers of the targeted companies.

In this research we use supervised classification techniques, which is a major stream of data mining, to assess the severity of phishing attacks. At the same time, we identify the key antecedents that contribute to a high risk level or a high financial loss generation by a phishing attack. We use a hybrid approach which combines key phrase extraction and supervised classification methods that makes use of the textual data description of the phishing attack as well as financial data of the targeted company to assess the severity of a phishing attack according to its risk level or financial loss generating potential. The three classifiers used for this purpose result in a classification accuracy of up to 89%. Our results also show that the key identifying variables for risk level and potential financial loss of phishing attacks are different from each other. High risk level is associated with phishing emails that ask customers of large firms to update their accounts whereas high financial loss is characterized by phishing attacks targeted to customers of large firms that have high total liabilities.

Section snippets

Literature review

Phishing has aroused great interest among information security researchers. Understanding the critical success factors of phishing and determining methods that can prevent or detect such a crime has been a popular area of research. We can roughly split current research on phishing into three streams, namely, phenomenal studies, economic analysis, and technical research.

As an example of a phenomenal study related to phishing, Jagatic et al. found that the social engineering skill of the

Theoretical framework

A theoretical model showing the impact of any type of threat on corporate performance was proposed by Crockford [13] and called the risk-components model. In this model, it was proposed that threats may compromise corporate resources, and thus negatively affect firm performance. This impact may be reflected as drop in earnings or market value of the firm. We adopted this model for assessment of the impact of security threats. Loch et al. categorized security threats according to their potential

Data collection and analysis

In this section we describe how we collect, prepare, and analyze phishing alerts to assess their severity, and determine important antecedents that influence the classification.

Results

In this section, the results obtained by applying the trained classification models on the validation data are presented. We evaluated the classification accuracy of the models, and then identified the important variables discovered by the models for the two classification tasks.

Discussion

Information security analysts generally assess the severity of phishing attacks on the basis of technical sophistication. The financial loss that is likely to result from phishing attacks is rarely estimated. However, senior managers and shareholders of companies are quite interested to know the economic impact of phishing attacks. Keeping in mind that it is important to evaluate the technical sophistication as well as the potential financial impact of phishing attacks, we conducted this

Conclusion

Phishing has become one of the biggest threats to the online community. Many researchers have explored ways to deter such crime. Information security specialists and anti-phishing organizations have set up phishing alerts databases that assess each reported phishing incident in terms of its risk level. In the view of increasing number of reported phishing incidents, we believe that such a manual assessment approach is not efficient enough to provide a timely report, and is also not complete as

References (55)

F.K. Andoh-Baidoo et al.
Exploring the characteristics of internet security breaches that impact the market value of breached firms
Expert Systems with Applications
(2007)
B. Baesens et al.
Bayesian neural network learning for repeat purchase modeling in direct marketing
European Journal of Operational Research
(2002)
I. Bose et al.
Business data mining—a machine learning perspective
Information & Management
(2001)
K. Ha et al.
Response models based on bagging neural networks
Journal of Interactive Marketing
(2005)
C.M. Heilman et al.
Determining the appropriate amount of data for classifying consumers for direct marketing purposes
Journal of Interactive Marketing
(2003)
S. Hinde
ID theft: the US legal fight back
Computer Fraud & Security
(2004)
C. Holton
Identifying disgruntled employee systems fraud risk through text mining: a simple solution for a multi-billion dollar problem
Decision Support Systems
(2009)
F. Kaefer et al.
A neural network application to consumer classification to improve the timing of direct marketing activities
Computers & Operations Research
(2005)
A. Kankanhalli et al.
An integrative study of information systems security effectiveness
International Journal of Information Management
(2003)
A.G. Kotulic et al.
Why there aren't more information security research studies?
Information & Management
(2004)

Z. Ma et al.

Discovering company revenue relations from news: a network approach

Decision Support Systems

(2009)

E. Airoldi et al.

Data mining challenges for electronic safety: the case of fraudulent intent detection in e-mails

A.Q. Ansari et al.

Integrated fuzzy logic and data mining: impact on cyber security

APWG

H. Berghel

Phishing mongers, and posers

Communications of the ACM

(2006)

I. Bose et al.

Unveiling the mask of phishing: threats, preventive measures, and responsibilities

Communications of the Association for Information Systems

(2007)

A. Brandt

Phishing anxiety may make you miss messages

PC World

(2005)

C.J.C. Burges

A tutorial on support vector machines for pattern recognition

Data Mining and Knowledge Discovery

(1998)

M. Chandrasekaran et al.

Phishing e-mail detection based on structural properties

N. Crockford

An Introduction to Risk Management

(1986)

R. Dhamija et al.

Phish, and HIPs: human interactive proofs to detect phishing attacks

B. Ensor et al.

R. Feldman et al.

The Text Mining Handbook: Advanced Approaches in Analyzing Unstructured Data

(2007)

C. Fellbaum

WordNet: An Electronic Lexical Database

(1998)

I. Fette et al.

Learning to detect phishing emails

W.N. Gansterer et al.

E-mail classification for phishing defense, advances in information retrieval

Cited by (67)

To alert or alleviate? A natural experiment on the effect of anti-phishing laws on corporate IT and security investments
2024, Decision Support Systems
In the United States, between 2005 and 2017, 23 states enacted anti-phishing laws to prosecute those suspected of phishing. As the primary targets of phishing attacks, firms' interpretations and reactions toward these laws are worth investigating. Utilizing a unique dataset in a natural experimental setting, this study employed the difference-in-differences method to contrast firms' investment decisions related to IT and cybersecurity in states in which such laws had been enacted and those in states without such laws, both before and after their enactment. We found that firms with different operational experiences react to the enactment of the anti-phishing laws in different ways. We further demonstrate the moderating roles of the industry risk landscape and IT capability. Specifically, firms with high-IT increased investments in both IT and cybersecurity while the risk landscape stimulated investments in cybersecurity only. This suggests that the risk landscape facilitates sensitivity to the immediate risk signaled by enactment of the laws, and IT capability further enables the alignment between IT investments and security objectives. This study also discusses the policy implications of our findings.
Towards a thematic dimensional framework of online fraud: An exploration of fraudulent email attack tactics and intentions
2023, Decision Support Systems
Despite anti-phishing filters, social engineering-based cyber-attacks still result in billions of dollars lost annually, significant personal identity theft, loss of corporate secrets, and espionage. We review the phishing literature on psychological attacks and design tactics employed for deception by attackers. The result reveals the need to continuously identify tactics embedded in fraudulent email content to understand why users still fall prey to phishing attacks. Using the literature as a backdrop, we identify and conceptualize a thematic dimensional framework of fraudulent phishing attacks. This study uses benchmark datasets of fraudulent email to empirically validate the proposed dimensional framework. Specifically, a combination of machine learning-based content analysis and topic modeling found a majority of the discovered topics were labeled against the proposed dimensions. Statistical analysis was employed to provide empirical evidence of the thematic dimensions of fraudulent email attacks. This study thus, not only extends the cybersecurity literature by identifying and validating eight dimensions that enrich our understanding of phishing and attack identification but stimulates cumulative research endeavors to develop yet more comprehensive dimensional frameworks of phishing email attacks.
Does privacy breach affect firm performance? An analysis incorporating event-induced changes and event clustering
2022, Information and Management
Previous studies have analyzed the impact of cybersecurity breaches on firm performance, but the impact of the privacy breach on firm performance is less explored. Needless to say, the privacy of the individual's personal information has been a rising concern for organizations over the years. Previous studies, primarily focused on cybersecurity breaches, have used a simple market model (MM) to observe the impact of these breaches on firm performance. Our study has used an advanced market model (AMM), which observes the event-induced changes in the variance of stock returns and changes in MM parameters, which are ignored by the MM. The ignorance of this may lead to a biased cumulative abnormal return (CAR) computation. We have also included the event clustering observation (events that are very close to each other) in our study and evaluated AMM with seemingly unrelated regression (SUR), i.e., AMM-SUR. We have used data of 193 privacy breaches related to the US firms listed on NYSE (USA), NASDAQ (USA) for the years 2012 (43 breaches), 2013 (37 breaches), 2014 (51 breaches), and 2018 (62 breaches). Abnormal returns for the firms are found negative due to these privacy breaches, but AMM consistently reports more negative abnormal returns than MM for all the years. The AMM-SUR, observing event clustering, consistently reports slightly lower negative abnormal returns than the AMM for all the years. We have also calculated the average financial loss due to a privacy breach for these years and for three different models, i.e., MM, AMM, and AMM-SUR.
A model fusion strategy for identifying aircraft risk using CNN and Att-BiLSTM
2022, Reliability Engineering and System Safety
The Aviation Safety Reporting System (ASRS) data is an important information source for risk identification in civil aviation. However, ASRS data has the characteristics of high dimensionality, unstructured and data imbalance. This brings great challenges for risk identification. In this paper, a model fusion strategy is proposed for identifying the aircraft risk by using convolutional neural network (CNN) and bidirectional long short-term memory neural network with attention mechanism (Att-BiLSTM). Firstly, all obtained ASRS data are reasonably divided into five risk levels. Secondly, the CNN is utilized to deeply mine the relationship between risk levels and structured data. Meanwhile, the Att-BiLSTM is adopted to deeply mine the relationship between risk levels and unstructured event narratives. Finally, a model fusion strategy is proposed to fuse the preliminary identifications of CNN and Att-BiLSTM to obtain the final identifications. The adopted CNN and Att-BiLSTM are compared with two individual models respectively. The experimental results show that the CNN and Att-BiLSTM have superior identification performance. Furthermore, by comparing the performance of the proposed model fusion strategy against the effect of using the individual model, the proposed model fusion strategy is effective in improving identification accuracy and reducing the influence of data imbalance in civil aviation.
Contextual drivers of employees' phishing susceptibility: Insights from a field study
2022, Decision Support Systems
Phishing attacks rate as one of the most prevalent security threats to contemporary organizations. Hence, managers strive heavily to apply security measures that keep their employees safe from these risks, thereby relying on insights from security researchers who have predominantly focused on recipient characteristics, message attributes, and interventions to explicate the phishing susceptibility of individuals. A theoretical lens yet to be explored is the discrete context in which individuals encounter phishing attacks. This paper presents a multi-dimensional model – comprising the three contextual components social, task, and physical – that explains why an employee is likely to fall for phishing emails or not. To empirically validate our model, we conducted a field study among 2302 employees of an internationally operating pharmaceutical company in the United States. By combining employees' behavioral responses to a phishing email, training data, and contextual data, like help desk reliance, job status or workspace, we find that context is key to a more thorough understanding of phishing susceptibility. Moreover, our study provides practical insights on how organizations can identify and support employees prone to phishing as well as tailor training programs to prevent their workforce from falling prey to cybercriminals.
Stock market reactions to favorable and unfavorable information security events: A systematic literature review
2021, Computers and Security
The rapid digital transformations across every industry sector, accelerated partly due to the COVID-19 pandemic, have increased organizations’ use of information systems for operational and strategic purposes. These organizational responses have led to a confluence of digital, biological, and physical technologies that are revolutionizing business practices and workflows. But accompanying the pervasive use of digital technologies and the evolutionary nature of digital assets, is a shifting world of cyberattacks and information security (ISec) cybercrimes. Dynamic cybercrimes make it increasingly difficult for managers and researchers to anticipate the types, magnitude, and severity of future information security (ISec) breaches. Thus, we perform a systematic literature review (SLR) that explores, gathers, and categorizes event studies to examine the influence of favorable and unfavorable ISec events on stock markets. We extend the research conducted by Spanos and Angelis (2016) and provide a comprehensive understanding of the market’s efficiency to process public information released about ISec events, ISec contingency factors, and the influence of ISec events on stock prices and factors other than price. Our systematic search reveals 58 relevant papers that include 80 studies. We find that in 75% of the studies ISec events can significantly affect a company’s stock market performance, and that such effects are primarily exhibited within two days before and after the event day. Further, the magnitude of abnormal returns is higher in studies examining unfavorable ISec events, such as ISec breaches, compared to abnormal returns from favorable events, such as ISec investments and ISec certifications. In the end, our SLR serves as a foundation for ISec and management communities to build upon to keep industry and academia apprised of continually developing trends, new attack vectors and types of data breaches, protective ISec behaviors and programs, and their subsequent influences on stock market values and returns.

View all citing articles on Scopus

Xi Chen is a lecturer of Information Systems at the School of Management, Zhejiang University, China. He obtained his BS (Management Information Systems) from Fudan University, MS (Information Systems) from the National University of Singapore, and Ph.D. (Information Systems) from the University of Hong Kong. His research interests are in the areas of data mining, mobile services, and churn management. His research has appeared or is forthcoming in Decision Support Systems, European Journal of Operational Research, Journal of Organizational Computing and Electronic Commerce, Journal of the American Society for Information Science and Technology, Electronic Commerce Research and Applications, and in the proceedings of several international conferences.

Indranil Bose is an associate professor of Information Systems at the School of Business, The University of Hong Kong. He holds a B. Tech. from the Indian Institute of Technology, MS from the University of Iowa, MS and Ph.D. from Purdue University. His research interests are in telecommunications, data mining, information security, and supply chain management. His publications have appeared in Communications of the ACM, Communications of AIS, Computers and Operations Research, Decision Support Systems, Ergonomics, European Journal of Operational Research, Information & Management, Journal of Organizational Computing and Electronic Commerce, Journal of the American Society for Information Science and Technology, and Operations Research Letters. He is listed in the International Who's Who of Professionals 2005–2006, Marquis Who's Who in the World 2006, Marquis Who's Who in Asia 2007, Marquis Who's Who in Science and Engineering 2007, and Marquis Who's Who of Emerging Leaders 2007. He serves on the editorial board of Information & Management, Communications of AIS, and several other IS journals.

Alvin Chung Man Leung is currently a Ph.D. student of McCombs School of Business, The University of Texas at Austin specializing in Information Systems. He has obtained his MPhil, BBA(IS), and BEng(SE) degrees from The University of Hong Kong. His research interests include social network, information security, and data mining. His publications have appeared in various international journals and conference proceedings such as Decision Support Systems, Communications of the ACM, Communications of the AIS, and International Conference on Information Systems (ICIS). He was also the recipient of Best Student Paper Award in International MultiConference of Engineers and Computer Scientists 2008.

(Julian) Chenhui Guo studies as a Ph.D. student in the Department of MIS, Eller College of Management, The University of Arizona. He obtained his Bachelor of Business Administration degree from Zhejiang University, Hangzhou, China. His current research interests include data/text mining, business intelligence, and behavioral science in IS usage.

View full text

Assessing the severity of phishing attacks: A hybrid data mining approach

Abstract

Research highlights

Introduction

Section snippets

Literature review

Theoretical framework

Data collection and analysis

Results

Discussion

Conclusion

Expert Systems with Applications

European Journal of Operational Research

Information & Management

Journal of Interactive Marketing

Journal of Interactive Marketing

Computer Fraud & Security

Decision Support Systems

Computers & Operations Research

International Journal of Information Management

Information & Management

Decision Support Systems

Data mining challenges for electronic safety: the case of fraudulent intent detection in e-mails

Integrated fuzzy logic and data mining: impact on cyber security

Phishing mongers, and posers

Communications of the ACM

Unveiling the mask of phishing: threats, preventive measures, and responsibilities

Communications of the Association for Information Systems

Phishing anxiety may make you miss messages

PC World

A tutorial on support vector machines for pattern recognition

Data Mining and Knowledge Discovery

Phishing e-mail detection based on structural properties

An Introduction to Risk Management

Phish, and HIPs: human interactive proofs to detect phishing attacks

The Text Mining Handbook: Advanced Approaches in Analyzing Unstructured Data

WordNet: An Electronic Lexical Database

Learning to detect phishing emails

E-mail classification for phishing defense, advances in information retrieval