ABSTRACT
This paper reports findings from a multi-method set of four studies that investigate why we continue to fall for phish. Current security advice suggests that poor spelling and grammar in emails can be signs of phish. But a content analysis of a phishing archive indicates that many such emails contain no obvious spelling or grammar mistakes and often use convincing logos and letterheads. An online survey of 224 people finds that although phish are detected approximately 80% of the time, those with logos are significantly harder to detect. A qualitative interview study was undertaken to better understand the strategies used to identify phish. Blind users were selected because it was thought they might be more vulnerable to phishing attacks; however, they demonstrated robust strategies for identifying phish based on careful reading of emails. Finally, an analysis was undertaken of phish as a literary form. This identifies the main literary device employed as pastiche and draws on critical theory to consider why security-based pastiche may currently be very persuasive.
F for fake: four studies on how we fall for phish