DOI: 10.1145/3320269.3384753 (research article, public access)

Scam Augmentation and Customization: Identifying Vulnerable Users and Arming Defenders

Published: 05 October 2020

Abstract

Why do "classical" attacks such as phishing, IRS scams, etc., still succeed? How do attackers increase their chances of success? How do people reason about scams and frauds they face daily? More research is needed on these questions, which is the focus of this paper. We take a well-known attack, viz. company representative fraud, and study several parameters that bear on its effectiveness with a between-subjects study. We also study the effectiveness of a coherent language generation technique in producing phishing emails. We give ample room for the participants to demonstrate their reasoning and strategies.
Unfortunately, our experiment indicates that participants are inadequately prepared for dealing with even the company representative fraud. Participants also could not differentiate between offers written by humans and those generated semi-automatically. Moreover, our results show attackers can easily increase their success rate by adding some basic information about the sender, so defenders should focus more on such attacks. We also observed that participants who paid attention to more clues were better at distinguishing legitimate messages from phishing; hence training regimes should check for reasoning strategies, not just who did not click on a link or download an attachment. Thus, insights from our work can help defenders in developing better strategies to evaluate their defenses and also in devising more effective training strategies.

Supplementary Material

MP4 File (3320269.3384753.mp4)


Cited By

  • (2023) Adversarial Robustness of Phishing Email Detection Models. Proceedings of the 9th ACM International Workshop on Security and Privacy Analytics, 67--76. https://doi.org/10.1145/3579987.3586567. Online publication date: 26 Apr 2023.
  • (2021) Human Susceptibility to Phishing Attacks Based on Personality Traits: The Role of Neuroticism. 2021 IEEE 45th Annual Computers, Software, and Applications Conference (COMPSAC), 1363--1368. https://doi.org/10.1109/COMPSAC51774.2021.00192. Online publication date: Jul 2021.

Published In

ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
October 2020
957 pages
ISBN:9781450367509
DOI:10.1145/3320269

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. natural language generation
  2. personality traits
  3. phishing
  4. social engineering attack
  5. usable security

Conference

ASIA CCS '20

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
