Creative Persuasion: A Study on Adversarial Behaviors and Strategies in Phishing Attacks

Rajivan, Prashanth; González, Cleotilde

doi:10.3389/fpsyg.2018.00135

Cited by 54 publications

(40 citation statements)

References 53 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The psychology of end-users, the subjects to be trained to achieve higher phishingawareness, and attackers should be considered when devising effective anti-phishing training programs [142,143].…”

Section: Psychological Aspects Of Training Designmentioning

confidence: 99%

“…Regarding the attackers, a better understanding of the psychology of attackers is crucial in modeling adversary behavior and identifying the implicit factors that determine how deception and phishing strategies are employed in phishing emails in the first place [74,144]. Currently, the psychology of criminal behaviors is usually neglected in the field of cybersecurity [143]. Nevertheless, target-adversary interactions and how they are driven as part of adversary strategies are important in facilitating realistic phishing simulations and, consequently, training tools.…”

Section: Psychological Aspects Of Training Designmentioning

confidence: 99%

See 1 more Smart Citation

Don’t click: towards an effective anti-phishing training. A comparative literature review

Jampen

Gür

Sutter

et al. 2020

Hum. Cent. Comput. Inf. Sci.

View full text Add to dashboard Cite

The security threat posed by email-based phishing campaigns targeted at employees is a well-known problem experienced by many organizations. Attacks are reported each year, and a reduction in the number of such attacks is unlikely to occur in the near future (see Fig. 1). A common type of phishing attack involves an attacker attempting to trick victims into clicking on links sent via email. Such links redirect victims to websites that are carefully designed to mimic those of legitimate organizations with the goal of convincing users to provide their personal information and credentials. Attackers then use the phished data to execute their schemes further. Phishing attacks may be used to obtain access to an organization's internal servers and steal company secrets or to steal victims' personal information, such as credit card details [1]. In this publication, we focus on email-based phishing attacks, as this is currently the most commonly used channel and poses a significant threat to both individuals and companies globally

show abstract

Section: Psychological Aspects Of Training Designmentioning

confidence: 99%

Section: Psychological Aspects Of Training Designmentioning

confidence: 99%

Don’t click: towards an effective anti-phishing training. A comparative literature review

Jampen

Gür

Sutter

et al. 2020

Hum. Cent. Comput. Inf. Sci.

View full text Add to dashboard Cite

show abstract

“…Furthermore, high workload might cause unintended noncompliance behavior-high volumes of work could make one click on a phishing link because an overworked employee could have been too occupied to notice the imposed threats [15]. This is especially concerning given that cyberattacks today are extremely hard to detect because they have become extremely intricate; they are targeted attacks that have been carefully planned according to each organization's needs [67]. Tactics such as social engineering-the act of psychologically manipulating people into revealing personal information or allowing access to a secured server-have been increasingly successful in phishing [68].…”

Section: Principal Findingsmentioning

confidence: 99%

Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals

et al. 2019

View full text Add to dashboard Cite

Background: Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients. Objective: This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data. Methods: We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees' survey results with their actual clicking data from phishing campaigns. Results: Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees' workload is positively associated with the likelihood of employees clicking on a phishing link. Conclusions: This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees' workload to increase information security. Our findings can help health care organizations augment employees' compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.

show abstract

“…In the most direct version of this approach, the experimenter tries to phish people in the lab, for example by having them browse real and phishing websites to see whether or not they divulge sensitive information (Gavett et al, 2017). Other lab-based experiments involve roleplaying another person checking their emails (Downs, Holbrook, & Cranor, 2007;Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010) or rating a series of emails according to how suspicious they appear or how likely the person would be to respond to such an email (Alsharnouby, Alaca, & Chiasson, 2015;Dhamija, Tygar, & Hearst, 2006;Jones, Towse, Race, & Harrison, 2019;Kelley & Bertenthal, 2016;Rajivan & Gonzalez, 2018;Wood, Liu, Hanoch, Xi, & Klapatch, 2018;Yan & Gozu, 2012). Despite the increased experimental control offered by these lab-based tasks, the extent to which these measures are ecologically valid remains unknown.…”

Section: Introductionmentioning

confidence: 99%

Evaluating the cognitive mechanisms of phishing detection with PEST, an ecologically valid lab-based measure of phishing susceptibility

Zm¹,

Ebner²,

Oliveira³

et al. 2019

Preprint

View full text Add to dashboard Cite

Phishing emails constitute a major public health problem, linked to negative health outcomes due to fraud and exploitation. Because of their sheer volume and because phishing emails are designed to deceive, purely technological solutions such as filters only go so far, leaving human judgment as the last line of defense against phishing. However, in part because it is difficult to phish people under controlled laboratory conditions, little is known about the cognitive and neural mechanisms underlying phishing susceptibility. There is therefore a critical need to develop an ecologically valid measure of phishing susceptibility that can be used in the lab to test cognitive models of phishing detection. In this work, we present such a task: PEST, the Phishing Email Suspicion Test, in which participants rate a series of phishing and non-phishing emails according to their level of suspicion. By comparing suspicion scores for each email to its real-world efficacy (assessed in a field experiment in an independent group of participants), we find support for the ecological validity of PEST in that phishing emails that were more effective in the real world were more effective at deceiving people in the lab. By modeling behavior in PEST, we find evidence that the suspicion level of emails is assessed using a comparison process in which the current email is compared with previously encountered emails to determine its suspicion level. Together our task and model provide a framework for studying the cognitive neuroscience of email phishing detection in the lab.

show abstract

Creative Persuasion: A Study on Adversarial Behaviors and Strategies in Phishing Attacks

Cited by 54 publications

References 53 publications

Don’t click: towards an effective anti-phishing training. A comparative literature review

Don’t click: towards an effective anti-phishing training. A comparative literature review

Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals

Evaluating the cognitive mechanisms of phishing detection with PEST, an ecologically valid lab-based measure of phishing susceptibility

Contact Info

Product

Resources

About