Phishing for the Truth: A Scenario-Based Experiment of Users’ Behavioural Response to Emails

Parsons, Kathryn; McCormac, Agata; Pattinson, Malcolm R.; Butavicius, Marcus A.; Jerram, Cate

doi:10.1007/978-3-642-39218-4_27

Cited by 48 publications

(64 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Obviously, social engineering attacks that are started from internal accounts or emails with forged internal addresses are more likely to slip through the screening of a potential victim. For instance, Parsons et al [31] conduced a role play scenario experiment where 117 participants were tested about their ability to judge about phishing emails and real emails. Their results indicates that people with a higher awareness level identify significantly more phishing emails.…”

Section: Office Communicationmentioning

confidence: 99%

Social engineering attacks on the knowledge worker

Krombholz

Hobel

Huber

et al. 2013

Proceedings of the 6th International Conference on Security of Information and Networks

View full text Add to dashboard Cite

Social engineering has become an emerging threat in virtual communities and is an effective means to attack information systems. Today's knowledge workers make use of a number of services that leverage sophisticated social engineering attacks. Moreover, there is a trend towards BYOD (bring your own device) policies and the usage of online communication and collaboration tools in private and business environments. In globally acting companies, teams are no longer geographically co-located but staffed just-intime. The decrease in personal interaction combined with the plethora of tools used (E-Mail, IM, Skype, Dropbox, LinkedIn, Lync, etc.) create new attack vectors for social engineering attacks. Recent attacks on companies such as the New York Times, RSA, or Apple have shown that targeted spear-phishing attacks are an effective evolution of social engineering attacks. When combined with zero-dayexploits they become a dangerous weapon, often used by advanced persistent threats. This paper provides a taxonomy of well-known social engineering attacks as well as a comprehensive overview of advanced social engineering attacks on the knowledge worker.

show abstract

Section: Office Communicationmentioning

confidence: 99%

Social engineering attacks on the knowledge worker

Krombholz

Hobel

Huber

et al. 2013

Proceedings of the 6th International Conference on Security of Information and Networks

View full text Add to dashboard Cite

show abstract

“…For each cue, the associated references and the criteria we used for counting are also provided. [2], [3], [8], [12], [13], [19], [20], [21], [31], [38], [40], [43] Does the message contain spelling or grammar errors, including mismatched plurality?…”

Section: Appendix Amentioning

confidence: 99%

“…Formatting and design elements that do not appear to have been professionally generated [7], [11], [19], [21], [31], [37] Does the design and formatting violate any conventional professional practices?…”

Section: Unprofessional Looking Design or Formattingmentioning

confidence: 99%

“…Generic greeting A generic greeting and an overall lack of personalization in the email [1], [3], [8], [9], [21], [31], [37] Does the message lack a greeting or lack personalization in the message?…”

Section: Requests For Sensitive Informationmentioning

confidence: 99%

“…Contest winnings or other unlikely monetary and/or material offerings [13], [21], [31], [43] Does the message offer anything that is too good to be true, such having won a contest, lottery, free vacation and so on?…”

Section: Lack Of Signer Detailsmentioning

confidence: 99%

See 2 more Smart Citations

A Phish Scale: Rating Human Phishing Message Detection Difficulty

Steves¹,

Greene²,

Theofanos³

2019

Proceedings 2019 Workshop on Usable Security

View full text Add to dashboard Cite

As organizations continue to invest in phishing awareness training programs, many Chief Information Security Officers (CISOs) are concerned when their training exercise click rates are high or variable, as they must justify training budgets to those who question the efficacy of training when click rates are not declining. We argue that click rates should be expected to vary based on the difficulty of the phishing email for a target audience. Past research has shown that when the premise of a phishing email aligns with a user's work context, it is much more challenging for users to detect a phish. Given this, we propose a Phish Scale, so CISOs and phishing training implementers can easily rate the difficulty of their phishing exercises and help explain associated click rates. We based our scale on past research in phishing cues and user context, and applied it to previously published data and new data from organization-wide phishing exercises targeting approximately 5 000 employees. The Phish Scale performed well with the current phishing dataset, but future work is needed to validate it with a larger variety of phishing emails. The Phish Scale shows great promise as a tool to help frame data sharing on phishing exercise click rates across sectors.

show abstract

Which phish is captured in the net? Understanding phishing susceptibility and individual differences

Sarno

Harris

Black

2023

Applied Cognitive Psychology

View full text Add to dashboard Cite

Phishing research presents conflicting findings regarding the psychological predictors of phishing susceptibility. The present work aimed to resolve these discrepancies by utilizing a diverse online sample and email set. Participants completed a survey that included an email classification task and measured several individual differences, including phishing awareness, age, impulsivity, curiosity, and personality (the Big-5).Phishing susceptibility was measured by participants' ability to distinguish between phishing and legitimate emails. Three regression analyses were performed to predict email discrimination ability; (1) an age model, (2) a deficient self-regulation model (i.e., impulsivity, response times, and curiosity), and (3) a personality (i.e., the Big-5) model. Overall, phishing susceptibility was predicted by younger age, higher levels of impulsivity and extraversion, lower levels of openness to experience and agreeableness, and quick responses. The present work identifies several populations that are particularly vulnerable to phishing attacks and may require targeted training interventions.

show abstract

Phishing for the Truth: A Scenario-Based Experiment of Users’ Behavioural Response to Emails

Cited by 48 publications

References 13 publications

Social engineering attacks on the knowledge worker

Social engineering attacks on the knowledge worker

A Phish Scale: Rating Human Phishing Message Detection Difficulty

Which phish is captured in the net? Understanding phishing susceptibility and individual differences

Contact Info

Product

Resources

About