Unveiling the Mask of Phishing: Threats, Preventive Measures, and Responsibilities

Bose, Indranil; Leung, Alvin Chung Man

doi:10.17705/1cais.01924

Cited by 17 publications

(8 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Existing research into phishing characteristics has provided researchers with the means of recommending counter-phishing strategies such as using the HTTPS text in the address bar as an indicator for legitimacy and to be suspicious of email asking for private information [ 41 – 42 ]. Within the literature, the majority of email characteristics which are highlighted by researchers as useful for phishing detection can be categorised into those that induce greater trust (e.g.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

It’s the deceiver and the receiver: Individual differences in phishing susceptibility and false positives with item profiling

Kleitman

Kay

2018

PLoS ONE

View full text Add to dashboard Cite

Phishing email is one of the biggest risks to online information security due to its ability to exploit human trust and naivety. Prior research has examined whether some people are more susceptible to phishing than others and what characteristics may predict this susceptibility. Given that there are no standardised measures or methodologies to detect phishing susceptibility, results have conflicted. To address this issue, the current study created a 40-item phishing detection task to measure both cognitive and behavioural indicators of phishing susceptibility and false positives (misjudged genuine email). The task is based on current real-life email stimuli (i.e., phishing and genuine) relevant to the student and general population. Extending previous literature we also designed a methodology for assessing phishing susceptibility by allowing participants to indicate perception of maliciousness of each email type and the actions they would take (keep it, trash it or seek further information). This enabled us to: (1) examine the relationships that psychological variables share with phishing susceptibility and false positives–both captured as consistent tendencies; (2) determine the relationships between perceptions of maliciousness with behavioural outcomes and psychological variables; and (3) determine the relationships between these tendencies and email characteristics. In our study, 150 undergraduate psychology students participated in exchange for partial course credit (98 Females; Mean age = 19.70, SD = 2.27). Participants also completed a comprehensive battery of psychometric tests assessing intelligence, pre- and on-task confidence, Big 6 personality, and familiarity/competence in computing and phishing. Results revealed that people showed distinct and robust tendencies for phishing susceptibility and false positives. A series of regression analyses looking at the accuracy of both phishing and false positives detection revealed that human-centred variables accounted for a good degree of variance in phishing susceptibility (about 54%), with perceptions of maliciousness, intelligence, knowledge of phishing, and on-task confidence contributing significantly, directly and/or indirectly via perception of maliciousness. A regression model looking at discriminating false positives has also shown that human-centred variables accounted for a reasonable degree of variance (41%), with perceptions of maliciousness, intelligence and on-task confidence contributing significantly, directly and/or indirectly via perception of maliciousness. Furthermore, the characteristics of the most effective phishing and misjudged genuine email items were profiled. Based on our findings, we suggest that future research should investigate these significant variables in more detail. We also recommend that future research should capture consistent response tendencies to determine vulnerability to phishing and false positives (rather than a one off response to a single email), and use the collection of the most current phishing email obtaine...

show abstract

Section: Introductionmentioning

confidence: 99%

“…official domains such as edu) and those that induce greater suspicion (e.g. misspellings and grammatical errors) [ 37 ; 41 ]. However, phishing attacks can also be categorised through neutral characteristics such as the email’s intended target group [ 12 ].…”

Section: Introductionmentioning

confidence: 99%

It’s the deceiver and the receiver: Individual differences in phishing susceptibility and false positives with item profiling

Kleitman

Kay

2018

PLoS ONE

View full text Add to dashboard Cite

show abstract

“…Prevention-based techniques such as password management tools and 2-factor authentication focus on distorting the phishing infrastructure to protect the user's credentials (Bose and Leung, 2007). For instance, a password management tool may add IP address string to the password whenever the user creates a new account at a legitimate website.…”

Section: Prevention-based Techniquesmentioning

confidence: 99%

PhishWHO: Phishing webpage detection via identity keywords extraction and target domain name finder

Tan

Chiew

Wong

et al. 2016

Decision Support Systems

View full text Add to dashboard Cite

A B S T R A C TThis paper proposes a phishing detection technique based on the difference between the target and actual identities of a webpage. The proposed phishing detection approach, called PhishWHO, can be divided into three phases. The first phase extracts identity keywords from the textual contents of the website, where a novel weighted URL tokens system based on the N-gram model is proposed. The second phase finds the target domain name by using a search engine, and the target domain name is selected based on identity-relevant features. In the final phase, a 3-tier identity matching system is proposed to determine the legitimacy of the query webpage. The overall experimental results suggest that the proposed system outperforms the conventional phishing detection methods considered.

show abstract

“…Yue and Cakanyildirim [2007] proposed an analytical model which studies the decisions involved in the intrusion prevention process. Bose and Leung [2007] provided a tutorial on phishing and offered suggestions for detecting and/or preventing it.…”

Section: Content Checkingmentioning

confidence: 99%

Current State of Information Security Research In IS

Zafar¹,

Clark²

2009

CAIS

View full text Add to dashboard Cite

show abstract

Unveiling the Mask of Phishing: Threats, Preventive Measures, and Responsibilities

Cited by 17 publications

References 28 publications

It’s the deceiver and the receiver: Individual differences in phishing susceptibility and false positives with item profiling

It’s the deceiver and the receiver: Individual differences in phishing susceptibility and false positives with item profiling

PhishWHO: Phishing webpage detection via identity keywords extraction and target domain name finder

Current State of Information Security Research In IS

Contact Info

Product

Resources

About