Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails
📝 Abstract
We examined the influence of three social engineering strategies on users’ judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.
📄 Content
Australasian Conference on Information Systems
Butavicius et al. 2015, Adelaide
Social engineering and emails
Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails
Marcus Butavicius
National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division
Defence Science and Technology Group
Edinburgh, South Australia
Email: marcus.butavicius@dsto.defence.gov.au
Kathryn Parsons
National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division
Defence Science and Technology Group
Edinburgh, South Australia
Email: kathryn.parsons@dsto.defence.gov.au
Malcolm Pattinson
Business School
University of Adelaide
Adelaide, South Australia
Email: malcolm.pattinson@adelaide.edu.au
Agata McCormac
National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division
Defence Science and Technology Group
Edinburgh, South Australia
Email: agata.mccormac@dsto.defence.gov.au
Abstract
We examined the influence of three social engineering strategies on users’ judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.
Keywords
human-computer interaction, cyber security, phishing, empirical evaluation
1 Introduction
Phishing emails are emails sent with malicious intent that attempt to trick recipients into providing information or access to the sender. Typically, the sender masquerades as a legitimate entity and crafts the email to try to persuade the user to perform an action. This action may involve revealing sensitive personal information (e.g., passwords) and/or inadvertently providing access to their computer or network (e.g., through the installation of malware) (Aaron and Rasmussen 2010; APWG 2014; Hong 2012). In a recent survey of Australian organisations, the most common security incident reported (45%) was that of employees opening phishing emails (Telstra Corporation 2014). While the direct financial costs of such cyber-attacks in 2013 are estimated at a staggering USD $5.9 billion (RSA Security 2014), there are also a range of other negative consequences to organisations that can be just as harmful (Alavi et al. 2015). These include damage to reputation, loss of intellectual property and sensitive information, and the corruption of critical data (Telstra Corporation 2014).
A more sinister development in cyber-attacks has been the increase in spear-phishing (Hong 2012). In contrast with phishing emails, which tend to be more generic and are sent in bulk to a large number of recipients, spear-phishing emails are sent to, and created specifically for, an individual or small group of individuals (APWG 2014). When directed towards senior executives and high-ranking staff, such attacks are known as ‘whaling’. These targets typically have greater access to sensitive corporate information and may have privileged access accounts when compared to the average user. Spear-phishing emails include more detailed contextual information to increase the likelihood of a recipient falling victim to them (Hong 2012). For example, they may include information relevant to the recipient’s personal or business interests to increase the likelihood that the recipient will respond. Such attacks are increasingly deployed by criminals who are attempting to commit financial crimes against specific targets, corporate spies involved in stealing intellectual property and sensitive information, and hacktivists who wish to draw attention to their cause (APWG 2014).
Phishing and spear-phishing remain ongoing threats because they circumvent many technical safeguards by targeting the user, rather than the system (Hong 2012). Previous phishing studies have attempted to understand these human issues by studying the visual and structural elements of emails that influence people (Jakobsson 2007; Furnell 2007; Parsons et al. 2013). However, phishing emails also frequently use social engineering to coerce the target into responding (Samani and McFarland 2015), and there is a lack of research examining the influence of social engineering strategies.
1.1 The Influence of Soci