research-article
Open Access

How Experts Detect Phishing Scam Emails

Published: 15 October 2020

Abstract

Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect, and phishing remains one of the largest sources of security risk in technology and communication systems. To better understand the cognitive process that end users can use to identify phishing messages, I interviewed 21 IT experts about instances where they successfully identified emails as phishing in their own inboxes. IT experts naturally follow a three-stage process for identifying phishing emails. In the first stage, the email recipient tries to make sense of the email and understand how it relates to other things in their life. As they do this, they notice discrepancies: little things that are "off" about the email. As the recipient notices more discrepancies, they feel a need for an alternative explanation for the email. At some point, some feature of the email, usually the presence of a link requesting an action, triggers them to recognize that phishing is a possible alternative explanation. At this point, they become suspicious (stage two) and investigate the email by looking for technical details that can conclusively identify the email as phishing. Once they find such information, they move to stage three and deal with the email by deleting it or reporting it. I discuss ways this process can fail, and implications for improving training of end users about phishing.
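As an added illustration (not code from the paper), the following Python helper mirrors the three stages the abstract describes for a single message: stage 1 looks for the trigger (a link that requests an action), stage 2 checks the technical details behind that link (the host the link text displays versus the host it actually points to, and whether that host belongs to the sender's domain), and stage 3 returns a decision. The action words, the domain checks and the two sample messages are constructed assumptions for this example, not findings from the interviews.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Words that signal a request for action; the abstract names the action link as the trigger.
ACTION_WORDS = ("verify", "confirm", "reset", "update", "login", "sign in")
# Anchor tags in the HTML body (a regex is enough for this example's simple markup).
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host(s):
    """Lower-cased host of a URL, or of a bare domain written as link text."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def triage(raw):
    """Return (decision, findings) for one raw RFC 5322 message, following the three stages."""
    msg = email.message_from_string(raw, policy=policy.default)
    frm = msg["From"]
    sender_domain = frm.addresses[0].domain.lower() if frm and frm.addresses else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    links = [(h, re.sub(r"<[^>]+>", "", t).strip())
             for h, t in ANCHOR.findall(body.get_content() if body else "")]
    subject = str(msg["Subject"] or "")
    # Stage 1: sensemaking. A link that asks for an action is the trigger for suspicion.
    action_links = [(h, t) for h, t in links
                    if any(w in (t + " " + subject).lower() for w in ACTION_WORDS)]
    if not action_links:
        return "no trigger", []
    # Stage 2: investigate the technical details behind the link.
    findings = []
    for href, text in action_links:
        target = host(href)
        if URL_LIKE.match(text) and host(text) != target:
            findings.append(f"link text shows {host(text)} but points to {target}")
        if target != sender_domain and not target.endswith("." + sender_domain):
            findings.append(f"link host {target} is outside sender domain {sender_domain}")
    # Stage 3: deal with the message.
    return ("report as phishing" if findings else "treat as legitimate"), findings

# Constructed sample messages for this example (not real mail).
PHISH = """\
From: Payroll <payroll@example.com>
Subject: Action required: verify your direct deposit
Content-Type: text/html; charset="utf-8"

<p><a href="http://example-payroll.net/login">https://example.com/payroll</a></p>
"""
LEGIT = PHISH.replace("http://example-payroll.net/login", "https://example.com/payroll")
```

Running `triage(PHISH)` reports two findings and a "report as phishing" decision, while `triage(LEGIT)`, where the link text and target agree and stay on the sender's domain, returns "treat as legitimate".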



Published in

Proceedings of the ACM on Human-Computer Interaction, Volume 4, Issue CSCW2
CSCW, October 2020, 2310 pages
EISSN: 2573-0142
DOI: 10.1145/3430143

Copyright © 2020 Owner/Author

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States