Abstract
Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect, and phishing remains one of the largest sources of security risk in technology and communication systems. To better understand the cognitive process that end users can use to identify phishing messages, I interviewed 21 IT experts about instances where they successfully identified emails as phishing in their own inboxes. IT experts naturally follow a three-stage process for identifying phishing emails. In the first stage, the email recipient tries to make sense of the email and understand how it relates to other things in their life. As they do this, they notice discrepancies: little things that are "off" about the email. As the recipient notices more discrepancies, they feel a need for an alternative explanation for the email. At some point, some feature of the email (usually the presence of a link requesting an action) triggers them to recognize that phishing is a possible alternative explanation. At this point they become suspicious (stage two) and investigate the email by looking for technical details that can conclusively identify the email as phishing. Once they find such information, they move to stage three and deal with the email by deleting it or reporting it. I discuss ways this process can fail, and implications for improving training of end users about phishing.
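Stage two of the process described above ends with the recipient hunting for technical details that settle the question. The Python script below is an added example, not code from the paper, that mechanises three of those checks on a constructed sample message: a Reply-To domain that differs from the From domain, a link whose visible text names a different site than its href, and the organisation's own domain appearing as a subdomain label inside someone else's domain. The organisation domain `examplecorp.com`, both sample messages and the helper names are assumptions made for the example; only the standard library is used.

```python
"""Added example: mechanical versions of the stage-two checks that the
interviewed experts performed by hand. Standard library only."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The organisation's own domain
# is assumed to be examplecorp.com.
PHISH_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examplecorp-support.net>
Reply-To: collect@mail.example.invalid
To: alice@examplecorp.com
Subject: Action required: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires in 24 hours. To keep access, sign in at
<a href="http://examplecorp.com.login-verify.example.net/sso">https://sso.examplecorp.com</a>
and confirm your details.</p></body></html>
"""

CLEAN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examplecorp.com>
To: alice@examplecorp.com
Subject: Reminder: password rotation next month
Content-Type: text/html; charset="utf-8"

<html><body><p>Passwords rotate next month; the portal is
<a href="https://sso.examplecorp.com/">https://sso.examplecorp.com</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare host string (empty string if none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a host. Assumption: no public-suffix list is
    available offline, so multi-label suffixes such as co.uk are mishandled."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_discrepancies(raw_message, org_domain):
    """Return (kind, detail) pairs for the discrepancies found in raw_message.
    org_domain is the domain legitimate internal mail and links should use."""
    msg = message_from_string(raw_message, policy=policy.default)
    org = org_domain.lower()
    findings = []

    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg["Reply-To"] or ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch",
                         f"From {from_domain} but replies go to {reply_domain}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")

    for href, text in collector.links:
        href_host = host_of(href)
        # Visible text that looks like a URL but resolves to another site.
        if "." in text and " " not in text:
            text_host = host_of(text)
            if registrable_domain(text_host) != registrable_domain(href_host):
                findings.append(("link-text-mismatch",
                                 f"shows {text_host}, goes to {href_host}"))
        # Our domain used as a subdomain label inside someone else's domain.
        if org in href_host and href_host != org and not href_host.endswith("." + org):
            findings.append(("lookalike-host", href_host))
    return findings


if __name__ == "__main__":
    for kind, detail in find_discrepancies(PHISH_EMAIL, "examplecorp.com"):
        print(f"{kind}: {detail}")
```

Run against `PHISH_EMAIL` the script reports all three discrepancies; against `CLEAN_EMAIL` it reports none. The checks are deliberately the ones an expert can confirm by hovering over a link or expanding the sender header, which is why they are "conclusive" in the paper's sense, whereas the sensemaking of stage one (does this email fit what I expect from the helpdesk this week?) is not something a script can reproduce.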
Proc. ACM Hum.-Comput. Interact., Vol. 4, No. CSCW, Article 160. Publication date: October 2020.
Index Terms
- How Experts Detect Phishing Scam Emails