
How Users Investigate Phishing Emails that Lack Traditional Phishing Cues

  • Conference paper
  • Applied Cryptography and Network Security (ACNS 2024)

Abstract

Phishing is still one of the most prevalent threats targeting private persons and organizations. Current teaching best practices often advocate cue-based investigation methods, and previous research has primarily confronted participants with phishing emails showing such indicators to assess the success of different education measures. Our large-scale mixed-methods study challenges the behavior of 4,729 participants with four phishing emails that lack technical cues. The phishing emails concerned entirely fictitious entities and were directed at participants in their private lives; participants were recruited from the online education platform openHPI. For our analysis, we apply the human-in-the-loop model for interaction with phishing content to investigate participant behavior when their learned best practices for detection fail. The primary indicator of enhanced phishing resiliency observed in our study was awareness of missing context about the supposed entity. Such context is often successfully supplied by web searches, which significantly contribute to decreased phishing susceptibility.


Notes

  1. Emails were sent and delivered to all participants throughout approximately one week for each iteration. This measure ensured that no sudden traffic spike from formerly little-known domains would put the respective domains on a spam list.

  2. This delivery rate is based on email server acceptance. Email classification, e.g., into the junk/spam folder as done by secondary filters, cannot be tracked in our setup.

  3. Once every 800 ms, the user's browser sent all events that occurred in the past timeframe to our server. This included blur events of the webpage in case users placed the open tab in the background.

References

  1. Al-Daeef, M.M., Basir, N., Saudi, M.M.: Security awareness training: a review. Lecture Notes in Engineering and Computer Science (2017). ISSN 2078-0958

  2. Alharbi, A., Alotaibi, A., Alghofaili, L., Alsalamah, M., Alwasil, N., Elkhediri, S.: Security in social-media: awareness of phishing attacks techniques and countermeasures. In: 2022 2nd International Conference on Computing and Information Technology (ICCIT) (2022). https://doi.org/10.1109/ICCIT52419.2022.9711640

  3. Alzubaidi, A.: Measuring the level of cyber-security awareness for cybercrime in Saudi Arabia. Heliyon 7(1) (2021). https://doi.org/10.1016/j.heliyon.2021.e06016

  4. Caputo, D.D., Pfleeger, S.L., Freeman, J.D., Johnson, M.E.: Going spear phishing: exploring embedded training and awareness. IEEE Security Privacy 12(1), 28–38 (2014). https://doi.org/10.1109/MSP.2013.106

  5. Cranor, L.F.: A framework for reasoning about the human in the loop (2008)

  6. European Union Agency for Cybersecurity: ENISA Threat Landscape 2022 (2022). https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022

  7. Federal Bureau of Investigation: Business email compromise (2022). https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise

  8. Fernando, M., Arachchilage, N.: Why Johnny can't rely on anti-phishing educational interventions to protect himself against contemporary phishing attacks? ACIS 2019 Proceedings (Jan 2019). https://aisel.aisnet.org/acis2019/42

  9. Finn, P., Jakobsson, M.: Designing ethical phishing experiments. IEEE Technology and Society Magazine 26(1), 46–58 (2007). https://doi.org/10.1109/MTAS.2007.335565

  10. Furnell, S.: Phishing: can we spot the signs? Comput. Fraud Secur. 2007(3), 10–15 (2007). https://doi.org/10.1016/S1361-3723(07)70035-0

  11. Greitzer, F.L., Li, W., Laskey, K.B., Lee, J., Purl, J.: Experimental investigation of technical and human factors related to phishing susceptibility. ACM Trans. Soc. Comput. 4(2), 1–48 (2021). https://doi.org/10.1145/3461672

  12. Innab, N., Al-Rashoud, H., Al-Mahawes, R., Al-Shehri, W.: Evaluation of the effective anti-phishing awareness and training in governmental and private organizations in Riyadh. In: 2018 21st Saudi Computer Society National Computer Conference (NCC), pp. 1–5 (Apr 2018). https://doi.org/10.1109/NCG.2018.8593144

  13. Jampen, D., Gür, G., Sutter, T., Tellenbach, B.: Don't click: towards an effective anti-phishing training. A comparative literature review. Human-centric Comput. Inform. Sci. 10(1), 33 (Aug 2020). https://doi.org/10.1186/s13673-020-00237-7

  14. Jensen, M.L., Dinger, M., Wright, R.T., Thatcher, J.B.: Training to mitigate phishing attacks using mindfulness techniques. J. Manag. Inf. Syst. 34(2), 597–626 (2017). https://doi.org/10.1080/07421222.2017.1334499

  15. Köhler, D., Pünter, W., Meinel, C.: Fishing for non-professional answers: quantitative study on email phishing susceptibility in private contexts (2023, in review). https://doi.org/10.13140/RG.2.2.21865.47201/1

  16. Kumaraguru, P., et al.: School of phish: a real-world evaluation of anti-phishing training. In: Proceedings of the 5th Symposium on Usable Privacy and Security, pp. 1–12 (2009)

  17. Meinel, C., Willems, C., Staubitz, T., Sauer, D., Hagedorn, C.: openHPI: 10 Years of MOOCs at the Hasso Plattner Institute (2022)

  18. Mitnick, K.D., Simon, W.L.: The art of deception: controlling the human element of security. John Wiley & Sons (2003)

  19. Nguyen, C., Jensen, M., Day, E.: Learning not to take the bait: a longitudinal examination of digital training methods and overlearning on phishing susceptibility. Eur. J. Inf. Syst. 32(2), 238–262 (2023). https://doi.org/10.1080/0960085X.2021.1931494

  20. Nthala, N., Wash, R.: How non-experts try to detect phishing scam emails. Workshop on Consumer Protection (May 2021). https://par.nsf.gov/biblio/10297019-how-non-experts-try-detect-phishing-scam-emails

  21. Parsons, K., Butavicius, M., Pattinson, M., McCormac, A., Calic, D., Jerram, C.: Do users focus on the correct cues to differentiate between phishing and genuine emails? In: ACIS 2015 Proceedings (Jan 2015). https://aisel.aisnet.org/acis2015/6

  22. Parsons, K., McCormac, A., Pattinson, M., Butavicius, M., Jerram, C.: Phishing for the truth: a scenario-based experiment of users' behavioural response to emails. In: Security and Privacy Protection in Information Processing Systems, pp. 366–378. IFIP Advances in Information and Communication Technology, Springer, Berlin, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39218-4_27

  23. Rajivan, P., Gonzalez, C.: Creative persuasion: a study on adversarial behaviors and strategies in phishing attacks. Front. Psychol. 9 (2018)

  24. Resnik, D.B., Finn, P.R.: Ethics and phishing experiments. Sci. Eng. Ethics 24(4), 1241–1252 (2018). https://doi.org/10.1007/s11948-017-9952-9

  25. Schroeder, J.: Advanced persistent training: take your security awareness program to the next level. Apress (Jun 2017)

  26. Siadati, H., Palka, S., Siegel, A., McCoy, D.: Measuring the effectiveness of embedded phishing exercises (2017). https://www.usenix.org/conference/cset17/workshop-program/presentation/siadatii

  27. Stockhardt, S., et al.: Teaching phishing-security: which way is best? In: ICT Systems Security and Privacy Protection, pp. 135–149. IFIP Advances in Information and Communication Technology, Springer International Publishing, Cham (2016). https://doi.org/10.1007/978-3-319-33630-5_10

  28. Sutter, T., Bozkir, A.S., Gehring, B., Berlich, P.: Avoiding the hook: influential factors of phishing awareness training on click-rates and a data-driven approach to predict email difficulty perception. IEEE Access 10, 100540–100565 (2022). https://doi.org/10.1109/ACCESS.2022.3207272

  29. The MITRE Corporation: CAPEC-98: Phishing (2021). https://capec.mitre.org/data/definitions/98.html

  30. UNESCO Institute for Statistics: International standard classification of education: ISCED 2011 (2012). https://uis.unesco.org/sites/default/files/documents/international-standard-classification-of-education-isced-2011-en.pdf

  31. United Nations Department of Economic and Social Affairs: International standard industrial classification of all economic activities (2008). https://unstats.un.org/unsd/publication/SeriesM/seriesm_4rev4e.pdf

  32. Wagner, N.: Instructional product evaluation using the staged innovation design. J. Instruct. Develop. 7 (1984)

  33. Wash, R.: How experts detect phishing scam emails. Proc. ACM Hum.-Comput. Interact. 4 (2020). https://doi.org/10.1145/3415231

  34. Wash, R., Cooper, M.M.: Who provides phishing training? Facts, stories, and people like me. In: Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems. ACM, New York (2018). https://doi.org/10.1145/3173574.3174066

  35. Wash, R., Nthala, N., Rader, E.: Knowledge and capabilities that non-expert users bring to phishing detection, pp. 377–396 (2021). https://www.usenix.org/conference/soups2021/presentation/wash

  36. Wen, Z.A., Lin, Z., Chen, R., Andersen, E.: What.Hack: engaging anti-phishing training through a role-playing phishing simulation game. In: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, pp. 1–12. CHI '19, ACM, New York, USA (May 2019). https://doi.org/10.1145/3290605.3300338

  37. Williams, E.J., Polage, D.: How persuasive is phishing email? The role of authentic design, influence and current events in email judgements. Behav. Inform. Technol. 38 (Feb 2019). https://doi.org/10.1080/0144929X.2018.1519599

  38. Zheng, S., Becker, I.: Presenting suspicious details in user-facing e-mail headers does not improve phishing detection. In: SOUPS @ USENIX Security Symposium (2022). https://api.semanticscholar.org/CorpusID:252996739

  39. Zheng, S.Y., Becker, I.: Checking, nudging or scoring? Evaluating e-mail user security tools, pp. 57–76 (2023). https://www.usenix.org/conference/soups2023/presentation/zheng

Author information

Corresponding author

Correspondence to Daniel Köhler.

Appendices

A Appendix: Survey Instrument

The survey questions are translated from German for publication in this manuscript. The following sub-sections lay out the survey instrument used to obtain the responses presented throughout the manuscript.

A.1 Demography

  • Q1: Please enter your email address.

  • Q2: How old are you?

  • Q3: Which gender would you associate yourself with?

  • Q4: Which is your highest level of education?

  • Q5: In which industry are you currently working? (Multi-Select among primary industry groups according to UN ISIC Rev.4 [31])

A.2 Phishing Emails and Reactions

  • Q6: In the past 4 months, we have sent 4 phishing emails as part of this study. In the following questions, we would like to know whether and how you reacted to the corresponding emails. You can view the four emails again here:

  • Q7: Have we successfully persuaded you to enter data during our campaign?

  • Q8: Which of the four phishing emails do you remember? (Multi-Select)

  • Q9: What was the major reason for a reaction to the email? (Matrix-Select, one reason per email)

    • Curiosity

    • Fear

    • Pressure

    • Financial Interest

    • Trust

    • Authority

    • I did not react to this mail.

    • Prefer not to answer.

  • Q10: Please provide more information on your reaction. (Freetext)

  • Q11: Which of the emails gave you the feeling that something was wrong? (Multi-Select)

  • Q12: Please explain your feelings on the emails. (Freetext answer for each email)

  • Q13: What did you do when an email gave you an uneasy feeling? (Multi-Select)

    • Visit the main webpage

    • Perform a web search

    • View the website imprint

    • View the website data privacy declaration

    • Investigate the website source code

    • Investigate the link target

    • Investigate the sender

    • Investigate the email header

  • Q14: Have you carried out any further checks? (Freetext)

  • Q15: Which precautions have you taken for your investigation? (Multi-Select)

    • I did not take special precautions.

    • VPN

    • TOR

    • Deactivate JavaScript

    • Deactivate Cookies

    • Use a special browser

    • Use a sandbox / virtual machine

    • Issue WHOIS / RDAP request for the IP / domain

  • Q16: Did you implement any other precautions or technical measures? (Freetext)
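Several of the options under Q13 (investigate the sender, the email header, the link target) are checks that can be scripted so that a reviewer sees them side by side. The following Python helper is an added illustration, not code from the study: it parses a constructed sample message (fictitious addresses on example.com/example.net) with the standard library, reports the domains behind From, Reply-To and Return-Path, lists the Received hops, and flags anchors whose visible text names a different host than the actual href. The output is a list of points to verify, not a verdict; a differing Return-Path, for instance, is routine for legitimate bulk mail.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for the demonstration; all names, addresses and
# domains are fictitious and are not taken from the study's emails.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
    by mx.example.org with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
From: "Parcel Service" <service@parcel.example.com>
Reply-To: <support@parcel-help.example.net>
To: <user@example.org>
Subject: Your shipment is waiting
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your address at
<a href="https://parcel.example.net/confirm?id=123">https://parcel.example.com/track</a>.</p>
<p>Questions? <a href="https://parcel.example.com/faq">FAQ</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(address):
    return address.rpartition("@")[2].lower()


def _host(url):
    # Visible link text is often a bare host or a URL without a scheme.
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def investigate(raw_message):
    """Return sender domains, delivery hops, link pairs and a list of points
    that deserve a closer look. Findings are leads to verify, not a verdict."""
    msg = message_from_string(raw_message, policy=default)
    senders = {
        name: _domain(parseaddr(str(msg.get(name, "")))[1])
        for name in ("From", "Reply-To", "Return-Path")
    }
    # One entry per Received header, folded whitespace normalised.
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    findings = []
    for name in ("Reply-To", "Return-Path"):
        if senders[name] and senders[name] != senders["From"]:
            findings.append(f"{name} domain {senders[name]} differs from From domain {senders['From']}")
    links = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            # Only compare hosts when the visible text itself looks like a host or URL.
            looks_like_url = "." in text and " " not in text
            mismatch = looks_like_url and _host(text) != _host(href)
            links.append({"text": text, "href": href, "mismatch": mismatch})
            if mismatch:
                findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return {"senders": senders, "received": hops, "links": links, "findings": findings}


if __name__ == "__main__":
    for key, value in investigate(SAMPLE_EMAIL).items():
        print(key, value)
```

On the sample message the helper reports three leads: the Reply-To and Return-Path domains differ from the From domain, and the first link displays parcel.example.com while pointing at parcel.example.net. The second link ("FAQ") is not compared, because plain anchor text carries no host to contradict.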

A.3 IT-Context and Sensitization

  • Q17: How often do you use IT-Devices for your work and in your leisure time?

  • Q18: Estimate how many emails you receive per day in your private and work contexts.

  • Q19: Did you previously participate in courses or training for cybersecurity awareness?

  • Q20: Which types of trainings did you previously participate in? (Multi-Select)

    • Classroom training (including digital group training)

    • Awareness information emails

    • Test phishing emails (outside this study)

    • Computer-based training

    • Online courses

    • Information videos

    • Social media content

    • Documentaries (TV, YouTube)

    • Podcasts and radio

    • Print media (newspapers, flyers)

    • Posters and billboard advertisement

    • Other (Freetext)

  • Q21: How long ago did you participate in your last training?

  • Q22: Have you previously been affected by a security incident? (Multi-Select)

    • Reacted to a phishing email

    • Malware infection

    • Lost a password

    • Lost data

    • Lost access to an account

    • Stolen devices

    • Lost money

    • Other (Freetext)

B Appendix: Large Scale Images of Phishing Content

The paper incorporates small graphics as an overview of the emails and webpages employed throughout the four iterations of our phishing study. Here, we provide the following images for readers who want to look at larger-scale variants.

Fig. 8. Large-scale screenshots of German phishing content sent throughout the four iterations.

C Appendix: HITL Model: Figures

Presented in the paper were shortened versions of the two taxonomies, highlighting aspects that were more frequently named by study participants. However, for fellow researchers designing similar studies, even answers from single participants could be helpful to understand what behavior to expect. Therefore, we present Figs. 9 and 10, showing the full range of participant responses to the survey at the respective stages of the HITL model.

Fig. 9. Hierarchical overview of noticed properties named in survey responses. Participants noticed aspects within the Email, Website and during their Online Searches. \(^*\) Numbers in [brackets] refer to the count of mentions.

Fig. 10. Hierarchical overview of expected and suspected properties named in survey responses. We differentiate between Global expectations that could be identical across participants and Personal expectations, such as a concrete shipment. \(^*\) Numbers in [brackets] refer to the count of mentions.

D Appendix: Resulting Correlations

In Table 3, we summarize the most important correlations we observed between participant responses and their interaction with our phishing emails and web pages. The analysis led us to identify the highlighted observations as particularly important, e.g. because we further observed mentions of these aspects in qualitative answers. Additionally, Table 4 provides an overview of all impactful aspects derived during our analysis. In the table, we group the findings by the iteration in which they were reported, with General applying to answers given to general, overarching questions not directly targeted at single interventions. Inside each iteration, we differentiate between the phases of the HITL interaction model: Notice (N), Expect (E), Suspect (S), Investigate (Inv.), and Act (A). We compare the performance of the group that reported the respective feature (Share of Participants) to the performance of the General Population. Depending on whether participants who reported the respective feature performed better or worse, we indicate whether that group reacted (React.) more or less often than their peers. The reaction translates to phishing susceptibility, as indicated in Table 3 in the manuscript; a higher share of reactions, and thereby increased susceptibility, indicates worse behavior. Below, we provide one example of how to read the table:

Reading Example: People who highlighted General Expectations towards how (third party) entities perform email communication (global/entities/email) performed better than their peers. Of the 32 people who highlighted this feature, only 3.1% clicked on the links provided in the emails, while 24% of participants overall clicked on the links provided. This observation is statistically significant, as confirmed by a \(\chi ^2\) test for significance resulting in \(p = 0.001\).
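The significance test named in the reading example is a chi-square test on a 2x2 contingency table (feature reported or not, clicked or not). The Python code below is an added worked example, not the authors' analysis script. It takes the figures the reading example states (32 reporters, one click among them, 24% clicks overall) together with an assumed total of 1,000 survey respondents, which the page does not give; the resulting p-value therefore illustrates the computation rather than reproducing the paper's p = 0.001. The population column in the paper includes the reporting group, so the function removes the group before building the table, and it flags tables whose expected cell counts are too small for the chi-square approximation.

```python
from math import erfc, sqrt


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square statistic and p-value for the table [[a, b], [c, d]].

    One degree of freedom, no continuity correction. For df = 1 the survival
    function has the closed form P(X^2 >= x) = erfc(sqrt(x / 2)), so no
    statistics library is needed."""
    n = a + b + c + d
    denominator = (a + b) * (c + d) * (a + c) * (b + d)
    if denominator == 0:
        raise ValueError("a row or column of the table is empty")
    statistic = n * (a * d - b * c) ** 2 / denominator
    return statistic, erfc(sqrt(statistic / 2))


def compare_group(group_size, group_clicks, population_size, population_clicks):
    """Compare the click rate of participants who reported a feature with the
    rest of the respondents.

    The population figures include the group (as the paper's General
    Population column does), so the group is subtracted before the 2x2 table
    is built. small_expected_cell is True when any expected count falls below
    5, the usual threshold at which Fisher's exact test is preferred over the
    chi-square approximation."""
    if not (0 <= group_clicks <= group_size <= population_size):
        raise ValueError("inconsistent group counts")
    if not (group_clicks <= population_clicks <= population_size):
        raise ValueError("inconsistent population counts")
    a, b = group_clicks, group_size - group_clicks          # reporters: clicked / not
    c = population_clicks - group_clicks                     # rest: clicked
    d = (population_size - group_size) - c                   # rest: not clicked
    if d < 0:
        raise ValueError("more clicks outside the group than people outside it")
    statistic, p_value = chi_square_2x2(a, b, c, d)
    n = a + b + c + d
    expected = [row * col / n for row in (a + b, c + d) for col in (a + c, b + d)]
    return {
        "group_rate": group_clicks / group_size,
        "population_rate": population_clicks / population_size,
        "chi2": statistic,
        "p": p_value,
        "small_expected_cell": min(expected) < 5,
    }


if __name__ == "__main__":
    # Counts from the reading example: 32 reporters, 3.1% of them (one person)
    # clicked, 24% of all respondents clicked. The total of 1,000 respondents
    # is an ASSUMED figure; the page does not state the respondent count.
    result = compare_group(32, 1, 1000, 240)
    print(f"group {result['group_rate']:.1%} vs population {result['population_rate']:.1%}")
    print(f"chi2 = {result['chi2']:.2f}, p = {result['p']:.4f}")
```

With the assumed 1,000 respondents the statistic is about 7.9 and p is about 0.005; the exact p reported in the paper depends on the real respondent count and on whether a continuity correction was applied, neither of which the page states.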

Table 4. Overview of all Correlations observed between Participant Responses clustered to the HITL model.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Köhler, D., Pünter, W., Meinel, C. (2024). How Users Investigate Phishing Emails that Lack Traditional Phishing Cues. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14585. Springer, Cham. https://doi.org/10.1007/978-3-031-54776-8_15


  • DOI: https://doi.org/10.1007/978-3-031-54776-8_15


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54775-1

  • Online ISBN: 978-3-031-54776-8
