DOI: 10.1145/1978942.1979459
Research article

F for fake: four studies on how we fall for phish

Published: 07 May 2011

Abstract

This paper reports findings from a multi-method set of four studies that investigate why we continue to fall for phish. Current security advice suggests that poor spelling and grammar in emails can be signs of phish. But a content analysis of a phishing archive indicates that many such emails contain no obvious spelling or grammar mistakes and often use convincing logos and letterheads. An online survey of 224 people finds that although phish are detected approximately 80% of the time, those with logos are significantly harder to detect. A qualitative interview study was undertaken to better understand the strategies used to identify phish. Blind users were selected because it was thought they might be more vulnerable to phishing attacks; however, they demonstrated robust strategies for identifying phish based on careful reading of emails. Finally, an analysis was undertaken of phish as a literary form. This identifies the main literary device employed as pastiche and draws on critical theory to consider why security-based pastiche may currently be very persuasive.



    Published In

    CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
    May 2011
    3530 pages
    ISBN:9781450302289
    DOI:10.1145/1978942
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]


    Publisher

    Association for Computing Machinery

    New York, NY, United States



    Author Tags

    1. critical theory
    2. human factors
    3. persuasion
    4. phish detection
    5. visually impaired users

    Qualifiers

    • Research-article

    Conference

    CHI '11

    Acceptance Rates

    CHI '11 Paper Acceptance Rate 410 of 1,532 submissions, 27%;
    Overall Acceptance Rate 6,199 of 26,314 submissions, 24%


    Article Metrics

    • Downloads (Last 12 months)128
    • Downloads (Last 6 weeks)12
    Reflects downloads up to 25 Dec 2024

    Cited By

    • Investigation of Phishing Susceptibility with Explainable Artificial Intelligence. Future Internet 16(1):31, 17 Jan 2024. DOI: 10.3390/fi16010031
    • An analysis of phishing reporting activity in a bank. Proceedings of the 2024 European Symposium on Usable Security, pp. 44-57, 30 Sep 2024. DOI: 10.1145/3688459.3688481
    • Does trainer gender make a difference when delivering phishing training? A new experimental design to capture bias. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, pp. 130-139, 18 Jun 2024. DOI: 10.1145/3661167.3661232
    • Investigating Phishing Threats in the Email Browsing Experience of Visually Impaired Individuals. Extended Abstracts of the CHI Conference on Human Factors in Computing Systems, pp. 1-11, 11 May 2024. DOI: 10.1145/3613905.3651076
    • Understanding Phishing Experiences of Screen Reader Users. IEEE Security and Privacy 22(5):63-72, 1 Sep 2024. DOI: 10.1109/MSEC.2024.3430110
    • "Parent seeking Roblox Safety Help": Comparing Parental Roblox Concerns to Roblox Offerings. 2024 IEEE International Symposium on Technology and Society (ISTAS), pp. 1-9, 18 Sep 2024. DOI: 10.1109/ISTAS61960.2024.10732489
    • Scamming higher ed: An analysis of phishing content and trends. Computers in Human Behavior 158:108274, Sep 2024. DOI: 10.1016/j.chb.2024.108274
    • A systematic review and research challenges on phishing cyberattacks from an electroencephalography and gaze-based perspective. Personal and Ubiquitous Computing 28(3-4):449-470, 1 Aug 2024. DOI: 10.1007/s00779-024-01794-9
    • A Diary Study to Understand Young Saudi Adult Users’ Experiences of Online Security Threats. Human Aspects of Information Security and Assurance, pp. 47-60, 28 Nov 2024. DOI: 10.1007/978-3-031-72559-3_4
    • Iterative design of an accessible crypto wallet for blind users. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, pp. 381-398, 7 Aug 2023. DOI: 10.5555/3632186.3632207
