DOI: 10.1145/3025453.3025831

Dissecting Spear Phishing Emails for Older vs Young Adults: On the Interplay of Weapons of Influence and Life Domains in Predicting Susceptibility to Phishing

Published: 02 May 2017

Abstract

Spear phishing emails are key in many cyber attacks. Successful emails employ psychological weapons of influence and relevant life domains. This paper investigates spear phishing susceptibility as a function of Internet user age (old vs young), weapon of influence, and life domain. A 21-day study was conducted with 158 participants (younger and older Internet users). Data collection took place at the participants' homes to increase ecological validity. Our results show that older women were the most vulnerable group to phishing attacks. While younger adults were most susceptible to scarcity, older adults were most susceptible to reciprocation. Further, there was a discrepancy, particularly among older users, between self-reported susceptibility awareness and their behavior during the intervention. Our results show the need for demographic personalization for warnings, training and educational tools in targeting the specifics of the older adult population.

        Published In

        CHI '17: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems
        May 2017
        7138 pages
        ISBN:9781450346559
        DOI:10.1145/3025453
        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. aging
        2. principles of influence
        3. spear phishing
        4. susceptibility

        Qualifiers

        • Research-article

        Acceptance Rates

        CHI '17 Paper Acceptance Rate 600 of 2,400 submissions, 25%;
        Overall Acceptance Rate 6,199 of 26,314 submissions, 24%
