Researchers identify how phishing strategies may lead to success or failure

February 26, 2018

Phishing is a common social engineering attack that involves criminals impersonating a trustworthy third party to persuade people to visit fraudulent websites or download malicious attachments.

But not all phishing campaigns work. To begin to understand the psychology of criminals' behaviors in cybersecurity and how it can be used to prevent phishing attacks, Carnegie Mellon University's Prashanth Rajivan and Cleotilde Gonzalez identified how adversaries may be more successful when they exploit specific phishing strategies than when they use other less successful ones.

In a paper published in Frontiers in Psychology, Rajivan and Gonzalez present a new methodology to study an important but often ignored aspect of phishing: adversarial behavior. In their experiment, participants played the role of phishing attackers and accumulated points over a number of turns for successfully deceiving other people who were acting as email recipients. The game was constructed to train and reward participants to produce phishing emails that used different tactics and email topics.

"We created a game-like experiment to assess how well different strategies work, and to understand how incentives and success rates, or an individual's personality, can affect criminal motivation," said Rajivan, the lead author and a postdoctoral research associate in the Dietrich College of Humanities and Social Sciences' Department of Social and Decision Sciences.

They found that when adversaries stuck to strategies such as communicating failure, using an authoritative tone, expressing a shared interest and sending notifications, they were more likely to succeed.

"It was particularly surprising to find that communicating failure--such as fake emails communicating failed password attempts--was one of the most successful phishing tactics which demonstrates how susceptible we may be when it comes to avoiding personal losses," Rajivan said.

Conversely, they found that strategies like offering deals, selling illegal materials and using a positive tone were less likely to succeed.

The results also showed that incentives had a direct influence on criminal motivation and that delayed rewards resulted in less effort.

"We need to improve current security practices and determine policies that make it harder for attackers to obtain quick and large returns for their phishing efforts," Rajivan said.

They found no evidence suggesting that criminals' creative ability alone could be a good predictor of whether a phishing campaign would work.

"Phishing attacks are on the rise, and attackers' strategies are becoming more sophisticated," said Gonzalez, research professor of social and decision sciences. "Multiple techniques are needed to combat these attacks, including end-user training and automated anti-phishing tools. However, we might be able to develop better tools if we are more informed regarding the psychology of criminal behavior. Our work begins to offer insights of how adversaries behave and how they most effectively deceive end-users."
The Army Research Laboratory funded this research.

Carnegie Mellon University
