Researchers identify how phishing strategies may lead to success or failure

February 26, 2018

Phishing is a common social engineering attack that involves criminals impersonating a trustworthy third party to persuade people to visit fraudulent websites or download malicious attachments.

But not all phishing campaigns work. To begin to understand the psychology of criminals' behaviors in cybersecurity and how it can be used to prevent phishing attacks, Carnegie Mellon University's Prashanth Rajivan and Cleotilde Gonzalez identified how adversaries may be more successful when they exploit specific phishing strategies than when they use others.

In a study published in Frontiers in Psychology, Rajivan and Gonzalez present a new methodology to study an important but often ignored aspect of phishing: adversarial behavior. In their experiment, participants played the role of phishing attackers and accumulated points over a number of turns for successfully deceiving other people who were acting as email recipients. The game was constructed to train and reward participants to produce phishing emails that used different tactics and email topics.

"We created a game-like experiment to assess how well different strategies work, and to understand how incentives and success rates, or an individual's personality, can affect criminal motivation," said Rajivan, the lead author and a postdoctoral research associate in the Dietrich College of Humanities and Social Sciences' Department of Social and Decision Sciences.

They found that when adversaries stuck to strategies such as communicating failure, using an authoritative tone, expressing a shared interest and sending notifications, they were more likely to succeed.

"It was particularly surprising to find that communicating failure--such as fake emails communicating failed password attempts--was one of the most successful phishing tactics which demonstrates how susceptible we may be when it comes to avoiding personal losses," Rajivan said.

Conversely, they found that strategies like offering deals, selling illegal materials and using a positive tone were less likely to succeed.

The results also showed that incentives had a direct influence on criminal motivation and that delayed rewards resulted in less effort.

"We need to improve current security practices and determine policies that make it harder for attackers to obtain quick and large returns for their phishing efforts," Rajivan said.

They found no evidence suggesting that criminals' creative ability alone could be a good predictor of whether a phishing campaign would work.

"Phishing attacks are on the rise, and attackers' strategies are becoming more sophisticated," said Gonzalez, research professor of social and decision sciences. "Multiple techniques are needed to combat these attacks, including end-user training and automated anti-phishing tools. However, we might be able to develop better tools if we are more informed regarding the psychology of criminal behavior. Our work begins to offer insights into how adversaries behave and how they most effectively deceive end-users."

The Army Research Laboratory funded this research.

Read the full study: https://www.frontiersin.org/articles/10.3389/fpsyg.2018.00135/full#h8

Carnegie Mellon University
