A Preliminary Investigation on User Factors of Phishing E-mail
Abstract
The growing number of Internet users and their adaptation to technology are threatening security. The most prevalent threat is phishing, which uses social engineering attacks to mislead users into revealing confidential and sensitive information such as usernames and passwords. Phishing is a type of e-mail fraud in which an intruder poses as a trustworthy or trusted source to deceive the recipient into clicking on a link or opening an e-mail attachment. Phishing e-mails are those that employ both social engineering and technological tricks. E-mail is essential today because almost every person in the world has to use it, whether for personal or business purposes. Anyone who has used e-mail may be a possible target for cybercriminals. The user factor is an essential element in a phishing e-mail. In this study, interviews were conducted to identify the user factors involved in a phishing e-mail. The findings show that the user factors are demographics, behaviour, weapons of influence and the contents of the phishing e-mail.
License
Copyright (c) 2022 Author
This work is licensed under a Creative Commons Attribution 4.0 International License.