Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 13 submissions in the queue.
posted by janrinok on Tuesday January 30 2024, @02:02PM   Printer-friendly
from the phish-email-not-Phish-the-band dept.

From the Abstract:

Despite technical and non-technical countermeasures, humans continue to be tricked by phishing emails. How users make email response decisions is a missing piece in the puzzle to identifying why people still fall for phishing emails. We conducted an empirical study using a think-aloud method to investigate how people make 'response decisions' while reading emails. The grounded theory analysis of the in-depth qualitative data has enabled us to identify different elements of email users' decision-making that influence their email response decisions. Furthermore, we developed a theoretical model that explains how people could be driven to respond to emails based on the identified elements of users' email decision-making processes and the relationships uncovered from the data. The findings provide deeper insights into phishing email susceptibility due to people's email response decision-making behavior. We also discuss the implications of our findings for designers and researchers working in anti-phishing training, education, and awareness interventions.

The conclusion:

In this paper, we investigate in-depth how people make email response decisions while reading their emails. Analysis of the collected qualitative data enabled us to develop a theoretical model that describes how people can be driven to respond to emails by clicking on email links and replying to or downloading attachments based on people's email response decision-making elements and their relationships. Based on an improved understanding of how people make email responses, this study enables us to identify how people can be susceptible to manipulation, even in our controlled experiment environment. We proposed five concrete enhancements to state-of-the-art anti-phishing education, training, and awareness tools to support users in making safe email responses. Among others, we suggest that the goal of anti-phishing education, training, and awareness tools should shift from accurate email legitimacy judgments to secure email responses. Therefore, we believe our work lays the foundation for improving future anti- phishing interventions to make a significant difference in how we prevent phishing email attacks in the future.

Journal Reference: Why People Still Fall for Phishing Emails: An Empirical Investigation into How Users Make Email Response Decisions, Asangi Jayatilaka, Nalin Asanka Gamagedara Arachchilage, Muhammad Ali Babar - https://arxiv.org/pdf/2401.13199.pdf


Original Submission

This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 5, Insightful) by Opportunist on Tuesday January 30 2024, @02:42PM

    by Opportunist (5545) on Tuesday January 30 2024, @02:42PM (#1342401)

    People feel safe, secure and in control in a familiar environment, most so, at home. They are in a familiar environment, using familiar equipment and hence have no reason to expect anything problematic or "bad". This is where they let their guard down, so they are more susceptible to falling for trickery and deceit.

    This is also where any emails that speak of a "threat", "alert" or "immediate action required" have a lot more impact, because they don't expect it. They immediately feel very vulnerable and threatened and want to reestablish the comfortable status ante where they were safe and secure and will more readily accept whatever they are required to do (open this PDF, log into your account so you don't lose it...) to get back to the comfy, safe situation.

    Try to analyze this. I'm fairly sure there will be a considerable link between being in an environment people consider "safe" and the susceptibility to phishing.

  • (Score: 3, Interesting) by Barenflimski on Tuesday January 30 2024, @02:48PM (2 children)

    by Barenflimski (6836) on Tuesday January 30 2024, @02:48PM (#1342403)

    I've seen Phishing emails that are so good that even the top brass and best admins get confused.

    When someone has already stolen the companies LDAP database or purchased it from an actor who has, Smishing and Phishing are relatively easy to pull off.

    One of the better campaigns I saw were texts that went out to very specific admins right at the time they normally log on daily that told them their passwords needed to be updated as they locked themselves out while authenticating. They were so well timed, that they nailed folks in the middle of logging in. The fake site looked like an official Azure MFA login, was hosted by Microsoft's cloud, and even logged them in as it passed the 'new' credentials in the background.

    These guys are good when they need to be.

    • (Score: 4, Insightful) by Thexalon on Wednesday January 31 2024, @11:59AM (1 child)

      by Thexalon (636) on Wednesday January 31 2024, @11:59AM (#1342492)

      even the top brass ... get confused

      You must not have been in the working world for very long. Confusing the top brass is incredibly easy, since a significant percentage of them don't have the slightest clue what you or they are talking about. Their career trajectory typically involves "go through business school and get their MBA, work as a management consultant for a while giving Powerpoint presentations on topics they know not very much about, if they sound smart to other top brass they get hired in as a VP of something-or-other, and if they continue to sound smart to other top brass their career will continue to go up". Without contrary evidence, when communicating with them you should assume that they know nothing about what you do, including not knowing any of the vocabulary, and do everything you can to simplify what you're saying into terms your non-technical relative who maybe graduated high school could understand. Pretty shiny pictures help too.

      Oh, and how to confuse them if you want to do it intentionally: If a colleague you don't like and you are presenting something to the top brass, and you want to prevent whatever it is from happening, disagree with them about any minor point you like, using the most jargony technical language you can get away with (which will sound like gobbledygook to your audience). The top brass will invariably get extremely distracted by this point, spend the remaining time asking you both about the jargony technical language thing, and will refuse to make a decision until they fully understand the point, which is never, so whatever thing you came to them with will never happen. Your colleague will probably hate your guts after performing this maneuver, so don't do it if you intend to work with them on anything ever again.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by lentilla on Wednesday January 31 2024, @11:40PM

        by lentilla (1770) on Wednesday January 31 2024, @11:40PM (#1342575)

        how to confuse them if you want to do it intentionally

        Pure evil genius! Interested parties are encouraged to watch the training video Yes Minister [wikipedia.org], episode "The Greasy Pole", where concerns are raised regarding the safety of an harmless compound called metadioxin.

  • (Score: 0, Troll) by Anonymous Coward on Tuesday January 30 2024, @03:12PM (2 children)

    by Anonymous Coward on Tuesday January 30 2024, @03:12PM (#1342408)

    From the fine PDF:

    1) Facilitating to eliminate misconceptions and invalid assumptions: Our study findings point to several misconceptions and invalid assumptions users have with respect to strategies that phishing attackers use and their capacities. For example, we saw that people often assume that phishing emails always contain URLs; hence, the absence of email links tends to create a false sense of security in email recipients.
    2) Tailored anti-phishing education, training and awareness: Our results provide insights into the diversity and complexity of how people make email responses. For example, our results point to situations where some people struggle to identify the legitimacy of emails, some struggle to validate the emails, and some struggle to take safe actions even after making correct legitimacy judgment.
    3) Shifting focus from accurate email legitimacy judgements to secure email responses: Our theoretical model suggests that perceived email legitimacy may not be the sole influencer of email response decisions. However, frequently anti-phishing education, training, and awareness interventions often focus only on people’s email legitimacy judgments in their study designs and/or in their evaluations.
    4) Facilitating safe email validation: Given that the trust perceived based on email validation techniques could drive people’s email response behavior (see Section IV-L), it is important to make sure people validate emails in safer ways. Unfortunately, our study provides evidence that people use unsafe techniques to validate emails when they have doubts about email legitimacy.
    5) Giving more prominence to diverse personal habits and emotions in tool design: Our results provide insights into how different emotions (see Section IV-N) and personal habits (see Section IV-M) can positively and negatively influence people’s response behaviors. For example, certain emotions such as happiness and excitement, anxiety about maintaining work priorities and relationships, and anxiety about maintaining personal relationships positively affect the intention to respond to phishing emails.
    6) Facilitating to assess the validity of self-learned strategies: Our findings in Section IV-L reveal several inaccurate strategies that people learned through past phishing encounters that they use to detect phishing emails. They could apply those strategies to new emails leading to unsafe email responses to phishing emails (see H8.2).

    That's 6 strategies, they only mentioned 5 in the abstract; I wonder which one they forgot to count :P

    • (Score: 2, Interesting) by Runaway1956 on Tuesday January 30 2024, @04:57PM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Tuesday January 30 2024, @04:57PM (#1342417) Journal

      1) Facilitating to eliminate misconceptions and invalid assumptions: Our study findings point to several misconceptions and invalid assumptions users have with respect to strategies that phishing attackers use and their capacities. For example, we saw that people often assume that phishing emails always contain URLs; hence, the absence of email links tends to create a false sense of security in email recipients.

      That's an important one that needs to be stressed. A lot of people KNOW not to click links, but they don't suspect phone contacts so much. I recently interrupted one of those Norton/McAfee/GeekSquad scams. The software was downloaded, installed, but not connected. I overheard part of the phone conversation, and interrupted the proceedings. People feel safer with a phone contact, than with a URL. That "human touch" seems to overcome caution.

      What I really need to do, is train people to be more aggressive in moving emails to spam. On my own machine, I seldom see any spam, so I'm seldom tempted to open it up. Because I'm aggressive, the algorithms responsible for routing trash into the spam box works overtime for me. Hmmmm - maybe I'll put my Helpy Helperton hat on, and go through my wife's Inbox for her. Spam, spam, spam, no eggs, and spam.

      --
      “I have become friends with many school shooters” - Tampon Tim Walz
      • (Score: 3, Interesting) by Thexalon on Wednesday January 31 2024, @12:10PM

        by Thexalon (636) on Wednesday January 31 2024, @12:10PM (#1342494)

        It takes more courage to defy a real live human being, even a total stranger, than it does to defy an impersonal email message. This is true even in contexts where obedience to that human being makes exactly zero sense, e.g. a Brit named Jack Churchill once captured over 40 German soldiers in World War II mostly by walking up to them with a broadsword and barking orders at them.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by looorg on Tuesday January 30 2024, @03:57PM (3 children)

    by looorg (578) on Tuesday January 30 2024, @03:57PM (#1342410)

    Way to many variables, but then it's hard to have a model with only one and it doesn't make for the best paper. But why do people fall for scams, phishing or email or otherwise? It can be summed up with one word: GREED. They all thing they are getting something awesome for nothing.

    • (Score: 2) by PiMuNu on Tuesday January 30 2024, @04:45PM

      by PiMuNu (3823) on Tuesday January 30 2024, @04:45PM (#1342415)

      Not really. Most of the phishing emails coming to me are not associated with greed (the days of Nigerian princes seems to have passed, as far as my inbox is concerned).

      I had a very good one recently, coming apparently from my old line manager (but not). Someone obviously had access to our org chart (they attacked a couple of us in the same group).

    • (Score: 4, Interesting) by theluggage on Tuesday January 30 2024, @05:54PM

      by theluggage (1797) on Tuesday January 30 2024, @05:54PM (#1342422)

      Sure, in the case of - say - the classic 419 scam (which, even it was "honest" would be an invitation to collaborate in a questionable money-laundering scheme) - but you can't generalise. Many phishing schemes are of the "please login and update your details to avoid account suspension", "This invoice is overdue please pay immediately!" or "your UPS parcel is held up in customs, please send $x to secure delivery" variety, which are hardly playing on greed. They also rely on sending out vast numbers of messages and only expecting a low "hit" rate - so although you might think "D'oh! - I don't even have an account with [well-known company name]" or "Yeah, right, that parcel that I'm not expecting!" that just means that they're not after you - chances are some of the thousands of recipients of that spam do have accounts with that company or will be expecting a package.

      Then there are the better-targetted ones where the scammers have some information about you: E.g. if you have ever registered a domain name then you'll probably have received "fake" renewal notices including the name of your domain (sometimes these are pedantically genuine offers to take over DNS hosting, just presented in a very deceptive form). Luckily, I'd heard of the scam before I saw it (plus, I'm a suspicious bastard) - but I'd have a certain amount of sympathy for anybody who was hooked.

      Or, someone you know gets their pwned and you receive a desperate message from them asking for urgent money to get them out of a spot... Again, the bots are after the 1 in 1000 target who's signicant-other-in-law - or boss - might actually make such a request. Far from greed, they're preying on generosity.

      Also, you need to consider all this from the perspective of, maybe, an over-worked secretary who's pointy-haired-boss doesn't always keep them in the loop on what has been ordered or requested but would still deliver a royal bollocking if that parcel is late, their account got suspended, or they didn't reset their boss' password.

      ...none of which is helped by legitimate businesses who send out genuine, unsolicited requests that look like phishing to train us to happily click on links in email. Only today I got an email from my bank saying that a document was available and - credit where credit is due - they didn't include a link, just said go to your normal online banking app or website... except the rest of the message was stuffed with hyperlinks to "click here if you can't see the graphics" and - ultimate irony - "click here to visit our online security advice centre". Honestly, it's like handing a ladder and a bucket of fake whitewash to a clown - they only know one way to behave.

      I also periodically have to explain to nice people who cold-call me that, no, I'm not going to confirm my personal details because although they have a computer screen in front of them to confirm who I am, I have no way of knowing who they are or what bits of information an identity thief might need to finish the job. I'm 90% sure that all but one of those has been legitimate, but that's not the point - and its certainly not about "greed".

      If you think you would never fall victim to a well-crafted or serendipitous phishing/spam attack then you are really, really tempting fate.

    • (Score: 1) by khallow on Tuesday January 30 2024, @11:23PM

      by khallow (3766) Subscriber Badge on Tuesday January 30 2024, @11:23PM (#1342457) Journal

      It can be summed up with one word: GREED.

      I have to agree with the rest of the peanut gallery. No, it can't. For example, a classic scam is the threat. Your checking account at bigbank.com is empty and the checks are bouncing right now!, the IRS (US version) doesn't love you tonight - repent/respond now or else, or someone has h@xor3d your Amazon account! Then there's the "honest mistake" scams - sorry, we accidentally transferred $1300 to your bank account, we'll need to move the money back to its rightful owners.

      It's a convenient myth that you have to have some moral defect in order to get scammed. While in theory, there might be a robin hood scammer who only steals from the greedy, my take is that the vast majority will steal from anyone they can gull - no matter how vulnerable or innocent the victim.

  • (Score: 1, Disagree) by Rosco P. Coltrane on Tuesday January 30 2024, @04:02PM (8 children)

    by Rosco P. Coltrane (4757) on Tuesday January 30 2024, @04:02PM (#1342411)

    People are fucking dumb. And that's 4 words: that's how dumb they are.

    • (Score: 5, Insightful) by PiMuNu on Tuesday January 30 2024, @04:48PM (6 children)

      by PiMuNu (3823) on Tuesday January 30 2024, @04:48PM (#1342416)

      You obviously haven't been attacked by a competent attacker. They are quite good.

      • (Score: 3, Interesting) by Rosco P. Coltrane on Tuesday January 30 2024, @05:15PM (5 children)

        by Rosco P. Coltrane (4757) on Tuesday January 30 2024, @05:15PM (#1342418)

        Well, I fancy myself as reasonably critical of the emails I receive but not particularly cleverer than anybody else, I've gotten all kinds of more or less cleverly crafted scam mails - even before email filters - and I've never been took in 30-odd years on the internet

        So at some point, I can confidently say that "people are fucking dumb" is truly 99% of why scam emails still have a positive return on investment. I don't believe someone with an average level of intelligence and some education falls for any of those emails anymore. Especially today, when everybody is perfectly aware of the existence of email scams.

        • (Score: 2, Interesting) by Runaway1956 on Tuesday January 30 2024, @07:02PM (3 children)

          by Runaway1956 (2926) Subscriber Badge on Tuesday January 30 2024, @07:02PM (#1342424) Journal

          I mostly agree. But I think your 99% figure is a little high. I don't claim to be the most tech savvy guy around, by a long shot, but I've been roped in a couple times. Other people who are much more tech savvy than I have been roped in. I'll agree that at least 50% are just ignorant. I'll agree that another 40% or more are dumb. A couple percent are STUPID - you can find them, people who have been conned repeatedly. They just won't learn. But, there is more than just 1% that are very well done scams, that intelligent people can be, and are, tricked by. It's a pretty sure thing when people start throwing around figures like 99% or even 100%, they are probably overstating their case. Ignorance and stupidity go a long way toward explaining spam, scams, phishing, and every other form of online fraud. but that isn't all of it.

          --
          “I have become friends with many school shooters” - Tampon Tim Walz
          • (Score: 2, Informative) by anubi on Tuesday January 30 2024, @07:32PM

            by anubi (2828) on Tuesday January 30 2024, @07:32PM (#1342429) Journal

            My fear is pissing someone off. Someone who has a legitimate claim, but I do not know them that well. Especially if it's a "authority" type like a government, court, lawyer, or some financial firm.

            I have a Spoke account just for peace of mind. Should anyone send me notices, I look them up. If it doesn't jive, I feel more comfortable ignoring them. Sometimes, I will forward the offending Phish.

                https://search.brave.com/search?q=where+to+forward+phishing+email [brave.com]

            If they are using IRS for the threat enforcer:

            https://www.irs.gov/businesses/small-businesses-self-employed/tax-scams-how-to-report-them [irs.gov]

            Follow the instructions. Hopefully, if it IS legit, they will tell me. At least I have left a record that I did respond

            Just try to minimize your exposure window. I use a separate email for government, as I find it extremely time consuming to try to interact with them, they have damned near unlimited power to mangle me up.

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
          • (Score: 1, Touché) by Anonymous Coward on Tuesday January 30 2024, @08:46PM

            by Anonymous Coward on Tuesday January 30 2024, @08:46PM (#1342438)

            > ... but I've been roped in a couple times.

            Weren't you roped in by Trump hisself? I seem to remember something about a donation to build a wall or something(grin).

            Just a reminder that scams come in many flavors and from many different directions.

          • (Score: 3, Interesting) by Tork on Tuesday January 30 2024, @09:26PM

            by Tork (3914) Subscriber Badge on Tuesday January 30 2024, @09:26PM (#1342445)

            I mostly agree. But I think your 99% figure is a little high. I don't claim to be the most tech savvy guy around, by a long shot, but I've been roped in a couple times. Other people who are much more tech savvy than I have been roped in.

            I agree with your view as well. While I haven't been roped in (yet.... knock on wood) I think it's best if I assume one day I will be. A zillion years ago I worked at a tech company and we had had a security incident where someone higher up ran a corrupted attachment. I saw the email that triggered it and I remember thinking: "Damn, I *would* have fallen for it, too.", and this was at the peak of my "I know everything" phase. Basically the way it worked an affected machine would send out emails to other potential targets. The message it actually sent was randomized, but in this case it got a lucky shot. Its randomly-chosen context fit with something that had happened only hours before. In simpler terms I mean the email said the right thing, came from the right person, and it happened at just the right time.

            Now we've got AI generating text, social media leaking 'trusted' contexts, and I'm getting older and losing touch with all the new fangled tok ticks or whatever the new hotness is. If I do reach the end of my life without getting burned by something like this I'll only have good fortune to thank.

            --
            🏳️‍🌈 Proud Ally 🏳️‍🌈
        • (Score: 2) by PiMuNu on Thursday February 01 2024, @09:16AM

          by PiMuNu (3823) on Thursday February 01 2024, @09:16AM (#1342610)

          I don't believe I have been taken in either, but I have had a couple of near misses. It isn't the email "scams" that worry me, rather the (sometimes spear) phishing attempts where someone is trying to take over my pc for Evil porpoises.

    • (Score: 0) by Anonymous Coward on Wednesday January 31 2024, @11:02AM

      by Anonymous Coward on Wednesday January 31 2024, @11:02AM (#1342488)

      Coincidentally, that the explanation for why MAGAts fall for Trump grifting all the time everytime.

  • (Score: 5, Insightful) by Ingar on Tuesday January 30 2024, @05:51PM

    by Ingar (801) on Tuesday January 30 2024, @05:51PM (#1342421) Homepage Journal

    The volume of spam and scam is now so high that, statistically speaking, at some point you will click the wrong link by accident.

    --
    Understanding is a three-edged sword: your side, their side, and the truth.
  • (Score: 2, Insightful) by Anonymous Coward on Wednesday January 31 2024, @09:40AM

    by Anonymous Coward on Wednesday January 31 2024, @09:40AM (#1342482)
    When I was a vendor for a customer, we were regularly required to watch some "security awareness" videos done by KnowBe4 (remember Kevin Mitnick?).

    Well the links were sent via email. And the links weren't to a URL that belonged to the customer. They were to "KnowBe4". And when you clicked on them, there was a page that asked you to enter your username and password! Some of us regularly reported such emails to the customer's security teams as phishing emails...

    To be fair the password you use to register with KnowBe4 could and should be different from what you use elsewhere, but I bet KnowBe4 has tons of reused passwords from people and organizations around the world now...

    It also doesn't help that Microsoft regularly pops up prompts asking for people to log in AND Microsoft has tons of URLs AND many of those URLs arguably look phishy. aka.ms, wpc.v0cdn.net, s-msn.com and so on.

    So if the sign in link was to https://www.msazuresponsorships.com/ instead of https://www.microsoftazuresponsorships.com/ how would you expect a normal user to figure out whether it was legit or not?

    Heck how would you even know whether microsoftazuresponsorships.com is a legit microsoft domain in the first place? Because the link came from an email supposedly from Microsoft?
(1)