posted by janrinok on Tuesday January 30, @02:02PM   Printer-friendly
from the phish-email-not-Phish-the-band dept.

From the Abstract:

Despite technical and non-technical countermeasures, humans continue to be tricked by phishing emails. How users make email response decisions is a missing piece in the puzzle to identifying why people still fall for phishing emails. We conducted an empirical study using a think-aloud method to investigate how people make 'response decisions' while reading emails. The grounded theory analysis of the in-depth qualitative data has enabled us to identify different elements of email users' decision-making that influence their email response decisions. Furthermore, we developed a theoretical model that explains how people could be driven to respond to emails based on the identified elements of users' email decision-making processes and the relationships uncovered from the data. The findings provide deeper insights into phishing email susceptibility due to people's email response decision-making behavior. We also discuss the implications of our findings for designers and researchers working in anti-phishing training, education, and awareness interventions.

The conclusion:

In this paper, we investigate in-depth how people make email response decisions while reading their emails. Analysis of the collected qualitative data enabled us to develop a theoretical model that describes how people can be driven to respond to emails by clicking on email links and replying to or downloading attachments based on people's email response decision-making elements and their relationships. Based on an improved understanding of how people make email responses, this study enables us to identify how people can be susceptible to manipulation, even in our controlled experiment environment. We proposed five concrete enhancements to state-of-the-art anti-phishing education, training, and awareness tools to support users in making safe email responses. Among others, we suggest that the goal of anti-phishing education, training, and awareness tools should shift from accurate email legitimacy judgments to secure email responses. Therefore, we believe our work lays the foundation for improving future anti-phishing interventions to make a significant difference in how we prevent phishing email attacks in the future.

Journal Reference: Why People Still Fall for Phishing Emails: An Empirical Investigation into How Users Make Email Response Decisions, Asangi Jayatilaka, Nalin Asanka Gamagedara Arachchilage, Muhammad Ali Babar - https://arxiv.org/pdf/2401.13199.pdf



  • (Score: 5, Insightful) by Opportunist on Tuesday January 30, @02:42PM

    by Opportunist (5545) on Tuesday January 30, @02:42PM (#1342401)

    People feel safe, secure and in control in a familiar environment, most so, at home. They are in a familiar environment, using familiar equipment and hence have no reason to expect anything problematic or "bad". This is where they let their guard down, so they are more susceptible to falling for trickery and deceit.

    This is also where any emails that speak of a "threat", "alert" or "immediate action required" have a lot more impact, because they don't expect it. They immediately feel very vulnerable and threatened and want to reestablish the comfortable status ante where they were safe and secure and will more readily accept whatever they are required to do (open this PDF, log into your account so you don't lose it...) to get back to the comfy, safe situation.

    Try to analyze this. I'm fairly sure there will be a considerable link between being in an environment people consider "safe" and the susceptibility to phishing.

  • (Score: 3, Interesting) by Barenflimski on Tuesday January 30, @02:48PM (2 children)

    by Barenflimski (6836) on Tuesday January 30, @02:48PM (#1342403)

    I've seen Phishing emails that are so good that even the top brass and best admins get confused.

    When someone has already stolen the company's LDAP database or purchased it from an actor who has, Smishing and Phishing are relatively easy to pull off.

    One of the better campaigns I saw was texts that went out to very specific admins right at the time they normally log on daily that told them their passwords needed to be updated as they locked themselves out while authenticating. They were so well timed that they nailed folks in the middle of logging in. The fake site looked like an official Azure MFA login, was hosted by Microsoft's cloud, and even logged them in as it passed the 'new' credentials in the background.

    These guys are good when they need to be.

    • (Score: 4, Insightful) by Thexalon on Wednesday January 31, @11:59AM (1 child)

      by Thexalon (636) on Wednesday January 31, @11:59AM (#1342492)

      even the top brass ... get confused

      You must not have been in the working world for very long. Confusing the top brass is incredibly easy, since a significant percentage of them don't have the slightest clue what you or they are talking about. Their career trajectory typically involves "go through business school and get their MBA, work as a management consultant for a while giving Powerpoint presentations on topics they know not very much about, if they sound smart to other top brass they get hired in as a VP of something-or-other, and if they continue to sound smart to other top brass their career will continue to go up". Without contrary evidence, when communicating with them you should assume that they know nothing about what you do, including not knowing any of the vocabulary, and do everything you can to simplify what you're saying into terms your non-technical relative who maybe graduated high school could understand. Pretty shiny pictures help too.

      Oh, and how to confuse them if you want to do it intentionally: If a colleague you don't like and you are presenting something to the top brass, and you want to prevent whatever it is from happening, disagree with them about any minor point you like, using the most jargony technical language you can get away with (which will sound like gobbledygook to your audience). The top brass will invariably get extremely distracted by this point, spend the remaining time asking you both about the jargony technical language thing, and will refuse to make a decision until they fully understand the point, which is never, so whatever thing you came to them with will never happen. Your colleague will probably hate your guts after performing this maneuver, so don't do it if you intend to work with them on anything ever again.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by lentilla on Wednesday January 31, @11:40PM

        by lentilla (1770) on Wednesday January 31, @11:40PM (#1342575)

        how to confuse them if you want to do it intentionally

        Pure evil genius! Interested parties are encouraged to watch the training video Yes Minister [wikipedia.org], episode "The Greasy Pole", where concerns are raised regarding the safety of a harmless compound called metadioxin.

  • (Score: 0, Troll) by Anonymous Coward on Tuesday January 30, @03:12PM (2 children)

    by Anonymous Coward on Tuesday January 30, @03:12PM (#1342408)

    From the fine PDF:

    1) Facilitating to eliminate misconceptions and invalid assumptions: Our study findings point to several misconceptions and invalid assumptions users have with respect to strategies that phishing attackers use and their capacities. For example, we saw that people often assume that phishing emails always contain URLs; hence, the absence of email links tends to create a false sense of security in email recipients.
    2) Tailored anti-phishing education, training and awareness: Our results provide insights into the diversity and complexity of how people make email responses. For example, our results point to situations where some people struggle to identify the legitimacy of emails, some struggle to validate the emails, and some struggle to take safe actions even after making correct legitimacy judgment.
    3) Shifting focus from accurate email legitimacy judgements to secure email responses: Our theoretical model suggests that perceived email legitimacy may not be the sole influencer of email response decisions. However, frequently anti-phishing education, training, and awareness interventions often focus only on people’s email legitimacy judgments in their study designs and/or in their evaluations.
    4) Facilitating safe email validation: Given that the trust perceived based on email validation techniques could drive people’s email response behavior (see Section IV-L), it is important to make sure people validate emails in safer ways. Unfortunately, our study provides evidence that people use unsafe techniques to validate emails when they have doubts about email legitimacy.
    5) Giving more prominence to diverse personal habits and emotions in tool design: Our results provide insights into how different emotions (see Section IV-N) and personal habits (see Section IV-M) can positively and negatively influence people’s response behaviors. For example, certain emotions such as happiness and excitement, anxiety about maintaining work priorities and relationships, and anxiety about maintaining personal relationships positively affect the intention to respond to phishing emails.
    6) Facilitating to assess the validity of self-learned strategies: Our findings in Section IV-L reveal several inaccurate strategies that people learned through past phishing encounters that they use to detect phishing emails. They could apply those strategies to new emails leading to unsafe email responses to phishing emails (see H8.2).

    That's 6 strategies, they only mentioned 5 in the abstract; I wonder which one they forgot to count :P

    • (Score: 2, Interesting) by Runaway1956 on Tuesday January 30, @04:57PM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Tuesday January 30, @04:57PM (#1342417) Journal

      1) Facilitating to eliminate misconceptions and invalid assumptions: Our study findings point to several misconceptions and invalid assumptions users have with respect to strategies that phishing attackers use and their capacities. For example, we saw that people often assume that phishing emails always contain URLs; hence, the absence of email links tends to create a false sense of security in email recipients.

      That's an important one that needs to be stressed. A lot of people KNOW not to click links, but they don't suspect phone contacts so much. I recently interrupted one of those Norton/McAfee/GeekSquad scams. The software was downloaded, installed, but not connected. I overheard part of the phone conversation, and interrupted the proceedings. People feel safer with a phone contact than with a URL. That "human touch" seems to overcome caution.

      What I really need to do is train people to be more aggressive in moving emails to spam. On my own machine, I seldom see any spam, so I'm seldom tempted to open it up. Because I'm aggressive, the algorithms responsible for routing trash into the spam box work overtime for me. Hmmmm - maybe I'll put my Helpy Helperton hat on, and go through my wife's Inbox for her. Spam, spam, spam, no eggs, and spam.

      • (Score: 3, Interesting) by Thexalon on Wednesday January 31, @12:10PM

        by Thexalon (636) on Wednesday January 31, @12:10PM (#1342494)

        It takes more courage to defy a real live human being, even a total stranger, than it does to defy an impersonal email message. This is true even in contexts where obedience to that human being makes exactly zero sense, e.g. a Brit named Jack Churchill once captured over 40 German soldiers in World War II mostly by walking up to them with a broadsword and barking orders at them.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by looorg on Tuesday January 30, @03:57PM (3 children)

    by looorg (578) on Tuesday January 30, @03:57PM (#1342410)

    Way too many variables, but then it's hard to have a model with only one and it doesn't make for the best paper. But why do people fall for scams, phishing or email or otherwise? It can be summed up with one word: GREED. They all think they are getting something awesome for nothing.

    • (Score: 2) by PiMuNu on Tuesday January 30, @04:45PM

      by PiMuNu (3823) on Tuesday January 30, @04:45PM (#1342415)

      Not really. Most of the phishing emails coming to me are not associated with greed (the days of Nigerian princes seem to have passed, as far as my inbox is concerned).

      I had a very good one recently, coming apparently from my old line manager (but not). Someone obviously had access to our org chart (they attacked a couple of us in the same group).

    • (Score: 4, Interesting) by theluggage on Tuesday January 30, @05:54PM

      by theluggage (1797) on Tuesday January 30, @05:54PM (#1342422)

      Sure, in the case of - say - the classic 419 scam (which, even if it was "honest", would be an invitation to collaborate in a questionable money-laundering scheme) - but you can't generalise. Many phishing schemes are of the "please login and update your details to avoid account suspension", "This invoice is overdue please pay immediately!" or "your UPS parcel is held up in customs, please send $x to secure delivery" variety, which are hardly playing on greed. They also rely on sending out vast numbers of messages and only expecting a low "hit" rate - so although you might think "D'oh! - I don't even have an account with [well-known company name]" or "Yeah, right, that parcel that I'm not expecting!" that just means that they're not after you - chances are some of the thousands of recipients of that spam do have accounts with that company or will be expecting a package.

      Then there are the better-targeted ones where the scammers have some information about you: E.g. if you have ever registered a domain name then you'll probably have received "fake" renewal notices including the name of your domain (sometimes these are pedantically genuine offers to take over DNS hosting, just presented in a very deceptive form). Luckily, I'd heard of the scam before I saw it (plus, I'm a suspicious bastard) - but I'd have a certain amount of sympathy for anybody who was hooked.

      Or, someone you know gets their pwned and you receive a desperate message from them asking for urgent money to get them out of a spot... Again, the bots are after the 1 in 1000 target whose significant-other-in-law - or boss - might actually make such a request. Far from greed, they're preying on generosity.

      Also, you need to consider all this from the perspective of, maybe, an over-worked secretary whose pointy-haired-boss doesn't always keep them in the loop on what has been ordered or requested but would still deliver a royal bollocking if that parcel is late, their account got suspended, or they didn't reset their boss' password.

      ...none of which is helped by legitimate businesses who send out genuine, unsolicited requests that look like phishing to train us to happily click on links in email. Only today I got an email from my bank saying that a document was available and - credit where credit is due - they didn't include a link, just said go to your normal online banking app or website... except the rest of the message was stuffed with hyperlinks to "click here if you can't see the graphics" and - ultimate irony - "click here to visit our online security advice centre". Honestly, it's like handing a ladder and a bucket of fake whitewash to a clown - they only know one way to behave.

      I also periodically have to explain to nice people who cold-call me that, no, I'm not going to confirm my personal details because although they have a computer screen in front of them to confirm who I am, I have no way of knowing who they are or what bits of information an identity thief might need to finish the job. I'm 90% sure that all but one of those has been legitimate, but that's not the point - and it's certainly not about "greed".

      If you think you would never fall victim to a well-crafted or serendipitous phishing/spam attack then you are really, really tempting fate.

    • (Score: 1) by khallow on Tuesday January 30, @11:23PM

      by khallow (3766) Subscriber Badge on Tuesday January 30, @11:23PM (#1342457) Journal

      It can be summed up with one word: GREED.

      I have to agree with the rest of the peanut gallery. No, it can't. For example, a classic scam is the threat. Your checking account at bigbank.com is empty and the checks are bouncing right now!, the IRS (US version) doesn't love you tonight - repent/respond now or else, or someone has h@xor3d your Amazon account! Then there's the "honest mistake" scams - sorry, we accidentally transferred $1300 to your bank account, we'll need to move the money back to its rightful owners.

      It's a convenient myth that you have to have some moral defect in order to get scammed. While in theory, there might be a robin hood scammer who only steals from the greedy, my take is that the vast majority will steal from anyone they can gull - no matter how vulnerable or innocent the victim.

  • (Score: 1, Disagree) by Rosco P. Coltrane on Tuesday January 30, @04:02PM (8 children)

    by Rosco P. Coltrane (4757) on Tuesday January 30, @04:02PM (#1342411)

    People are fucking dumb. And that's 4 words: that's how dumb they are.

    • (Score: 5, Insightful) by PiMuNu on Tuesday January 30, @04:48PM (6 children)

      by PiMuNu (3823) on Tuesday January 30, @04:48PM (#1342416)

      You obviously haven't been attacked by a competent attacker. They are quite good.

      • (Score: 3, Interesting) by Rosco P. Coltrane on Tuesday January 30, @05:15PM (5 children)

        by Rosco P. Coltrane (4757) on Tuesday January 30, @05:15PM (#1342418)

        Well, I fancy myself as reasonably critical of the emails I receive but not particularly cleverer than anybody else. I've gotten all kinds of more or less cleverly crafted scam mails - even before email filters - and I've never been taken in 30-odd years on the internet.

        So at some point, I can confidently say that "people are fucking dumb" is truly 99% of why scam emails still have a positive return on investment. I don't believe someone with an average level of intelligence and some education falls for any of those emails anymore. Especially today, when everybody is perfectly aware of the existence of email scams.

        • (Score: 2, Interesting) by Runaway1956 on Tuesday January 30, @07:02PM (3 children)

          by Runaway1956 (2926) Subscriber Badge on Tuesday January 30, @07:02PM (#1342424) Journal

          I mostly agree. But I think your 99% figure is a little high. I don't claim to be the most tech savvy guy around, by a long shot, but I've been roped in a couple times. Other people who are much more tech savvy than I have been roped in. I'll agree that at least 50% are just ignorant. I'll agree that another 40% or more are dumb. A couple percent are STUPID - you can find them, people who have been conned repeatedly. They just won't learn. But, there is more than just 1% that are very well done scams, that intelligent people can be, and are, tricked by. It's a pretty sure thing when people start throwing around figures like 99% or even 100%, they are probably overstating their case. Ignorance and stupidity go a long way toward explaining spam, scams, phishing, and every other form of online fraud, but that isn't all of it.

          • (Score: 2, Informative) by anubi on Tuesday January 30, @07:32PM

            by anubi (2828) on Tuesday January 30, @07:32PM (#1342429) Journal

            My fear is pissing someone off. Someone who has a legitimate claim, but I do not know them that well. Especially if it's an "authority" type like a government, court, lawyer, or some financial firm.

            I have a Spoke account just for peace of mind. Should anyone send me notices, I look them up. If it doesn't jive, I feel more comfortable ignoring them. Sometimes, I will forward the offending Phish.

                https://search.brave.com/search?q=where+to+forward+phishing+email [brave.com]

            If they are using IRS for the threat enforcer:

            https://www.irs.gov/businesses/small-businesses-self-employed/tax-scams-how-to-report-them [irs.gov]

            Follow the instructions. Hopefully, if it IS legit, they will tell me. At least I have left a record that I did respond.

            Just try to minimize your exposure window. I use a separate email for government, as I find it extremely time consuming to try to interact with them, and they have damned near unlimited power to mangle me up.

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
          • (Score: 1, Touché) by Anonymous Coward on Tuesday January 30, @08:46PM

            by Anonymous Coward on Tuesday January 30, @08:46PM (#1342438)

            > ... but I've been roped in a couple times.

            Weren't you roped in by Trump hisself? I seem to remember something about a donation to build a wall or something(grin).

            Just a reminder that scams come in many flavors and from many different directions.

          • (Score: 3, Interesting) by Tork on Tuesday January 30, @09:26PM

            by Tork (3914) Subscriber Badge on Tuesday January 30, @09:26PM (#1342445)

            I mostly agree. But I think your 99% figure is a little high. I don't claim to be the most tech savvy guy around, by a long shot, but I've been roped in a couple times. Other people who are much more tech savvy than I have been roped in.

            I agree with your view as well. While I haven't been roped in (yet.... knock on wood) I think it's best if I assume one day I will be. A zillion years ago I worked at a tech company and we had a security incident where someone higher up ran a corrupted attachment. I saw the email that triggered it and I remember thinking: "Damn, I *would* have fallen for it, too.", and this was at the peak of my "I know everything" phase. Basically the way it worked, an affected machine would send out emails to other potential targets. The message it actually sent was randomized, but in this case it got a lucky shot. Its randomly-chosen context fit with something that had happened only hours before. In simpler terms I mean the email said the right thing, came from the right person, and it happened at just the right time.

            Now we've got AI generating text, social media leaking 'trusted' contexts, and I'm getting older and losing touch with all the new fangled tok ticks or whatever the new hotness is. If I do reach the end of my life without getting burned by something like this I'll only have good fortune to thank.

            --
            🏳️‍🌈 Proud Ally 🏳️‍🌈
        • (Score: 2) by PiMuNu on Thursday February 01, @09:16AM

          by PiMuNu (3823) on Thursday February 01, @09:16AM (#1342610)

          I don't believe I have been taken in either, but I have had a couple of near misses. It isn't the email "scams" that worry me, rather the (sometimes spear) phishing attempts where someone is trying to take over my pc for Evil porpoises.

    • (Score: 0) by Anonymous Coward on Wednesday January 31, @11:02AM

      by Anonymous Coward on Wednesday January 31, @11:02AM (#1342488)

      Coincidentally, that's the explanation for why MAGAts fall for Trump grifting all the time, every time.

  • (Score: 5, Insightful) by Ingar on Tuesday January 30, @05:51PM

    by Ingar (801) on Tuesday January 30, @05:51PM (#1342421) Homepage Journal

    The volume of spam and scam is now so high that, statistically speaking, at some point you will click the wrong link by accident.

  • (Score: 2, Insightful) by Anonymous Coward on Wednesday January 31, @09:40AM

    by Anonymous Coward on Wednesday January 31, @09:40AM (#1342482)
    When I was a vendor for a customer, we were regularly required to watch some "security awareness" videos done by KnowBe4 (remember Kevin Mitnick?).

    Well the links were sent via email. And the links weren't to a URL that belonged to the customer. They were to "KnowBe4". And when you clicked on them, there was a page that asked you to enter your username and password! Some of us regularly reported such emails to the customer's security teams as phishing emails...

    To be fair the password you use to register with KnowBe4 could and should be different from what you use elsewhere, but I bet KnowBe4 has tons of reused passwords from people and organizations around the world now...

    It also doesn't help that Microsoft regularly pops up prompts asking for people to log in AND Microsoft has tons of URLs AND many of those URLs arguably look phishy. aka.ms, wpc.v0cdn.net, s-msn.com and so on.

    So if the sign in link was to https://www.msazuresponsorships.com/ instead of https://www.microsoftazuresponsorships.com/ how would you expect a normal user to figure out whether it was legit or not?

    Heck how would you even know whether microsoftazuresponsorships.com is a legit microsoft domain in the first place? Because the link came from an email supposedly from Microsoft?
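The comment above asks how anyone is supposed to tell msazuresponsorships.com from microsoftazuresponsorships.com, or to know that aka.ms and wpc.v0cdn.net are really Microsoft. The only workable answer is a curated allowlist plus a lookalike check, which the following added example (not code from the thread or the paper) sketches; it goes a little beyond the comment by also undoing common character swaps such as "rn" for "m". The allowlist, the brand tokens and the sample message are constructed for illustration.

```python
"""Flag brand-lookalike link hosts in an email body (added example)."""
import re
from urllib.parse import urlparse

# Constructed allowlist of registrable domains the thread cites as genuinely
# Microsoft-operated despite looking odd (aka.ms, wpc.v0cdn.net, s-msn.com).
# microsoftazuresponsorships.com is listed only because the comment treats it
# as the real one; a production tool would load a maintained list instead.
KNOWN_DOMAINS = {
    "microsoft.com", "aka.ms", "v0cdn.net", "s-msn.com",
    "microsoftazuresponsorships.com",
}
# Brand words whose presence in a host that is NOT on the allowlist is suspicious.
BRAND_TOKENS = ("microsoft", "azure", "msn", "office")

# Common character substitutions seen in lookalike hosts (assumption: a small
# illustrative table, not an exhaustive homoglyph set).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com/.net/.ms; a real
    tool would consult the public suffix list to handle things like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(host: str) -> str:
    """Undo the usual substitutions so 'rnicrosoft' compares as 'microsoft'."""
    out = host.lower()
    for bad, good in SUBSTITUTIONS:
        out = out.replace(bad, good)
    return out


def classify_host(host: str) -> str:
    """'known' if on the allowlist, 'lookalike' if it merely resembles the
    brand (anywhere in the host, so microsoft.com.evil.example is caught),
    'unknown' otherwise."""
    host = host.lower()
    if registrable_domain(host) in KNOWN_DOMAINS:
        return "known"
    if "xn--" in host:            # IDN label; may hide a homograph
        return "lookalike"
    norm = normalize(host)
    if any(tok in norm for tok in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def scan_email(body: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every http(s) URL found in the body."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


# Constructed sample message modelled on the thread's examples.
SAMPLE_BODY = """\
Your Azure sponsorship needs attention.
Sign in: https://www.msazuresponsorships.com/login
Help: https://aka.ms/azure-help
Security centre: https://login.rnicrosoft.com/secure
Unsubscribe: https://example.org/unsub
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_BODY):
        print(f"{verdict:9} {url}")
```

The "unknown" verdict is deliberate: a host that neither matches the allowlist nor resembles the brand is not evidence of anything, and the allowlist is where the real work (and maintenance cost) lives.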