nach oben

Erschienen in:

2021 | OriginalPaper | Buchkapitel

Spotlight on Phishing: A Longitudinal Study on Phishing Awareness Trainings

verfasst von : Florian Quinkert, Martin Degeling, Thorsten Holz

Erschienen in: Detection of Intrusions and Malware, and Vulnerability Assessment

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Phishing is in practice one of the most common attack vectors threatening digital assets. An attacker sends a legitimate-looking e-mail to a victim to lure her on a website with the goal of tricking the victim into revealing credentials. A phishing e-mail can use both technical (e.g., a forged link) and psychological vectors (e.g., an authoritarian tone) to persuade the victim.

In this paper, we present an analysis of more than 420,000 phishing e-mails sent over more than 1.5 years by a consulting company offering awareness trainings. Our data set contains detailed information on how users interact with the e-mails, e.g., when they click on links and what psychological vectors are used in the e-mails to convince the recipient of its legitimacy. While previous studies often used lab environments, the e-mails in our data set are sent to real users during their day-to-day work so that we can study their behavior in a genuine setting. Our results indicate a continually decreasing click rate (from 19% to 10%) with progressing awareness training. We also found some psychological vectors, including an authoritative tone and curiosity, to be more effective than others to trick a user into falling for this type of scam e-mails.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel PetaDroid: Adaptive Android Malware Detection Using Deep Learning

Nächstes Kapitel Extended Abstract: A First Large-Scale Analysis on Usage of MTA-STS

Nur mit Berechtigung zugänglich

Aaron, G.: Phishing activity trends report - 4th quarter 2019 (2019). https://docs.apwg.org/reports/apwg_trends_report_q4_2019.pdf

Aaron, G.: Phishing activity trends report - 2nd quarter 2020 (2020). https://docs.apwg.org/reports/apwg_trends_report_q2_2020.pdf

Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Seven months’ worth of mistakes: a longitudinal study of typosquatting abuse. In: Network and Distributed System Security Symposium (NDSS) (2015)

Bauer, E.: The 2017 email marketing field guide: the best times and days to send your message and get it read. https://www.propellercrm.com/blog/2017-email-marketing-field-guide

Blythe, M., Petrie, H.L., Clark, J.A.: F for fake: four studies on how we fall for phish. In: Conference on Human Factors in Computing Systems (CHI) (2011)

Butavicius, M., Parsons, K., Pattinson, M., McCormac, A.: Breaching the human firewall: social engineering in phishing and spear-phishing emails. In: Australian Conference of Information System (2015)

Canova, G., Volkamer, M., Bergmann, C., Reinheimer, B.: NoPhish app evaluation: lab and retention study. In: Workshop on Usable Security and Privacy (USEC) (2015)

Caputo, D.D., Pfleeger, S.L., Freeman, J.D., Johnson, M.E.: Going spear phishing: exploring embedded training and awareness. IEEE Secur. Priv. 12(1), 28–38 (2013)CrossRef

Cialdini, R.B., Goldstein, N.J.: The science and practice of persuasion. Cornell Hotel Restaur. Adm. Q. 43(2), 40–50 (2002)CrossRef

10.

Cidon, A., Gavish, L., Bleier, I., Korshun, N., Schweighauser, M., Tsitkin, A.: High precision detection of business email compromise. In: Usenix Security Symposium (2019)

11.

Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Conference on Human Factors in Computing Systems (CHI) (2006)

12.

Ferreira, A., Coventry, L., Lenzini, G.: Principles of persuasion in social engineering and their use in phishing. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2015. LNCS, vol. 9190, pp. 36–47. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20376-8_4CrossRef

13.

Ferreira, A., Lenzini, G.: An analysis of social engineering principles in effective phishing. In: Workshop on Socio-Technical Aspects in Security and Trust (STAST) (2015)

14.

Fette, I., Sadeh, N., Tomasic, A.: Learning to detect phishing emails. In: World Wide Web Conference (WWW) (2007)

15.

Government, C.: Phishing: how many take the bait? https://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-en.aspx

16.

Gragg, D.: A Multi-Level Defense Against Social Engineering. SANS Institute - Information Security Reading Room (2003)

17.

van der Heijden, A., Allodi, L.: Cognitive triaging of phishing attacks. In: Usenix Security Symposium (2019)

18.

Ho, G., et al.: Detecting and characterizing lateral phishing at scale. In: 28th USENIX Security Symposium (USENIX Security 2019) (2019)

19.

Ho, G., Sharma, A., Javed, M., Paxson, V., Wagner, D.: Detecting credential spear phishing attacks in enterprise settings. In: Usenix Security Symposium (2017)

20.

Hodgekiss, R.: What our data told us about the best time to send email campaigns. https://www.campaignmonitor.com/blog/email-marketing/2019/01/best-time-to-send-email-campaigns-by-device/

21.

Hong, J.: The state of phishing attacks. Commun. ACM 55(1), 74–81 (2012)CrossRef

22.

Isacenkova, J., Thonnard, O., Costin, A., Francillon, A., Balzarotti, D.: Inside the scam jungle: a closer look at 419 scam email operations. EURASIP J. Inf. Secur. 2014, 1–8 (2014)CrossRef

23.

Kintis, P., et al.: Hiding in plain sight: a longitudinal study of combosquatting abuse. In: Conference on Computer and Communications Security (CCS) (2017)

24.

KnowBe4: Report: 2018 phishing by industry benchmarking report (2018). https://www.ciosummits.com/KnowBe4-Phishing-By-Industry-Benchmarking-Report.pdf

25.

Kumaraguru, P., et al.: School of phish: a real-world evaluation of anti-phishing training. In: Symposium on Usable Privacy and Security (SOUPS) (2009)

26.

Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L.F., Hong, J.: Teaching Johnny not to fall for phish. ACM Trans. Internet Technol. (TOIT) 10(2), 1–31 (2010)CrossRef

27.

Lin, E., Greenberg, S., Trotter, E., Ma, D., Aycock, J.: Does domain highlighting help people identify phishing sites? In: Conference on Human Factors in Computing Systems (CHI) (2011)

28.

Mailchimp: Insights from Mailchimp’s send time optimization system. https://mailchimp.com/resources/insights-from-mailchimps-send-time-optimization-system/

29.

Mao, J., Li, P., Li, K., Wei, T., Liang, Z.: BaitAlarm: detecting phishing sites using similarity in fundamental visual features. In: International Conference on Intelligent Networking and Collaborative Systems (INCoS) (2013)

30.

Nikiforakis, N., Balduzzi, M., Desmet, L., Piessens, F., Joosen, W.: Soundsquatting: uncovering the use of homophones in domain squatting. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 291–308. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_17CrossRef

31.

Oliveira, D., et al.: Dissecting spear phishing emails for older vs young adults: on the interplay of weapons of influence and life domains in predicting susceptibility to phishing. In: Conference on Human Factors in Computing Systems (CHI) (2017)

32.

Petelka, J., Zou, Y., Schaub, F.: Put your warning where your link is: improving and evaluating email phishing warnings. In: Conference on Human Factors in Computing Systems (CHI) (2019)

33.

Quinkert, F., Lauinger, T., Robertson, W., Kirda, E., Holz, T.: It’s not what it looks like: measuring attacks and defensive registrations of homograph domains. In: Conference on Communications and Network Security (CNS) (2019)

34.

Rajivan, P., Gonzalez, C.: Creative persuasion: a study on adversarial behaviors and strategies in phishing attacks. Front. Psychol. 9, 135 (2018)CrossRef

35.

Rosiello, A., Kirda, E., Kruegel, C., Ferrandi, F.: A layout-similarity-based approach for detecting phishing pages (2007)

36.

Stajano, F., Wilson, P.: Understanding scam victims: seven principles for systems security. Commun. ACM 54(3), 70–75 (2011)CrossRef

37.

Wash, R., Cooper, M.M.: Who provides phishing training? Facts, stories, and people like me. In: Conference on Human Factors in Computing Systems (CHI) (2018)

38.

Whittaker, C., Ryner, B., Nazif, M.: Large-scale automatic classification of phishing pages. In: Network and Distributed System Security Symposium (NDSS) (2010)

39.

Williams, E.J., Hinds, J., Joinson, A.N.: Exploring susceptibility to phishing in the workplace. Int. J. Hum. Comput. Stud. 120, 1–13 (2018)CrossRef

40.

Wright, R., Jensen, M., Thatcher, J., Dinger, M., Marett, K.: Research note–influence techniques in phishing attacks: an examination of vulnerability and resistance. Inf. Syst. Res. 25, 385–400 (2014)CrossRef

Titel: Spotlight on Phishing: A Longitudinal Study on Phishing Awareness Trainings
verfasst von: Florian Quinkert
Martin Degeling
Thorsten Holz
Verlag: Springer International Publishing
Buch: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-030-80824-2

Electronic ISBN: 978-3-030-80825-9

Copyright-Jahr: 2021
DOI: https://doi.org/10.1007/978-3-030-80825-9_17

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"