Phishing Attacks get Personal

Monday, January 26, 2015 @ 04:01 PM gHale


There is evidence the incredible spread of email phishing scams may be due to phishers’ increased use of “information-rich” emails that alter recipients’ cognitive processes and tricks them into becoming victims.

“Information-rich” emails include graphics, logos and other brand markers that communicate authenticity, said Arun Vishwanath, professor of communication at the University at Buffalo, and co-author of a study entitled “Examining the impact of presence on individual phishing victimization.”

RELATED STORIES
Zero Day Abused in Sony Hack: Report
Sony: Risk Management in Real Time
Talk to Me: Elevating Security Awareness
Defending ICS Against Dragonfly Attacks

“In addition, the text is carefully framed to sound personal, arrest attention and invoke fear,” Vishwanath said. “It often will include a deadline for response for which the recipient must use a link to a spoof ‘response’ website. Such sites, set up by the phisher, can install spyware that data mines the victim’s computer for usernames, passwords, address books and credit card information.

“We found that these information-rich lures are successful because they are able to provoke in the victim a feeling of social presence, which is the sense that they are corresponding with a real person,” Vishwanath said.

“‘Presence’ makes a message feel more personal, reduces distrust and also provokes heuristic processing, marked by less care in evaluating and responding to it,” he said. “In these circumstances, we found that if the message asks for personal information, people are more likely to hand it over, often very quickly.

“In this study, such an information-rich phishing message triggered a victimization rate of 68 percent among participants. These are significant findings that indicate the importance of developing anti-phishing interventions that educate individuals about the threat posed by richness and presence cues in emails,” he said.

The study involved 125 undergraduate university students — a group often targeted by phishers — who received an experimental phishing email from a Gmail account prepared for use in the study. The message used a reply-to address and sender’s address, both of which included the name of the university.

The email ended up written to emphasize urgency and invoke fear. It said there was an error in the recipients’ student email account settings that required them to use an enclosed link to access their account settings and resolve the problem. They had to do so within a short time period, otherwise they would no longer have access to the account, the email said. In a real phishing expedition, the enclosed link would take them to an outside account/phishing site that would collect the respondent’s personal information.

Vishwanath said 49 participants replied to the phishing request immediately and another 36 replied after a reminder. The respondents then completed a five-point scale that measured their use of systemic (critical thinking) and heuristic information processing in deciding what to do with the email. When a few other variables factored in, the phishing attack had an overall success rate of 68 percent.

“With email becoming the dominant way of communicating worldwide, the phishing trend is expected to increase as technology becomes more advanced and phishers find new ways to appeal to their victims,” Vishwanath said.

“While these criminals may not be easily stopped, understanding what makes us more susceptible to these attacks is a vital advancement in protecting Internet users worldwide.”



Leave a Reply

You must be logged in to post a comment.