Research article. DOI: 10.1145/3025453.3025831

Dissecting Spear Phishing Emails for Older vs Young Adults: On the Interplay of Weapons of Influence and Life Domains in Predicting Susceptibility to Phishing

Published: 02 May 2017

ABSTRACT

Spear phishing emails are key in many cyber attacks. Successful emails employ psychological weapons of influence and relevant life domains. This paper investigates spear phishing susceptibility as a function of Internet user age (old vs young), weapon of influence, and life domain. A 21-day study was conducted with 158 participants (younger and older Internet users). Data collection took place at the participants' homes to increase ecological validity. Our results show that older women were the most vulnerable group to phishing attacks. While younger adults were most susceptible to scarcity, older adults were most susceptible to reciprocation. Further, there was a discrepancy, particularly among older users, between self-reported susceptibility awareness and their behavior during the intervention. Our results show the need for demographic personalization for warnings, training and educational tools in targeting the specifics of the older adult population.


Published in

CHI '17: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems
May 2017
7138 pages
ISBN: 9781450346559
DOI: 10.1145/3025453

Copyright © 2017 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CHI '17 Paper Acceptance Rate: 600 of 2,400 submissions, 25%
Overall Acceptance Rate: 6,199 of 26,314 submissions, 24%
