Thursday 25 April 2019

Persuasion: How phishing emails can influence users and bypass security measures

an article by Ana Ferreira and Soraia Teles (University of Porto, Portugal) published in International Journal of Human-Computer Studies Volume 125 (May 2019)

Highlights

  • Phishing email subject lines contain high and diverse persuasive power in just a few words.
  • The paper builds on the well-known and foundational work of Cialdini (2007), Gragg (2003) and Stajano and Wilson (2011) to derive a unique list of Principles of Persuasion in social engineering, resulting from the application of the relational method by two independent researchers.
  • The study of the relations between existing persuasion principles was applied to the content analysis, by two independent researchers, of a random sample of phishing email subject lines (N = 194), dated from 2008 to 2017. A thematic content analysis and a sample characterization in terms of visual elements and targeted content revealed that the most prominent persuasion principles were ‘Authority’, ‘Strong Affect’, ‘Integrity’ and ‘Reciprocation’. The persuasion principle ‘Strong Affect’ was the one containing the larger percentage of references with the presence of visual elements. The use of the pronouns ‘you’ and ‘your’ was more evident for the categories ‘Strong Affect’ and ‘Authority’, while the employment of the pronouns ‘we, us, our’ was more expressive in the ‘Reciprocation’ principle.
  • This paper presents a method as a step toward defining a tool for automated identification of principles of human persuasion in social engineering, within phishing emails. Future solutions should focus on the use of socio-technical aspects related mainly to a small number of persuasion principles (‘Authority’ and ‘Distraction – Strong Affect’), which seem to be the most commonly used in phishing emails.

Abstract

Phishing is a very dangerous form of social engineering that aims to deceive people into disclosing private/confidential information.

Despite widespread warnings and means to educate users to identify phishing messages, these are still a prevalent practice and a lucrative business.

The authors believe that persuasion, as a style of human communication designed to influence others, has a central role in successful digital scams. Research on persuasion applied to phishing emails is scarce and tends to build on Cialdini's work alone.

Only a single study has proposed a list of merged principles from three different perspectives, but it has methodological limitations: the analysis was performed by a single researcher, and the principles were tested on a small, non-validated sample of phishing emails. This paper aims to fill those gaps by building on Cialdini's, Gragg's and Stajano & Wilson's works to derive a unique list of Principles of Persuasion in Social Engineering (PPSE), resulting from the application of the relational method by two independent researchers.

The PPSE are identified by two independent researchers (Kappa > 0.789) on a sample of phishing email subject lines (N = 194), dated from 2008 to 2017 and randomly selected from a reliable phishing archive (millersmiles.co.uk).

A thematic content analysis, together with the sample characterization in terms of visual elements and targeted content, revealed that the most prominent principles of persuasion in phishing emails were ‘Authority’, ‘Strong Affect’, ‘Integrity’ and ‘Reciprocation’. The larger percentage of references with the presence of visual elements was found for the ‘Strong Affect’ principle. The use of the pronouns ‘you’ and ‘your’ was more evident for the categories ‘Strong Affect’ and ‘Authority’, while the employment of the pronouns ‘we, us, our’ was more frequent in the ‘Reciprocation’ principle.

This paper constitutes a step further in understanding the use of principles of persuasion in phishing emails with future applications on how their recognition can be automated.
