phishing attacks
Recently Published Documents


Total documents: 354 (five years: 170)

H-index: 27 (five years: 4)

2022, Vol 54 (8), pp. 1-35
Author(s): Giuseppe Desolda, Lauren S. Ferro, Andrea Marrella, Tiziana Catarci, Maria Francesca Costabile

Phishing is the fraudulent attempt to obtain sensitive information by disguising oneself as a trustworthy entity in digital communication. It is a type of cyber attack often successful because users are not aware of their vulnerabilities or are unable to understand the risks. This article presents a systematic literature review conducted to draw a “big picture” of the most important research works performed on human factors and phishing. The analysis of the retrieved publications, framed along the research questions addressed in the systematic literature review, helps in understanding how human factors should be considered to defend against phishing attacks. Future research directions are also highlighted.


2022
Author(s): Sotonye Kalio

Phishing is a form of social engineering attack that can be used to steal sensitive and vital information and details from unsuspecting entities, which could be either organizations or individuals. This paper gives a review of how phishing attacks are carried out, the protection techniques involved in defending against such attacks, and how to raise awareness about such attacks in Bournemouth University using the MINDSPACE framework. The protection techniques would be classified into three layers, namely: automated tools, training and knowledge, and multifactor authentication. The awareness would be raised using the MINDSPACE framework and it revealed that about 50% of the students approached were ignorant of the phishing attack and the tactics used to carry the attack out.


2022, Vol 6
Author(s): Matthew Canham, Clay Posey, Michael Constantino

To better understand employees’ reporting behaviors in relation to phishing emails, we gamified the phishing security awareness training process by creating and conducting a month-long “Phish Derby” competition at a large university in the U.S. The university’s Information Security Office challenged employees to prove they could detect phishing emails as part of the simulated phishing program currently in place. Employees volunteered to compete for prizes during this special event and were instructed to report suspicious emails as potential phishing attacks. Prior to the beginning of the competition, we collected demographics and data related to the concepts central to two theoretical foundations: the Big Five personality traits and goal orientation theory. We found several notable relationships between demographic variables and Phish Derby performance, which was operationalized from the number of phishing attacks reported and employee report speed. Several key findings emerged, including past performance on simulated phishing campaigns positively predicted Phish Derby performance; older participants performed better than their younger colleagues, but more educated participants performed poorer; and individuals who used a mix of PCs and Macs at work performed worse than those using a single platform. We also found that two of the Big Five personality dimensions, extraversion and agreeableness, were both associated with poorer performance in phishing detection and reporting. Likewise, individuals who were driven to perform well in the Phish Derby because they desired to learn from the experience (i.e., learning goal orientation) performed at a lower level than those driven by other goals. Interestingly, self-reported levels of computer skill and the perceived ability to detect phishing messages failed to exhibit a significant relationship with Phish Derby performance. 
We discuss these findings and describe how focusing on motivating the good in employee cyber behaviors is a necessary yet too often overlooked component in organizations whose training cyber cultures are rooted in employee click rates alone.


2022, Vol ahead-of-print (ahead-of-print)
Author(s): Sanchari Das, Christena Nippert-Eng, L. Jean Camp

Purpose: Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses risks to businesses, government agencies and all users due to sensitive data breaches and subsequent financial losses. To study the user side, this paper aims to conduct a literature review and user study.

Design/methodology/approach: To investigate phishing attacks, the authors provide a detailed overview of previous research on phishing techniques by conducting a systematic literature review of n = 367 peer-reviewed academic papers published in ACM Digital Library. Also, the authors report on an evaluation of a high school community. The authors engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research using signal detection theory (SDT).

Findings: Through the literature review, which goes back to as early as 2004, the authors found that only 13.9% of papers focused on user studies. In the user study, through scenario-based analysis, participants were tasked with distinguishing phishing e-mails from authentic e-mails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background.

Originality/value: The authors conducted a literature review with a focus on user study, which is a first in this field as far as the authors know. Additionally, the authors conducted a detailed user study with high school students and faculty using SDT, which is also an understudied area and population.


Author(s): María Fernanda Cazares, Diana Arévalo, Roberto O. Andrade, Walter Fuertes, Manuel Sánchez-Rubio

2021, Vol 11 (6), pp. 7944-7949
Author(s): A. Darem

Phishing attacks are increasingly exploited by cybercriminals; they become more sophisticated and evade detection even by advanced technical countermeasures. With cybercriminals resorting to more sophisticated phishing techniques, strategies, and different channels such as social networks, phishing is becoming a hard problem to solve. Therefore, the main objective for any anti-phishing solution is to minimize phishing success and its consequences through complementary means to advanced technical countermeasures. Specifically, phishing threats cannot be controlled by technical controls alone, thus it is imperative to complement cybersecurity programs with cybersecurity awareness programs to successfully fight against phishing attacks. This paper provides a review of the delivery methods of cybersecurity training programs used to enhance personnel security awareness and behavior in terms of phishing threats. Although there is a wide variety of educational intervention methods against phishing, the differences between the cybersecurity awareness delivery methods are not always clear. To this end, we present a review of the most common methods of workforce cybersecurity training methods in order for them to be able to protect themselves from phishing threats.


2021, Vol 96, pp. 107546
Author(s): Akashdeep Bhardwaj, Fadi Al-Turjman, Varun Sapra, Manoj Kumar, Thompson Stephan
Keyword(s): New Age

Author(s): Fatima Salahdine, Zakaria El Mrabet, Naima Kaabouch

Author(s): Bhuvana, Arundhathi S Bhat, Thirtha Shetty, Mr. Pradeep Naik

Nowadays the internet has become a very unsafe space to deal with. Hackers are constantly trying to gain the user's personal information and detailed credentials. So many websites on the internet, even though safe, this safety cannot be assured by all websites. These rule breakers avoid abiding by rules, and try to employ methods like trickery and hacking to gain illegal access to private information. To be able to overcome this problem, we need to first understand the intricacies of how the virus is designed. This paper mainly deals with the different phishing techniques and recent phishing attacks that took place during COVID-19, like Link Manipulation, Filter Evasion, Website Forgery, Phone Phishing and Website Forgery. We have also studied a subtle method to perform phishing attacks that makes links appear legitimate, but actually redirect a victim to an attacker's website, called Covert Redirect. In this paper, we present some phishing examples like PayPal phishing, which involves sending an email that fraudulently claims to be from a well-known company, and Rapidshare phishing, wherein, in the spoofed web page, phishers attempt to confuse their victims just enough to entice them to enter their login name and password. To perform these types of phishing, the phishers use so many phishing techniques like Link Manipulation, Filter Evasion, Website Forgery, Phone Phishing and Website Forgery. Phishing techniques include the domain of email messages. Phishing emails have hosted such a phishing website, where a click on the URL or the malware code as executing some actions to perform is socially engineered messages. Lexically analyzing the URLs can enhance the performance and help to differentiate between the original email and the phishing URL. As assessed in this study, in addition to textual analysis of phishing URL, email classification is successful and results in a highly precise anti-phishing.
From the thorough analysis of the research paper, we have understood how phishing attacks work and the different methods employed to carry out the attack. Also, we have studied some of the most recent phishing attacks and measures taken by the authorities to overcome and prevent any such attacks in future.

