Researchers identify how phishing strategies may lead to success or failure

Phishing is a common social engineering attack that involves criminals impersonating a trustworthy third party to persuade people to visit fraudulent websites or download malicious attachments.

But not all phishing campaigns work. To begin to understand the psychology of criminals' behaviours in cybersecurity and how it can be used to prevent phishing attacks, Carnegie Mellon University's Prashanth Rajivan and Cleotilde Gonzalez identified how adversaries may be more successful when they exploit specific phishing strategies than when they use other less successful ones.

Published in Frontiers in Psychology, Rajivan and Gonzalez, present a new methodology to study the important but often ignored aspect of phishing: adversarial behaviour. In their experiment, participants played the role of phishing attackers and accumulated points over a number of turns for successfully deceiving other people who were acting as email recipients. The game was constructed to train and reward participants to produce phishing emails that used different tactics and email topics.

"We created a game-like experiment to assess how well different strategies work, and to understand how incentives and success rates, or an individual's personality, can affect criminal motivation," says Rajivan, the lead author and a post-doctoral research associate in the Dietrich College of Humanities and Social Sciences' Department of Social and Decision Sciences.

They found that when adversaries stuck to strategies such as communicating failure, using an authoritative tone, expressing a shared interest and sending notifications, they were more likely to succeed.

"It was particularly surprising to find that communicating failure - such as fake emails communicating failed password attempts - was one of the most successful phishing tactics which demonstrates how susceptible we may be when it comes to avoiding personal losses," Rajivan says.

Conversely, they found that strategies like offering deals, selling illegal materials and using a positive tone were less likely to succeed.

The results also showed that incentives had a direct influence on criminal motivation and that delayed rewards resulted in lesser efforts.

"We need to improve current security practices and determine policies that make it harder for attackers to obtain quick and large returns for their phishing efforts," Rajivan says.

They found no evidence suggesting that criminals' creative ability alone could be a good predictor whether a phishing campaign would work.

"Phishing attacks are on the rise, and attackers' strategies are becoming more sophisticated," said Gonzalez, research professor of social and decision sciences. "Multiple techniques are needed to combat these attacks, including end-user training and automated anti-phishing tools.

"However, we might be able to develop better tools if we are more informed regarding the psychology of criminal behavior. Our work begins to offer insights of how adversaries behave and how they most effectively deceive end-users."