Persuasion: How phishing emails can influence users and bypass security measures. Issue 125 (May 2019)
- Record Type:
- Journal Article
- Title:
- Persuasion: How phishing emails can influence users and bypass security measures. Issue 125 (May 2019)
- Main Title:
- Persuasion: How phishing emails can influence users and bypass security measures
- Authors:
- Ferreira, Ana
Teles, Soraia
- Abstract:
- Highlights: Phishing email subject lines contain high and diverse persuasive power in just a few words. The paper builds on the well-known and foundational work of Cialdini's (2007), Gragg's (2003) and Stajano and Wilson (2011) to derive a unique list of Principles of Persuasion in social engineering, resulting from the application of the relational method by two independent researchers. The study of the relations between existing persuasion principles was applied to the content analysis, by two independent researchers, of a random sample of phishing email subject lines (N = 194), dated from 2008 to 2017. A thematic content analysis and a sample characterization in terms of visual elements and targeted content revealed that the most prominent persuasion principles were 'Authority', 'Strong Affect', 'Integrity' and 'Reciprocation'. The persuasion principle 'Strong Affect' was the one containing the larger percentage of references with the presence of visual elements. The use of the pronouns 'you' and 'your' was more evident for the categories 'Strong Affect' and 'Authority', while the employment of the pronouns 'we, us, our' was more expressive in the 'Reciprocation' principle. This paper presents a method on the way to define a tool for automated identification of principles of human persuasion in social engineering, within phishing emails. Future solutions should focus on the use of socio-technical aspects related mainly to a small number of persuasion principles ('Authority' and 'Distraction – Strong Affect'), which seem to be the most commonly used in phishing emails.
Abstract: Phishing is a very dangerous form of social engineering with the aim to deceive people into disclosing private/confidential information. Despite widespread warnings and means to educate users to identify phishing messages, these are still a prevalent practice and a lucrative business. The authors believe that persuasion, as a style of human communication designed to influence others, has a central role in successful digital scams. Research on persuasion applied to phishing emails is scarce and tends to build on Cialdini's work alone. Only a single study has proposed a list of merged principles from three different perspectives, but it has methodological limitations regarding the analysis' performance by a single researcher and the testing of principles in a small, not validated sample of phishing emails. This paper aims to fill those gaps by building on Cialdini's, Gragg's and Stajano & Wilson's works to derive a unique list of Principles of Persuasion in Social Engineering (PPSE), resulting from the application of the relational method by two independent researchers. The PPSE are identified, by two independent researchers (Kappa > 0.789), on a sample of phishing email subject lines (N = 194), dated from 2008 to 2017 and randomly selected from a reliable phishing archive (millersmiles.co.uk). A thematic content analysis, together with the sample characterization in terms of visual elements and targeted content, revealed that the most prominent principles of persuasion in phishing emails were 'Authority', 'Strong Affect', 'Integrity' and 'Reciprocation'. The larger percentage of references with the presence of visual elements was found for the 'Strong Affect' principle. The use of the pronouns 'you' and 'your' was more evident for the categories 'Strong Affect' and 'Authority', while the employment of the pronouns 'we, us, our' was more frequent in the 'Reciprocation' principle. This paper constitutes a step further in understanding the use of principles of persuasion in phishing emails with future applications on how their recognition can be automated.
- Is Part Of:
- International journal of human-computer studies. Issue 125 (2019)
- Journal:
- International journal of human-computer studies
- Issue:
- Issue 125 (2019)
- Issue Display:
- Volume 125, Issue 125 (2019)
- Year:
- 2019
- Volume:
- 125
- Issue:
- 125
- Issue Sort Value:
- 2019-0125-0125-0000
- Page Start:
- 19
- Page End:
- 31
- Publication Date:
- 2019-05
- Subjects:
- Principles of persuasion -- Social engineering -- Phishing emails -- Human computer interaction -- Computer security and human behaviour
Human-machine systems -- Periodicals
Systems engineering -- Periodicals
Human engineering -- Periodicals
Human engineering
Human-machine systems
Systems engineering
Periodicals
Electronic journals
004.019
- Journal URLs:
- http://www.sciencedirect.com/science/journal/10715819
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.ijhcs.2018.12.004
- Languages:
- English
- ISSNs:
- 1071-5819
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4542.288100
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 11925.xml