Personalized persuasion: Quantifying susceptibility to information exploitation in spear-phishing attacks. (April 2023)
- Record Type:
- Journal Article
- Title:
- Personalized persuasion: Quantifying susceptibility to information exploitation in spear-phishing attacks. (April 2023)
- Main Title:
- Personalized persuasion: Quantifying susceptibility to information exploitation in spear-phishing attacks
- Authors:
- Xu, Tianhao; Singh, Kuldeep; Rajivan, Prashanth
- Abstract:
- Many cyberattacks begin with a malicious email message, known as spear phishing, targeted at unsuspecting victims. Although security technologies have improved significantly in recent years, spear phishing continues to be successful due to the bespoke nature of such attacks. Crafting such emails requires attackers to conduct careful research about their victims and collect personal information about them and their acquaintances. Despite the widespread nature of spear-phishing attacks, little is understood about the human factors behind them. This is particularly the case when considering the role of attack personalization on end-user vulnerability. To study spear-phishing attacks in the laboratory, we developed a simulation environment called SpearSim that simulates the tasks involved in the generation and reception of spear-phishing messages. Using SpearSim, we conducted a laboratory experiment with human subjects to study the effect of information availability and information exploitation on end-user vulnerability. The results of the experiment show that end-users in the high information-availability condition were 2.97 times more vulnerable to spear-phishing attacks than those in the low information-availability condition. We found that access to more personal information about targets can result in attacks involving contextually meaningful impersonation and narratives. We discuss the implications of this research for the design of anti-phishing training solutions.
- Highlights:
- Designed a synthetic simulation environment to simulate spear phishing. Understood cognitive processes from both the adversarial and end-user perspectives. Found that end-users were more vulnerable to spear-phishing attacks as more information was exposed to attackers. Revealed that attackers tended to create narratives and impersonation contextually when accessing more information about their targets.
- Is Part Of:
- Applied ergonomics. Volume 108(2023)
- Journal:
- Applied ergonomics
- Issue:
- Volume 108(2023)
- Issue Display:
- Volume 108, Issue 2023 (2023)
- Year:
- 2023
- Volume:
- 108
- Issue:
- 2023
- Issue Sort Value:
- 2023-0108-2023-0000
- Page Start:
- Page End:
- Publication Date:
- 2023-04
- Subjects:
- Spear phishing -- Security awareness -- Cyber security -- Deceptive strategies -- Social engineering attacks
- Human engineering -- Periodicals
- 620.82
- Journal URLs:
- http://www.sciencedirect.com/science/journal/00036870
- http://www.elsevier.com/journals
- DOI:
- 10.1016/j.apergo.2022.103908
- Languages:
- English
- ISSNs:
- 0003-6870
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 1572.500000
- British Library DSC - BLDSS-3PM
- British Library HMNTS - ELD Digital store
- Ingest File:
- 25980.xml