Combining Authentication, Reputation and Classification to Make Phishing Unprofitable

Herzberg, Amir

doi:10.1007/978-3-642-01244-0_2

Cited by 6 publications

(1 citation statement)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Also, several studies have been done on the human interaction with phishing/spam emails and social networks [39,43,53]. There is also much research on detection of phishing attacks and also on authentication mechanisms or protection from phishing [17,33], which are not directly relevant to our work. We organize previous works into three categories based on different variables that we studied in this work:…”

Section: Related Workmentioning

confidence: 99%

Scam Augmentation and Customization: Identifying Vulnerable Users and Arming Defenders

Baki

Verma

Gnawali

2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Why do "classical" attacks such as phishing, IRS scams, etc., still succeed? How do attackers increase their chances of success? How do people reason about scams and frauds they face daily? More research is needed on these questions, which is the focus of this paper. We take a well-known attack, viz. company representative fraud, and study several parameters that bear on its effectiveness with a between-subjects study. We also study the effectiveness of a coherent language generation technique in producing phishing emails. We give ample room for the participants to demonstrate their reasoning and strategies. Unfortunately, our experiment indicates that participants are inadequately prepared for dealing with even the company representative fraud. Participants also could not differentiate between offers written by human or generated semi-automatically. Moreover, our results show attackers can easily increase their success rate by adding some basic information about the sender, so defenders should focus more on such attacks. We also observed that participants who paid attention to more clues were better in distinguishing legitimate messages from phishing, hence training regimes should check for reasoning strategies, not just who did not click on a link or download an attachment. Thus, insights from our work can help defenders in developing better strategies to evaluate their defenses and also in devising more effective training strategies. CCS CONCEPTS • Security and privacy → Phishing; Usability in security and privacy; • Human-centered computing → User studies.

show abstract

Section: Related Workmentioning

confidence: 99%