Why Do Some People Fall for Phishing Scams and What Do I Do About it?


Published on

Why do certain users fall for phishing attacks? What's going on? Are they on auto-pilot, not fully engaged in their online activities? Are they lacking critical thinking abilities? The short answer is no, they are in fact fully aware of what they are doing and reading but lack the experience to know they are being scammed. There are also several personality traits that contribute to their increased likelihood of victimization.

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Why am I interested in this topic? Critical thinking and technology, more school, speaking about this at the U last week
  • Southern Methodist University; security awareness campaign, image works for drugs, alcohol, daterape, cheating
  • Technical side and a user side.Phishing and malware have a similar delivery system.
  • Delivery is similar to phishing
  • We are the #2 most phished industry
  • The onion was hacked on twitter by the syrian electronic army
  • How the onion was hacked
  • Cognitive bias, pretty commonPeople are not good at estimating their vulnerability to internet attack.Neuroticism causes people to be more upset at when being lied to and prefer to believe people are more truthfulIntroversion – prefer online communication
  • The SSC was printed on official university letterhead with the title disclaimer “Do Not Disclose This Code.”SSC was used to access grades, quizzes, professor/ta email info: SSC is important and private.Giving it out would affect grades and violate the student conduct code. A nondisclosure agreement was signed.
  • Week 6: a real, unplanned phishing attack with IT warning students, written up in student paper.
  • No links, no company logo.The goal: don’t respond to this, report it to Campus IT
  • Started with 446147 subjects were excluded: Dropped classDidn’t receive the email/couldn’t find itDidn’t take the post instruction testDidn’t complete all items on final survey
  • The responses
  • 4 page educause article on a study done at West Point: average sat score in the top 25%Center of Academic Excellence in Information Assurance Education (IT Security)No discussion on ongoing IT security training
  • Sent to 512 cadetsLink returned a 404 error but might have had more results if presented w a login screen.
  • There was no mention of an actual phishing attempt near this test.
  • From both studies
  • Disposition to trustPerceived risk Did not matter
  • Users were engaging in their online activities and thinking critically about them.
  • My mom used to respond to spam asking them to stop emailing her. I have a instructor led power point training on phishing, malware and spam and plan to do a captivate video. Will be on the wiki
  • Why Do Some People Fall for Phishing Scams and What Do I Do About it?

    1. 1. Why Do Some People Fall for Phishing Scams and What Do I Do About it? Contact me via Slideshare.
    2. 2. This is from a really good ad campaign on security awareness from Southern Methodist University.
    3. 3. Phishing Scamming method used to elicit information from uninformed computer users through impersonation of trusted sources; respelling of fishing used to evade scans and filters by mainstream servers policing the internet.
    4. 4. Malware Any code, program, script, software or any instructions interpreted as attacking a computer operating system. Malware includes spyware, trojans, viruses denial of service/DoS attacks.
    5. 5. Malware and Phishing have a similar delivery method: 1.Threats 2.Company Logo or Name 3.Links 4.+/- misspelled words and typos
    6. 6. Why do some people seem to fall for phishing? Are users: • On autopilot? • Not engaged or passive in their online activities? • Cowed by perceived authority? • Lacking critical thinking abilities? • Other?
    7. 7. Subject: Faculty / Staff / Student Mail Warning Notification ! Mail account compromised, Confirm and verify your account by clicking Mailbox Verification . IMPORTANT NOTICE: Current Mailbox Quota- size:95.6% You will not be able to send and receive email messages at 98.8% quota size. Admin Help-desk © Copyright 2013 This is an example we get sent to the Campus Help Desk about once a month:
    8. 8. And according to Educause we are the #2 most phished industry:
    9. 9. Early in 2013 the Syrian Electronic Army successfully phished several news media Twitter accounts. One of them was the Onion (which took some time to discover because their tweets are already strange).
    10. 10. The Onion was the only hacked account that later released information on exactly how it happened. Their staff were sent this email multiple times over the course of a week. Eventually a staff member clicked the link and entered the requested information (if a user clicks the link they are most likely going to continue on entering what is asked if given no warning from their browser or mail client).
    11. 11. Emotional Triggers Exploited by Phishing There are certain personality types that are the most susceptible: • Greed • Fear • Heroism • Desire to be Liked • Authority
    12. 12. Greed Date: Mon, 5 Jan 2004 09:30:13 From: chika_williams@tiscali.co.uk To: gullible@yahoo.com Subject: URGENT RE: URGENT REQUEST FOR YOUR UNALLOYED CO-OPERATION TO TRANSFER (US$20.4 MILLION U.S. DOLLARS ONLY) INTO YOUR PRIVATE OR COMPANY’S ACCOUNT
    13. 13. Fear/Authority
    14. 14. Heroism/Desire to be Liked
    15. 15. There are certain victim personality traits when combined with a cognitive bias that can result in a user who will fall for phishing attacks. Remember that each of these traits are completely normal in small amounts. • Neuroticism: causes people to be more upset when being lied to and prefer to believe people are more truthful. • Impulsivity: read, decide and click as fast as possible. • Introversion: prefer online communication.
    16. 16. Cognitive Bias We are bad at detecting deception in others but good at detecting honesty. We tend to overestimate our abilities and underestimate risk. We believe what we want to believe (cognitive dissonance).
    17. 17. Research Study #1: Unnamed University An 8 week study was done on 446 undergrads in an Intro to Information Systems course. They were given aSuper Secret Code (SSC) and told to never give it out to anyone. The SSC was printed on official university letterhead with the title disclaimer “Do Not Disclose This Code.” It was used to access grades, quizzes, professor/ta email info communicating that the SSC is important and private. Giving it out would affect grades and violate the student conduct code. A nondisclosure agreement was signed.
    18. 18. For 8 Weeks of the class they were instructed on internet security, phishing, hacking, etc., all lectures began with reminder displayed on PowerPoint: ‘DO NOT GIVE OUT YOUR SSC’. Week 6: The unexpected, but not really. A real, unplanned phishing attack occurred with IT warning students. It was written up in the student paper.
    19. 19. Week 8 they were emailed the following message. Notice that there is no link or logo present. From: Jason Roth Database Administrator This e-mail is to inform you of a problem we are having with the information technology database. Due to a data collision we have lost some information and are unable to recover it. In order to get the database back up and working we need you to forward us your “super-secure code.” Please respond to this e-mail with your code. Sorry for the inconvenience.
    20. 20. Out of 299 [final] participants*: •57% ignored (170) •32% replied with SSC (97) •9% alerted IT (26) •1% responded with a question/comment (4) •<1% responded with incorrect info (2) *147 students were excluded because they dropped class, didn’t receive the email/couldn’t find it, didn’t take the post instruction test, didn’t complete all items on final survey.
    21. 21. • here is my SSC xxxxxx. I hope that the database will get fixed very soon. Best of luck to you on fixing the database. • My Network ID is xxxxx, My Student Number is xxxxx, my super secure Code is xxxxx, my home number is xxxxx. • I think this is my code: xxxx, but I’m not sure. you can call my mom at xxx- xxxx if this isn’t it as she will have it for you. • I was told to never give out my super secrete (sic) code. . . . So how do I know this isn’t a scam? • I’m sorry to hear about your problems, but I will not be able to assist you.
    22. 22. What happened?!
    23. 23. Research Study #2: West Point 2004 A random sampling of 512 cadets were phished. West Point is unique in that the students have an average SAT score in the top 25%. The school was the first to be certified by the Center of Academic Excellence in Information Assurance Education (NSA), have a Security Emergency Response Team and security awareness training at the beginning of each semester.
    24. 24. (note: the article mainly focused on the intelligence of the cadets and the issues that would arise from betraying their trust with this study) There was no discussion on ongoing IT security training. The following email was sent to the cadets with a link, replying email address and physical location of the sender. When the link was clicked on it returned a 404 error so there is no data on how many entered in their personal information.
    25. 25. The name is not found in the global address book, Washington Hall does not have a 7th floor and the building is used by all cadets on a regular basis. This is all information that is easily independently verified. Out of 512 cadets, 80% clicked the link (~400).
    26. 26. Reasons ‘The email looked suspicious but it was from an Army colonel so I figured it must be legitimate.’ ‘Any e-mail that contains the word ‘grade’ in it gets my immediate attention and action!’
    27. 27. What happened?!
    28. 28. Data Analysis Experience Factors: • Lack of Computer self confidence • Lack of Web experience • Lack of Security policy knowledge Personality Factors • Victim personality traits (neurotic, impulsive, introverted) Phishing and Social Engineering works better on naive and vulnerable users.
    29. 29. What Made the Difference? • Reinforced and Ongoing Trainings • Security Awareness • Communication from IT on Actual Phishing Attacks
    30. 30. Back to the original questions. Are users: On autopilot? no Not engaged or passive in their online activities? no Cowed by perceived authority? A bit Lacking critical thinking abilities? No Other? yes :Of the personality type that phishing exploits? yes!
    31. 31. They are engaging in these emails critically but do not have the experience, security knowledge and confidence to correctly asses the threat.
    32. 32. Be aware of potential victim users: • Oversharing on Facebook (content and quality) • New to the web • Victim Personality Traits
    33. 33. Talk about it: (think of a personal story that relates): my mom once told me she replies to spam asking them to take her off their mailing list. Yes I told her to stop doing that and why.
    34. 34. Educate Users: Training on the Difference Between Phishing, Malware and Spam.
    35. 35. Questions??
    36. 36. Recommended Articles The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived Journal of management information systems [0742-1222] Wright, Ryan yr:2010 vol:27 iss:1 pg:273 -303 An Investigation of Heuristics of Human Judgment in Detecting Deception and Potential Implications in Countering Social Engineering 2007 IEEE Intelligence and Security Informatics Tiantian Qi, Tiantian yr:2007 pg:152 -159 Fostering E-Mail Security Awareness: The West Point Carronade EDUCAUSE quarterly [1528-5324] Ferguson, Aaron yr:2005 vol:28 iss:1 pg:54 -57 The State of Phishing Attacks Communications of the ACM [0001-0782] Hong, Jason yr:2012 vol:55 iss:1 pg:74 -81 Phishing, Personality Traits and Facebook Halevi, Tzipora yr:2013 Telling Lies: Clues to Deceit in the Marketplace, Politics, and Marriage Paul Ekman; c1985 New York : Norton