Studying how online users react to attacks in of itself is not going to solve the phishing epidemic. Researchers suggest looking at digital fraudsters' adversarial behavior.

Phishing attacks remain a top tactic for targeting cyberattacks at business Watch Now

The proverb "Fool me once shame on you, fool me twice, shame on me" seems a bit harsh when it comes to phishing, a type of online fraud. Being tricked by a phishing email or online scam a second or even third time is not out of the question.

As to why, indications are that those involved in phishing are figuring out what offers the best chance of success, and, thanks to the internet, have access to more usable information than Robert Redford and Paul Newman had in The Sting.

SEE: IT leader's guide to cyberattack recovery (Tech Pro Research)

That said, there is something in play when it comes to all types of fraud: Human psychology. Marika Samarati, in the article The psychology behind phishing attacks, suggests phishing is the act of psychologically manipulating people into performing actions or divulging confidential information they normally would not.

"Phishing campaigns are all about human behavior and psychology," writes Samarati. "They require only limited technical skills. Their success depends on understanding human nature well enough to anticipate how people will behave and react to the bait."

Samarati offers the following examples of how online fraudsters maximize the success of their phishing emails.

Emails are sent when people are most vulnerable and stressed--for example, late in the afternoon, on Fridays, or at the end of the month.

C-level managers' email addresses are spoofed to make sure employees do not question the request.

Phishing campaigns employ fear tactics and request immediate responses.

A staggering increase in phishing attacks

There is an extensive amount of data on why we humans fall for online con games. There are also all sorts of user-training regimens and tools aimed at curbing phishing attacks, but they don't seem to be working.

According to the APWG, phishing has had a resurgence. There was a 250% increase in phishing attacks from 2015 to 2016, and during 2017 an average of 1.4 million unique phishing websites were created each month.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Studying adversarial behavior might be the answer

Two researchers working in Carnegie Mellon University's Department of Social and Decision Science decided to look beyond the reasons why users fall for online fraud attacks. "Psychological research on human adversarial behavior is necessary to uncover factors that determine how deception and phishing strategies originally manifest in phishing emails," explain Prashanth Rajivan and Cleotilde Gonzalez in their coauthored paper Creative Persuasion: A Study on Adversarial Behaviors and Strategies in Phishing Attacks. "Currently, there is a severe lack of work on the psychology of criminal behaviors in cybersecurity."

The two decided to change that, looking specifically at:

The importance of incentives;

How much of a role creativity plays; and

The effect of adversarial strategies on attack success.

To determine the importance of each item above, Rajivan and Gonzalez developed a two-part experiment consisting of these phases.

Adversarial phase: 105 participants were given the task of creating phishing emails that would evade detection and persuade end users to respond.

105 participants were given the task of creating phishing emails that would evade detection and persuade end users to respond. End-user phase: 304 participants were asked to examine and classify the phishing emails generated in the adversarial phase that were intermixed with benign emails.

The diagram in Figure A offers a visual of the two individual phases of the study.

Figure A

Image: Carnegie Mellon University, Prashanth Rajivan, Cleotilde Gonzalez





The results

After analyzing the data with regards to phishing effort and persuasion performance, Rajivan and Gonzalez came to the following conclusions.

Incentives: The amount of effort (based on the number of edits made per email) given to create a phishing attack was very much related to when the reward was obtained. The researchers found participants who received high rewards early on exerted more effort; Rajivan and Gonzalez concluded that delaying rewards might be one way to lessen phishing's impact.

Creativity: The researchers determined that participants with a high degree of creativity were more likely to spend more effort developing their phishing emails. "However, contrary to expectations from the cybersecurity criminal literature we did not find any evidence for creativity being a key predictor of phishing success," write the authors in the survey report. "Hence, we could theorize attackers with higher creativity could be capable of changing and adapting their emails to evade detection, but their creativity may not determine their success in persuading end users to respond to their emails."

Strategies: Perseverance in using a certain strategy appears to be a key to success. Rajivan and Gonzalez compiled the strategies most likely to be viewed and responded to immediately by end users, which include:

Send notifications;

Use an authoritative tone;

Pretend to be a friend;

Express shared interest; and

Communicate failure.

The researchers also identified the least successful strategies, which were:

Offering deals;

Selling illegal materials; and

Using an "obvious" positive tone.

SEE: Phishing schemes net hackers millions of dollars from Fortune 500 (ZDNet)

The researchers' conclusion

Interestingly, Rajivan and Gonzalez were able to show that creativity and receiving sufficient payback quickly are key to incentivizing individuals to defraud users online. They are optimistic that these insights and others presented in their paper can be used to improve training programs and current anti-phishing technology.

Cybersecurity Insider Newsletter Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays Sign up today

Also see