Getting users to click: a content analysis of phishers’ tactics and techniques in mobile instant messaging phishing
Information and Computer Security
ISSN: 2056-4961
Article publication date: 31 January 2024
Issue publication date: 25 September 2024
Abstract
Purpose
This study aims to investigate how phishers apply persuasion principles and construct deceptive URLs in mobile instant messaging (MIM) phishing.
Design/methodology/approach
In total, 67 examples of real-world MIM phishing attacks were collected from various online sources. Each example was coded using established guidelines from the literature to identify the persuasion principles, and the URL construction techniques employed.
Findings
The principles of social proof, liking and authority were the most widely used in MIM phishing, followed by scarcity and reciprocity. Most phishing examples use three persuasion principles, often a combination of authority, liking and social proof. In contrast to email phishing but similar to vishing, the social proof principle was the most commonly used in MIM phishing. Phishers implement the social proof principle in different ways, most commonly by claiming that other users have already acted (e.g. crafting messages that indicate the sender has already benefited from the scam). In contrast to email, retail and fintech companies are the most commonly targeted in MIM phishing. Furthermore, phishers created deceptive URLs using multiple URL obfuscation techniques, often using spoofed domains, to make the URL complex by adding random characters and using homoglyphs.
Originality/value
The insights from this study provide a theoretical foundation for future research on the psychological aspects of phishing in MIM apps. The study provides recommendations that software developers should consider when developing automated anti-phishing solutions for MIM apps and proposes a set of MIM phishing awareness training tips.
Keywords
Acknowledgements
This work is part of a PhD research sponsored by the Petroleum Technology Development Fund (PTDF)-Nigeria. There were no conflicts of interest in this study.
Citation
Ahmad, R., Terzis, S. and Renaud, K. (2024), "Getting users to click: a content analysis of phishers’ tactics and techniques in mobile instant messaging phishing", Information and Computer Security, Vol. 32 No. 4, pp. 420-435. https://doi.org/10.1108/ICS-11-2023-0206
Publisher
:Emerald Publishing Limited
Copyright © 2024, Emerald Publishing Limited