Search results

1 – 10 of 569
Article
Publication date: 12 November 2018

Rika Butler and Martin Butler

Abstract

Purpose

Phishing attacks exploit social vulnerabilities and remain a global concern. Financial institutions often use their websites as part of their online awareness and education efforts. This paper aims to explore the effectiveness of phishing-related information made available by financial institutions to raise awareness and educate customers.

Design/methodology/approach

In this mixed methods research, a survey of online consumers was first performed and analysed. Second, the information available on the websites of major financial institutions was analysed. Using the construct of information quality (IQ), content analysis was performed to determine whether the phishing-related information meets the IQ criteria.

Findings

The survey confirmed that consumers are indeed targeted by phishers. It established that they turn to their financial institutions, more often than any other source, for anti-phishing information. When analysing the IQ of phishing-related information, significant deficiencies, as well as different levels of performance between the financial institutions, emerged. In general, the worst performing IQ criteria were information being current and fit for purpose.

Research limitations/implications

As the research is conducted within South Africa, the results cannot be generalised. The ethical clearance did not allow for identification of the different financial institutions and thus comparing consumers’ perceptions with the observed IQ from the content analysis to determine correlation.

Practical implications

Protecting consumers against phishing attacks remains critical, and this paper confirms that users turn to their financial institutions for information. Yet, the phishing-related information made available on the websites of financial institutions has severe deficiencies. Practitioners should use IQ to determine the appropriateness of phishing-related information and focus on improving customer awareness and education.

Originality/value

Researchers often highlight the importance of awareness and education programmes in protecting consumers, but rarely investigate if consumers access publicly available information and express an opinion on the quality of this information. Although the results should not be generalised, the recommendations, if necessary through similar analysis, have an impact beyond the geographical constraints of the study.

Details

Information & Computer Security, vol. 26 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 8 July 2014

Swapan Purkait, Sadhan Kumar De and Damodar Suar

Abstract

Purpose

The aim of this study is to report on the results of an empirical investigation of the various factors which have significant impacts on the Internet user’s ability to correctly identify a phishing website.

Design/methodology/approach

The research participants were Internet users who have had at least some experience of financial transactions over the Internet. This study conducted quantitative research with the help of a structured survey questionnaire along with three experimental tasks. A total of 621 valid samples were collected and the multiple regression analysis technique was used to deduce the answers to the research question.

Findings

The results show that the model is useful and has explanatory power. The adjusted R² was computed as 0.927, which means that 92.7 per cent of the variations in the Internet user’s ability to identify a phishing website can be explained by the predictors selected for the model.

Research limitations/implications

Future research should account for the Internet user’s general security practices and behaviour, attitude towards online financial activity, risk-taking ability or risk behaviour and their potential effects on Internet users' ability to identify a phishing website.

Practical implications

The implications of this study provide the foundation for future research on the areas that intend to explain the Internet user’s necessity to take protection or avoid risky behaviour while performing financial transaction over the Internet.

Originality/value

This study provides the body of knowledge with an empirical analysis of impact of various factors on an Internet user’s ability to identify phishing websites. The results of this study can help practitioners create a more successful research model and help researchers better understand user behaviour on the Internet.

Details

Information Management & Computer Security, vol. 22 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 2 October 2018

Alain Tambe Ebot

Abstract

Purpose

Phishing remains a major cybersecurity problem. Mainly adopting variance approaches, researchers have suggested several recommendations to help users avoid being victimized in phishing attacks. However, the evidence suggests that anti-phishing recommendations are not very effective. The purpose of this paper is threefold: first, to analyze why the existing anti-phishing recommendations may not be very effective; second, to propose stage theorizing as an additional approach for studying phishing that can contribute toward more effective recommendations; and third, to demonstrate using a stage theory, how IS researchers can utilize the concept of stages in phishing research.

Design/methodology/approach

The study draws on findings from previous empirical phishing research to assess whether the reasons why people are victimized in phishing attacks can be categorized into stages. The criteria for stages of the Transtheoretical Model (TTM) are used as an example.

Findings

Analysis indicates support for the existence of stages of phishing victims. The criteria for stages of the TTM were applied to the reasons that subjects in previous studies gave for clicking on phishing links and to the anti-phishing recommendations proposed in previous studies. There was overall support for four of the five criteria of the TTM. The results from the current study indicate that a targeted approach is a better approach to proposing anti-phishing recommendations.

Practical implications

The analysis identified the stages of phishing victims and the processes of change for each stage. It is suggested that recommendations against phishing should target individuals based on their resident stages. Moreover, the processes of change should be applied to the correct stage for the recommendations to be effective.

Originality/value

From a phishing perspective, there is a lack of research based on stage theorizing. The current study presents stage theorizing as an additional approach to the existing approaches and demonstrates how a stage theory can be used to make more effective recommendations against phishing. The study has thrown light on the benefits of stage theorizing and how its approach to targeted recommendations can be useful in IS security research.

Details

Information Technology & People, vol. 32 no. 4
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 8 October 2018

Alain Tambe Ebot

Abstract

Purpose

This paper aims to review the behavioral phishing literature to understand why anti-phishing recommendations are not very effective and to propose ways of making the recommendations more effective. The paper also examines how the concept of stages from health communication and psychology can be used to make recommendations against phishing more effective.

Design/methodology/approach

This literature review study focused on the behavioral phishing literature that has relied on human subjects. Studies were excluded for reasons that included lacking practical recommendations and human subjects.

Findings

The study finds that phishing research does not consider where victims are residing in qualitatively different stages. Consequently, the recommendations do not often match the specific needs of different victims. This study proposes a prototype for developing stage theories of phishing victims and identifies three stages of phishing victims from analyzing the previous phishing research.

Research limitations/implications

This study relied on published research on phishing victims. Future research can overcome this problem by interviewing phishing victims. Further, the authors’ recommendation that phishing researchers categorize phishing victims into stages and develop targeted messages is not based on direct empirical evidence. Nonetheless, evidence from cancer research and health psychology suggests that targeted messaging is efficacious and cost-effective. Thus, the impact of targeted messaging in phishing could be quite large.

Practical implications

The study recommends categorizing individuals into stages, based on their security knowledge and online behaviors, and other similar characteristics they may possess. A stage approach will consider that individuals who at one time clicked on a phishing link because they lacked the requisite security knowledge, after receiving security training, may click on a link because they are overconfident.

Originality/value

The paper explains why proposing anti-phishing recommendations, based on a “one-size fits all” approach has not been very effective (e.g. because it simplifies why people engage in different behaviors). The proposals introduce a new approach to designing and deploying anti-phishing recommendations based on the concept of stages.

Details

Information & Computer Security, vol. 26 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 31 August 2022

Yi Yong Lee, Chin Lay Gan and Tze Wei Liew

Abstract

Purpose

The purpose of this paper is to understand the influence of exposure to motivated offenders who may alter the vulnerability levels to phishing victimization. This is particularly focused on explaining the influences of individuals’ online lifestyles and attitudes toward information sharing online on phishing susceptibility.

Design/methodology/approach

This conceptual paper explores the risk of phishing victimization using criminological theories. The authors draw on empirical evidence from existing cybercrime literature and revisit routine activities theory (RAT) and lifestyle RAT (LRAT) to elucidate the risk of phishing victimization. This paper proposes that cyber-RAT, which was developed from RAT and LRAT, could interpret phishing victimization. Grounded on the intervention-based theory against cybercrime phishing, this study suggests that an attitude toward precautionary behavior (information sharing online) is essential to mitigate the phishing victimization risk.

Findings

This paper aims to provide a clear insight into the understanding of phishing victimization risk using theoretical and empirical evidence.

Originality/value

The theoretical perspective outlined provides the understanding of the impacts of online routine activities on a phishing attack which in turn will increase the awareness of phishing threats. The important role of the precautionary countermeasure, that is, attitudes toward information sharing online is highlighted to reconcile the phishing victimization risk.

Details

The Journal of Adult Protection, vol. 24 no. 3/4
Type: Research Article
ISSN: 1466-8203

Open Access
Article
Publication date: 14 July 2021

Molly Cooper, Yair Levy, Ling Wang and Laurie Dringus

Abstract

Purpose

This study introduces the concept of audiovisual alerts and warnings as a way to reduce phishing susceptibility on mobile devices.

Design/methodology/approach

This study has three phases. The first phase included 32 subject matter experts that provided feedback toward a phishing alert and warning system. The second phase included development and a pilot study to validate a phishing alert and warning system prototype. The third phase included delivery of the Phishing Alert and Warning System (PAWS™ mobile app) to 205 participants. This study designed, developed, as well as empirically tested the PAWS™ mobile app that alerted and warned participants to the signs of phishing in emails on mobile devices.

Findings

The results of this study indicated audio alerts and visual warnings potentially lower phishing susceptibility in emails. Audiovisual warnings appeared to assist study participants in noticing phishing emails more easily and in less time than without audiovisual warnings.

Practical implications

This study's implications to mitigation of phishing emails are key, as it appears that alerts and warnings added to email applications may play a significant role in the reduction of phishing susceptibility.

Originality/value

This study extends the existing information security body of knowledge on phishing prevention and awareness by using audiovisual alerts and warnings to email recipients tested in real-life applications.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 1 no. 1
Type: Research Article
ISSN: 2635-0270

Article
Publication date: 31 January 2024

Rufai Ahmad, Sotirios Terzis and Karen Renaud

Abstract

Purpose

This study aims to investigate how phishers apply persuasion principles and construct deceptive URLs in mobile instant messaging (MIM) phishing.

Design/methodology/approach

In total, 67 examples of real-world MIM phishing attacks were collected from various online sources. Each example was coded using established guidelines from the literature to identify the persuasion principles, and the URL construction techniques employed.

Findings

The principles of social proof, liking and authority were the most widely used in MIM phishing, followed by scarcity and reciprocity. Most phishing examples use three persuasion principles, often a combination of authority, liking and social proof. In contrast to email phishing but similar to vishing, the social proof principle was the most commonly used in MIM phishing. Phishers implement the social proof principle in different ways, most commonly by claiming that other users have already acted (e.g. crafting messages that indicate the sender has already benefited from the scam). In contrast to email, retail and fintech companies are the most commonly targeted in MIM phishing. Furthermore, phishers created deceptive URLs using multiple URL obfuscation techniques, often using spoofed domains, to make the URL complex by adding random characters and using homoglyphs.

Originality/value

The insights from this study provide a theoretical foundation for future research on the psychological aspects of phishing in MIM apps. The study provides recommendations that software developers should consider when developing automated anti-phishing solutions for MIM apps and proposes a set of MIM phishing awareness training tips.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 4 June 2020

Moruf Akin Adebowale, Khin T. Lwin and M. A. Hossain

Abstract

Purpose

Phishing attacks have evolved in recent years due to high-tech-enabled economic growth worldwide. The rise in all types of fraud loss in 2019 has been attributed to the increase in deception scams and impersonation, as well as to sophisticated online attacks such as phishing. The global impact of phishing attacks will continue to intensify, and thus, a more efficient phishing detection method is required to protect online user activities. To address this need, this study focussed on the design and development of a deep learning-based phishing detection solution that leveraged the universal resource locator and website content such as images, text and frames.

Design/methodology/approach

Deep learning techniques are efficient for natural language and image classification. In this study, the convolutional neural network (CNN) and the long short-term memory (LSTM) algorithm were used to build a hybrid classification model named the intelligent phishing detection system (IPDS). To build the proposed model, the CNN and LSTM classifier were trained by using 1m universal resource locators and over 10,000 images. Then, the sensitivity of the proposed model was determined by considering various factors such as the type of feature, number of misclassifications and split issues.

Findings

An extensive experimental analysis was conducted to evaluate and compare the effectiveness of the IPDS in detecting phishing web pages and phishing attacks when applied to large data sets. The results showed that the model achieved an accuracy rate of 93.28% and an average detection time of 25 s.

Originality/value

The hybrid approach using deep learning algorithm of both the CNN and LSTM methods was used in this research work. On the one hand, the combination of both CNN and LSTM was used to resolve the problem of a large data set and higher classifier prediction performance. Hence, combining the two methods leads to a better result with less training time for LSTM and CNN architecture, while using the image, frame and text features as a hybrid for our model detection. The hybrid features and IPDS classifier for phishing detection were the novelty of this study to the best of the authors' knowledge.

Details

Journal of Enterprise Information Management, vol. 36 no. 3
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 5 January 2022

Sanchari Das, Christena Nippert-Eng and L. Jean Camp

Abstract

Purpose

Phishing is a well-known cybersecurity attack that has rapidly increased in recent years. It poses risks to businesses, government agencies and all users due to sensitive data breaches and subsequent financial losses. To study the user side, this paper aims to conduct a literature review and user study.

Design/methodology/approach

To investigate phishing attacks, the authors provide a detailed overview of previous research on phishing techniques by conducting a systematic literature review of n = 367 peer-reviewed academic papers published in ACM Digital Library. Also, the authors report on an evaluation of a high school community. The authors engaged 57 high school students and faculty members (12 high school students, 45 staff members) as participants in research using signal detection theory (SDT).

Findings

Through the literature review which goes back to as early as 2004, the authors found that only 13.9% of papers focused on user studies. In the user study, through scenario-based analysis, participants were tasked with distinguishing phishing e-mails from authentic e-mails. The results revealed an overconfidence bias in self-detection from the participants, regardless of their technical background.

Originality/value

The authors conducted a literature review with a focus on user study which is a first in this field as far as the authors know. Additionally, the authors conducted a detailed user study with high school students and faculty using SDT which is also an understudied area and population.

Article
Publication date: 12 June 2023

Pintu Shah and Anuja Agarwal

Abstract

Purpose

The frequency and sophistication of cybercrimes are increasing. These cybercrimes are impacting government and private organizations as well as individuals. One of the countermeasures is to improve the cyber hygiene of the end-users. Serious games or game-based learning has emerged as a promising approach for implementing security education, training and awareness program. In this paper, the researchers propose a tabletop card game called Cyber Suraksha to increase threat awareness and motivate users to adopt recommended security controls for smartphone users. Cyber Suraksha provides an active learning environment for the players. This paper aims to provide the details of the design and evaluation of the game using a between-subjects design.

Design/methodology/approach

The researchers have used constructive learning theory and the Fogg behaviour model (FBM) to design a tabletop card game called Cyber Suraksha. The researchers evaluated the game using a between-subjects design. The participants' responses in the control and intervention groups were collected using the risk behaviour diagnosis scale. Pearson’s Chi-Square test with a 5% significance level was used to test the hypotheses.

Findings

The results indicate that the game is enjoyable and fun. Cyber Suraksha game effectively motivates users to adopt the recommended security control for the targeted behaviour. The results indicate that the participants in the intervention group are 2.65 times more likely to adopt recommended behaviour. The findings of this study provide evidence for the effectiveness of hope and fear appeals in improving cybersecurity awareness.

Research limitations/implications

The generalizability of the study is limited because the sample size is small compared to the total number of smartphone users in India, and only students from computer/IT UG programs in India are used as participants in this study.

Practical implications

This study uses hope and a fear appeal to design an effective serious game. It also demonstrates using the FBM and constructive learning principles for effective serious game design. Cyber Suraksha is effective for the student group and may be tested with other age groups.

Originality/value

To the researchers' knowledge, there are no serious games for cybersecurity awareness focusing on the threats faced by smartphone users based on FBM and constructive learning theory. This research used hope along with a fear appeal to motivate smartphone users to adopt recommended security controls.

Details

Information & Computer Security, vol. 31 no. 5
Type: Research Article
ISSN: 2056-4961
