Phishing can cause severe security breaches and its frequency and diversity has rapidly increased. Current countermeasures consist mostly of training users in identifying phishing emails by their appearance. However, we argue that in the long run the effect of such trainings will be limited because phishers rapidly evolve their email design and this makes phishing attacks unrecognizable. Still, phishing emails have a universal characteristic: They attempt to influence the users to perform certain behaviors using influencing strategies. Thus, we argue that training users in recognizing the influencing strategies used by technology helps them to defend themselves against (even very advanced, visually unrecognizable) phishing emails. In this study, we randomly assigned 151 participants to two groups (trained on influencing strategies vs. trained on the history of emails). Our learning material was a six-minute training video. After watching the video, participants were presented with a series of emails that contained influencing strategies. These emails were followed by questions about recognition of influencing strategies and the user’s behavioral intentions towards the email. Results provided no evidence that a participant’s intension of clicking on links was influenced by the influencing strategy training video. Importantly, results did show that participants who had watched the influencing strategy training video, correctly recognized more influencing strategies in emails. Also, participants who recognized the use of manipulation techniques in emails, intended to click on less links. These results open a new line of defense against persuasive technology: harnessing users by training them in influencing strategy recognition.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Training for Defense: The Influence of Knowledge About Influencing Strategies on Phishing Email Recognition Accuracy

  • Asal Hojjati,
  • Jaap Ham

摘要

Phishing can cause severe security breaches and its frequency and diversity has rapidly increased. Current countermeasures consist mostly of training users in identifying phishing emails by their appearance. However, we argue that in the long run the effect of such trainings will be limited because phishers rapidly evolve their email design and this makes phishing attacks unrecognizable. Still, phishing emails have a universal characteristic: They attempt to influence the users to perform certain behaviors using influencing strategies. Thus, we argue that training users in recognizing the influencing strategies used by technology helps them to defend themselves against (even very advanced, visually unrecognizable) phishing emails. In this study, we randomly assigned 151 participants to two groups (trained on influencing strategies vs. trained on the history of emails). Our learning material was a six-minute training video. After watching the video, participants were presented with a series of emails that contained influencing strategies. These emails were followed by questions about recognition of influencing strategies and the user’s behavioral intentions towards the email. Results provided no evidence that a participant’s intension of clicking on links was influenced by the influencing strategy training video. Importantly, results did show that participants who had watched the influencing strategy training video, correctly recognized more influencing strategies in emails. Also, participants who recognized the use of manipulation techniques in emails, intended to click on less links. These results open a new line of defense against persuasive technology: harnessing users by training them in influencing strategy recognition.