Unveiling Behavioral Phishing: A Study on Attack Strategies and User Decision-Making
摘要
Email-based phishing is a constantly evolving threat affecting organizations worldwide. Understanding the behavior of attackers and victims is crucial to addressing it effectively. Cybercriminals exploit cognitive vulnerabilities using various techniques to increase the success of phishing attacks. Although the scientific community is progressively focusing on human factors rather than just technical aspects, comprehensive analyses that consider user backgrounds and diverse phishing strategies are still scarce. This gap in research has motivated this study. This research analyzes phishing from a new perspective, focusing on attack strategies, psychological vectors, and user behavior. We conducted an analysis of users’ ability to classify emails as legitimate or malicious through a web application that presents each user with 10 properly crafted emails, collecting data about their background and personality. The analysis revealed significant findings on the ability of the general study population to detect phishing attempts and highlighted substantial differences in behavior between user groups. It also shed light on the attributes of the most dangerous phishing emails, including visual elements and content. For example, it shows that short phishing emails are more effective at appearing legitimate, which is also the case for emails that incorporate both links and attachments. Furthermore, emails expressing commitment, stability or authority are the most effective in deceiving users when considered individually, but those that use a combination of appreciation for the recipient and a helpful tone are even more effective. These findings can inform the development of more effective technological solutions and customized cybersecurity training programs.