Original Research ARTICLE
Creative Persuasion: A study on adversarial behaviors and strategies in phishing attacks
- 1Social and Decision Sciences, Carnegie Mellon University, United States
Success of phishing attacks depend on effective exploitation of human weaknesses. This research explores a largely ignored, but crucial aspect of phishing: the adversarial behavior. We aim at understanding human behaviors and strategies that adversaries use, and how these may determine the end-user response to phishing emails. We accomplish this through a novel experiment paradigm involving two phases. In the adversarial phase, 105 participants played the role of a phishing adversary who were incentivized to produce multiple phishing emails that would evade detection and persuade end-users to respond. In the end-user phase, 340 participants performed an email management task, where they examined and classified phishing emails generated by participants in phase-one along with benign emails. Participants in the adversary role, self-reported the strategies they employed in each email they created, and responded to a test of individual creativity. Data from both phases of the study was combined and analyzed, to measure the effect of adversarial behaviors on end-user response to phishing emails. We found that participants who persistently used specific attack strategies (e.g., sending notifications, use of authoritative tone, or expressing shared interest) in all their attempts were overall more successful, compared to others who explored different strategies in each attempt. We also found that strategies largely determined whether an end-user was more likely to respond to an email immediately, or delete it. Individual creativity was not a reliable predictor of adversarial performance, but it was a predictor of an adversary's ability to evade detection. In summary, the phishing example provided initially, the strategies used, and the participants' persistence with some of the strategies led to higher performance in persuading end-users to respond to phishing emails. These insights may be used to inform tools and training procedures to detect phishing strategies in emails.
Keywords: phishing, Adversarial behavior, phishing strategy, deception, creativity, persuasion
Received: 23 Oct 2017;
Accepted: 29 Jan 2018.
Edited by:Stefan Sütterlin, Østfold University College, Norway
Reviewed by:Evie Michailidis, University of Surrey, United Kingdom
Marta Walentynowicz, University of Southern California, United States
Copyright: © 2018 Rajivan and Gonzalez. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
* Correspondence: Dr. Prashanth Rajivan, Carnegie Mellon University, Social and Decision Sciences, 4609 Winthrop St, Pittsburgh, 15213, PA, United States, firstname.lastname@example.org