Risk
8/14/2013
11:53 AM
Connect Directly
RSS
E-Mail
50%
50%

3 Signs You're Phishing Bait

Beware, introverts and overconfident people. Phishers love to fool you, email security researchers say.

"I am cautious about making too much of the gender difference because we also found that there were differences between computer science and psychology students in terms of phishing susceptibility," he said, noting that "most psychology students were female and most of the CS students were male." In other words, CS students in general, thanks to their computing expertise -- relative to the rest of society -- might be better at avoiding phishing attacks.

Going forward, the researchers plan to expand their research beyond the tested students -- who were all aged 18 and 27 -- to cover professionals in the workplace. They already conducted related studies of employees of an unnamed government agency, although have yet to analyze the results.

How might these findings be applied? Hong's academic profile notes that the goal of the phishing research project is to develop better "phishing susceptibility profiles and anti-phishing tools."

"Many of the anti-phishing tools that are currently available are not based on research with human users, so we think we can do better in developing an effective tool that can be personalized to meet the needs of individual users," said Mayhorn. Such a training tool might require users to respond to a short survey taking 15 minutes or less that gauges their phishing awareness. Another option might be a system along the lines of Amazon.com's artificial intelligence predictive buying algorithms, only tailored to assess what types of risky behaviors people might exhibit as they handle their email.

Either approach would allow a training tool to build a better profile of individual users and target any risky behavior. "If one person is susceptible due to trust-based issues, but another is susceptible due to attacks that cater to their personality traits, it would be useful to have systems that can address specific needs -- not 'one size fits all' systems ... that attempt to address everything, which may not be necessary," said Mayhorn.

Some information security experts, however, have argued that in general, attempting to train users in security is a waste of time. But given the quantity and severity of phishing attacks -- now a favored tool of today's advanced persistent threat (APT) attackers -- as well as the inability of security tools to block all phishing attacks, might not related training be a necessity?

Mayhorn argued that training and technological defenses must supplement each other. "Unfortunately, technological approaches will not always be responsive to new threats," he said. "Cyber-criminals will continue to come up with new ways to attack and security measures will always be reactive rather than proactive. As long as there is a human in the loop, there is always going to be the potential for security breaches so we need to use both approaches -- training and security approaches -- to combat efforts to exploit computer systems."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/21/2013 | 3:17:42 PM
re: 3 Signs You're Phishing Bait
David, the answer is yes. So far, they're planning follow-on studies with professionals, and have preliminary (though as yet unanalyzed) data from a government agency.
D. Henschen
50%
50%
D. Henschen,
User Rank: Apprentice
8/16/2013 | 2:59:20 PM
re: 3 Signs You're Phishing Bait
I have developed special methodologies for automatically detecting pfishing attempts and am launching a company that is sure to make millions of dollars as a cloud service. I have several investors lined up, but we need a bit more venture capital to complete development. An investment of just $10,000 will secure you a 51% stake in the company and a guaranteed profit stream of hundreds of thousands of dollars per year. If you would just respond with your name and social security number...
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
8/16/2013 | 1:31:56 PM
re: 3 Signs You're Phishing Bait
Do the researchers plan to do a follow up study with a broader pool of people?
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
8/14/2013 | 9:12:18 PM
re: 3 Signs You're Phishing Bait
I wonder how many man hours we all put in advising family members about phishes. I know some of them look quite convincing to my parents, who are not introverted or overconfident. Age surely factored into this study as well.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/14/2013 | 8:10:54 PM
re: 3 Signs You're Phishing Bait
I know an older woman who fell for a phishing scheme and got money taken from a bank account. I had wondered who fell for such things...

A nice lady and more, I think, naive than overconfident. This was several years ago, and I'd say the phishing attempts I've received have gotten MUCH more sophisticated since then. (Her identity also was stolen for a Twitter account recently, but that's another story.)

Jim Donahue
Managing Editor
InformationWeek
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.