Abstract: Fraudsters constantly adapt their phishing scam designs by increasing the sophistication of the urgency and trust cues used to deceive users. Drawing on the social engineering and social psychology literature, this paper uses deductive thematic analysis to examine how phishing scam designs employ urgency and trust cues. The complete anatomy of a sample of 51 distinct email scams was analysed, including the from, to, date, subject, content, link and attachment components, using a major South African bank's archived records of phishing attacks from 2011 to 2013. The analysis suggests that urgency cues were almost always present to prime cognitive biases and lure users into compliance, while, surprisingly, important trust cues were less often present. The study proposes that users can reduce their risk of being lured into compliance by assessing the weaknesses in phishing designs that attempt to mimic important trust cues. Technology-based email text filtering countermeasures may be more effective if they apply the proposed critical trust and urgency attribute filtering detection approach.
Keywords: banking; filtering; phishing scams; psychology of compliance; social engineering; trust cues; urgency cues
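The abstract proposes filtering email text on critical urgency and trust attributes across the from, to, date, subject, content, link and attachment components. The following is an added illustration of what such a filter can look like; it is not the paper's method or data. The urgency patterns, the brand-to-domain table, the scoring weights and threshold, and both sample messages are constructed assumptions for this example. The trust side deliberately scores weaknesses in the mimicry (sender domain not matching the claimed brand, Reply-To diverging from From, link text showing one domain while the href points to another, unencrypted links, a generic salutation, an unexpected attachment), which is the angle the study suggests users and filters should examine.

```python
"""Scoring an e-mail for urgency cues and weak trust cues (added illustration).

The cue patterns, the brand-to-domain table, the weights and both sample
messages are constructed for this example; they are not the paper's coded
themes or its archived data.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed urgency-cue patterns (assumption): phrases that press for
# immediate compliance or threaten loss of access.
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b",
    r"\bimmediately\b",
    r"\bwithin\s+\d+\s+(hours?|days?)\b",
    r"\bsuspend(ed|sion)?\b",
    r"\b(locked|restricted|deactivated)\b",
    r"\bfailure to\b",
    r"\bexpir(e|es|ed|ation)\b",
    r"\bact now\b",
    r"\bverify your (account|details|identity)\b",
]

# Constructed brand table (assumption): domains a claimed brand really sends from.
TRUSTED_SENDER_DOMAINS = {
    "examplebank": {"examplebank.example", "mail.examplebank.example"},
}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
GENERIC_SALUTATION_RE = re.compile(r"\bdear\s+(valued\s+)?(customer|client|user|member)\b", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; crude, but enough for the samples here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def urgency_cues(text: str) -> list:
    """Distinct urgency patterns found in subject plus visible body text."""
    return [p for p in URGENCY_PATTERNS if re.search(p, text, re.I)]


def trust_weaknesses(msg, html: str) -> list:
    """Places where the message fails to mimic a trustworthy sender convincingly."""
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    # A brand is claimed (display name or body) but the sending domain is not one of its own.
    for brand, domains in TRUSTED_SENDER_DOMAINS.items():
        if brand in f"{from_name} {html}".lower() and from_domain not in domains:
            findings.append(f"claims '{brand}' but sent from '{from_domain}'")
    # Replies are routed to a different domain than the one the mail claims to come from.
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_addr}")
    # Link anchor text shows one host while the href points somewhere else, or is plain http.
    for href, anchor in LINK_RE.findall(html):
        parsed = urlparse(href)
        if parsed.scheme == "http":
            findings.append(f"unencrypted link: {href}")
        shown = HOST_IN_TEXT_RE.search(anchor)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(parsed.hostname or ""):
            findings.append(f"link text shows {shown.group(1)} but points to {parsed.hostname}")
    if GENERIC_SALUTATION_RE.search(html):
        findings.append("generic salutation instead of the customer's name")
    if any(True for _ in msg.iter_attachments()):
        findings.append("unexpected attachment")
    return findings


def analyse(raw: str) -> dict:
    """Parse a raw RFC 5322 message and score its urgency and trust attributes."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    visible = re.sub(r"<[^>]+>", " ", html)      # strip tags before matching phrases
    urgency = urgency_cues(f"{msg.get('Subject', '')} {visible}")
    trust = trust_weaknesses(msg, html)
    score = len(urgency) + 2 * len(trust)         # constructed weights (assumption)
    return {"urgency_cues": urgency, "trust_weaknesses": trust,
            "score": score, "flagged": score >= 3}  # constructed threshold (assumption)


# Constructed sample messages (assumptions), one phishing lure and one routine notice.
PHISH_SAMPLE = """\
From: "ExampleBank Security" <alerts@examplebank-secure.example>
Reply-To: recovery@mailbox-verify.example
To: customer@example.com
Date: Mon, 04 Mar 2013 09:12:00 +0200
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Unusual activity was detected. Failure to verify your account immediately
will result in suspension.</p>
<p><a href="http://examplebank.example.verify-login.example/secure">https://www.examplebank.example/login</a></p>
</body></html>
"""

LEGIT_SAMPLE = """\
From: "ExampleBank" <statements@mail.examplebank.example>
To: customer@example.com
Date: Mon, 04 Mar 2013 09:12:00 +0200
Subject: Your March statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Ms Dlamini,</p>
<p>Your statement for February is available. Log in at
<a href="https://www.examplebank.example/statements">www.examplebank.example</a> when convenient.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse(raw))
```

Running the block scores the constructed lure on six urgency patterns and five trust weaknesses and leaves the routine notice unflagged. In a production filter the brand-to-domain table would come from SPF/DKIM-aligned sender data rather than a hard-coded dict, and the weights would be fitted on a labelled corpus such as the archive the paper analyses.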
1. Introduction
Phishing is a type of fraud in which criminals impersonate a trustworthy third party to lure users into revealing sensitive information, such as personal, financial or password data, to fraudulent or 'spoofed' web sites (Jagatic et al., 2005). For example, fraudsters send an email instructing a user to click on a link to a convincing fake copy of a bank's web site. If the user provides their sensitive information, the fraudsters can use it to steal their money or commit other crimes related to identity theft.
E-mail phishing attacks continue to grow steadily, with at least one in 319 e-mails being identified as a form of attack (Symantec Corporation, 2014). Moreover, up to 20% of users are deceived by these malicious information requests (Norton Report, 2013). These attacks cost organizations more than $3 billion annually (Gartner, 2007). South Africa ranks among the most targeted countries, accounting for 5% of the global volume of phishing attacks, which cost the country approximately $320 million (Van Vuuren, 2014). Another major concern is the inability of users - as many as 50 to 90% - to recognize phishing (Rachna, Tygar and Hearst,...