Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails

Marcus Butavicius, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Defence Science and Technology Group, Edinburgh, South Australia
Kathryn Parsons, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Defence Science and Technology Group, Edinburgh, South Australia
Malcolm Pattinson, Business School, University of Adelaide, Adelaide, South Australia
Agata McCormac, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Defence Science and Technology Group, Edinburgh, South Australia

Abstract

We examined the influence of three social engineering strategies on users’ judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.