Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails

Authors

Marcus Butavicius, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Defence Science and Technology Group, Edinburgh, South AustraliaFollow
Kathryn Parsons, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Defence Science and Technology Group, Edinburgh, South AustraliaFollow
Malcolm Pattinson, Business School, University of Adelaide, Adelaide, South AustraliaFollow
Agata McCormac, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Defence Science and Technology Group, Edinburgh, South AustraliaFollow

Abstract

We examined the influence of three social engineering strategies on users’ judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.

Recommended Citation

Butavicius, Marcus; Parsons, Kathryn; Pattinson, Malcolm; and McCormac, Agata, "Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails" (2015). ACIS 2015 Proceedings. 98.
https://aisel.aisnet.org/acis2015/98