Decision strategies and susceptibility to phishing

Authors:
Julie S. Downs;Mandy B. Holbrook;Lorrie Faith Cranor
Affiliations:
Carnegie Mellon University, Pittsburgh, PA;Carnegie Mellon University, Pittsburgh, PA;Carnegie Mellon University, Pittsburgh, PA
Venue:
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Year:
2006

Citing 7
Cited 37

Users' conceptions of web security: a comparative study

CHI '02 Extended Abstracts on Human Factors in Computing Systems
Trusted paths for browsers

ACM Transactions on Information and System Security (TISSEC)
The battle against phishing: Dynamic Security Skins

SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Human Problem Solving

Human Problem Solving
Why phishing works

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Do security toolbars actually prevent phishing attacks?

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Social phishing

Communications of the ACM

Protecting people from phishing: the design and evaluation of an embedded training email system

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Security user studies: methodologies and best practices

CHI '07 Extended Abstracts on Human Factors in Computing Systems
Cantina: a content-based approach to detecting phishing web sites

Proceedings of the 16th international conference on World Wide Web
Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish

Proceedings of the 3rd symposium on Usable privacy and security
Behavioral response to phishing risk

Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
Getting users to pay attention to anti-phishing education: evaluation of retention and transfer

Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
Understanding web credibility: a synthesis of the research literature

Foundations and Trends in Human-Computer Interaction
Itrustpage: a user-assisted anti-phishing tool

Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Measuring trust in wi-fi hotspots

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Sesame: informing user security decisions with system visualization

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
You've been warned: an empirical study of the effectiveness of web browser phishing warnings

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
A framework for reasoning about the human in the loop

UPSEC'08 Proceedings of the 1st Conference on Usability, Psychology, and Security
Analyzing websites for user-visible security design flaws

Proceedings of the 4th symposium on Usable privacy and security
Exploring User Reactions to New Browser Cues for Extended Validation Certificates

ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Threat Modelling in User Performed Authentication

ICICS '08 Proceedings of the 10th International Conference on Information and Communications Security
Trust modelling for online transactions: a phishing scenario

Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services
Security and usability: the gap in real-world online banking

NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
Visual e-mail authentication and identification services: An investigation of the effects on e-mail use

Decision Support Systems
Browser interfaces and extended validation SSL certificates: an empirical study

Proceedings of the 2009 ACM workshop on Cloud computing security
Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Investigating an appropriate design for personal firewalls

CHI '10 Extended Abstracts on Human Factors in Computing Systems
BogusBiter: A transparent protection against phishing attacks

ACM Transactions on Internet Technology (TOIT)
What instills trust? a qualitative study of phishing

FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
It's too complicated, so i turned it off!: expectations, perceptions, and misconceptions of personal firewalls

Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
F for fake: four studies on how we fall for phish

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model

Decision Support Systems
An efficient phishing webpage detector

Expert Systems with Applications: An International Journal
Improving computer security dialogs

INTERACT'11 Proceedings of the 13th IFIP TC 13 international conference on Human-computer interaction - Volume Part IV
The state of phishing attacks

Communications of the ACM
The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived

Journal of Management Information Systems
A brick wall, a locked door, and a bandit: a physical security metaphor for firewall warnings

Proceedings of the Seventh Symposium on Usable Privacy and Security
Operating system framed in case of mistaken identity: measuring the success of web-based spoofing attacks on OS password-entry dialogs

Proceedings of the 2012 ACM conference on Computer and communications security
OTO: online trust oracle for user-centric trust establishment

Proceedings of the 2012 ACM conference on Computer and communications security
Measuring SSL indicators on mobile browsers: extended life, or end of the road?

ISC'12 Proceedings of the 15th international conference on Information Security
Understanding the weaknesses of human-protocol interaction

FC'12 Proceedings of the 16th international conference on Financial Cryptography and Data Security
A game design framework for avoiding phishing attacks

Computers in Human Behavior
PhishSafe: leveraging modern JavaScript API's for transparent and robust protection

Proceedings of the 4th ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.02

Visualization

Abstract

Phishing emails are semantic attacks that con people into divulging sensitive information using techniques to make the user believe that information is being requested by a legitimate source. In order to develop tools that will be effective in combating these schemes, we first must know how and why people fall for them. This study reports preliminary analysis of interviews with 20 non-expert computer users to reveal their strategies and understand their decisions when encountering possibly suspicious emails. One of the reasons that people may be vulnerable to phishing schemes is that awareness of the risks is not linked to perceived vulnerability or to useful strategies in identifying phishing emails. Rather, our data suggest that people can manage the risks that they are most familiar with, but don't appear to extrapolate to be wary of unfamiliar risks. We explore several strategies that people use, with varying degrees of success, in evaluating emails and in making sense of warnings offered by browsers attempting to help users navigate the web.