The Papers: Got Phished


In this episode

You’ve won a prize! Or have you? This week we look at recent developments in phishing research. Think: Do your personal values make you more phishable? And do phishers always run a profit?

Transcript

Hello and welcome to The Papers on Vulnerable By Design, the series in which we cover some of the latest and most interesting research on the things that make us vulnerable. I am Chris Onrust. In today’s episode: phishing.

What is phishing?

Important security alert, click here to review your details. You are eligible for a refund. I need your help urgently! Attention. For further details, click here. Please check the attached form to confirm your order.

This is just some phraseology that you might find in messages from your friends, acquaintances, organizations that you interact with. Or, less desirably, you are receiving phishing emails.

What exactly is phishing? Well, you probably guessed at this point that I’m not talking about the limbless, cold-blooded vertebrate animals that live in water.

What we’re talking about here is the practice of persuasion, manipulation or deception. When someone sends you an email pretending to be someone you know, or some organization you trust, in order to get you to open their email, click on dodgy links, open shonky attachments. Hoping that you will unwittingly reveal some personal information—password here, or account number there—with the result that your data gets stolen, and you’ll probably lose money.

Now, statistics about the prevalence of phishing vary hugely, depending on who you ask. But all sources align on the observation that it’s one of, or even the, most common forms of cybercrime. So one source suggested that in early 2020, nearly one in every 4000 emails sent was a phishing email. That is a lot.

I know, phishing, it’s not the most cheerful topic in the world, is it? But I think precisely for that reason, it’s relevant to know about. So that’s why at The Papers, we’re covering some up to date findings today.

Why is it called ph-ish?

Just before we start, you might be wondering: What’s up with all of this ph-spelling? Why call it ‘phish’? (I realize I failed miserably there in slipping in a different pronunciation for fishing and phishing.) Well, a fisherperson is, figuratively, fishing—with an ‘f’—for your information.

The ph-spelling is a historical legacy thing, dating from the 1990s. And it derives from the subculture of studying, exploring and manipulating telecommunication systems, especially public telephone networks, where the participants self-described as ‘phone phreaks’ (‘phreaks’ with ‘ph-’). So this ph-spelling in ‘phishing’ builds upon that established pattern.

Papers overview

Okay, well, which papers are we looking at today? When I was searching for some recent work, what I found was that there was an avalanche of studies on who gets phished and under what conditions. So I’ll start with giving you two recent papers on that topic.

Who is vulnerable to phishing? Well, the short answer is: We all are. Because we are humans. And humans are the targets for phishing. Or, at least, humans on the internet are.

But it turns out that some behaviors and attitudes make certain people especially vulnerable to getting phished. Or at least more vulnerable than others.

Paper 1: Phishing and personal values

The first paper that we’ll look at starts out from this observation. The title is ‘The Effects of Personal Values and Message Values on Vulnerability to Phishing’. And it’s written by Maayan Sayag, Maya Gross, Avner Caspi, Zohar Weinstein, and Shir Etgar. Supposedly, this paper came out in 2022. Which seems impossible? It’s here already, so I’m just going to tell you about it.

This paper starts out from some existing studies on the characteristics of people who are more likely to successfully get phished. Success being success for the phisher, not the person who has their data stolen.

The characteristics include: risk seeking; sensation seeking; the tendency to trust others, especially authority figures; or a trust in security symbols.

Surprisingly, to me, this list of characteristics of people who are more likely to get phished also includes: self-control, and conscientiousness. So if you want to do your job or your tasks well and thoroughly.

Now, with these two characteristics, I wonder: how does that even work? So you’re sitting there, white knuckles, you’re trying not to eat the marshmallow. And then you get phished? Sorry for the nerd culture references here. There was an experiment in the 1970s that seemed to suggest that children who managed to delay gratification and not immediately gobble down marshmallows when offered, did so much better in life in terms of health, education, and well-being. That study has been debunked. You do not need to worry about it. You may eat the marshmallow now.

But seriously, I find these two characteristics puzzling. Well, anyway. Against this background, what the authors of this study did was focus on a new dimension that hadn’t been studied before. Namely that of personal values. So how do the personal values that you have relate to phishability?

What is a value?

With a value what they have in mind here is a desirable, stable, broad goal, which guides or motivates your behavior, your perception and your judgment. So an example that they mention is the value of conformity, which might guide you to behave like other people do. You want to conform. Or the value of hedonism, which guides you to behave in a pleasure-seeking way.

Universalism and achievement

Well, what did the authors find here? What they state is that in particular two values correlate with phishability. But in contrasting ways. The first was the value that they label ‘universalism’, which is having an understanding, appreciation, tolerance, and protection for the welfare of all people, and for nature. So basically, when you value things that go beyond an immediate concern for yourself. People who score high on this value, universalism, get phished more.

The second value to correlate with phishability was achievement, which was described by the authors as: personal success through demonstrating competence according to social standards. So basically, wanting to improve things or the situation for yourself. Now, here the idea was that if you score low on the value of achievement, then you get phished more. People who score low on this get phished more.

Here’s the finding in a quote: “… participants who were high on universalism, or low on achievement, reported greater frequencies of experiencing actual phishing.”

Let me recap that. People who weren’t too concerned with their personal success and who did care about the welfare of all people, and about nature, were more likely to get phished. That makes me rather sad? The authors of this study don’t explain why or how this might be. Is it that if you care about people and about nature, you’re less likely to double check? I can’t tell you, because it’s not in the paper. But in any case, this is a connection that this study found.

Paper 2: Risks of stages of phishing

Paper number two. This picks up on one of the characteristics of phishability that was already in the list of established traits, namely risk-seeking behavior. But what the authors in this paper want to do is refine the point.

The title of their paper is ‘Phishing Happens Beyond Technology: The Effects of Human Behaviors and Demographics on Each Step of a Phishing Process’. This paper was by Hossein Abroshan, Jan Devos, Geert Poels and Eric Laermans. And this paper came out this year, in 2021.

And what the authors did here was to simulate a phishing attack with an email link to a malicious website. And then based on that, they’ve refined at what stage specifically of a phishing attack it actually goes wrong for people who are keen on risk. And the stages that they distinguish of the phishing process here were three.

Stage one was opening the email. Stage two was the clicking on (what turns out to be) a malicious link. And that would get you to a malicious website. And stage three was, once you’re on such a website, filling out your personal details. So whether you do that or not.

Now, what the authors found here was that it’s especially the second stage—so the stage of the link-clicking—which is particularly dangerous.

So they have a quote here: “We found that a high level of general risk-taking can increase the possibility,” I think they mean ‘probability’ here, “of clicking on a phishing link.” And here the authors do suggest why that might be. So they say: “[Scammers] can, for example, ask the recipient to click on a web link to win a prize. Some people’s high risk-taking attitudes or a desire to gamble mean that they will click on the link, which opens a phishing website. Some of them might then decide to enter sensitive information on the web page.”

Let’s pause here. Because I’m wondering about the gloss that the authors are giving here. It sounds quite okay for the stereotypical too-good-to-be-true prize email. But let’s face it: phishing practices are evolving. There is the so-called spear-phishing, which is getting more common. Where you’ve got an attack which is really tailored to a specific person, or to a small group, to trick them.

There’s also a development which will surprise exactly no one. Namely that over the past, what, 20 months? Has it really been that long? Phishery has gotten more into coronavirus-themed emails. Where you get an email which purports to be from the World Health Organization, and which pretends to give you information about the spread of the virus.

Now, if you get phished in this way, do we really want to attribute that to a desire to gamble?

Maybe? But I’d say, only insofar as clicking on any link on the internet, or opening any file, is always a bit of a risk or always a bit of a gamble. Okay, I mean: this is something to think about.

Relevance of the research

Now why, you might ask, are any of these studies relevant? Why is it relevant to know about who is, or who is not, more vulnerable to phishing? I mean, nobody wants to get phished, do they?

The authors of this second study, they make a bit of a big, grand gesture. So what they say is that this insight can help, and here’s a quote, “tackle the root causes of successful phishing attacks”.

I’m going to be slightly provocative here. Because personally, I’d say that the root cause of phishing is people sending out phishing messages to other people. The root cause of phishing lies with the perpetrators, or people profiting off phishing.

Perpetrators understudied

Now, as I said at the beginning, there’s an overwhelming focus in phishing science—yes, that’s a thing—on people who get phished and on the characteristics and the conditions under which people fall victim to phishing. There’s far less research on the perpetrators and the phishers. Why is that? Because everything’s already known about phishers? Well, no, I don’t think so. I mean, one paper even admits that the study of perpetrators of phishing is a neglected domain in the study of cybercrime.

Is it because victims are easier to study than criminals? Is it because potential victims of phishing can be sold anti-phishing software and training, at a good price? Shhht.

Paper 3: Business model of phishing

Let’s see if we can bring these perpetrators a bit more into the picture. And I found a paper here. It’s called ‘Phishing: An Economic Analysis of Cybercrime Perpetrators’. It is written by Brigitte Werners, Christian Konradt, and Andreas Schilling. This paper is a tad older, from 2016, but I think it’s suitable.

This paper gives an analysis, basically, of the business model of phishing as a cybercrime. What the authors note here is that there’s been a shift in the construction of phishing. In the past, what you might get is a lonely individual attacker, who might be motivated by money, but who might also see it as something of a personal or a technical challenge, to see if they can steal a person’s data.

Today, phishing has become professionalized. So what you’ll see far more, is attacks mainly motivated or focused on financial profit. Well-organized, well-established structures where you get multiple people involved. So for example: a programmer who develops a malicious website; a person who carries out the actual phishing attack, so the data theft; and then also further people doing the selling and other people buying stolen data.

Phishing often not profitable

Now, what the authors did was also a simulation study where they calculated the expected profit of a phishing attack. They would take into account different variables, such as the number of attacks carried out, the force of each attack, the force of the defense against the attack, the expected revenue per successful attack, the probability of getting caught, and also the penalty that an attacker might expect, were they to get caught.

What did they find? One point they found is that most phishing attacks are not profitable. In 89% of the attacks, there was no profit at all, but an expected result of zero, or a loss-making operation.

Another finding is that on average, a phishing attack actually returns a loss. The average (and they’re talking about mean here) expected result of a phishing attack is -$88,000, which is equivalent to a loss of around €80,000.

And these losses could actually go quite deep. The lowest possible value that they found as an expected result of a phishing attack was a loss of $154,000, which is equivalent to a loss of roughly €140,000.

Now, there could be highs, and highs, if they come, they can be quite high. The highest possible profit of a phishing attack, according to this study—which was reached very infrequently—was an expected $705,000, which is equivalent to around €640,000 potential profit.

I find this economic angle very helpful to understand phishing, because it demystifies. It helps understand phishing as involving people who have a criminal business to run. Businesses which can make other people’s lives very miserable.

Phishers are risk-seekers, too

And what the authors also say is that, based on their study, they’re able to get some insight into the perpetrators. So what they say is: if you’re operating within such a business, then a phisher must be a risk-seeker. There is a quote from the paper: “… a very risk averse person who is influenced by the highest potential loss of a distribution (…) and a risk neutral person who uses the expected value of a distribution as a criterion for decision making (…), should not execute a phishing attack. For these decision makers, it is economically unreasonable to carry out an attack with respect to their individual profit function. Only risk-seeking decision makers would execute such a phishing attack, because they are tempted by the possible high profit of an attack”.

Now it all starts hanging together! It’s not just those who get phished, who tend to be on the risk-taking side. That also holds for the perpetrators, too. So this whole business of phishing, it just thrives on one big tangle of risk.
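The simulation variables listed above and the three decision criteria in the quote (worst case, expected value, best case) can be put into a small model. This is an added illustration with constructed numbers, not the model or the figures from Werners, Konradt and Schilling; the form of the success probability is an assumption. It also shows which levers a defender controls: raising the defence force or the probability of getting caught pushes even the best case below zero.

```python
"""Toy outcome model of a phishing campaign (added illustration, constructed numbers)."""
from __future__ import annotations
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    attacks: int                 # number of attacks carried out
    attack_force: float          # 0..1, strength of the lure and infrastructure
    defense_force: float         # 0..1, strength of filters, takedowns, training
    revenue_per_success: float   # expected revenue per successful attack
    cost_per_attack: float       # cost of sending/hosting one attack
    p_caught: float              # probability of getting caught
    penalty: float               # penalty if caught


# Constructed campaign; none of these values come from the paper.
CAMPAIGN = Scenario(attacks=1000, attack_force=0.7, defense_force=0.2,
                    revenue_per_success=500.0, cost_per_attack=5.0,
                    p_caught=0.2, penalty=150_000.0)


def success_probability(s: Scenario) -> float:
    """Assumed form: attack force minus defence force, floored at zero, scaled by 0.1."""
    return max(0.0, s.attack_force - s.defense_force) * 0.1


def simulate_once(s: Scenario, rng: random.Random) -> float:
    """Profit of one campaign run: revenue from successes minus costs minus any penalty."""
    p = success_probability(s)
    successes = sum(1 for _ in range(s.attacks) if rng.random() < p)
    result = successes * s.revenue_per_success - s.attacks * s.cost_per_attack
    if rng.random() < s.p_caught:
        result -= s.penalty
    return result


def outcome_distribution(s: Scenario, runs: int = 2000, seed: int = 1) -> list[float]:
    rng = random.Random(seed)
    return [simulate_once(s, rng) for _ in range(runs)]


def decisions(outcomes: list[float]) -> dict:
    """Apply the three decision criteria quoted from the paper to the outcome distribution."""
    worst, expected, best = min(outcomes), mean(outcomes), max(outcomes)
    return {"worst": worst, "expected": expected, "best": best,
            "risk_averse": worst > 0,      # judges by the highest potential loss
            "risk_neutral": expected > 0,  # judges by the expected value
            "risk_seeking": best > 0}      # tempted by the possible high profit


if __name__ == "__main__":
    for name, sc in [("baseline", CAMPAIGN), ("hardened", replace(CAMPAIGN, defense_force=0.7))]:
        print(name, decisions(outcome_distribution(sc)))
```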

Strategies against phishing

OK, good. What might all of this mean for you? This is where we’re moving into the bonus time territory. If you’ve been bearing with me this far, you definitely deserve it.

So what can we do about these phisheries? I’m sad to say: the reality check is that getting rid of phishing might not be very straightforward. The authors of the article on ‘Phishing Beyond Technology’, they say: “Scams have existed since long before computers and the Internet, and they’re unlikely to disappear, as scammers adapt and find new ways of fooling us.” But I guess some pointers are better than nothing. So I’ll just collate a couple of points that are mentioned in these papers.

One strategy is really a strategy for developers. One thing that can be done is develop a technical solution, or multiple technical solutions, to filter out or block phishing email and to block outgoing malicious links. For example, people could here use machine learning to recognize suspicious patterns. And I’m actually quite sure that people are already developing this, and it’s also already being implemented.

Another strategy mentioned regularly is more on the plate of law enforcement or internet service providers, namely to get quicker and more proactive in taking down phishing websites.

Tricky thing. This is always bound to be a bit reactive, because you can only close them down after they’re already there. And after they get spotted. But yeah, it’s at least an effort in thwarting phishing operations.

A third strategy, which gets mentioned regularly, is: humans. Anti-phishing training programs. This is where they tell you things such as: Check that the email address or the sender is who you think it is. Check URLs, and whether they go where you expect them to go. So hover over the URL before you actually click on anything. Be cautious with opening attachments. And the question, of course, is: this is super sensible, but to what extent will any of this stick when you’re in a rush, when you’re tired, when you’re distracted, when you’re just really happy to hear from someone? Relevant, tricky.
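The “hover over the URL before you click” check can be automated for the common trick where the visible link text shows one domain and the href points to another. This is an added example, not from any of the papers; the email body and the domains in it are constructed, and the last-two-labels domain heuristic is a simplification (a real filter would use the Public Suffix List).

```python
"""Flag links whose visible text shows a different domain than the href (added example)."""
from __future__ import annotations
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed HTML email body; the domains are placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Important security alert. Please <a href="http://login.mybank-security.example/review">
click here</a> to review your details.</p>
<p>Or go to <a href="https://login.mybank-security.example/x">https://www.mybank.example/secure</a>.</p>
<p>Unsubscribe: <a href="https://www.mybank.example/unsubscribe">www.mybank.example/unsubscribe</a></p>
"""


def registrable_domain(host: str) -> str:
    """Crude heuristic: keep the last two labels of the hostname."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def link_domain(text: str) -> Optional[str]:
    """If the visible text reads like a URL or bare hostname, return its domain, else None."""
    if " " in text or "." not in text:
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return registrable_domain(host) if "." in host else None


def find_deceptive_links(html: str) -> list[dict]:
    """Return links where the domain shown to the reader differs from the real target."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = link_domain(text)
        actual = registrable_domain(urlparse(href).hostname or "")
        if shown is not None and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings
```

Plain “click here” anchors are not flagged, since they display no domain; they still need the human hover check, which is exactly the gap the training advice is meant to close.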

Now the authors of the study on the business model of phishing, they give a slightly different take on what might be done. What they say is that it’s actually more effective to intervene at the level of the market. So this is how they put it: “… countermeasures could aim at better control of the dark markets under connected forums to hamper the dealing of malicious software and selling of the stolen data, which could decrease the selling rate of stolen data.”

The idea here is if you just can’t sell phished data anymore, or if you can’t sell it as easily, for not so good a price, then the lower rewards might just not be worth the effort, even for the profit-seeking risk-takers out there. Will we get there? Question mark.

Now if I could urgently draw your attention to the important fact that you may have won a prize! I request that you click on this button and download the relevant form to process your payment and then … (Fade out)

Thanks to the authors of this week’s phishing papers. For more vulnerability research, talks and essays, stay tuned for fresh episodes from Vulnerable By Design, our parent programme. You can also sign up to our email newsletter, The Vulnerability Letter. Head to vulnerablebydesign.net for more information. I’m Chris Onrust. Thanks for listening and bye for now.
