Authors: Tom Jagatic, Indiana University; Nathaniel Johnson, Indiana University; Markus Jakobsson, Indiana University; and Filippo Menczer, Indiana University
Publication: Communications of the ACM (Association for Computing Machinery)
Year: 2005
Focus Area: Persuasion, Profile
Relevance: This paper provides a behind-the-scenes look at an experimental scam. In particular, the work illustrates the ability of scammers to exploit social networks – both to gain personal information and to take advantage of relationships between individuals.
Summary: Using publicly available information from social networking databases, the authors illustrate the increasing ability of phishing attacks to create a seemingly trustworthy context for fraudulent attacks. A “successful” attack was defined as one in which the recipient went to the link included in the email and entered their university username and password, even though the website was not a university website.
- 72% of the subjects in this study entered their secure university credentials when prompted by a phishing email (using information gained from public social networks) to go to an unknown website.
- Within this group, 70% of the subjects went to the website within 12 hours of receiving the scam email.
- Younger students were more vulnerable than older, more women than men fell for the scam, and both men and women were more likely to fall for the scam if the apparent sender was the opposite gender.
- Students’ majors did not influence their susceptibility to this phishing experiment, except that technology majors were the least vulnerable.
Abstract (from the authors): Phishing is a form of social engineering in which an attacker attempts to fraudulently acquire sensitive information from a victim by impersonating a trustworthy third party. Phishing attacks today typically employ generalized “lures.” For instance, a phisher misrepresenting himself as a large banking corporation or popular on-line auction site will have a reasonable yield, despite knowing little to nothing about the recipient. In a study by Gartner [11], about 19% of all those surveyed reported having clicked on a link in a phishing email, and 3% admitted to giving up financial or personal information. However, no existing studies provide us with a baseline success rate for individual phishing attacks. This was one of the motivating factors for the research project described here.