You Are Not Alone: Helping Users Not to Fall For Phishing

Date

2020-12

Abstract

Phishing continues to be a serious threat to Internet users and organizations. Humans are known to be the weakest link in the defense line against phishing attacks. Researchers have shown that Internet users mainly fail to make the correct choice when they receive malicious content for two reasons: 1) they lack the knowledge to focus on the proper clues, and 2) security is not the main focus of their daily work, so they are not thinking about it. In this work, we propose a new warning and highlighting system for emails to increase users' awareness and give them some clues to make a more informed decision. We start by creating a diverse and up-to-date dataset of phishing and legitimate emails, since a good dataset is the building block of a detection system. Then, we evaluate the effectiveness of our highlighting system by conducting a user study and show that our method improves users' detection ability. We also create a model to automatically generate the warning for users whenever they receive a new email. In our effort to create a diverse phishing dataset, we show that language generation techniques can be used to generate phishing emails. This is useful because many organizations are not willing to share the fraudulent emails that they receive due to security concerns. Then, we use this dataset to train a model to detect suspicious sentences in emails. Our warning system highlights the suspicious content in emails and warns users to pay more attention to it. The results of our user experiment show that our warning system significantly outperforms the existing state-of-the-art systems. Since our work focuses on content, it can be readily adapted to text/chat messages, not just emails.

Keywords

phishing, usable security, email warning, social engineering, email classification, deep learning, persuasive techniques, systematic review, meta-analysis

Citation

Portions of this document appear in: Das, Avisha, Shahryar Baki, Ayman El Aassal, Rakesh Verma, and Arthur Dunbar. "SoK: a comprehensive reexamination of phishing research from the security perspective." IEEE Communications Surveys & Tutorials 22, no. 1 (2019): 671-708. And in: Baki, Shahryar, Rakesh Verma, Arjun Mukherjee, and Omprakash Gnawali. "Scaling and effectiveness of email masquerade attacks: Exploiting natural language generation." In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 469-482. 2017. And in: Baki, Shahryar, Rakesh M. Verma, and Omprakash Gnawali. "Scam Augmentation and Customization: Identifying Vulnerable Users and Arming Defenders." In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 236-247. 2020.