Susceptibility to Spear-Phishing Emails: Effects of Internet User Demographics and Email Content

Phishing vulnerability compounded by older age, apolipoprotein E e4 genotype, and lower cognition

With technological advancements, financial exploitation tactics have expanded into the online realm. Older adults may be particularly susceptible to online scams due to age- and Alzheimer's disease-related changes in cognition. In this study, 182 adults ranging from 18 to 90 years underwent cognitive assessment, genotyping for apolipoprotein E e4 (APOE4), and completed the lab-based Short Phishing Email Suspicion Test (S-PEST) as well as the real-life PHishing Internet Task (PHIT). Across both paradigms, older age predicted heightened susceptibility to phishing, with this enhanced susceptibility pronounced among older APOE4 allele carriers with lower working memory. Additionally, performance in both phishing tasks was correlated in that reduced ability to discriminate between phishing and safe emails in S-PEST predicted greater phishing susceptibility in PHIT. The current study identifies older age, APOE4, and lower cognition as risk factors for phishing vulnerability and introduces S-PEST as an easy-to-administer, ecologically valid tool for assessing phishing susceptibility.

New directions for studying the aging social-cognitive brain

The study of social cognition has extended across the lifespan with a recent special focus on the impacts of aging on the social-cognitive brain. This review summarizes current knowledge on social perception, theory of mind, empathy, and social behavior from a social-cognitive neuroscience of aging perspective and identifies new directions for studying the aging social-cognitive brain. These new directions highlight the need for (i) standardized operationalization and analysis of social-cognitive constructs; (ii) use of naturalistic paradigms to enhance ecological validity of social-cognitive measures; (iii) application of repeated assessments via single-N designs for robust delineation of social-cognitive processes in the aging brain; (iv) increased representation of vulnerable aging populations in social-cognitive brain research to enhance diversity, promote generalizability, and allow for cross-population comparisons.

Financial Fraud and Deception in Aging

Financial exploitation among older adults is a significant concern with often devastating consequences for individuals and society. Deception plays a critical role in financial exploitation, and detecting deception is challenging, especially for older adults. Susceptibility to deception in older adults is heightened by age-related changes in cognition, such as declines in processing speed and working memory, as well as socioemotional factors, including positive affect and social isolation. Additionally, neurobiological changes with age, such as reduced cortical volume and altered functional connectivity, are associated with declining deception detection and increased risk for financial exploitation among older adults. Furthermore, characteristics of deceptive messages, such as personal relevance and framing, as well as visual cues such as faces, can influence deception detection. Understanding the multifaceted factors that contribute to deception risk in aging is crucial for developing interventions and strategies to protect older adults from financial exploitation. Tailored approaches, including age-specific warnings and harmonizing artificial intelligence as well as human-centered approaches, can help mitigate the risks and protect older adults from fraud.

Novel methods for assessment of vulnerability to financial exploitation (FE)

Financial exploitation (FE) is a complex problem influenced by many factors. This article introduces two novel methods for assessment of FE vulnerability: (1) performance-based measures of financial skills using web-based simulations of common financial tasks; (2) scam vulnerability measures based on credibility ratings of common scam scenarios. Older adults who were male, younger, Hispanic, more educated, with higher incomes performed better on the simulated financial tasks. Better performance was also related to higher cognitive function and numeracy, and more experience with technology. On the scenario-based measures, older adults who were male, younger, African American, less educated, and lower income showed higher FE vulnerability. Higher scam vulnerability was also related to poorer performance on the simulated financial tasks, lower cognitive function, less experience with technology, more financial conflict/anxiety, more impulsivity, and more stranger-initiated FE. Findings indicate that these novel measures show promise as valid indicators of vulnerability to FE.

Personalized persuasion: Quantifying susceptibility to information exploitation in spear-phishing attacks

Many cyberattacks begin with a malicious email message, known as spear phishing, targeted at unsuspecting victims. Although security technologies have improved significantly in recent years, spear phishing continues to be successful due to the bespoke nature of such attacks. Crafting such emails requires attackers to conduct careful research about their victims and collect personal information about them and their acquaintances. Despite the widespread nature of spear-phishing attacks, little is understood about the human factors behind them. This is particularly the case when considering the role of attack personalization on end-user vulnerability. To study spear-phishing attacks in the laboratory, we developed a simulation environment called SpearSim that simulates the tasks involved in the generation and reception of spear-phishing messages. Using SpearSim, we conducted a laboratory experiment with human subjects to study the effect of information availability and information exploitation end-user vulnerability. The results of the experiment show that end-users in the high information-availability condition were 2.97 times more vulnerable to spear-phishing attacks than those in the low information-availability condition. We found that access to more personal information about targets can result in attacks involving contextually meaningful impersonation and narratives. We discuss the implications of this research for the design of anti-phishing training solutions.

SoK: Human-Centered Phishing Susceptibility

Phishing is recognized as a serious threat to organizations and individuals. While there have been significant technical advances in blocking phishing attacks, end users remain the last line of defence after phishing emails reach their email inboxes. Most of the existing literature on this subject has focused on the technical aspects related to phishing. The factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature and systematically categorised the phishing susceptibility variables studied. We classify variables based on their temporal scope which led us to propose a three-stage Phishing Susceptibility Model (PSM) for explaining how humans are vulnerable to phishing attacks. This model reveals several research gaps that need to be addressed to understand and improve protection against phishing susceptibility. Our review also systematizes existing studies by their sample size and generalizability, and further suggests a practical impact assessment of the value of studying variables: some more easily lead to improvements than others. We believe that this paper can provide guidelines for future phishing susceptibility research to improve experiment design and the quality of findings.

“Alexa, What’s a Phishing Email?”: Training users to spot phishing emails using a voice assistant

This paper reports the findings from an empirical study investigating the effectiveness of using intelligent voice assistants, Amazon Alexa in our case, to deliver a phishing training to users. Because intelligent voice assistants can hardly utilize visual cues but provide for convenient interaction with users, we developed an interaction-based phishing training focused on the principles of persuasion with examples on how to look for them in phishing emails. To test the effectiveness of this training, we conducted a between-subject study where 120 participants were randomly assigned in three groups: no training, interaction-based training with Alexa, and a facts-and-advice training and assessed a vignette of 28 emails. The results show that the participants in the interaction-based group statistically outperformed the others when detecting phishing emails that employed the following persuasion principles (and/or combinations of): authority, authority/scarcity, commitment, commitment/liking, and scarcity/liking. The paper discusses the implication of this result for future phishing training and anti-phishing efforts.

Lumen: A machine learning framework to expose influence cues in texts

Phishing and disinformation are popular social engineering attacks with attackers invariably applying influence cues in texts to make them more appealing to users. We introduce Lumen, a learning-based framework that exposes influence cues in text: (i) persuasion, (ii) framing, (iii) emotion, (iv) objectivity/subjectivity, (v) guilt/blame, and (vi) use of emphasis. Lumen was trained with a newly developed dataset of 3K texts comprised of disinformation, phishing, hyperpartisan news, and mainstream news. Evaluation of Lumen in comparison to other learning models showed that Lumen and LSTM presented the best F1-micro score, but Lumen yielded better interpretability. Our results highlight the promise of ML to expose influence cues in text, toward the goal of application in automatic labeling tools to improve the accuracy of human-based detection and reduce the likelihood of users falling for deceptive online content.

Association between internet use and successful aging of older Chinese women: a cross-sectional study

BACKGROUND

The internet has become ubiquitous in contemporary human life. However, little is known about the association between internet use and older people's aging process, especially that of older women.

METHODS

Using the nationally representative dataset of the China Longitudinal Aging Social Survey 2016, we examined the relationship between internet usage and the successful aging of older Chinese women. The sample in this study consisted of 2713 respondents with an average age of 69.963 years. Successful aging was defined as no major diseases, no disability, high cognitive functioning, high physical functioning, and active engagement with life. Older women's internet use behavior was represented by internet use frequency. Probit and instrumental variable models were employed to test the association between internet use frequency and successful aging of older women. The Karlson/Holm/Breen (KHB) mediation analysis was used to estimate the mediating effect of social capital on the relationship between internet use frequency and older women's successful aging.

RESULTS

Using a probit model (coefficient = 0.030, p < 0.001) and an instrumental variable probit model (coefficient = 0.287, p < 0.001), it was found that a successful aging status was significantly correlated with an increase in internet use frequency. The functional mechanism analysis suggested that social capital partially mediated the overall association between internet use frequency and successful aging.

CONCLUSIONS

This study suggests that the more frequently older Chinese women use the internet, the greater the possibility of successful aging. Our findings provide new evidence from China about the determinants of older women's aging process and aid in formulating targeted aging policies for older women in developing countries and regions.

Research trends in cybercrime victimization during 2010-2020: a bibliometric analysis

Research on cybercrime victimization is relatively diversified; however, no bibliometric study has been found to introduce the panorama of this subject. The current study aims to address this research gap by performing a bibliometric analysis of 387 Social Science Citation Index articles relevant to cybercrime victimization from Web of Science database during the period of 2010-2020. The purpose of the article is to examine the research trend and distribution of publications by five main fields, including time, productive authors, prominent sources, active institutions, and leading countries/regions. Furthermore, this study aims to determine the global collaborations and current gaps in research of cybercrime victimization. Findings indicated the decidedly upward trend of publications in the given period. The USA and its authors and institutions were likely to connect widely and took a crucial position in research of cybercrime victimization. Cyberbullying was identified as the most concerned issue over the years and cyber interpersonal crimes had the large number of research comparing to cyber-dependent crimes. Future research is suggested to concern more about sample of the elder and collect data in different countries which are not only European countries or the USA. Cross-nation research in less popular continents in research map was recommended to be conducted more. This paper contributed an overview of scholarly status of cybercrime victimization through statistical evidence and visual findings; assisted researchers to optimize their own research direction; and supported authors and institutions to build strategies for research collaboration.

Exploring how, why and in what contexts older adults are at risk of financial cybercrime victimisation: A realist review

Although older people rarely report being victims of financial cybercrime, there is evidence that older online users are at increased risk. This realist review identified factors leading to older adults' victimisation and reviewed the theory and evidence for interventions to reduce victimisation risks. We developed an initial programme theory from a scoping review and expert stakeholder consultations. We searched electronic databases, references and websites for literature meeting inclusion criteria. We analysed 52 primary and secondary data sources, seeking stakeholder views to develop and refine the programme theory and generate Context-Mechanism-Outcome Configurations (CMOCs) explaining how, why and in what circumstances older adults become financial cybercrime victims; and extrapolated this to consider rational intervention strategies. Our programme theory comprised 16 CMOCs describing how: social isolation, cognitive, physical and mental health problems; wealth status, limited cyber security skills or awareness, societal attitudes and content of scams led to victimisation. Our refined programme theory provides a novel framework to guide future intervention design. Only interventions to enhance older internet users' awareness and skills have been trialled to date. Other theoretically plausible interventions include: offender management programmes, tailored security measures, society-wide stigma reduction and awareness-raising with groups who support older people.

Is This Phishing? Older Age Is Associated With Greater Difficulty Discriminating Between Safe and Malicious Emails

OBJECTIVES

As our social worlds become increasingly digitally connected, so too has concern about older adults falling victim to "phishing" emails, which attempt to deceive a person into identity theft and fraud. In the present study, we investigated whether older age is associated with differences in perceived suspiciousness of phishing emails.

METHODS

Sixty-five cognitively normal middle-aged to older adults rated a series of genuine and phishing emails on a scale from definitely safe to definitely suspicious.

RESULTS

Although older age was not related to a shift in overall perception of email safety, older age was related to worse discrimination between genuine and phishing emails, according to perceived suspiciousness.

DISCUSSION

These findings suggest that cognitively normal older adults may be at particular risk for online fraud because of an age-associated reduction in their sensitivity to the credibility of emails.

Can adults discriminate between fraudulent and legitimate e-mails? Examining the role of age and prior fraud experience

The present study assessed how accurate adults are at detecting fraudulent e-mail activity. A total of 100 younger (18-26 years) and 96 older adults (60-90 years) categorized a series of e-mails as legitimate or fraudulent phishing schemes and self-reported their fraud experiences. Younger and older adults did not differ in accuracy rates when categorizing the e-mails (72%), but older adults used a "high-suspicion" strategy where they were more likely to mislabel a legitimate e-mail as fraudulent compared to younger adults. Younger adults were less likely to be targeted by fraud than older adults, but the groups were victimized at similar rates. Being a prior fraud victim negatively related to e-mail detection performance, but this differed across age groups and the extent of fraud experience. Together, these results provide insight into the relation between fraud experience and the ability to detect e-mail scams and can inform fraud prevention and education initiatives.

The role of analytical reasoning and source credibility on the evaluation of real and fake full-length news articles

AIM

Previous research has focused on accuracy associated with real and fake news presented in the form of news headlines only, which does not capture the rich context news is frequently encountered in real life. Additionally, while previous studies on evaluation of real and fake news have mostly focused on characteristics of the evaluator (i.e., analytical reasoning), characteristics of the news stimuli (i.e., news source credibility) and the interplay between the two have been largely ignored. To address these research gaps, this project examined the role of analytical reasoning and news source credibility on evaluation of real and fake full-length news story articles. The project considered both accuracy and perceived credibility ratings as outcome variables, thus qualifying previous work focused solely on news detection accuracy.

METHOD

We conducted two independent but parallel studies, with Study 2 as a direct replication of Study 1, employing the same design but in a larger sample (Study 1: N = 292 vs. Study 2: N = 357). In both studies, participants viewed 12 full-length news articles (6 real, 6 fake), followed by prompts to evaluate each article's veracity and credibility. Participants were randomly assigned to view articles with a credible or non-credible source and completed the Cognitive Reflection Test as well as short demographic questions.

FINDINGS

Consistent across both studies, higher analytical reasoning was associated with greater fake news accuracy, while analytical reasoning was not associated with real news accuracy. In addition, in both studies, higher analytical reasoning was associated with lower perceived credibility for fake news, while analytical reasoning was not associated with perceived credibility for real news. Furthermore, lower analytical reasoning was associated with greater accuracy for real (but not fake) news from credible compared to non-credible sources, with this effect only detected in Study 2.

CONCLUSIONS

The novel results generated in this research are discussed in light of classical vs. naturalistic accounts of decision-making as well as cognitive processes underlying news articles evaluation. The results extend previous findings that analytical reasoning contributes to fake news detection to full-length news articles. Furthermore, news-related cues such as the credibility of the news source systematically affected discrimination ability between real and fake news.

Age and intranasal oxytocin effects on trust-related decisions after breach of trust: Behavioral and brain evidence

Age-related differences in cognition and socioemotional functions, and in associated brain regions, may reduce sensitivity to cues of untrustworthiness, with effects on trust-related decision making and trusting behavior. This study examined age-group differences in brain activity and behavior during a trust game. In this game, participants received "breach-of-trust" feedback after half of the trials. The feedback indicated that only 50% of the monetary investment into their fellow players had resulted in returns. The study also explored the effects of intranasal oxytocin on trust-related decisions in aging, based on suggestions of a modulatory role of oxytocin in response to negative social stimuli and perceptions of trust. Forty-seven younger and 46 older participants self-administered intranasal oxytocin or placebo, in a randomized, double-blind, between-subjects procedure, before they engaged in the trust game while undergoing functional magnetic resonance imaging (fMRI). Younger participants invested less into their game partners after breach-of-trust feedback, while older participants showed no significant difference in their investment after breach-of-trust feedback. Oxytocin did not modulate the behavioral effects. However, after breach-of-trust feedback, older participants in the oxytocin group showed less activity in the left superior temporal gyrus. In contrast, older participants in the placebo group showed more activity in left superior temporal gyrus after breach of trust. The findings may reflect reduced responsiveness to cues of untrustworthiness in older adults. Furthermore, the modulatory effect of oxytocin on left superior temporal gyrus activity among older adults supports the neuropeptide's age-differential role in neural processes in aging, including in the context of trust-related decision making. (PsycInfo Database Record (c) 2021 APA, all rights reserved).

“Warn Them” or “Just Block Them”?: Investigating Privacy Concerns Among Older and Working Age Adults

Prior work suggests that older adults are less aware of potential digital privacy risks compared to younger groups. We seek to expand on these findings by using drawmetrics with 20 older adults (60+) to visualize their experiences with digital privacy via drawing sessions. We further compared older adults with 20 adults of working age (18-59) with the goal of identifying both overlapping concerns and key differences that may be missed when viewing each group in isolation. We extended our evaluation with a survey with questions and themes derived from open-coding of the drawn images and confirmed three key differences between the age groups. These include older adults perceiving a greater threat from using online banking and e-commerce compared to working age adults, older adults exhibiting greater levels of concern about global scale threats, and working age adults showing more privacy-related concern regarding social media. Our findings can be used to potentially tailor applications to better accommodate privacy concerns for older adults.

The Phishing Email Suspicion Test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing detection

Phishing emails constitute a major problem, linked to fraud and exploitation as well as subsequent negative health outcomes including depression and suicide. Because of their sheer volume, and because phishing emails are designed to deceive, purely technological solutions can only go so far, leaving human judgment as the last line of defense. However, because it is difficult to phish people in the lab, little is known about the cognitive and neural mechanisms underlying phishing susceptibility. There is therefore a critical need to develop an ecologically valid lab-based measure of phishing susceptibility that will allow evaluation of the cognitive mechanisms involved in phishing detection. Here we present such a measure based on a task, the Phishing Email Suspicion Test (PEST), and a cognitive model to quantify behavior. In PEST, participants rate a series of phishing and non-phishing emails according to their level of suspicion. By comparing suspicion scores for each email to its real-world efficacy, we find initial support for the ecological validity of PEST - phishing emails that were more effective in the real world were more effective at deceiving people in the lab. In the proposed computational model, we quantify behavior in terms of participants' overall level of suspicion of emails, their ability to distinguish phishing from non-phishing emails, and the extent to which emails from the recent past bias their current decision. Together, our task and model provide a framework for studying the cognitive neuroscience of phishing detection.

Phishing Attacks Survey: Types, Vectors, and Technical Approaches

Phishing attacks, which have existed for several decades and continue to be a major problem today, constitute a severe threat in the cyber world. Attackers are adopting multiple new and creative methods through which to conduct phishing attacks, which are growing rapidly. Therefore, there is a need to conduct a comprehensive review of past and current phishing approaches. In this paper, a review of the approaches used during phishing attacks is presented. This paper comprises a literature review, followed by a comprehensive examination of the characteristics of the existing classic, modern, and cutting-edge phishing attack techniques. The aims of this paper are to build awareness of phishing techniques, educate individuals about these attacks, and encourage the use of phishing prevention techniques, in addition to encouraging discourse among the professional community about this topic.

Human Cognition Through the Lens of Social Engineering Cyberattacks

Social engineering cyberattacks are a major threat because they often prelude sophisticated and devastating cyberattacks. Social engineering cyberattacks are a kind of psychological attack that exploits weaknesses in human cognitive functions. Adequate defense against social engineering cyberattacks requires a deeper understanding of what aspects of human cognition are exploited by these cyberattacks, why humans are susceptible to these cyberattacks, and how we can minimize or at least mitigate their damage. These questions have received some amount of attention, but the state-of-the-art understanding is superficial and scattered in the literature. In this paper, we review human cognition through the lens of social engineering cyberattacks. Then, we propose an extended framework of human cognitive functions to accommodate social engineering cyberattacks. We cast existing studies on various aspects of social engineering cyberattacks into the extended framework, while drawing a number of insights that represent the current understanding and shed light on future research directions. The extended framework might inspire future research endeavor toward a new sub-field that can be called Cybersecurity Cognitive Psychology, which tailors or adapts principles of Cognitive Psychology to the cybersecurity domain while embracing new notions and concepts that are unique to the cybersecurity domain.

Don’t click: towards an effective anti-phishing training. A comparative literature review

Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be designed sustainably and effectively to minimize the vulnerability of employees to phishing attacks. In this paper, we survey and categorize works that consider different elements of such programs via a clearly laid-out methodology, and identify key findings in the technical literature. Overall, we find that researchers agree on the answers to many relevant questions regarding the utility and effectiveness of anti-phishing training. However, we identified influencing factors, such as the impact of age on the success of anti-phishing training programs, for which mixed findings are available. Finally, based on our comprehensive analysis, we describe how a well-founded anti-phishing training program should be designed and parameterized with a set of proposed research directions.