“Alexa, What’s a Phishing Email?”: Training users to spot phishing emails using a voice assistant

EURASIP Journal on Information Security - Tập 2022 Số 1
Filipo Sharevski1, Peter Jachim1
1School of Computing, DePaul University, Chicago, IL, USA

Tóm tắt

AbstractThis paper reports the findings from an empirical study investigating the effectiveness of using intelligent voice assistants, Amazon Alexa in our case, to deliver a phishing training to users. Because intelligent voice assistants can hardly utilize visual cues but provide for convenient interaction with users, we developed an interaction-based phishing training focused on the principles of persuasion with examples on how to look for them in phishing emails. To test the effectiveness of this training, we conducted a between-subject study where 120 participants were randomly assigned in three groups: no training, interaction-based training with Alexa, and a facts-and-advice training and assessed a vignette of 28 emails. The results show that the participants in the interaction-based group statistically outperformed the others when detecting phishing emails that employed the following persuasion principles (and/or combinations of): authority, authority/scarcity, commitment, commitment/liking, and scarcity/liking. The paper discusses the implication of this result for future phishing training and anti-phishing efforts.

Từ khóa


Tài liệu tham khảo

H. Hu, G. Wang, in 27th USENIX Security Symposium (USENIX Security 18). End-to-End Measurements of Email Spoofing Attacks (USENIX Association, Baltimore, 2018), pp. 1095–1112. https://www.usenix.org/conference/usenixsecurity18/presentation/hu

S. Egelman, L.F. Cranor, J. Hong, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings (Association for Computing Machinery, New York, 2008), CHI ’08, p. 1065–1074. https://doi.org/10.1145/1357054.1357219

Z.A. Wen, Z. Lin, R. Chen, E. Andersen, in Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems. What.Hack: Engaging Anti-Phishing Training Through a Role-playing Phishing Simulation Game (ACM, New York, 2019), CHI ’19, pp. 108:1–108:12. https://doi.org/10.1145/3290605.3300338

C. Bravo-Lillo, S. Komanduri, L.F. Cranor, R.W. Reeder, M. Sleeper, J. Downs, S. Schechter, in Proceedings of the Ninth Symposium on Usable Privacy and Security. Your Attention Please: Designing Security-Decision UIs to Make Genuine Risks Harder to Ignore (Association for Computing Machinery, New York, 2013), SOUPS ’13. https://doi.org/10.1145/2501604.2501610

R. Wash, M.M. Cooper, in Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems. Who Provides Phishing Training? Facts, Stories, and People Like Me (Association for Computing Machinery, New York, 2018), CHI ’18. https://doi.org/10.1145/3173574.3174066

S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L.F. Cranor, J. Hong, E. Nunge, in Proceedings of the 3rd Symposium on Usable Privacy and Security. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish (Association for Computing Machinery, New York, 2007), SOUPS ’07, p. 88–99. https://doi.org/10.1145/1280680.1280692

W. Yang, A. Xiong, J. Chen, R.W. Proctor, N. Li, in Proceedings of the Hot Topics in Science of Security: Symposium and Bootcamp. Use of Phishing Training to Improve Security Warning Compliance: Evidence from a Field Experiment (Association for Computing Machinery, New York, 2017), HoTSoS, p. 52–61. https://doi.org/10.1145/3055305.3055310

G. Canova, M. Volkamer, C. Bergmann, R. Borza, in Security and Trust Management, ed. by S. Mauw, C.D. Jensen. NoPhish: An Anti-Phishing Education App (Springer International Publishing, Cham, 2014), pp.188–192

O.A. Zielinska, R. Tembe, K.W. Hong, X. Ge, E. Murphy-Hill, C.B. Mayhorn, One phish, two phish, how to avoid the internet phish: Analysis of training strategies to detect phishing emails. Proc. Hum. Factors Ergon. Soc. Annu. Meet. 58(1), 1466–1470 (2014)

N. Zhang, X. Mi, X. Feng, X. Wang, Y. Tian, F. Qian, in 2019 IEEE Symposium on Security and Privacy (SP). Dangerous Skills: Understanding and Mitigating Security Risks of Voice-Controlled Third-Party Functions on Virtual Personal Assistant Systems (2019). pp. 1381–1396. https://doi.org/10.1109/SP.2019.00016

F. Sharevski, P. Treebridge, P. Jachim, A. Li, A. Babin, J. Westbrook, Meet malexa, alexa’s malicious twin: Malware-induced misperception through intelligent voice assistants. Int J Hum-Comput Stud 149, 102604–5 (2020). https://doi.org/10.1016/j.ijhcs.2021.102604

J. Marsden, Z. Albrecht, P. Berggren, J. Halbert, K. Lemons, A. Moncivais, M. Thompson, in Extended Abstracts of the 2020 CHI Conference on Human Factors in Computing Systems. Facts and Stories in Phishing Training: A Replication and Extension (Association for Computing Machinery, New York, 2020), CHI EA ’20, p. 1–6. https://doi.org/10.1145/3334480.3381435

E. Rader, R. Wash, Identifying patterns in informal sources of security information. J. Cybersecurity 1(1), 121–144 (2015). https://doi.org/10.1093/cybsec/tyv008

E.M. Redmiles, A.R. Malone, M.L. Mazurek, in 2016 IEEE Symposium on Security and Privacy (SP). I Think They’re Trying to Tell Me Something: Advice Sources and Selection for Digital Security (2016), pp. 272–288

A. Purington, J.G. Taft, S. Sannon, N.N. Bazarova, S.H. Taylor, in Proceedings of the 2017 CHI Conference Extended Abstracts on Human Factors in Computing Systems. “Alexa is My New BFF”: Social Roles, User Satisfaction, and Personification of the Amazon Echo (Association for Computing Machinery, New York, 2017), CHI EA ’17, p. 2853–2859. https://doi.org/10.1145/3027063.3053246

M. Tabassum, T. Kosiński, A. Frik, N. Malkin, P. Wijesekera, S. Egelman, H.R. Lipford, Investigating users’ preferences and expectations for always-listening voice assistants. 3(4) (2019). https://doi.org/10.1145/3369807

M. Gondree, Z.N.J. Peterson, T. Denning, Security through play. IEEE Secur. Priv. 11(3), 64–67 (2013)

M. Carlisle, M. Chiaramonte, D. Caswell, in 2015 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 15). Using CTFs for an Undergraduate Cyber Education (USENIX Association, Washington, 2015). https://www.usenix.org/conference/3gse15/summit-program/presentation/carlisle

N.A.G. Arachchilage, S. Love, K. Beznosov, Phishing threat avoidance behaviour: An empirical investigation. Comput. Hum. Behav. 60, 185–197 (2016). https://doi.org/10.1016/j.chb.2016.02.065

T. Lin, D.E. Capecci, D.M. Ellis, H.A. Rocha, S. Dommaraju, D.S. Oliveira, N.C. Ebner, Susceptibility to spear-phishing emails: Effects of internet user demographics and email content. ACM Trans. Comput.-Hum. Interact. 26(5) (2019). https://doi.org/10.1145/3336141

D. Oliveira, H. Rocha, H. Yang, D. Ellis, S. Dommaraju, M. Muradoglu, D. Weir, A. Soliman, T. Lin, N. Ebner, in Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. Dissecting Spear phishing emails for older vs young adults: On the interplay of weapons of influence and life domains in predicting susceptibility to phishing (2017), ser. CHI ’17, pp. 6412–6424. https://doi.org/10.1145/3025453.3025831

E.J. Williams, J. Hinds, A.N. Joinson, Exploring susceptibility to phishing in the workplace. Int. J. Hum.-Comput. Stud. 120, 1–13 (2018). https://doi.org/10.1016/j.ijhcs.2018.06.004

H. Gascon, S. Ullrich, B. Stritter, K. Rieck, in Research in Attacks, Intrusions, and Defenses. ed. by M. Bailey, T. Holz, M. Stamatogiannakis, S. Ioannidis, R. Between, the Lines: Content-Agnostic Detection of Spear-Phishing Emails, (Springer International Publishing, Cham, 2018), pp.69–91

H. Chung, M. Iorga, J. Voas, S. Lee, Alexa, Can I Trust You? Computer 50(9), 100–104 (2017). https://doi.org/10.1109/MC.2017.3571053

D.J. O’keefe, Persuasion: Theory and research (Sage Publications, 2015)

D.D. Caputo, S.L. Pfleeger, J.D. Freeman, M.E. Johnson, Going spear phishing: Exploring embedded training and awareness. IEEE Secur. Priv. 12(1), 28–38 (2014)

O. Zielinska, A. Welk, C.B. Mayhorn, E. Murphy-Hill, in Proceedings of the Symposium and Bootcamp on the Science of Security. The Persuasive Phish: Examining the Social Psychological Principles Hidden in Phishing Emails (Association for Computing Machinery, New York, 2016), HotSos ’16, p. 126. https://doi.org/10.1145/2898375.2898382

A. Ferreira, L. Coventry, G. Lenzini, in Human Aspects of Information Security, Privacy, and Trust, ed. by T. Tryfonas, I. Askoxylakis. Principles of Persuasion in Social Engineering and Their Use in Phishing (Springer, 2015), pp. 36–47

P. Lawson, C.J. Pearson, A. Crowson, C.B. Mayhorn, Email phishing and signal detection: how persuasion principles and personality influence response patterns and accuracy. Appl. Ergon. 86, 103084 (2020). https://doi.org/10.1016/j.apergo.2020.103084. http://www.sciencedirect.com/science/article/pii/S0003687020300478

M. Blythe, H. Petrie, J.A. Clark, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. F for Fake: Four Studies on How We Fall for Phish (Association for Computing Machinery, New York, 2011), CHI ’11, p. 3469–3478. https://doi.org/10.1145/1978942.1979459

C. Gao. Use New Alexa Emotions and Speaking Styles to Create a More Natural and Intuitive Voice Experience (2019). Accessed 26 Nov 2019, https://developer.amazon.com/en-US/blogs/alexa/alexa-skills-kit/2019/11/new-alexa-emotions-and-speaking-styles

Thông tin
Thông tin xuất bản

EURASIP Journal on Information Security

Tập 2022 Số 1

Thông tin tác giả