Partnering with MSU IT Services, ComArtSci Assistant Professor Rick Wash conducted a study on how people identify or are trained to identify phishing emails. Contrary to the nautical whimsy of its pronunciation, phishing occurs when a fake email is sent to someone with the intention of extorting information from the recipient. This ruse may ask the recipient to click and install harmful software but is most commonly used to mine for sensitive information. Phishing is often targeted toward higher-ups at large-scale entities, such as executives, financial operators and system administrators, and can potentially lead to the loss of millions of dollars. Needless to say, this is a major concern for cybersecurity.
“It’s really hard for a computer to look at two emails and say ‘This one is okay and this one is not,’ even though they look almost the same,” said Wash. “You need to have all the context of the person the email is being sent to to be able to tell if this is something they were expecting to receive and is actually intentional, or if it’s a fake email. You need to have everything that is the recipients head, which computers don’t. This is a problem that needs people involved in order to be able to deal with that.”
Traditionally, phish identification training uses facts and advice to educate people about the indicators of harmful emails. According to Wash’s research, this type of user education alone is inadequate to prevent users from clicking on emails and links that can open the gateway to information breeches.
“Normally when we try to help people we try to tell them what to do, so I call it facts and advice. We tell people what phishing is, what the problem is, do this and don’t do this,” said Wash. “It’s usually like, ‘Don’t click on any links in email,’ which is completely impractical advice. Not clicking on links in email would basically make email useless.”
So Wash joined forces with IT Services for an experiment. They delivered phishing emails to 2,000 university staff members without the recipients’ knowledge. If recipients clicked on the link provided in the email, they received a pop-up message that used either facts or a story to teach about phishing. After several days, the same recipients were sent a second phishing email to determine what percentage of people would click on the link again. The researchers used the results to determine the effectiveness of facts and advice in educating recipients compared to the effectiveness of stories. The study also examined to what extent the identity of the sender influenced perceptions of what was a safe email and what was a fake email.
The study found that facts and advice were effective in helping recipients identify scam emails when provided by experts, but not when they came from peers. If educational facts and advice were provided by a peer, recipients were more likely to not recognize a phishing email later.
“The stories were the exact opposite,” said Wash. “Stories worked really well when they came from peers, but it made things worse when it was coming from an expert. If central IT was trying to tell people stories it actually might backfire. So we have this really interesting interaction where the best type of message to send depended on who was sending it, so that was the basic finding of the paper.”
Wash co-authored the paper with Molly Cooper, a cybersecurity analyst for MSU, and it was presented at the 2018 ACM Conference on Computer Human Interaction earlier this spring. The study began as a side project, but is now funded by a $515,987 grant from the National Science Foundation.
Learning through Stories
Now, Wash is conducting interviews to gather stories from phishing victims, people who have worked with victims and those who receive phishing messages on a regular basis to try to discover what triggers recipients’ suspicion of an email.
“People have hundreds of emails that they receive every day. Most of them are perfectly fine emails from your friends or random companies, and every once in a while there are one or two in there that are really bad,” said Wash. “I think there’s a lot of potential in using stories to help people recognize what the problems are. I’m collecting all these stories and trying to figure out how people who are doing this right now do it well, and then I’m going to try to use those stories to help train people who aren’t doing it well or don’t know as much about it.”
Incongruencies such as color schemes, grammar and spelling or sender context may all be indicators that something is suspicious about an email. Learning to intuitively recognize these types of elements as suspicious appears to be a key skill in identifying phishing. So what does Wash recommend when it comes to training email users to identify phishing?
“I would say to IT staff right now, think about telling stories of specific incidents. There’s a lot of evidence that people remember those, and there’s a lot of things you get out of story that you don’t get out of facts and advice. So think about telling stories, and think about what’s clearly distinguishing. Likewise for end users, I think that’s the big message that my research is coming up with right now. Listen to your friends. Listen to stories.”
By Kristina Pierson