Persuasion: How phishing emails can influence users and bypass security measures

作     者：Ferreira, Ana Teles, Soraia 

作者机构：Univ Porto Fac Med CINTESIS Ctr Hlth Technol & Serv Res Porto Portugal Univ Porto Inst Biomed Sci Abel Salazar ICBAS Porto Portugal 

出 版 物：《INTERNATIONAL JOURNAL OF HUMAN-COMPUTER STUDIES》 (国际人机研究杂志)

年 卷 期：2019年第125卷

页      面：19-31页

核心收录：

学科分类：0402[教育学-心理学(可授教育学、理学学位）] 12[管理学] 1201[管理学-管理科学与工程(可授管理学、工学学位)] 08[工学] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

基　　金：ActiveAdvice - Decision Support Solutions for Independent Living using an Intelligent AAL Product and Service Cloud - National Funds through FCT - Fundacao para a Ciencia e a Tecnologia [AAL-2015-2-058] TagUBig - Taming Your Big Data from Researcher FCT Program - National Funds through FCT - Fundacao para a Ciencia e a Tecnologia [IF/00693/2015] Portuguese Foundation for Science and Technology (FCT) [PD/BD/135496/2018] Fundação para a Ciência e a Tecnologia [PD/BD/135496/2018] Funding Source: FCT 

主　　题：Principles of persuasion Social engineering Phishing emails Human computer interaction Computer security and human behaviour 

摘      要：Phishing is a very dangerous form of social engineering with the aim to deceive people into disclosing private/confidential information. Despite widespread warnings and means to educate users to identify phishing messages, these are still a prevalent practice and a lucrative business. The authors believe that persuasion, as a style of human communication designed to influence others, has a central role in successful digital scams. Research on persuasion applied to phishing emails is scarce and tends to build on Cialdini s work alone. Only a single study has proposed a list of merged principles from three different perspectives but it has methodological limitations regarding the analysis performance by a single researcher and the testing of principles in a small, not validated sample of phishing emails. This paper aims to fill those gaps by building on Cialdini s, Gragg s and Stajano & Wilson s works to derive a unique list of Principles of Persuasion in Social Engineering (PPSE), resulting from the application of the relational method by two independent researchers. The PPSE are identified, by two independent researchers (Kappa 0.789) on a sample of phishing email subject lines (N = 194), dated from 2008 to 2017 and randomly selected from a reliable phishing archive (*** ). A thematic content analysis, together with the sample characterization in terms of visual elements and targeted content, revealed that the most prominent principles of persuasion in phishing emails were Authority , Strong Affect , Integrity and `Reciprocation . The larger percentage of references with the presence of visual elements was found for the `Strong Affect principle. The use of the pronouns you and your was more evident for the categories Strong Affect and Authority , while the employment of the pronouns we, us, our was more frequent in the `Reciprocation principle. This paper constitutes a step further in understanding the use of principles of persuasion