Were you phished? Read this post immediately to discover how

A few months ago, the department head sent me a short email asking whether I had a few minutes to spare. A bit odd – I thought – but I replied. The response email was utterly suspicious. It read, “Can you buy X amount of gift cards and send me the codes? We need them as a present for our clients, but I am right now in the middle of a meeting and can’t get them myself. Don’t worry, I’ll refund you after the meeting is over.” Ok, I’m out … we don’t work with clients! The signature style matched ours, however, on closer inspection, the email address came from a domain that resembled (but wasn’t) our address.

Not without feeling slightly foolish for replying to the first email, I reported it to our IT department and learned that several people received similar phishing emails (i.e., malicious emails that attempt to appear legitimate but intend to cause harm). Although it had no consequence at the time, I suddenly found it easy to imagine how much worse situations occur every day because of this. Sometimes as transcending as the infamous cases of political phishing affecting Hillary Clinton’s campaign in 2016.

Something interesting about phishing attacks is that they don’t breach security through a fancy and complex hacking technique but by exploiting human decision-making. By attempting to look legitimate, they trick people into harmful behavior. Falling for the trick can lead to enormous economic and psychological consequences (see also here).

Because phishing targets humans, technological attempts to prevent phishing from reaching users don’t suffice. To understand the cognitive processes and individual differences underlying susceptibility to phishing attempts, reliable methods for studying these processes in the lab are needed. This is the topic that Hakim, Ebner, Oliveira, Getz, Levin, Lin, Lloyd, Lai, Grilli, Wilson address in their paper “The Phishing Email Suspicion Test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing detection,” published in the Psychonomic Society journal, Behavior and Research Methods.

The authors designed a task, the Phishing Email Suspicion Test (PEST), that presents emails to participants and measures how suspicious they are perceived. In addition, they tested the relationship of suspicion scores with the capacity of emails to successfully phish people and introduce a cognitive model of how emails engender suspicion.

The Phishing Email Suspicion Test (PEST)

The PEST consists of phishing and safe emails (from simulated and real sources) that are randomly presented to participants who rate them in terms of suspiciousness. Examples of the task and texts used are shown in the figure below.

Hakim 2020 Fig 1
Examples of the task screen and sample texts from safe and phishing emails from real/simulated sources

A previous study by the research group tested the effectiveness of the simulated phishing emails to persuade people to click links embedded in them, reproducing the aspects of real phishing except for the harm intent. This allowed them to relate the ratings of suspicion obtained from the PEST with existing empirical data on the emails’ effectiveness to trick people into clicking on the links. The PEST, in combination with previous data, gave the authors insights into various aspects of phishing emails, including how they influence people’s suspicion levels, the similarities between real and simulated emails, and the relationship between suspicion levels and actual effectiveness of phishing attempts.

This seems phishy…

Are people more suspicious of phishing emails than safe ones? The answer is yes. Point scored for us humans! This was the case for real and simulated emails. Note, however, that the real safe emails were rated as less suspicious than simulated safe emails (but the real and simulated phishing emails were equivalently suspicious). You can appreciate these results in the figure below, which compares the suspicion scores between conditions, and illustrates the relationships between real and simulated emails.

Hakim 2020 Fig 2
a) Mean suspicion scores by type (safe/phishing) and source (real/simulated) source of the emails. b) scatterplot and correlation between real and simulated safe emails’ suspicion scores, c) scatterplot and correlation between real and simulated phishing emails’ suspicion scores

Are emails that are more effective in luring people in perceived as less suspicious than those that fail to do so? As shown in the figure below, the more suspicious emails are less likely to lead to a successful attack (i.e., make the recipient click a risky link) and those that successfully tricked people at least once (i.e., a risk link clicked at least once) are less suspicious than those that didn’t.

Hakim 2020 Fig 3
a) Suspicion scores by email type; safe emails in blue and phishing emails in red.

Falling into the phishing pond

If phishing emails are consistently more suspicious than safe emails, why are some phishing attempts successful at all? There are several factors to consider. For example, while the mean suspicion levels are higher for phishing than safe emails overall, there is considerable overlap. The most dangerous ones are likely the phishing emails that manage to somehow look less suspicious. The figure below shows the overlap in mean suspicion scores between all types of emails used in the PEST.

Hakim 2020 Fig 4
Mean suspicion score of individual emails of the study (blue: safe emails, red: phishing emails)

Delving into the psychological processes, some important factors to consider are individual differences in the propensity to suspect about the legitimacy of emails, the effects of previous experience with emails, and the possible contribution of sequential effects.

To assess the contribution of these factors in driving people’s suspicion ratings, the authors included them in a cognitive model based on a regression approach. The authors modelled suspicion ratings given to individual emails as a function of

1) the person’s general bias towards considering emails suspicious,

2) the email’s intrinsic suspicion level,

3) the effect of the previous email’s suspicion level, and

4) the rating given by the participant to the previous email.

The last two factors capture sequential effects and models previous experience. All factors predicted the suspicion scores, which is shown in the figure below.

Hakim 2020 Fig 5
Regression weights for phish bias, and the effects of current and past stimulus and past ratings

The model suggests that:

  1. people tend to have a slight bias to consider emails as suspicious rather than safe
  2. individuals’ suspicion levels for a given email align with the group average suspicion level, suggesting perceptual consensus with marked individual differences
  3. a perceptual bias away of the last stimulus’ perceived suspiciousness
  4. a response bias towards the response given in the previous trial

The two last findings constitute signature contrastive and assimilative effects often described in psychophysics and perceptual research, suggesting that the underlying cognitive process might involve covert comparisons with previously encountered emails.

Reducing phishing risk

The PEST is an effort to advance methods for the study of cognitive processes associated with phishing and could constitute a step towards preventing or reducing its devastating effects. In the words of the authors:

“If phishing susceptibility could be accurately predicted by PEST, then a simple online test could be deployed as an assessment tool to target people in need of intervention – either to improve their ability to detect phishing emails or to provide guidance and support for their use of email (for example in older adults with cognitive decline) .”

Beware of phishing emails. If it looks fishy and smells fishy … chances are it is phishy. Don’t click!

Featured Psychonomic Society’s article

Hakim, Z.M., Ebner, N.C., Oliveira, D.S., Getz, S.J. Levin, B.E., Lin, T., Lloyd, K. Lai, V.T., Grilli, M.D. & Wilson, R.C. (2020). The Phishing Email Suspicion Test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing etection. Behavior Research Methods. https://doi.org/10.3758/s13428-020-01495-0

Author

  • Jonathan Caballero is a cognitive and behavioral scientist specializing in social perception and its role in decision-making. Currently, he is a postdoctoral researcher at McGill University, in Canada, where he conducts studies addressing the role that verbal and non-verbal cues play in the perception of social situations, personal traits, and affective inferences and how this information influences social interaction and ultimately health and well-being in healthy and clinical populations. His research is done using a combination of perceptual, behavioral, acoustic, and electrophysiological methodologies. The long-term goal is to generate knowledge of how ambiguous social information guides decision-making and to use this knowledge to inform interventions for improving the quality of social outcomes in clinical populations and in healthy individuals that, nevertheless, are exposed to negative social treatment, such as speakers with nonstandard accents.

    View all posts

The Psychonomic Society (Society) is providing information in the Featured Content section of its website as a benefit and service in furtherance of the Society’s nonprofit and tax-exempt status. The Society does not exert editorial control over such materials, and any opinions expressed in the Featured Content articles are solely those of the individual authors and do not necessarily reflect the opinions or policies of the Society. The Society does not guarantee the accuracy of the content contained in the Featured Content portion of the website and specifically disclaims any and all liability for any claims or damages that result from reliance on such content by third parties.

You may also like