May 28, 2016

Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails

arXiv:1606.00887v1 (19 citations)
Originality: Synthesis-oriented

AI Analysis

This research addresses the problem of human vulnerability to phishing attacks for cybersecurity education and training, though it is incremental in testing known social engineering principles.

The study investigated how the social engineering strategies of authority, scarcity and social proof affect users' judgments of whether a link in an email is safe to click. Authority was the most effective strategy at convincing users that a link was safe, users performed worst at detecting phishing and spear-phishing emails that relied on authority, and users struggled to distinguish genuine emails from spear-phishing emails.

We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.
