Research Spending & Results

Award Detail

Awardee:RESEARCH FOUNDATION FOR THE STATE UNIVERSITY OF NEW YORK, THE
Doing Business As Name:SUNY at Buffalo
PD/PI:
  • H. Raghav Rao
  • (210) 458-4340
  • hr.rao@utsa.edu
Co-PD(s)/co-PI(s):
  • Arun Vishwanath
Award Date:08/27/2012
Estimated Total Award Amount: $ 320,000
Funds Obligated to Date: $ 326,000
  • FY 2012=$320,000
  • FY 2013=$6,000
Start Date:09/01/2012
End Date:08/31/2016
Transaction Type:Grant
Agency:NSF
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.075
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:E-mail Deception and Visual E-Mail Authentication Services: an Investigation
Federal Award ID Number:1227353
DUNS ID:038633251
Parent DUNS ID:020657151
Program:Decision, Risk & Mgmt Sci
Program Officer:
  • Robert O'Connor
  • (703) 292-7263
  • roconnor@nsf.gov

Awardee Location

Street:520 Lee Entrance
City:Buffalo
State:NY
ZIP:14228-2567
County:Buffalo
Country:US
Awardee Cong. District:26

Primary Place of Performance

Organization Name:SUNY at Buffalo
Street:
City:
State:NY
ZIP:14260-1660
County:Buffalo
Country:US
Cong. District:26

Abstract at Time of Award

Phishing is a scam by which an e-mail user is duped into revealing personal or confidential information that the scammer can use illicitly. This research explores the design features presented in phishing attacks, investigates how individual knowledge and psychological involvement influence people's abilities in phishing detection across levels of deceptiveness, and evaluates the effects of phishing-related education and phishing detection technologies in mitigating individuals' phishing susceptibility. The experiments involve students, real-world consumers, and employees in an organization to compare the effectiveness of email authentication toolbars and client software (either by themselves or in conjunction with phishing-related educational interventions) on mitigating individual susceptibility to phishing attacks. The purpose of the project is to explore the features of phishing e-mails and evaluate the mechanism of their effects by using a variety of research methodologies such as content analysis, telephone surveys, and quasi-experiments. Phishing is a phenomenon of internet fraud that not only directly causes millions of dollars in loss, but also erodes consumers' trust in online communication and transactions. The erosion drives consumers away from online businesses. Fighting the threat of phishing is an urgent task and calls for research from multiple perspectives. The research deepens our understanding of phishing as a social phenomenon that takes advantage of human vulnerabilities. The research team disseminates the findings to the general public, industry organizations, the research community, and law enforcement organizations. The channels include workshops on internet crimes and information security and also the local InfraGard program in collaboration with a regional FBI office.

Publications Produced as a Result of this Research

J. Wang, R. Chen, T. Herath, A. Vishwanath, H. R. Rao "Phishing Susceptibility: An Investigation Into the Processing of a Targeted Spear Phishing Email" IEEE Transactions on Professional Communication, v.55, 2012, p.345. doi:10.1109/TPC.2012.2208392

Jingguo Wang***, Tejaswini Herath*, Rui Chen**, Arun Vishwanath^, And H. Raghav Rao^ "Phishing Susceptibility: An Investigation Into the Processing of a Targeted Spear Phishing Email" IEEE Transactions on Professional Communication, v.55, 2012, p.345.

Jingguo Wang, Tejaswini Herath, Rui Chen, Arun Vishwanath, And H. Raghav Rao "Phishing Susceptibility: An Investigation Into the Processing of a Targeted Spear Phishing Email" IEEE Transactions on Professional Communication, v.55, 2012, p.345. doi:10.1109/TPC.2012.2208392

Herath, T., R. Chen, J. Wang, K. Banjara, J. Wilbur, H. Raghav Rao "Security Services As Coping Mechanisms: An Investigation Into User Intention To Adopt An Email Authentication Service" Information Systems Journal, v.24, 2014, p.61. doi:10.1111/j.1365-2575.2012.00420.x

Teju Herath*, Rui Chen**, Jingguo Wang***, Ketan Banjara#, Jeff Wilbur#, H. Raghav Rao^ "Security Services As Coping Mechanisms: An Investigation Into User Intention To Adopt An Email Authentication Service" Information systems journal, v.24, 2014, p.61.

Vishwanath, Arun "Mobile device affordance: Explicating how smartphones influence the outcome of phishing attacks." Computers in Human Behavior, v.63, 2016, p.. doi:http://dx.doi.org/10.1016/j.chb.2016.05.035 

Teju Herath, Rui Chen, Jingguo Wang*, Ketan Banjara, Jeff Wilbur, H. Raghav Rao "Security Services As Coping Mechanisms: An Investigation Into User Intention To Adopt An Email Authentication Service" Information systems journal, v.24, 2014, p.61. doi:10.1111/j.1365-2575.2012.00420


Project Outcomes Report

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

As part of the NSF SaTC grant, our research team looked at the impact of the structural factors of spear phishing emails on individual phishing victimization.

At the structural end, we experimentally examined the cues in the spear phishing email as well as how the message content of emails differed, and how these influenced individual victimization. The specific cues examined included rich information cues and graphics, such as those that communicate social presence (e.g., messenger icons, 1-800 numbers, and such), and at the content end we focused on whether spear phishing messages that informed victims of a prize, i.e., “gain frame,” had a different impact than an email with a “loss frame” (e.g., a warning about account closure).

At the individual level, we focused on the impact of such cues and frames on individual cognitive processing using theories that explained how people cognitively process information. We also looked at whether individual personality mattered, particularly where their baseline, personality-based level of suspicion [what is termed their Generalized Communicative Suspicion (GCS)] had a protective influence. Finally, we also examined the impact of mobile devices, which the majority of consumers today use to access email, and whether such usage enhanced or mitigated spear phishing susceptibility.

Our findings suggest that the content framing had little effect on individual phishing susceptibility but cues in emails, especially those that communicate presence, did. This is likely because of the mode of cognitive processing people employ. People are cognitive misers who eschew detailed information assessment. They, therefore, seldom cognitively attend to the messages in emails, which explains why framing does not matter. If anything, a text-only spear phishing email has a reduced chance of success. Icons, graphical content, and other rich cues such as brand names and logos instead trigger adjunct thumb rules or cognitive heuristics that lead to their victimization.

Our findings also point to individual level of GCS playing a protective role. Our work also explicated the underlying reason for this. It appears that individuals with higher GCS tend to suffer higher anxiety during online communication that they alleviate through active information assessment; in conjunction with experience and appropriate prior knowledge, such individuals are more likely to spot a spear phishing email.

Finally, our research on device usage found that people who frequently utilize mobile devices are significantly more likely to fall victim to spear phishing. The reason for this was both surprising and unexpected. While we thought that devices, because of their smaller screen sizes, would lead to victimization by constraining the presentation of cues, we found that merely using devices made people more susceptible to certain types of spear phishing attacks. This led us to the discovery of a causative factor outside of cognitive processing: habits. It appears that frequent mobile device use creates routinized patterns where people reactively attend to emails, thereby falling prey to spear phishing attacks. These findings contributed to extant theory as well as expanded our overall understanding of the interplay between the individual and the email-based structural factors that led to spear phishing victimization.

Last Modified: 11/30/2016
Modified by: H. Raghav Rao