What Makes the Academic Community an Attractive Target for Phishing?
CC-DRIVER is an H2020 project supported by the European Commission that investigates the human and technical drivers of cybercrime. Its research findings will be translated into a wide range of innovative tools, including cybercrime awareness and investigation tools for law enforcement agencies to strengthen public security and cyber resilience in the European Union. This blog post supplements other project-related insights by casting new light on phishing attacks.
Phishing attacks are among the most popular cyber-attacks. They are carried out through means of communication aimed at luring the recipient to obtain personal, financial or sensitive information by posing as a legitimate source (Sahingoz, Buber, Demir, & Diri, 2019). This can take place through sms (smishing), phone calls (vishing), or social networks; also, and its most common form is by email. Universities and their community (students, professors, and academic staffs) seem to be particularly targeted by phishing emails. Several studies have therefore been carried out within universities, mostly by simulating phishing attacks with students or collecting data on attacks within universities; in order to measure the extent of the phenomenon, to understand who the most vulnerable victims are and what content or components of these attacks are most effective in the academic setting.
A 2007 pioneering study (Jagatic et al.) was carried out at Indiana University, simulating phishing attacks on students. Results concluded that 72% of the students clicked on the link and gave their credentials, but also that women clicked more often compared to men, and men were more likely to click if the recipient appeared to be of the opposite sex.
Since then, most recent studies have also simulated attacks within universities in order to identify which students are most vulnerable to phishing attacks. These established that there would be no gender differences, although it was found that students aged 21-30 were more likely to be victims (in comparison to 17-20 year olds or 31 and above) (Diaz, Sherman, & Joshi, 2020; Kob, Rahib & Azman, 2020). However, those who attended classes on IT (information technology) would be less likely to be victims, while the link between self-evaluation on IT knowledge and the likelihood to discover phishing attack shows contradicting results (Diaz et al., 2020). This discrepancy in the literature may be related to the fact that objective knowledge about emails and phishing attacks is not always sufficient to recognise attacks, but also it depends on whether the person (here student and staff) takes the time to analyse the information according to the context (Jensen, Dinger, Wright, & Thatcher, 2017). However, another study stressed that the repeated exposure to phishing emails is linked with the detection of phishing attacks, while past victimisation is not (Chen, Gaia, & Rao, 2020). All in all, the link between knowledge or experience with victimisation to phishing attacks seems important to understand the vulnerability, but is yet difficult to measure.
In addition to victim characteristics, the anatomy of emails is a key element, since it must persuade the recipient that it comes from a legitimate source. First, it is important to mention that mostly effective phishing attacks in a university context have specific elements targeting an academic population, and unlike generic phishing attacks these emails would not suit other targets (Broadhurst et al., 2018). Phishing emails are most effective with students, thus because the elements seen in the emails seem realistic and believable, but also because the university is endowed with a certain authority (Frauenstein, 2018).
Moreover, email subjects inducing fear (as checking changes on exam timetables for example) are more efficient than reward-based emails (as winning a contest) (Harrison et al., 2016). Also, the way in which the sender addresses the recipient helps to convince phishing victims; email contents written with scarcity and emergency tone, or nice and pleasant expressions have more influence (Wright, Jensen, Thatcher, Dinger, & Marett, 2014). The writing and the elements that make up the email contribute to convince victims of its legitimacy. On the one hand, emails with no typos and good arguments are more likely to convince the victim. On the other hand, emails using elements as the logo of the entity they pretend to belong, and other parameters such as the name or signature of a trusted source are more effective (Luo, Zhang, Burd, & Seazzu, 2013; Walker, 2016).
Phishing attacks seem to be targeted in an academic way and affect young men or women. Most of the past studies have simulated phishing attacks, to understand which emails are the most effective and who are the most vulnerable people. However, the protective role that prior knowledge can bring is yet to be explored, as the differences between students and university staff. The anatomy of emails, moreover, provides some interesting information for prevention among the academic community and particularly among the most vulnerable. Nevertheless, it would be relevant with all this information to test what reflexes and thinking people need to adopt in order to detect phishing attacks; and then to draw comparisons with attacks out of university environment.
Broadhurst, R., Skinner, K., Sifniotis, N., Matamoros-Macias, B., & Ipsen, Y. (2018). Phishing and cybercrime risks in a university student community. Available at SSRN 3176319.
Chen, R., Gaia, J., & Rao, H. R. (2020). An examination of the effect of recent phishing encounters on phishing susceptibility. Decision Support Systems, 133, 113287.
Diaz, A., Sherman, A. T., & Joshi, A. (2020). Phishing in an academic community: A study of user susceptibility and behavior. Cryptologia, 44(1), 53-67.
Frauenstein, E. D. (2018, August). An investigation into students responses to various phishing emails and other phishing-related behaviours. In International Information Security Conference (pp. 44-59). Springer, Cham.
Harrison, B., Svetieva, E., & Vishwanath, A. (2016). Individual processing of phishing emails: How attention and elaboration protect against phishing. Online Information Review.
Jagatic, T. N., Johnson, N. A., Jakobsson, M., & Menczer, F. (2007). Social phishing. Communications of the ACM, 50(10), 94-100.
Jensen, M. L., Dinger, M., Wright, R. T., & Thatcher, J. B. (2017). Training to mitigate phishing attacks using mindfulness techniques. Journal of Management Information Systems, 34(2), 597-626.
Kob, T. N. H. B. T., Rahim, F. A., & Azman, F. (2020, August). Phishing Attack Simulation: Measuring Susceptibility among Undergraduate Students. In 2020 8th International Conference on Information Technology and Multimedia (ICIMU) (pp. 132-137). IEEE.
Luo, X. R., Zhang, W., Burd, S., & Seazzu, A. (2013). Investigating phishing victimization with the Heuristic–Systematic Model: A theoretical framework and an exploration. Computers & Security, 38, 28-38.
Sahingoz, O. K., Buber, E., Demir, O., & Diri, B. (2019). Machine learning based phishing detection from URLs. Expert Systems with Applications, 117, 345-357.
Walker, L. E. (2016). Deception of Phishing: Studying the Techniques of Social Engineering by Analyzing Modern-day Phishing Attacks on Universities.
Wright, R. T., Jensen, M. L., Thatcher, J. B., Dinger, M., & Marett, K. (2014). Research note—influence techniques in phishing attacks: an examination of vulnerability and resistance. Information systems research, 25(2), 385-400.
Download this blogpost in Spanish: