A Quantitative Study of SMS Phishing Detection

Read original: arXiv:2311.06911 - Published 5/31/2024 by Daniel Timko, Daniel Hernandez Castillo, Muhammad Lutfor Rahman

Overview

  • The paper examines the threat of "smishing" - a form of phishing that uses SMS (text messages) to deceive users and steal sensitive information or install malware.
  • The researchers conducted an online survey with 187 participants to understand the factors that influence their ability to distinguish real SMS messages from fake (smishing) ones.
  • The study evaluated participants' security attitudes, behavior, and knowledge, and their accuracy in identifying real vs. fake SMS messages.

Plain English Explanation

Smartphones have become incredibly popular, and unfortunately, this has also led to a rise in digital threats targeting these devices. One of these threats is "smishing" - a combination of SMS (text messages) and phishing. In a smishing attack, malicious actors send deceptive text messages to try and trick users into giving up sensitive information, losing money, or installing malware on their mobile devices.

Despite the increase in smishing attacks, there hasn't been much research into what factors help users better identify real messages from fake ones. To address this, the researchers in this study ran an online survey with 187 people. They showed the participants 16 different SMS screenshots and evaluated how factors like the participants' attention, security knowledge, and behavior influenced their ability to detect smishing messages.

The key findings were that participants had more trouble identifying real messages as legitimate (43.6% accuracy) compared to spotting fake, smishing messages (67.1% accuracy). The researchers also found that participants' attention and security behavior scores had a significant impact on their overall accuracy in detecting smishing attempts.

This study is important for developing better strategies to protect people from smishing attacks. By understanding what makes it hard for users to differentiate real from fake messages, the researchers aim to help make people more resilient against these threats and create a safer digital environment for everyone.

Technical Explanation

The researchers conducted an online survey with 187 participants to investigate the factors that influence users' ability to detect smishing (SMS phishing) attacks. They presented the participants with 16 SMS screenshots, some of which were real messages and others were fake smishing attempts.

The study evaluated several factors that could impact the participants' smishing detection accuracy, including their attention, security attitudes, behaviors, and knowledge. The researchers measured the participants' accuracy in correctly identifying real vs. fake messages and then analyzed how the different factors correlated with their performance.

The results showed that participants had significantly higher accuracy (67.1%) in identifying fake, smishing messages compared to real messages (43.6%). This suggests that users have more difficulty recognizing legitimate SMS communications as legitimate than spotting malicious ones. The analysis also revealed that participants' attention and security behavior scores were strong predictors of their overall smishing detection accuracy.

By understanding the specific challenges users face in identifying smishing attacks, the researchers aim to inform the development of more effective strategies and technologies to protect people from these threats. The insights from this study can help bolster users' resilience against smishing and create a safer digital environment.

Critical Analysis

The study provides valuable insights into the factors that influence users' ability to detect smishing attacks. However, there are a few limitations and areas for further research that could be addressed:

  1. The study used a relatively small sample size of 187 participants, which may limit the generalizability of the findings. Expanding the study to a larger, more diverse population could help validate the results.

  2. The researchers only presented participants with 16 SMS screenshots, which may not fully capture the range of real-world smishing tactics. Evaluating a broader set of smishing examples could provide a more comprehensive understanding of users' detection capabilities.

  3. The study focused on self-reported security attitudes and behaviors, which can be subject to bias. Incorporating objective measures of security knowledge and skills could offer a more accurate assessment of users' abilities.

  4. While the study identified attention and security behavior as important factors, it did not delve into the specific cognitive processes or heuristics that users employ when assessing the legitimacy of SMS messages. Further research into the psychological and cognitive factors at play could help refine the understanding of smishing detection.

Despite these limitations, the study represents an important step in addressing the growing threat of smishing attacks. The findings can inform the development of user-centric security solutions and educational initiatives to enhance people's resilience against these deceptive tactics.

Conclusion

This study sheds light on the significant challenges users face in distinguishing real SMS messages from malicious smishing attempts. The researchers found that participants had much higher accuracy in detecting fake, smishing messages compared to legitimate ones, suggesting that users often struggle to recognize legitimate communications as genuine on their mobile devices.

The study's insights into the role of attention and security behavior in smishing detection can help inform the design of more effective security measures and educational programs. By understanding the factors that influence users' ability to detect smishing attacks, researchers and practitioners can work towards creating a safer digital environment and empowering people to better protect themselves from these evolving cyber threats.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers

A Quantitative Study of SMS Phishing Detection

Daniel Timko, Daniel Hernandez Castillo, Muhammad Lutfor Rahman

With the booming popularity of smartphones, threats related to these devices are increasingly on the rise. Smishing, a combination of SMS (Short Message Service) and phishing, has emerged as a treacherous cyber threat used by malicious actors to deceive users, aiming to steal sensitive information, money or install malware on their mobile devices. Despite the increase in smishing attacks in recent years, there are very few studies aimed at understanding the factors that contribute to a user's ability to differentiate real from fake messages. To address this gap in knowledge, we have conducted an online survey on smishing detection with 187 participants. In this study, we presented them with 16 SMS screenshots and evaluated how different factors affect their decision-making process in smishing detection. Next, we conducted a post-survey to garner information on the participants' security attitudes, behavior and knowledge. Our results highlighted that attention and security behavioral scores had a significant impact on participants' accuracy in identifying smishing messages. We found that participants had more difficulty identifying real messages from fake ones, with an accuracy of 67.1% with fake messages and 43.6% with real messages. Our study is crucial in developing proactive strategies to encounter and mitigate smishing attacks. By understanding what factors influence smishing detection, we aim to bolster users' resilience against such threats and create a safer digital environment for all.

5/31/2024

Assessing AI vs Human-Authored Spear Phishing SMS Attacks: An Empirical Study Using the TRAPD Method

Jerson Francia, Derek Hansen, Ben Schooley, Matthew Taylor, Shydra Murray, Greg Snow

This paper explores the rising concern of utilizing Large Language Models (LLMs) in spear phishing message generation, and their performance compared to human-authored counterparts. Our pilot study compares the effectiveness of smishing (SMS phishing) messages created by GPT-4 and human authors, which have been personalized to willing targets. The targets assessed the messages in a modified ranked-order experiment using a novel methodology we call TRAPD (Threshold Ranking Approach for Personalized Deception). Specifically, targets provide personal information (job title and location, hobby, item purchased online), spear smishing messages are created using this information by humans and GPT-4, targets are invited back to rank-order 12 messages from most to least convincing (and identify which they would click on), and then asked questions about why they ranked messages the way they did. They also guess which messages are created by an LLM and their reasoning. Results from 25 targets show that LLM-generated messages are most often perceived as more convincing than those authored by humans, with messages related to jobs being the most convincing. We characterize different criteria used when assessing the authenticity of messages including word choice, style, and personal relevance. Results also show that targets were unable to identify whether the messages were AI-generated or human-authored and struggled to identify criteria to use in order to make this distinction. This study aims to highlight the urgent need for further research and improved countermeasures against personalized AI-enabled social engineering attacks.

6/21/2024

Eyes on the Phish(er): Towards Understanding Users' Email Processing Pattern and Mental Models in Phishing Detection

Sijie Zhuo, Robert Biddle, Jared Daniel Recomendable, Giovanni Russello, Danielle Lottridge

Phishing emails typically masquerade themselves as reputable identities to trick people into providing sensitive information and credentials. Despite advancements in cybersecurity, attackers continuously adapt, posing ongoing threats to individuals and organisations. While email users are the last line of defence, they are not always well-prepared to detect phishing emails. This study examines how workload affects susceptibility to phishing, using eye-tracking technology to observe participants' reading patterns and interactions with tailored phishing emails. Incorporating both quantitative and qualitative analysis, we investigate users' attention to two phishing indicators, email sender and hyperlink URLs, and their reasons for assessing the trustworthiness of emails and falling for phishing emails. Our results provide concrete evidence that attention to the email sender can reduce phishing susceptibility. While we found no evidence that attention to the actual URL in the browser influences phishing detection, attention to the text masking links can increase phishing susceptibility. We also highlight how email relevance, familiarity, and visual presentation impact first impressions of email trustworthiness and phishing susceptibility.

9/14/2024

Large Language Models Spot Phishing Emails with Surprising Accuracy: A Comparative Analysis of Performance

Het Patel, Umair Rehman, Farkhund Iqbal

Phishing, a prevalent cybercrime tactic for decades, remains a significant threat in today's digital world. By leveraging clever social engineering elements and modern technology, cybercrime targets many individuals, businesses, and organizations to exploit trust and security. These cyber-attackers are often disguised in many trustworthy forms to appear as legitimate sources. By cleverly using psychological elements like urgency, fear, social proof, and other manipulative strategies, phishers can lure individuals into revealing sensitive and personalized information. Building on this pervasive issue within modern technology, this paper aims to analyze the effectiveness of 15 Large Language Models (LLMs) in detecting phishing attempts, specifically focusing on a randomized set of 419 Scam emails. The objective is to determine which LLMs can accurately detect phishing emails by analyzing a text file containing email metadata based on predefined criteria. The experiment concluded that the following models, ChatGPT 3.5, GPT-3.5-Turbo-Instruct, and ChatGPT, were the most effective in detecting phishing emails.

6/10/2024