Phishing Attacks Root Causes

  • Hossein AbroshanEmail author
  • Jan Devos
  • Geert Poels
  • Eric Laermans
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10694)


Nowadays, many people are losing considerable wealth due to online scams. Phishing is one of the means that a scammer can use to deceitfully obtain the victim’s personal identification, bank account information, or any other sensitive data. There are a number of anti-phishing techniques and tools in place, but unfortunately phishing still works. One of the reasons is that phishers usually use human behaviour to design and then utilise a new phishing technique. Therefore, identifying the psychological and sociological factors used by scammers could help us to tackle the very root causes of fraudulent phishing attacks. This paper recognises some of those factors and creates a cause-and-effect diagram to clearly present the categories and factors which make up the root causes of phishing scams. The illustrated diagram is extendable with additional phishing causes.


Phishing Scam Root causes Behaviour 


  1. 1.
    Chang, E.H., Chiew, K.L., Sze, S.N., Tiong, W.K.: Phishing detection via identification of website identity. In: International Conference on IT Convergence and Security (ICITCS), pp. 1–4 (2013) Google Scholar
  2. 2.
    Li, S., Schmitz, R.: A novel anti-phishing framework based on honeypots. In: eCrime Researchers Summit, eCRIME 2009, pp. 1–13 (2009)Google Scholar
  3. 3.
    Harrison, B., Vishwanath, A., Rao, R.: A user-centered approach to phishing susceptibility: the role of a suspicious personality in protecting against phishing. In: 2016 49th Hawaii International Conference on System Sciences (HICSS), pp. 5628–5634. IEEE (2016)Google Scholar
  4. 4.
    Vishwanath, A., Harrison, B., Ng, Y.J.: Suspicion, cognition, and automaticity model of phishing susceptibility. Commun. Res. (2016).
  5. 5.
    Webster, J., Watson, R.T.: Analyzing the past to prepare for the future: writing a literature review. MIS Q. 26, xiii–xxiii (2002)Google Scholar
  6. 6.
    Tayade, P.C., Wadhe, A.P.: Review paper on privacy preservation through phishing email filter. Int. J. Eng. Trends Technol. (IJETT) 9, 4 (2014)Google Scholar
  7. 7.
    Zhuang, W., Jiang, Q., Xiong, T.: An intelligent anti-phishing strategy model for phishing website detection. In: 2012 32nd International Conference on Distributed Computing Systems Workshops, pp. 51–56 (2012)Google Scholar
  8. 8.
    Hong, J.: The state of phishing attacks. Commun. ACM 55, 74–81 (2012)CrossRefGoogle Scholar
  9. 9.
    Lynch, J.: Identity theft in cyberspace: crime control methods and their effectiveness in combating phishing attacks. Berkeley Technol. Law J. 20, 259 (2005)Google Scholar
  10. 10.
    Jakobsson, M., Ratkiewicz, J.: Designing ethical phishing experiments: a study of (ROT13) rOnl query features. In: Proceedings of the 15th International Conference on World Wide Web, pp. 513–522. ACM, Edinburgh (2006)Google Scholar
  11. 11.
    Bergholz, A., De Beer, J., Glahn, S., Moens, M.-F., Paaß, G., Strobel, S.: New filtering approaches for phishing email. J. Comput. Secur. 18, 7–35 (2010)CrossRefGoogle Scholar
  12. 12.
    Chandrasekaran, M., Karayanan, K., Upadhyaya, S.: Towards phishing e-mail detection based on their structural properties. In: New York State Cyber Security Conference (2006)Google Scholar
  13. 13.
    Rigoutsos, I., Huynh, T.: Chung-Kwei: a pattern-discovery-based system for the automatic identification of unsolicited E-mail messages (SPAM). In: CEAS: First Conference on Email and Anti-Spam (2004)Google Scholar
  14. 14.
    Fette, I., Sadeh, N., Tomasic, A.: Learning to detect phishing emails. In: Proceedings of the 16th International Conference on World Wide Web, pp. 649–656. ACM, Banff (2007)Google Scholar
  15. 15.
    Toolan, F., Carthy, J.: Phishing detection using classifier ensembles. In: eCrime Researchers Summit, eCRIME 2009, pp. 1–9 (2009)Google Scholar
  16. 16.
    Herzberg, A.: DNS-based email sender authentication mechanisms: a critical review. Comput. Secur. 28, 731–742 (2009)CrossRefGoogle Scholar
  17. 17.
    Yu, W.D., Nargundkar, S., Tiruthani, N.: PhishCatch - a phishing detection tool. In: 33rd Annual IEEE International Computer Software and Applications Conference, COMPSAC 2009, pp. 451–456 (2009)Google Scholar
  18. 18.
    Hamid, I.R.A., Abawajy, J.: Hybrid feature selection for phishing email detection. In: Xiang, Y., Cuzzocrea, A., Hobbs, M., Zhou, W. (eds.) ICA3PP 2011. LNCS, vol. 7017, pp. 266–275. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  19. 19.
    Ma, L., Ofoghi, B., Watters, P., Brown, S.: Detecting phishing emails using hybrid features. In: Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing, UIC-ATC 2009, pp. 493–497 (2009)Google Scholar
  20. 20.
    Zhang, Y., Hong, J.I., Cranor, L.F.: Cantina: a content-based approach to detecting phishing web sites. In: Proceedings of the 16th International Conference on World Wide Web, pp. 639–648. ACM, Banff (2007)Google Scholar
  21. 21.
    Chen, T.-C., Dick, S., Miller, J.: Detecting visually similar web pages: application to phishing detection. ACM Trans. Internet Technol. 10, 1–38 (2010)CrossRefGoogle Scholar
  22. 22.
    Rosiello, A.P., Kirda, E., Ferrandi, F.: A layout-similarity-based approach for detecting phishing pages. In: Third International Conference on Security and Privacy in Communications Networks and the Workshops, SecureComm 2007, pp. 454–463. IEEE (2007)Google Scholar
  23. 23.
    Liu, W., Deng, X., Huang, G., Fu, A.Y.: An antiphishing strategy based on visual similarity assessment. IEEE Internet Comput. 10, 58 (2006)Google Scholar
  24. 24.
    Zhou, Y., Zhang, Y., Xiao, J., Wang, Y., Lin, W.: Visual similarity based anti-phishing with the combination of local and global features. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 189–196 (2014)Google Scholar
  25. 25.
    Chen, T.-C., Stepan, T., Dick, S., Miller, J.: An anti-phishing system employing diffused information. ACM Trans. Inf. Syst. Secur. (TISSEC) 16, 16 (2014)Google Scholar
  26. 26.
    Chou, N., Ledesma, R., Teraguchi, Y., Mitchell, J.C.: Client-side defense against web-based identity theft. In: NDSS. The Internet Society (2004)Google Scholar
  27. 27.
    Garera, S., Provos, N., Chew, M., Rubin, A.D.: A framework for detection and measurement of phishing attacks. In: Proceedings of the 2007 ACM Workshop on Recurring Malcode, pp. 1–8. ACM, Alexandria (2007)Google Scholar
  28. 28.
    Nguyen, L.A.T., To, B.L., Nguyen, H.K., Nguyen, M.H.: A novel approach for phishing detection using URL-based heuristic. In: International Conference on Computing, Management and Telecommunications (ComManTel), pp. 298–303 (2014)Google Scholar
  29. 29.
    Wu, M., Miller, R.C., Little, G.: Web wallet: preventing phishing attacks by revealing user intentions. In: Proceedings of the Second Symposium on Usable Privacy and Security, pp. 102–113. ACM (2006)Google Scholar
  30. 30.
    Kim, Y.-G., Cho, S., Lee, J.-S., Lee, M.-S., Kim, I.H., Kim, S.H.: Method for evaluating the security risk of a website against phishing attacks. In: Yang, C.C., et al. (eds.) ISI 2008. LNCS, vol. 5075, pp. 21–31. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  31. 31.
    Cao, Y., Han, W., Le, Y.: Anti-phishing based on automated individual white-list. In: Proceedings of the 4th ACM Workshop on Digital Identity Management, pp. 51–60. ACM, Alexandria (2008)Google Scholar
  32. 32.
    Dong, X., Clark, J.A., Jacob, J.L.: Defending the weakest link: phishing websites detection by analysing user behaviours. Telecommun. Syst. 45, 215–226 (2010)CrossRefGoogle Scholar
  33. 33.
    Likarish, P., Eunjin, J., Dunbar, D., Hansen, T.E., Hourcade, J.P.: B-APT: Bayesian anti-phishing toolbar. In: International Conference on Communications, ICC 2008, pp. 1745–1749. IEEE (2008)Google Scholar
  34. 34.
    Prakash, P., Kumar, M., Kompella, R.R., Gupta, M.: PhishNet: predictive blacklisting to detect phishing attacks. In: 2010 Proceedings IEEE, INFOCOM, pp. 1–5 (2010)Google Scholar
  35. 35.
    Whittaker, C., Ryner, B., Nazif, M.: Large-scale automatic classification of phishing pages. In: NDSS. The Internet Society (2010)Google Scholar
  36. 36.
    Bo, H., Wei, W., Liming, W., Guanggang, G., Yali, X., Xiaodong, L., Wei, M.: A hybrid system to find & fight phishing attacks actively. In: Proceedings of the 2011 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology, vol. 1, pp. 506–509. IEEE Computer Society (2011)Google Scholar
  37. 37.
    Marchal, S., Armano, G., Grondahl, T., Saari, K., Singh, N., Asokan, N.: Off-the-Hook: an efficient and usable client-side phishing prevention application. IEEE Trans. Comput. PP, 1 (2017)MathSciNetGoogle Scholar
  38. 38.
    Braun, B., Johns, M., Koestler, J., Posegga, J.: PhishSafe: leveraging modern JavaScript API’s for transparent and robust protection. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, pp. 61–72. ACM, San Antonio (2014)Google Scholar
  39. 39.
    Dhamija, R., Tygar, J.D.: The battle against phishing: dynamic security skins. In: Proceedings of the 2005 Symposium on Usable Privacy and Security, pp. 77–88. ACM, Pittsburgh (2005)Google Scholar
  40. 40.
    Huang, C.-Y., Ma, S.-P., Chen, K.-T.: Using one-time passwords to prevent password phishing attacks. J. Netw. Comput. Appl. 34, 1292–1301 (2011)CrossRefGoogle Scholar
  41. 41.
    Yee, K.-P., Sitaker, K.: Passpet: convenient password management and phishing protection. In: Proceedings of the Second Symposium on Usable Privacy and Security, pp. 32–43. ACM, Pittsburgh (2006)Google Scholar
  42. 42.
    Husák, M., Cegan, J.: PhiGARo: automatic phishing detection and incident response framework. In: 2014 Ninth International Conference on Availability, Reliability and Security, pp. 295–302 (2014) Google Scholar
  43. 43.
    Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: Usenix Security, pp. 17–32. Baltimore (2005)Google Scholar
  44. 44.
    Bignell, K.B.: Authentication in an internet banking environment: towards developing a strategy for fraud detection. In: International Conference on Internet Surveillance and Protection (ICISP 2006), p. 23 (2006)Google Scholar
  45. 45.
    Steel, C.M., Lu, C.-T.: Impersonator identification through dynamic fingerprinting. Digit. Investig. 5, 60–70 (2008)CrossRefGoogle Scholar
  46. 46.
    Ramachandran, A., Feamster, N., Krishnamurthy, B., Spatscheck, O., Van der Merwe, J.: Fishing for phishing from the network stream. Technical report (2008)Google Scholar
  47. 47.
    Li, S., Schmitz, R.: A novel anti-phishing framework based on honeypots. In: 2009 eCrime Researchers Summit, pp. 1–13 (2009)Google Scholar
  48. 48.
    Han, X., Kheir, N., Balzarotti, D.: PhishEye: live monitoring of sandboxed phishing kits. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1402–1413. ACM (2016)Google Scholar
  49. 49.
    Alnajim, A., Munro, M.: An evaluation of users’ anti-phishing knowledge retention. In: International Conference on Information Management and Engineering, ICIME 2009, pp. 210–214. IEEE (2009)Google Scholar
  50. 50.
    Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L.F., Hong, J., Nunge, E.: Protecting people from phishing: the design and evaluation of an embedded training email system. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 905–914. ACM (2007)Google Scholar
  51. 51.
    Yang, W., Xiong, A., Chen, J., Proctor, R.W., Li, N.: Use of phishing training to improve security warning compliance: evidence from a field experiment. In: Proceedings of the Hot Topics in Science of Security: Symposium and Bootcamp, pp. 52–61. ACM, Hanover (2017)Google Scholar
  52. 52.
    Bose, I., Leung, A.C.M.: Unveiling the mask of phishing: threats, preventive measures, and responsibilities. Commun. Assoc. Inf. Syst. 19, 24 (2007)Google Scholar
  53. 53.
    European Commission: Reform of EU data protection rules (2016)Google Scholar
  54. 54.
  55. 55.
    UK Legislation: Fraud Act 2006. UK Legislation (2006)Google Scholar
  56. 56.
    BaFin: Rundschreiben 4/2015 (BA): Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) (2015)Google Scholar
  57. 57.
  58. 58.
    Suryavanshi, N., Jain, A.: Phishing detection in selected feature using modified SVM-PSO. IJRCCT 5, 208–214 (2016)Google Scholar
  59. 59.
    Chaudhry, J.A., Chaudhry, S.A., Rittenhouse, R.G.: Phishing attacks and defenses. Int. J. Secur. its Appl. 10, 247–256 (2016)Google Scholar
  60. 60.
    Anti-Phishing Working Group: Accessed 11 Aug 2106
  61. 61.
    Ramamoorti, S., Olsen, W.: Fraud: the human factor; many discount behavioral explanations for fraud, but as the incidence of fraud continues to grow, placing the spotlight on behavioral factors may be an important approach not only to detection, but to deterrence as well. Financ. Exec. 23, 53–56 (2007)Google Scholar
  62. 62.
    Chaiken, S.: Heuristic versus systematic information processing and the use of source versus message cues in persuasion. J. Pers. Soc. Psychol. 39, 752–766 (1980)CrossRefGoogle Scholar
  63. 63.
    Mayer, R.C., Davis, J.H., Schoorman, F.D.: An integrative model of organizational trust. Acad. Manag. Rev. 20, 709–734 (1995)Google Scholar
  64. 64.
    Alesina, A., La Ferrara, E.: Who trusts others? J. Public Econ. 85, 207–234 (2002)CrossRefGoogle Scholar
  65. 65.
    Butler, J.K.: Toward understanding and measuring conditions of trust: evolution of a conditions of trust inventory. J. Manag. 17, 643–663 (1991)Google Scholar
  66. 66.
    Khodyakov, D.: Trust as a process a three-dimensional approach. Sociology 41, 115–132 (2007)CrossRefGoogle Scholar
  67. 67.
    Klein, D.B.: Knowledge and Coordination: A Liberal Interpretation. Oxford University Press, Oxford (2011)Google Scholar
  68. 68.
    Huang, J., Nicol, D.: A Formal-Semantics-Based Calculus of Trust. IEEE Internet Comput. 14, 38–46 (2010)CrossRefGoogle Scholar
  69. 69.
    Oliveira, A.: A discussion of rational and psychological decision making theories and models: the search for a cultural-ethical decision making model. Electron. J. Bus. Ethics Organ. Stud. 12, 12–13 (2007)Google Scholar
  70. 70.
    Bezerra, S., Cherruault, Y., Fourcade, J., Veron, G.: A mathematical model for the human decision-making process. Math. Comput. Model. 24, 21–26 (1996)CrossRefzbMATHGoogle Scholar
  71. 71.
    Tversky, A., Kahneman, D.: Rational choice and the framing of decisions. J. Bus. 59, S251–S278 (1986)CrossRefzbMATHGoogle Scholar
  72. 72.
    Kahneman, D., Tversky, A.: On the psychology of prediction. Psychol. Rev. 80, 237 (1973)CrossRefGoogle Scholar
  73. 73.
    Mitnick, K.D., Simon, W.L.: The Art of Deception: Controlling the Human Element of Security. Wiley, Hoboken (2011)Google Scholar
  74. 74.
    Lea, S., Fischer, P., Evans, K.: The psychology of scams: provoking and committing errors of judgement. Report for the Office of Fair Trading (2009).
  75. 75.
    Rusch, J.J.: The “social engineering” of internet fraud. In: Internet Society Annual Conference (1999).
  76. 76.
    Loewenstein, G.: Out of control: visceral influences on behavior. Organ. Behav. Hum. Decis. Process. 65, 272–292 (1996)CrossRefGoogle Scholar
  77. 77.
    Langenderfer, J., Shimp, T.A.: Consumer vulnerability to scams, swindles, and fraud: a new theory of visceral influences on persuasion. Psychol. Mark. 18, 763–783 (2001)CrossRefGoogle Scholar
  78. 78.
    Strack, F., Neumann, R.: “The spirit is willing, but the flesh is weak”: beyond mind-body interactions in human decision-making. Organ. Behav. Hum. Decis. Process. 65, 300–304 (1996)CrossRefGoogle Scholar
  79. 79.
    Bolles, R.C.: Theory of Motivation. HarperCollins Publishers, New York (1975)Google Scholar
  80. 80.
    Pribram, K.H.: Emotion: a neurobehavioral analysis. In: Approaches to Emotion, pp. 13–38 (1984)Google Scholar
  81. 81.
    Gano, D.L.: Comparison of common root cause analysis tools and methods. In: Apollo Root Cause Analysis-A New Way of Thinking (2007)Google Scholar
  82. 82.
    Ishikawa, K.: Introduction to Quality Control. Productivity Press, Cambridge (1990)Google Scholar
  83. 83.
    Juran, J.M., Godfrey, A.B.: Quality Handbook. Republished McGraw-Hill, New York (1999)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Ghent UniversityGhentBelgium

Personalised recommendations