Unpacking Spear Phishing Susceptibility

  • Zinaida BenensonEmail author
  • Freya Gassmann
  • Robert Landwirth
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10323)


We report the results of a field experiment where we sent to over 1200 university students an email or a Facebook message with a link to (non-existing) party pictures from a non-existing person, and later asked them about the reasons for their link clicking behavior. We registered a significant difference in clicking rates: 20% of email versus 42.5% of Facebook recipients clicked. The most frequently reported reason for clicking was curiosity (34%), followed by the explanations that the message fit recipient’s expectations (27%). Moreover, 16% thought that they might know the sender. These results show that people’s decisional heuristics are relatively easy to misuse in a targeted attack, making defense especially challenging.


Spear phishing Facebook Decisional heuristics 



We thank Nadina Hintz, Andreas Luder and Gaston Pugliese for their invaluable help in data gathering and analysis. Zinaida Benenson and Robert Landwirth were supported by the Bavarian State Ministry of Education, Science and the Arts within the scope of research association FORSEC (


  1. 1.
    Alsharnouby, M., Alaca, F., Chiasson, S.: Why phishing still works: user strategies for combating phishing attacks. Int. J. Hum. Comput. Stud. 82, 69–82 (2015)CrossRefGoogle Scholar
  2. 2.
    Anti-Phishing Working Group (APWG): How to avoid phishing scams.
  3. 3.
    Banerjee, M., Capozzoli, M., McSweeney, L., Sinha, D.: Beyond kappa: a review of interrater agreement measures. Can. J. Stat. 27(1), 3–23 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Benenson, Z., Girard, A., Hintz, N., Luder, A.: Susceptibility to URL-based Internet attacks: Facebook vs. email. In: 6th IEEE International Workshop on SEcurity and SOCial Networking (SESOC), pp. 604–609. IEEE (2014)Google Scholar
  5. 5.
    Bilge, L., Strufe, T., Balzarotti, D., Kirda, E.: All your contacts are belong to us: automated identity theft attacks an online social networks. In: 18th International Conference on World Wide Web (2009)Google Scholar
  6. 6.
    Blythe, M., Petrie, H., Clark, J.A.: F for fake: four studies on how we fall for Phish. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2011, pp. 3469–3478 (2011)Google Scholar
  7. 7.
    Boshmaf, Y., Muslukhov, I., Beznosov, K., Ripeanu, M.: The socialbot network: when bots socialize for fame and money. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 93–102. ACM (2011)Google Scholar
  8. 8.
    Brown, G., Howe, T., Ihbe, M., Prakash, A., Borders, K.: Social networks and context-aware spam. In: Proceedings of the 2008 ACM Conference on Computer Supported Cooperative Work, pp. 403–412. ACM (2008)Google Scholar
  9. 9.
    Canova, G., Volkamer, M., Bergmann, C., Borza, R., Reinheimer, B., Stockhardt, S., Tenberg, R.: Learn to spot phishing URLs with the Android NoPhish App. In: Bishop, M., Miloslavskaya, N., Theocharidou, M. (eds.) WISE 2015. IAICT, vol. 453, pp. 87–100. Springer, Cham (2015). Google Scholar
  10. 10.
    Caputo, D.D., Pfleeger, S.L., Freeman, J.D., Johnson, M.E.: Going spear phishing: exploring embedded training and awareness. IEEE Secur. Priv. 12(1), 28–38 (2014)CrossRefGoogle Scholar
  11. 11.
    Cohen, J.: A coefficient of agreement for nominal scales. Educ. Psychol. Measur. 20(1), 36–47 (1960)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2006, pp. 581–590 (2006)Google Scholar
  13. 13.
    Downs, J.S., Holbrook, M.B., Cranor, L.F.: Decision strategies and susceptibility to phishing. In: Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS 2006, pp. 79–90 (2006)Google Scholar
  14. 14.
    Egelman, S., Cranor, L.F., Hong, J.: You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2008, pp. 1065–1074 (2008)Google Scholar
  15. 15.
    Goodin, D.: Crypto ransomware targets called by name in spear-phishing blast. Ars Technica, 4 April 2016Google Scholar
  16. 16.
    Hong, J.: The state of phishing attacks. Commun. ACM 55(1), 74–81 (2012)CrossRefGoogle Scholar
  17. 17.
    Infosec Institute: Spear Phishing: Real Life Examples. Accessed Mar 2017
  18. 18.
    Irani, D., Balduzzi, M., Balzarotti, D., Kirda, E., Pu, C.: Reverse social engineering attacks in online social networks. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 55–74. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  19. 19.
    Jagatic, T.N., Johnson, N.A., Jakobsson, M., Menczer, F.: Social phishing. Commun. ACM 50(10), 94–100 (2007)CrossRefGoogle Scholar
  20. 20.
    Jakobsson, M., Ratkiewicz, J.: Designing ethical phishing experiments: a study of (ROT13) rOnl query features. In: 15th International Conference on World Wide Web (2006)Google Scholar
  21. 21.
    Jakobsson, M., Johnson, N., Finn, P.: Why and how to perform fraud experiments. IEEE Secur. Priv. 6(2), 66–68 (2008)CrossRefGoogle Scholar
  22. 22.
    Kahneman, D.: Thinking, Fast and Slow. Macmillan, Basingstoke (2011)Google Scholar
  23. 23.
    Kaspersky Lab Exposes Facebook Phishing Attacks: 10,000 Victims in Two Days June 2016.
  24. 24.
    Khonji, M., Iraqi, Y., Jones, A.: Phishing detection: a literature survey. IEEE Commun. Surv. Tutor. 15(4), 2091–2121 (2013)CrossRefGoogle Scholar
  25. 25.
    Kirlappos, I., Sasse, M.A.: Security education against phishing: a modest proposal for a major rethink. IEEE Secur. Priv. Mag. 10(2), 24–32 (2012)CrossRefGoogle Scholar
  26. 26.
    Kumaraguru, P., Cranshaw, J., Acquisti, A., Cranor, L.F., Hong, J., Blair, M.A., Pham, T.: School of Phish: a real-world evaluation of anti-phishing training. In: Symposium On Usable Privacy and Security (SOUPS) (2009)Google Scholar
  27. 27.
    Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L., Hong, J.: Lessons from a real world evaluation of anti-phishing training. Anti-Phishing Working Group (2008)Google Scholar
  28. 28.
    Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L.F., Hong, J.: Teaching Johnny not to fall for phish. ACM Trans. Internet Technol. (TOIT) 10(2), 7 (2010)CrossRefGoogle Scholar
  29. 29.
    Lenz, R.: In Indiana phishing study, students take the bait. USA Today, 23 July 2007.
  30. 30.
    Northcutt, S.: Spear Phishing (Methods of Attack Series). Accessed Mar 2017
  31. 31.
    Oliveira, D., Rocha, H., Yang, H., Ellis, D., Dommaraju, S., Muradoglu, M., Weir, D., Soliman, A., Lin, T., Ebner, N.: Dissecting spear phishing emails for older vs young adults: on the interplay of weapons of influence and life domains in predicting susceptibility to phishing. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2017 (2017)Google Scholar
  32. 32.
    Osterman Research Survey: Understanding the Depth of the Global Ransomware Problem (2016)Google Scholar
  33. 33.
    Sasse, A.: Scaring and bullying people into security won’t work. IEEE Secur. Priv. 13(3), 80–83 (2015)CrossRefGoogle Scholar
  34. 34.
    Schreier, M.: Qualitative Content Analysis in Practice. Sage Publications, Thousand Oaks (2012)Google Scholar
  35. 35.
    Seymour, J., Tully, P.: Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter. Black Hat USA (2016)Google Scholar
  36. 36.
    Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L.F., Downs, J.: Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 373–382. ACM (2010)Google Scholar
  37. 37.
    Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L.F., Hong, J., Nunge, E.: Anti-phishing phil: the design and evaluation of a game that teaches people not to fall for phish. In: Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS 2007, pp. 88–99 (2007)Google Scholar
  38. 38.
    Sophos: Facebook users at risk of “rubber duck” identity attack.
  39. 39.
    Stockhardt, S., Reinheimer, B., Volkamer, M., Mayer, P., Kunz, A., Rack, P., Lehmann, D.: Teaching phishing-security: which way is best? In: Hoepman, J.-H., Katzenbeisser, S. (eds.) SEC 2016. IAICT, vol. 471, pp. 135–149. Springer, Cham (2016). CrossRefGoogle Scholar
  40. 40.
    Stringhini, G., Kruegel, C., Vigna, G.: Detecting spammers on social networks. In: 26th Annual Computer Security Applications Conference (2010)Google Scholar
  41. 41.
    Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., Bailey, M.: Users really do plug in USB drives they find. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 306–319. IEEE (2016)Google Scholar
  42. 42.
    Vaas, L.: Beware the latest tax-season spear-phishing scam. Accessed Mar 2017
  43. 43.
    Verizon 2016 Data Breach Investigations Report (2016)Google Scholar
  44. 44.
    Vidas, T., Owusu, E., Wang, S., Zeng, C., Cranor, L.F., Christin, N.: QRishing: the susceptibility of smartphone users to QR code phishing attacks. In: Adams, A.A., Brenner, M., Smith, M. (eds.) FC 2013. LNCS, vol. 7862, pp. 52–69. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  45. 45.
    Vishwanath, A., Herath, T., Chen, R., Wang, J., Rao, H.R.: Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decis. Support Syst. 51(3), 576–586 (2011)CrossRefGoogle Scholar
  46. 46.
    Wilson, T.D.: Strangers to Ourselves. Harvard University Press, Cambridge (2004)Google Scholar
  47. 47.
    Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 601–610. ACM (2006)Google Scholar
  48. 48.
    Zhang, Y., Egelman, S., Cranor, L., Hong, J.: Phinding phish: evaluating anti-phishing tools. In: Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS) (2007)Google Scholar

Copyright information

© International Financial Cryptography Association 2017

Authors and Affiliations

  • Zinaida Benenson
    • 1
    Email author
  • Freya Gassmann
    • 2
  • Robert Landwirth
    • 1
  1. 1.Friedrich-Alexander-Universität Erlangen-NürnbergErlangenGermany
  2. 2.Universität des SaarlandesSaarbrückenGermany

Personalised recommendations