Susceptibility to Email Fraud: A Review of Psychological Perspectives, Data-Collection Methods, and Ethical Considerations

Susceptibility to Email Fraud: A Review of Psychological Perspectives, Data-Collection Methods, and Ethical Considerations

Helen S. Jones (Department of Psychology, Lancaster University, Lancaster, UK), John N. Towse (Department of Psychology, Lancaster University, Lancaster, UK) and Nicholas Race (School of Computing and Communications, Lancaster University, Lancaster, UK)
Copyright: © 2015 |Pages: 17
DOI: 10.4018/IJCBPL.2015070102
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

The authors review the existing literature on the psychology of email fraud, and attempt to integrate the small but burgeoning set of research findings. They show that research has adopted a variety of methodologies and taken a number of conceptual positions in the attempt to throw light on decisions about emails that may be in best-case scenarios, sub-optimal, or in the worst-case scenarios, catastrophic. They point to the potential from cognitive science and social psychology to inform the field, and attempt to identify the opportunities and limitations from researcher's design decisions. The study of email decision-making is an important topic in its own right, but also has the potential to inform about general cognitive processes too.
Article Preview

Introduction

The continued expansion of the internet provides a valuable source of entertainment, communication, and commerce. However, along with this comes the ever more sophisticated threat of online fraud, with reports that there are more than one million victims of consumer cybercrime every day (Norton Cybercrime report, 2013). Such fraud has obvious implications on a personal and commercial level, as well as within the criminal justice system. However, psychologically, it also offers an intriguing arena for the understanding of decision-making processes leading to online fraud victimisation, alongside a valuable environment within which to apply and test theoretical predictions for such behaviour. In this article, we attempt to map out some key contemporary issues for researchers, as well as potential directions for future work.

In order to keep the commentary concise and manageable, we restrict our remit to one specific aspect of online fraud; that of decision-making surrounding email management and phishing. A definition of phishing is not straightforward given the multitude of formats that these communications can take. Nonetheless, one broad and useful description is offered by Myers (2007):

Phishing: A form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate users’ confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organisation in an automated fashion. (p. 1)

Most of these email communications are sent out to thousands of internet users, with only a small response rate necessary to make it worthwhile (economically) for the attacker. On average, successful phishing attempts have around a five percent response rate (Norton, 2014). This makes phishing a potentially more sustainable fraud than more costly and time-consuming traditional formats, such as postal and telephone fraud.

Computer science research is continually developing more advanced algorithms to detect phishing emails before they reach the user’s inbox in both traditional network-based systems (e.g. Fette, Sadeh, & Tomasic, 2007; Bergholz et al., 2010; Islam, & Abawajy, 2013), but also more recently in cloud-based systems which aim to detect phishing attacks in the cloud before they even reach the network (Salah, Alcaraz Calero, Zeadally, Al-Mulla, & Alzaabi, 2013). However, the simultaneous increased sophistication of the emails themselves means that the benefits of these newly developed approaches are often short-lived; advances in the technology developed to detect phishing attacks are often quickly mirrored in the methods used by the fraudsters to circumvent such detection algorithms. Similarly, efforts to block the phishing websites that emails direct users to, through automated heuristic filters which detect machine learned patterns (e.g. in words used on the webpage - Abu-Nimeh, Nappa, Wang, & Nair, 2007; or in URLs - Garera, Provos, Chew, & Rubin, 2007), or through manual blacklisting, face the same issues with continual technological advancement on the part of the fraudsters in line with that of the researchers. Moreover, there may be a risk that users develop a false sense of security: if they believe (erroneously) that software can capture phish, then they may treat all messages that reach their inbox undetected, and accessible linked websites, as being genuine. The inaccuracy in these filtering efforts means that it is left to the user to recognise and manage potential phishing attempts.

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 7: 4 Issues (2017): 3 Released, 1 Forthcoming
Volume 6: 4 Issues (2016)
Volume 5: 4 Issues (2015)
Volume 4: 4 Issues (2014)
Volume 3: 4 Issues (2013)
Volume 2: 4 Issues (2012)
Volume 1: 4 Issues (2011)
View Complete Journal Contents Listing