Introduction
The continued expansion of the internet provides a valuable source of entertainment, communication, and commerce. However, along with this comes the ever more sophisticated threat of online fraud, with reports that there are more than one million victims of consumer cybercrime every day (Norton Cybercrime report, 2013). Such fraud has obvious implications on a personal and commercial level, as well as within the criminal justice system. However, psychologically, it also offers an intriguing arena for the understanding of decision-making processes leading to online fraud victimisation, alongside a valuable environment within which to apply and test theoretical predictions for such behaviour. In this article, we attempt to map out some key contemporary issues for researchers, as well as potential directions for future work.
In order to keep the commentary concise and manageable, we restrict our remit to one specific aspect of online fraud: decision-making surrounding email management and phishing. A definition of phishing is not straightforward given the multitude of formats that these communications can take. Nonetheless, one broad and useful description is offered by Myers (2007):
Phishing: A form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate users’ confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organisation in an automated fashion. (p. 1)
Most of these email communications are sent out to thousands of internet users, with only a small response rate necessary to make it worthwhile (economically) for the attacker. On average, successful phishing attempts have around a five percent response rate (Norton, 2014). This makes phishing a potentially more sustainable fraud than more costly and time-consuming traditional formats, such as postal and telephone fraud.
Computer science research is continually developing more advanced algorithms to detect phishing emails before they reach the user’s inbox, not only in traditional network-based systems (e.g. Fette, Sadeh, & Tomasic, 2007; Bergholz et al., 2010; Islam & Abawajy, 2013) but also, more recently, in cloud-based systems which aim to detect phishing attacks in the cloud before they even reach the network (Salah, Alcaraz Calero, Zeadally, Al-Mulla, & Alzaabi, 2013). However, the simultaneous increase in the sophistication of the emails themselves means that the benefits of these newly developed approaches are often short-lived; advances in the technology developed to detect phishing attacks are often quickly mirrored in the methods used by the fraudsters to circumvent such detection algorithms. Similarly, efforts to block the phishing websites that emails direct users to, whether through automated heuristic filters which detect machine-learned patterns (e.g. in words used on the webpage - Abu-Nimeh, Nappa, Wang, & Nair, 2007; or in URLs - Garera, Provos, Chew, & Rubin, 2007) or through manual blacklisting, face the same issue: the fraudsters’ techniques advance continually, in step with those of the researchers. Moreover, there may be a risk that users develop a false sense of security: if they believe (erroneously) that software can capture all phish, then they may treat every message that reaches their inbox undetected, and every linked website that remains accessible, as genuine. The inaccuracy of these filtering efforts means that it is left to the user to recognise and manage potential phishing attempts.
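To make the two blocking approaches mentioned above concrete, here is an added example (not code from the original article or from any of the cited papers) of a small URL-based heuristic filter combined with a blacklist lookup. It uses lexical cues of the kind URL-pattern filters rely on (a raw IP address as the host, a brand name appearing outside its registered domain, credential-related words in the path). The brand domain examplebank.example, the .invalid hosts, the blacklist entry and the sample message are all constructed for the example; none of them are real indicators. The point of the three-way verdict is the false-sense-of-security problem in the paragraph above: a URL with no detectable signal is reported as "unreviewed", not as genuine, so the decision is explicitly handed back to the user rather than silently resolved in the message's favour.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample blacklist. ".invalid" is a reserved TLD, so no real site is named.
BLACKLIST = {"secure-login-update.invalid"}

# Credential-related words that lexical URL filters commonly treat as a weak signal.
SUSPICIOUS_TOKENS = ("login", "verify", "update", "account", "secure", "signin")

# Hypothetical brand and the hypothetical domain it legitimately uses.
BRAND = "examplebank"
BRAND_DOMAIN = "examplebank.example"

# Simple URL extractor for plain-text message bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Verdict:
    url: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _blacklisted(host: str) -> bool:
    # Match the listed host and any subdomain of it.
    return any(host == b or host.endswith("." + b) for b in BLACKLIST)


def score_url(url: str) -> Verdict:
    """Score one URL with additive heuristics; higher means more suspicious."""
    v = Verdict(url)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    lexical = (host + parsed.path + "?" + parsed.query).lower()

    if _blacklisted(host):
        v.score += 5
        v.reasons.append("blacklisted host")

    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        v.score += 3
        v.reasons.append("raw IP address as host")
    elif host.count(".") >= 3:
        v.score += 1
        v.reasons.append("deeply nested subdomain")

    if "@" in parsed.netloc:
        v.score += 3
        v.reasons.append("userinfo before host")

    hits = [t for t in SUSPICIOUS_TOKENS if t in lexical]
    if hits:
        v.score += len(hits)
        v.reasons.append("suspicious tokens: " + ", ".join(hits))

    # Brand name present, but the registered domain is not the brand's own.
    if BRAND in lexical and not (host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)):
        v.score += 3
        v.reasons.append("brand name outside its registered domain")
    return v


def classify(url: str, block_at: int = 5, warn_at: int = 2) -> str:
    """Three-way verdict: 'block', 'warn', or 'unreviewed' (no signal, user must judge)."""
    s = score_url(url).score
    if s >= block_at:
        return "block"
    if s >= warn_at:
        return "warn"
    return "unreviewed"


def triage_email(body: str) -> dict:
    """Map every URL in a message body to its verdict."""
    return {u: classify(u) for u in URL_RE.findall(body)}


# Constructed sample message; each URL sits on its own line so the extractor stops cleanly.
SAMPLE_EMAIL = """Dear customer, please verify your account:
http://examplebank.example.secure-login-update.invalid/verify?user=1
Your statement is attached here:
https://docs-share.invalid/f/8a1
"""

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL).items():
        print(verdict, url, score_url(url).reasons)
```

Run as a script, the first sample URL is blocked (blacklisted host, brand name outside its own domain, several credential tokens), while the second carries no signal at all and is returned as "unreviewed" rather than as safe. That second result is the residual risk the article is concerned with: the filter has nothing to say, and the recipient still has to decide.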