It’s tax season in the US, which means many of us will receive malicious emails disguised to look like they’re from the IRS.
Millions of these type of email phishing attacks occur daily.
The malware in these emails open back doors to computer networks that provide hackers with access to people’s personal information. Some intrusions install key loggers that track what the person in typing or the sites they visit.
And a new class of “ransomware” encrypts every file on a hard driver or server, holding the data hostage until users pay an untraceable ransom in bitcoin.
“If the internet were the real world it would be the most dangerous city on earth,” says Arun Vishwanath, a cybersecurity expert who has developed a training model to help companies figure out why some employees fall for the attacks.
Vishwanath, an associate professor in the communication at the University at Buffalo, says the model is the first to account for multiple influences that contribute to the success of these attacks.
Targeted training
The model encourages a new approach to training based on individual, predictive profiles of computer users, rather than relying on the current blanket training approach for everyone—a method that previous research has shown to be of limited effectiveness because people are often victimized hours after they’ve finished their training, according to Vishwanath.
“Once we understand why certain people fall for attacks, we can target them with the appropriate training and education.”
Vishwanath’s study, published in the journal Communication Research, tested the model by actually simulating different types of phishing attacks on real-world subjects.
[This is how phishing scams trick you]
“Calling people into a lab doesn’t work for this kind of research because there is a heightened sense of awareness,” he says. “Subjects in labs look at a screen and are asked if they believe they’re looking at a phishing email. In reality, most people don’t focus on emails and appear to be far less suspicious and far more susceptible than when they are in a lab.
“Methodologically, the premise I work with is that we have to play the role of the ‘bad guys’ in order to study how and why people are victimized.”
The Suspicion, Cognition, and Automaticity Model (SCAM) explains what contributes to the origin of suspicion by accounting for a user’s email habits and two ways of processing information: heuristics, or thumb rules that lead to snap judgments about a message’s content; and a deeper, systematic processing about an email’s content.
“A fourth measure, cyber-risk beliefs, taps into the individual’s perception about risks associated with online behaviors,” he says.
Vishwanath’s model accounts for these layers and the relationships among them with each measure, providing a brush stroke that composes an overall portrait of the different reasons people fall victim to such attacks.
With phishing losses mounting at alarming rates and the level of phishing sophistication evolving in step, Vishwanath says adopting the model is critical.
Source: University at Buffalo
