Focusing on user habits key to preventing email phishing

November 11, 2015 by Bert Gambini, University at Buffalo
Focusing on user habits key to preventing email phishing

The cumulative number of successful phishing cyberattacks has risen sharply over the last decade, and in 2014 that figure surged past the total U.S. population.

To date, about 400 million breaches have yielded hackers some kind of personal information, according to Arun Vishwanath, an associate professor in the Department of Communication at the University at Buffalo and an expert in cyber deception.

"That means everyone in the country may have been breached," says Vishwanath. "Everyone. Including me and you."

Spear phishing is the biggest threat to cyber security at every level, he says. These are the tightly targeted, malware-carrying attacks that send links or attachments in what often appear to be genuine-looking email messages. Users launch the malware - intrusive software that initiates device-compromising background programs - when they click the link or open the attachment.

Businesses in the public and private sectors teach people to recognize phishing, but those efforts often fail or don't work for very long because the training ignores users' habits and instead focuses exclusively on how users process information, says Vishwanath, whose latest research on email habits and phishing outcomes is published in the Journal of Computer-Mediated Communication.

"The findings point to a joint operation of habits and , something that most social scientists have ignored," says Vishwanath. "We can't just focus on one aspect of that use, yet that's what we're doing and it explains why phishing is successful."

Information processing is about analyzing and reacting to an environment or situation. It's contextual, like trying to determine the contents of an unmarked bottle. Habits emerge from a different learning process and exist as a separate phenomenon from information processing, says Vishwanath.

Hackers ironically hit the same mark that the training designed to stop them misses. Phishing is successful because the perpetrators take advantage of people who are habitual in the way they respond.

And security levels don't play a role. Spear phishing is a people problem, and it works 17-35 percent of the time - even after people have been trained.

But Vishwanath says his research suggests that the training, which teaches people to recognize suspicious emails, is based on the presumption that the phishing problem can be accounted for by information processing.

"The training and education designed to stop phishing is all about asking what's in the bottle," he says. "It's contextual.

"In actual practice, many activities are habitual, or a combination habit and information processing."

That people's routines are ignored in training accounts for why they so quickly resume those routines - sometimes, mere hours after being trained.

"None of our interventions deal with habits, he says. "Right now our training is analogous to teaching how to drive by making them have an accident and telling them they've done so. It never explains why they've had an accident."

The issue is not a lack of awareness. Email systems, especially when accessed on mobile devices, are built to create and foster habits. They encourage users to repeatedly check for messages, establishing routines that Vishwanath says turns their devices into a casino game, with users opening emails like reckless gamblers habitually pulling the arms of slot machines without thinking of the long-term consequences.

"Routines are powerful and hard to stop," he says.

Even sophisticated email systems that flag suspicious messages don't help because users become desensitized to the warnings and quickly resume their habits.

"Altering the types of warnings issued would reflect the role of routines and make the messages more salient, but we're not doing that."

Vishwanath says the key is about making the distinction between habits and information processing, and training users to break existing patterns and rhythms.

"This is cyber hygiene," he says. "It's improving the baseline."

Explore further: Habitual Facebook users: Suckers for social media scams?

Related Stories

Habitual Facebook users: Suckers for social media scams?

September 15, 2014

Receiving an email that claims you are the recipient of a large sum of money from an unknown deceased relative immediately raises a red flag. These email scams are often trashed or filtered through spam folders. But what ...

Off the hook! Who gets phished and why

April 6, 2011

Communication researchers at four major universities have found that if you receive a lot of email, habitually respond to a good portion of it, maintain a lot of online relationships and conduct a large number of transactions ...

How we can each fight cybercrime with smarter habits

January 26, 2015

Hackers gain access to computers and networks by exploiting the weaknesses in our cyber behaviors. Many attacks use simple phishing schemes – the hacker sends an email that appears to come from a trusted source, encouraging ...

Recommended for you

Cryptocurrency rivals snap at Bitcoin's heels

January 14, 2018

Bitcoin may be the most famous cryptocurrency but, despite a dizzying rise, it's not the most lucrative one and far from alone in a universe that counts 1,400 rivals, and counting.

Top takeaways from Consumers Electronics Show

January 13, 2018

The 2018 Consumer Electronics Show, which concluded Friday in Las Vegas, drew some 4,000 exhibitors from dozens of countries and more than 170,000 attendees, showcased some of the latest from the technology world.

Finnish firm detects new Intel security flaw

January 12, 2018

A new security flaw has been found in Intel hardware which could enable hackers to access corporate laptops remotely, Finnish cybersecurity specialist F-Secure said on Friday.

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.