Teju Herath, information systems professor at the Goodman School of Business, and four colleagues from American universities received a grant recently from the U.S. government’s National Science Foundation for their research on phishing.
Phishing is defined as: “an email fraud method in which perpetrators send out legitimate-looking emails in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy web sites.”
The research, co-ordinated by the State University of New York at Buffalo, plans to examine archival data to understand the nature of phishing emails, how they evolved over time, how consumers process information, and victims’ demographic characteristics and psychographics – the use of demographics to measure attitudes, values, lifestyles and opinions.
The Brock News caught up with Teju to ask her more about phishing and her research.
BN: Approximately how many people fall victim to phishing schemes?
TH: In a study we conducted in 2007-2008, approximately three per cent of our pool of participants reported that they had given out their user names and passwords in response to phishing emails. This reflects statistics from the Anti-Phishing Working Group and Statistics Canada, which estimate that some three to four percent of North Americans respond to phishing emails.
BN: What would cause people to respond to these emails?
TH: If the email looks like it comes from a source that people can relate to – such as a bank where you have an account – you’ll likely trust that email and will respond accordingly.
If the email comes from the technology department, and if it’s asking you to re-set your account, normally we do tend to trust the message because it’s the IT department’s job to oversee our accounts. They have the authority to make changes to those accounts.
In our research, we looked at the frequency of certain words being used in phishing emails. A lot of these emails use “urgency” kind of words: important, send your responses immediately, take action immediately. We do tend to respond to immediacy and authority.
Our inboxes tend to be bombarded with emails. This large email load may reduce our ability to process all these emails.
Another important finding of our research was that being technologically savvy in itself does not necessarily make you less likely to be a victim of phishing. Awareness is the key factor. If you’re aware of these kinds of scams, then you’re less likely to respond to these messages.
BN: Are there any factors that give the written word – as opposed to telephone or in-person communication – an advantage in relaying deceptive information?
TH: When you and I are talking face-to-face, and you’re trying to pull a fast one on me, there are some facial cues and body language cues that I can pick up on to tell me that it’s not a trustworthy conversation.
Email communication is not as rich as the other communication modes. It’s asynchronous. We may lack the cues that convey deception in other modes of communication, although we have more time to ponder and examine the written word.
BN: How can perpetrators use the information they extract from these phishing emails?
TH: In banking-related scams, any banking information that you provide is used to steal your identity and draw money from your bank accounts. Often, this doesn’t happen right away. The perpetrators keep that information, it is dormant for a while, but later on, after you forget all about it, you notice that your bank accounts are drawn to zero.
If you know that you responded to this false email, you can contact the bank right away and they will change your account details, freeze that account, and take any other necessary actions.
If you don’t connect the withdrawals to the false email, banks might not compensate you for the loss of your money.
In other instances, if you give out passwords and other information pertaining to your email account, perpetrators can gain access to your organizational information systems through your account, because that is a legitimate access. For example, if you’re an employee, you’ll use your work email system. People outside of your workplace don’t normally have access to that system, but they can if you give out your account information. They can then hack into other accounts in your workplace.
BN: How has phishing evolved over time?
TH: Emails used to be more text-based, but as time passed, we started seeing emails using html coding and using company logos, making the emails appear to be more legitimate and coming from the authentic source.
It’s become very easy to create a webpage. The perpetrators don’t have to be very tech savvy. When they create the back end of the site (where they’re going to grab this information), they probably have a little bit more of an understanding of technology but it’s not very difficult to do these things today.
Earlier scams targeted banks and individuals’ financial accounts. However, the new scams try to get computer account information that can be used for various illicit activities. The newer scams, called spear phishing, are targeted phishing scams that target specific individuals or companies.