Exposing the Phish: The Effect of Persuasion Techniques in Phishing E-Mails

Koddebusch, Michael

Abstract

With ever-increasing amounts of data collected from citizens and businesses in Smart City environments, public administration agencies manifest their position as central data holders. However, this great ownership of data makes them a target of cybercriminals on the hunt for illicit enrichment. The predominantly used type of cybercrime is phishing and increasingly spear phishing, a more personal, target-oriented kind of phishing. Such attacks make use of so-called persuasion techniques to lure their victims. In this study, four persuasion techniques, namely Authority, Urgency, Danger and Benefit, were tested for effectiveness in a two-phased field experiment cooperating with four German municipalities. In total, 3452 fake phishing e-mails were sent to 1276 public officials. Results show that the persuasion technique of Authority has worked best and therefore presumably poses the biggest threat to the information integrity of public sector agencies, followed by Urgency, Benefit and Danger. Additionally, the study provides insight on the potential impact of the effects of constant exposure to phishing and shows that the degree of domain-specificity of attacks impacts the susceptibility of victims.

Keywords
smart city; phishing; spear phishing; persuasion techniques; human error; cybersecurity; experiment