Don’t Be Deceived: The Message Might Be Fake

  • Conference paper
Trust, Privacy and Security in Digital Business (TrustBus 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10442)

Abstract

In an increasingly digital world, fraudsters, too, exploit this new environment and distribute fraudulent messages that trick victims into taking particular actions. There is no substitute for making users aware of scammers’ favoured techniques and giving them the ability to detect fraudulent messages. We developed an awareness-raising programme, specifically focusing on the needs of small and medium-sized enterprises (SMEs). The programme was evaluated in the field. The participating employees demonstrated significantly improved skills in terms of ability to classify messages as fraudulent or genuine. Particularly with regard to one of the most widespread attack types, namely fraudulent messages with links that contain well-known domains as sub-domains of generic domains, recipients of the programme improved their recognition rates from 56.6% to 88%. Thus, the developed security awareness-raising programme contributes to improving the security in SMEs.

Notes

  1. Note that the content of this module might need to be adapted for other contexts, e.g. the U.K. provides second level domains in addition to top level domains.

  2. Note that we mean in particular encrypted containers rather than signed and encrypted emails with attachments while one is able to verify the signature.

  3. https://www.secuso.informatik.tu-darmstadt.de/de/secuso/forschung/ergebnisse/erkennung-betruegerischer-nachrichten-german-only/. Accessed 11 Apr 2017.

  4. We did not include attacks where the actual who section is extended with a plausible term, as these can only be identified by using a search engine. The snag is that SME employees might have restricted Internet access while undertaking the programme.

  5. One of these four participants made one mistake after the programme in the recognition of a fraudulent message. This message was considered relatively easy. Given the overall recognition rate, it is likely that this was an accidental clicking mistake.

  6. There is no bar shown for the module-4 (post) due to the small variance in answers.

  7. secuso.org/schulung.

  8. awareness.usd.de.

Acknowledgement

This work was developed within the project KMUAWARE which is funded by the German Federal Ministry for Economic Affairs and Energy under grant BMWi-VIA5-090168623-01-1/2015. Authors assume responsibility for the content.

Author information

Corresponding author

Correspondence to Benjamin Reinheimer.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Neumann, S., Reinheimer, B., Volkamer, M. (2017). Don’t Be Deceived: The Message Might Be Fake. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2017. Lecture Notes in Computer Science, vol 10442. Springer, Cham. https://doi.org/10.1007/978-3-319-64483-7_13

  • DOI: https://doi.org/10.1007/978-3-319-64483-7_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64482-0

  • Online ISBN: 978-3-319-64483-7

  • eBook Packages: Computer Science, Computer Science (R0)
