Despite sophisticated phishing email detection systems and training and awareness programs, humans continue to be tricked by phishing emails. To better understand why phishing email attacks still work and how best to mitigate them, we carried out an empirical study of people's thought processes when reading their emails. We used a scenario-based role-play "think aloud" method and follow-up interviews to collect data from 19 participants. The experiment was conducted using a simulated web email client and real phishing and legitimate emails adapted to the given scenario. Analysis of the collected data enabled us to identify eleven factors that influence people's response decisions to both phishing and legitimate emails. Furthermore, based on the user study findings, we discuss novel insights into flaws in general email decision-making behaviors that could make people susceptible to phishing attacks.