Phishing in an academic community: A study of user susceptibility and behavior

Thumbnail Image

Files

Phishing in an academic community A study of user susceptibility and behavior.pdf (2.73 MB)

Links to Files

https://www.tandfonline.com/doi/abs/10.1080/01611194.2019.1623343

Permanent Link

https://doi.org/10.1080/01611194.2019.1623343
 http://hdl.handle.net/11603/19222

Collections

UMBC Computer Science and Electrical Engineering Department
UMBC Faculty Collection

Author/Creator

Author/Creator ORCID

Date

2019-08-13

Type of Work

journal articles
Text

Department

Program

Citation of Original Publication

To cite this article: Alejandra Diaz, Alan T. Sherman & Anupam Joshi (2020) Phishing in an academic community: A study of user susceptibility and behavior, Cryptologia, 44:1, 53-67, DOI: 10.1080/01611194.2019.1623343

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Attribution-NonCommercial-NoDerivs 2.0 Generic

Subjects

UMBC Ebiquity Research Group

Abstract

We present an observational study on the relationship between demographic factors and phishing susceptibility at the University of Maryland, Baltimore County (UMBC). In spring 2018, we delivered phishing attacks to 450 randomly selected students on three different days (1,350 students total) to examine user click rates and demographics among UMBC’s undergraduates. Participants were initially unaware of the study. We deployed the billing problem, contest winner, and expiration date phishing tactics. Experiment 1 impersonated banking authorities; Experiment 2 enticed users with monetary rewards; and Experiment 3 threatened users with account cancelation. We found correlations resulting in lowered susceptibility based on college affiliation, academic year progression, cyber training, involvement in cyber clubs or cyber scholarship programs, time spent on the computer, and age demographics. We found no significant correlation between gender and susceptibility. Contrary to our expectations, we observed a reverse correlation between phishing awareness and student resistance to clicking. Students who identified themselves as understanding the definition of phishing had a higher susceptibility rate than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility rate than those with no knowledge whatsoever. Approximately 70% of survey respondents who opened a phishing email clicked on it, with 60% of student having clicked overall.