Phishing in an Academic Community: A Study of User Susceptibility and Behavior

Date

2018-01-01

Department

Computer Science and Electrical Engineering

Program

Computer Science

Rights

Distribution Rights granted to UMBC by the author.
Access limited to the UMBC community. Item may possibly be obtained via Interlibrary Loan through a local library, pending author/copyright holder's permission.
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.

Abstract

We present an observational study on the relationship between demographic factors and phishing susceptibility. In spring 2018, we sent three phishing emails and a survey to examine user click rates and demographics within UMBC's undergraduate student population. This study, the first to investigate several demographic factors without prior user knowledge in a university setting, shows correlations between user susceptibility and college affiliation, age, cyber training levels, academic year progression, phishing awareness, cyber club or scholarship involvement, and amount of time spent on a computer. We observe no such relationship for gender. We used the Billing Problem, Contest Winner, and Expiration Date phishing tactics. From March through May 2018, we performed three experiments that delivered phishing attacks to 450 randomly selected students on three different days (1,350 students total). Unlike other studies, to simulate real phishing scenarios the participants were initially unaware of the study. Experiment 1 impersonated banking authorities; Experiment 2 enticed users with monetary rewards; and Experiment 3 threatened users with account cancellation. We then sent a survey that collected students' college affiliation, age, cyber training levels, academic year progression, phishing awareness, cyber club or scholarship involvement, and amount of time spent on a computer. We conclude that gender does not indicate student risk level (χ² = 0.43, p = 0.51, α = 0.05). Students within a technical field are the least likely to click a link (39% of students clicked), followed by Natural and Mathematical Sciences students (63% clicked), with Arts, Humanities and Social Sciences students the most susceptible (78% clicked) (χ² = 136.35, p < 0.0001, α = 0.05). Age (χ² = 16.25, p = 0.001, α = 0.05) and academic year progression (χ² = 15.67, p = 0.0013, α = 0.05) influenced susceptibility as well, with younger and less educated students having higher click rates on phishing schemes than their older and more educated counterparts. There exists a correlation between level of cyber training and decreasing click rate (χ² = 19.47, p < 0.0001, α = 0.05), similar to the relationship between low click rates and cyber scholarship program involvement (28% of students clicked), followed by cyber club membership (53% clicked) and no involvement at all (73% clicked) (χ² = 19.29, p < 0.0001, α = 0.05). Time spent on the computer is a significant factor in click rates as well (Fisher's p < 0.0001, α = 0.05). Among students who spend more than 4 hours on the computer, click rates fall as usage rises (4-8 hours: 88% clicked; 8-12 hours: 70%; 12+ hours: 52%). Contrary to our expectations, there exists a negative relationship between phishing awareness and students' resistance to clicking a phishing link (χ² = 77.46, p < 0.0001, α = 0.05). Students who identified themselves as understanding the definition of phishing had a higher susceptibility rate (80% clicked) than their peers who were merely aware of phishing attacks (43% clicked) and those with no knowledge whatsoever (28% clicked).