Persuasion and Phishing: Analysing the Interplay of Persuasion Tactics in Cyber Threats
Kalam Khadka

TL;DR
This paper analyzes the use of persuasion tactics in phishing emails, identifying common principles and targets to improve detection and prevention methods in cybersecurity.
Contribution
It extends previous research by analyzing entire email contents for persuasion principles and examining phishing goals and targets using an ontological model.
Findings
Distraction is the most common persuasion principle in phishing emails.
Phishing targets individuals primarily for unauthorized access and financial gain.
The study highlights the importance of understanding persuasion tactics for better detection.
Abstract
This study extends the research of Ferreira and Teles (2019), who synthesized works by Cialdini (2007), Gragg (2003), and Stajano and Wilson (2011) to propose a unique list of persuasion principles in social engineering. While Ferreira and Teles focused on email subject lines, this research analyzed entire email contents to identify principles of human persuasion in phishing emails. This study also examined the goals and targets of phishing emails, providing a novel contribution to the field. Applying these findings to the ontological model by Mouton et al. (2014) reveals that when social engineers use email for phishing, individuals are the primary targets. The goals are typically unauthorized access, followed by financial gain and service disruption, with Distraction as the most commonly used compliance principle. This research highlights the importance of understanding human…
Taxonomy
Topics: Misinformation and Its Impacts · Spam and Phishing Detection · Information and Cyber Security
