Mumbai: Phishing emails look authentic and encourage individuals to click on seemingly harmless hyperlinks and attachments. The results are disastrous.

Victims pay a huge price—the financial tally from information loss, identity theft, service disruptions and additional security costs related to phishing is estimated to exceed $1trillion.

And, phishing accounts for more than one-third of the nearly 800% increase in cybercrimes since 2007, according to the US Government Accountability Office (GAO).

Security firms periodically put out warnings about phishing ploys but there is no foolproof way to understand why users fall for phishing scams. At least, not till now.

Now, Arun Vishwanath, an associate professor in the Department of Communication at the University of Buffalo (UB), whose research specializes in ways to stop online deception, claims to have developed a comprehensive model that accounts for the multiple influences that contribute to the success of phishing attacks.

The study, published in the latest issue of the journal Communication Research, proposes and empirically tests a theory-based model that identifies specific user vulnerabilities that arise in a given user.

“When I talk to cybersecurity experts in companies or even in the US government--and I’ve presented this to many of them --I’m told that the model provides a ready framework to understand why their employees fall prey to such attacks," Vishwanath said in a 1 April press statement.

The Suspicion, Cognition and Automaticity Model (SCAM) explains what contributes to the origin of suspicion by accounting for a user’s email habits and two ways of processing information: heuristics, or thumb rules that lead to snap judgments about a message’s content; and a deeper, systematic processing about an email’s content.

A fourth measure—cyber-risk beliefs—taps into the individual’s perception about risks associated with online behaviours, according to Vishwanath.

SCAM encourages a new approach to training that is based on individual, predictive profiles of computer users, rather than relying on the current blanket training approach for everyone, a method that previous research has shown to be of limited effectiveness because people are often victimized hours after they’ve finished their training, according to Vishwanath.

“Using this model, organizations can come up with a dynamic security policy, one that takes into account employee cyber-behaviours and allows access to systems, software and devices based on these behaviours," he said, adding, “It can also be used to develop a risk-index that assesses the overall risk threshold of individuals and groups."

Vishwanath’s study, which is part of a larger research programme to understand the people-problems of cybersecurity, tested the model by actually simulating different types of phishing attacks on real-world subjects. The point for Vishwanath is that most anti-phishing measures are trying to stop attacks under the assumption that they know why people fall prey to such attacks, rather than actually figuring out why the attacks are working.

Millions of phishing attacks occur daily, many following recurring patterns. The malware in these emails open back doors to computer networks that provide hackers with access to people’s personal information. Some intrusions install key loggers that record keystrokes or the sites they visit. And a new class of “ransomware" encrypts every file on a hard driver or server, holding the data hostage until users pay an untraceable ransom in bitcoin.

“If the Internet were the real world, it would be the most dangerous city on earth," Vishwanath says. India is already bearing the brunt of phishing, according to security firms.

India has consistently moved up the rankings for countries with the most number of financial Trojan infections—moving up from rank 5 in 2014 to rank 3 in 2015, according to a 29 March press statement by security firm, Symantec. Over 60,000 computers in India were compromised with financial Trojans in 2015 and financial institutions in India have the third-most infections only to be preceded by the US and Germany.

Globally, the financial sector was the highest-targeted sector in January with 40.2% of all spear-phishing attacks. Spear phishing, or whaling, are target phishing attacks. They are emails that appear to be from an individual or business that you know but, in reality, are not so.

FireEye’s annual ‘Advanced Threat Report 2015’ estimated that 37.5% of organizations in India were subject to continuous targeted cyber-attacks, known as Advanced Persistent Threats (APTs), in the first half of 2015. Over 50% of these attacks targeted telecom services providers and the Indian government that is working on ambitious projects such as Digital India and Smart Cities.

FireEye had earlier revealed that an APT campaign (a spear phishing one), which had targeted India and neighbouring countries such as Pakistan, Nepal and Bangladesh, was aimed at stealing confidential information.

My Reads Logout