An analysis of social engineering principles in effective phishing

Abstract

Phishing is a widespread practice and a lucrative business. It is invasive and hard to stop: a company needs to worry about all emails that all employees receive, while an attacker only needs to have a response from a key person, e.g., a finance or human resources' responsible, to cause a lot of damages. Some research has looked into what elements make phishing so successful. Many of these elements recall strategies that have been studied as principles of persuasion, scams and social engineering. This paper identifies, from the literature, the elements which reflect the effectiveness of phishing, and manually quantifies them within a phishing email sample. Most elements recognised as more effective in phishing commonly use persuasion principles such as authority and distraction. This insight could lead to better automate the identification of phishing emails and devise more appropriate countermeasures against them.