The human factor in phishing: collecting and analyzing user behavior when reading emails

Phishing emails are constantly increasing their sophistication, and typical countermeasures struggle at addressing them. Attackers target our cognitive vulnerabilities with a varied set of techniques, and each of us, not trained enough or simply in the wrong moment, can be deceived and put an entire organization in trouble. To date, no study has evaluated the behavior of users when confronted with phishing emails characterized by a diverse set of features and attack strategies. We created a system called Spamley from these observations, which has the main aim of collecting and sharing data regarding such user behavior. Spamley is also meant to disseminate awareness among users. To reach these goals, we firstly analyzed the wide scientific literature on phishing. Our analysis shows that the focus of studies on phishing has more and more shifted from technical to human-oriented aspects. Building on this analysis we designed, implemented, and deployed a system comprising a web application to test user awareness about phishing, featuring a survey to identify the most interesting characteristics of users, and fueled by a large and varied set of test emails engineered to solicit the several possible cognitive vulnerabilities we all have. We describe in details the design and implementation choices, the lessons we learned, and the way we filled the gap in the available related work. Finally, we use real data from our first 500 users to show how data collected can be used for several important analyses, including which characteristics of the emails are more relevant for which cognitive vulnerability of specific groups of users. Results obtained can guide the development of novel email clients as well as tailored training programmes. Data collected is available to the scientific community for conducting further studies on the important and still unsolved issue of email phishing.