Abstract

Phishing is a very dangerous form of social engineering that aims to deceive people into disclosing private or confidential information. Despite widespread warnings and efforts to educate users to identify phishing messages, phishing remains a prevalent practice and a lucrative business. The authors believe that persuasion, as a style of human communication designed to influence others, has a central role in successful digital scams. Research on persuasion applied to phishing emails is scarce and tends to build on Cialdini's work alone. Only a single study has proposed a list of merged principles from three different perspectives, but it has methodological limitations: the analysis was performed by a single researcher, and the principles were tested on a small, non-validated sample of phishing emails. This paper aims to fill those gaps by building on Cialdini's, Gragg's and Stajano & Wilson's works to derive a unique list of Principles of Persuasion in Social Engineering (PPSE), resulting from the application of the relational method by two independent researchers. The PPSE are identified by two independent researchers (Kappa > 0.789) on a sample of phishing email subject lines (N = 194), dated from 2008 to 2017 and randomly selected from a reliable phishing archive (millersmiles.co.uk). A thematic content analysis, together with the sample characterization in terms of visual elements and targeted content, revealed that the most prominent principles of persuasion in phishing emails were ‘Authority’, ‘Strong Affect’, ‘Integrity’ and ‘Reciprocation’. The larger percentage of references with visual elements present was found for the ‘Strong Affect’ principle. The use of the pronouns ‘you’ and ‘your’ was more evident for the categories ‘Strong Affect’ and ‘Authority’, while the use of the pronouns ‘we’, ‘us’ and ‘our’ was more frequent in the ‘Reciprocation’ principle.
This paper is a further step toward understanding the use of principles of persuasion in phishing emails, with future applications to automating their recognition.
