Principles of Persuasion in Social Engineering and Their Use in Phishing

  • Ana Ferreira
  • Lynne Coventry
  • Gabriele Lenzini
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


Research on marketing and deception has identified principles of persuasion that influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different taxonomies. In regard to frauds and scams, three taxonomies are often referred to in the literature: Cialdini's principles of influence, Gragg's psychological triggers, and Stajano et al.'s principles of scams. It is unclear whether these taxonomies relate to one another, but some of their principles clearly overlap whereas others look complementary. We propose a way to connect those principles and present a merged and reviewed list of them. We then analyse various phishing emails and show that our principles are used therein in specific combinations. Our analysis of phishing is based on peer review, and further research is needed to make it automatic, but the approach we follow, together with the principles we propose, can be applied more consistently and more comprehensively than the original taxonomies.


Keywords: Social engineering, Principles of persuasion, Phishing emails


  1. Mitnick, K., Simon, W.: The Art of Deception. Wiley Publishing Inc., New York (2002)
  2. Cialdini, R.B.: Influence: The Psychology of Persuasion (Revised Edition). Harper Business, Dunmore (2007)
  3. Quiel, S., Uebelacker, S.: The social engineering personality framework. In: Proceedings of the 4th Workshop on Socio-Technical Aspects in Security and Trust (STAST 2014), Vienna, Austria, 18 July 2014, pp. 24–30 (2014)
  4. Akbar, N.: Analysing persuasion principles in phishing emails. Ph.D. dissertation, Master Thesis, University of Twente, The Netherlands, October 2014
  5. Gragg, D.: A multi-level defense against social engineering. Technical Report, SANS Institute - InfoSec Reading Room (2003)
  6. Stajano, F., Wilson, P.: Understanding scam victims: seven principles for systems security. Commun. ACM 54(3), 70–75 (2011)
  7. Scheeres, J.W., Mills, R.F., Grimaila, M.R.: Establishing the human firewall: reducing an individual's engineering attacks. In: Proceedings of the 3rd International Conference on Information Warfare and Security (ICIW), Omaha, USA, 24–25 April 2008
  8. Fette, I., Sadeh, N., Tomasic, A.: Learning to detect phishing emails. In: Proceedings of the 16th International Conference on World Wide Web (WWW 2007), Banff, AB, Canada, 8–12 May 2008, pp. 649–656. ACM (2007)
  9. Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L.F., Hong, J.: Teaching Johnny not to fall for phish. ACM Trans. Internet Technol. 10(2), 1–31 (2010)
  10. Blythe, M., Petrie, H., Clark, J.A.: F for fake: four studies on how we fall for phish. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI 2011), Vancouver, BC, Canada, 7–12 May 2011, pp. 3469–3478. ACM (2011)
  11. Martin, S.J., Goldstein, N., Cialdini, R.B.: The Small BIG: Small Changes that Spark Big Influence. Grand Central Publishing, New York (2014)
  12. Arnheim, R.: The gestalt theory of expression. Psychol. Rev. 56, 156–171 (1945)
  13. Geremek, A., Greenlee, M., Magnussen, S.: Perception Beyond Gestalt: Progress in Vision Research. Psychology Press, New York (2013)

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Ana Ferreira (1, 2)
  • Lynne Coventry (3)
  • Gabriele Lenzini (1)
  1. Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, Luxembourg, Luxembourg
  2. Institute of Cognitive Science and Assessment, University of Luxembourg, Luxembourg, Luxembourg
  3. Psychology and Communication Technology, Northumbria University, Newcastle upon Tyne, UK
