What to Phish in a Subject?

  • Conference paper
Financial Cryptography and Data Security (FC 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10323)

Abstract

Phishing emails have come to stay. They have evolved and adapted to become more sophisticated and targeted so as to appear more realistic and, therefore, more effective. But why does a user decide to open such emails? This paper focuses on the content of subject lines from phishing emails, a main element that can trigger the user's decision on whether to (potentially) become a victim. The authors analyzed 788 subject lines from phishing emails collected over a one-year period and found that the most common subject lines pretend to come from government or well-known organizations and mostly integrate the authority and distraction principles of persuasion. The majority of subject lines include targeted keywords/expressions that provide the recipient with a feeling of social presence that heightens the realization that a message comes from a trustworthy person. This study shows that a small sentence can go a long way. An email subject line can carry high persuasive power, more successfully grabbing users’ attention and increasing the likelihood of that email being opened and responded to.

Acknowledgments

The authors would like to thank Professor Richard Clayton for kindly supplying the sample used in this study.

This work was supported by the project “NORTE-01-0145-FEDER-000016” (NanoSTIMA) that is financed by the North Portugal Regional Operational Programme (NORTE 2020), under the PORTUGAL 2020 Partnership Agreement, and through the European Regional Development Fund (ERDF).

Author information

Corresponding author

Correspondence to Ana Ferreira.

Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Ferreira, A., Chilro, R. (2017). What to Phish in a Subject? In: Brenner, M., et al. Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol 10323. Springer, Cham. https://doi.org/10.1007/978-3-319-70278-0_38

  • DOI: https://doi.org/10.1007/978-3-319-70278-0_38

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70277-3

  • Online ISBN: 978-3-319-70278-0

  • eBook Packages: Computer Science (R0)
