Phishing in an Academic Community: A Study of User Susceptibility and Behavior

We present an observational study on the relationship between demographic factors and phishing susceptibility at the University of Maryland, Baltimore County (UMBC). In spring 2018, we delivered phishing attacks to 450 randomly-selected students on three different days (1,350 students total) to examine user click rates and demographics among UMBC's undergraduates. Participants were initially unaware of the study. Experiment 1 claimed to bill students; Experiment 2 enticed users with monetary rewards; and Experiment 3 threatened users with account cancellation. We found correlations resulting in lowered susceptibility based on college affiliation, academic year progression, cyber training, involvement in cyber clubs or cyber scholarship programs, time spent on the computer, and age demographics. We found no significant correlation between gender and susceptibility. Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness. Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing. Approximately 59 the phishing email clicked on its phishing link, and approximately 70 subjects who additionally answered a demographic survey clicked.

READ FULL TEXT VIEW PDF

Authors

page 1

page 3

page 4

page 5

10/28/2011

An empirical analysis of the relationship between web usage and academic performance in undergraduate students

The use of the internet, and in particular web browsing, offers many pot...
04/20/2020

Influence of COVID-19 confinement in students performance in higher education

This study explores the effects of COVID-19 confinement in the students ...
03/11/2021

Towards Determining the Effect of Age and Educational Level on Cyber-Hygiene

As internet related challenges increase such as cyber-attacks, the need ...
10/25/2021

An approach to optimize study programs using Discrete Event Simulation

Creating a study program for optimal academic completion is a complex as...
07/18/2019

Laptop Theft in a University Setting can be Avoided with Warnings

Laptops have become an indispensable asset in today's digital age. They ...
12/30/2018

Cyberbullying of High School Students in Bangladesh: An Exploratory Study

This study explores the cyberbullying experience of the high school stud...
02/26/2019

Protocol for an Observational Study of the Association of High School Football Participation on Health in Late Adulthood

American football is the most popular high school sport and is among the...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Typically, the most important and devastating vulnerability a company can have is its very own people [10]. The human factor, or error, is responsible for 95% of security incidents [10]. Malicious actors aim to use social engineering to exploit users into giving up valuable and confidential information [14]. We present results from a study of susceptibility of undergraduate students to phishing emails. In phishing, a fraudulent entity tries to gain user information, possibly poising as an authority.

This observational study is the first to examine age, gender, college affiliation, academic year progression, time spent on a computer, cyber club/cyber scholarship program affiliation, cyber training, and phishing awareness demographics in one study. Our motivation lies in understanding dependent variables in a student population for future training tailored to individual students. We hope our results will help businesses and colleges improve their cybersecurity practices.

As summarized in the tables and figures, our contributions are the correlations among demographics and phishing susceptibility from our observational study in which we sent phishing emails to 1,350 UMBC students. For more details, see Diaz [1].

Ii Previous Work

There have been few phishing and general cybersecurity related surveys conducted on college students in the past, focusing on the correlation between susceptibility and one or few demographics.

Farooq, et al. [8] studied 1280 participants in six different colleges throughout India, Malaysia, Nepal, Pakistan, and Thailand. They documented Internet use and its correlation to the student user susceptibility level. A year prior, Farooq, et. al. [9] also surveyed 614 university students from eight different majors to calculate their information security awareness score (ISA). They concluded that gender provides an insight on how a student learns cybersecurity skills. Men tend to gain security knowledge through self-taught means, while women tend to prefer formal training and interacting in their social circles [8].

In Tamil Nadu, India, Senthilkumar and Easwaramoorthy [15] surveyed student responses to cyber themes, such as “virus[es], phishing, fake advertisement, popup windows and other attacks in the internet” [15]. In this study, only 10 of the 379 students stated that they would report any malicious activity to their cyber crime office. Similarly, Kim [12] surveyed a group of business undergraduate students on their knowledge of cyber related topics . While the students were somewhat knowledgeable on most topics covered in NIST Standard 800-50, Kim [12] suggested training programs for all students within the college to increase student awareness. Duggan [6] conducted a comparable survey in Japan, where he surveyed a group of Japanese college students about their cybersecurity and privacy-risk knowledge based on terminology.

Dodge Jr., et al. [4] conducted an unannounced phishing test on students at the United States Military Academy to evaluate their cyber training programs. They concluded that the more educated a student was in academic year, the less likely they were to fall for the phishing scam. Similarly, Aloul [2] presented a project in which a fake website portal recorded the number of students who navigate to this phishing trap. They recorded 9% of the 11,000 students falling for the fraudulent portal.

Sheng, et al. [16] studied if age, sex, and education level influenced phishing susceptibility. They determined that higher education level, age, and being male lead to less susceptibility. Sun, et al. [17] investigated links between gender and behavior. In contrast, the research team did not find a significant difference in gender. In these two studies, the users knew that they were being tested on their ability to detect phishing attacks.

In our study we include a more expansive list of demographics than those explored in previous studies. We also focus on phishing susceptibility rather than on general cybersecurity topics, and we do not inform the participants beforehand of the phishing experiments.

Iii Experimental Methodology

We deploy three phishing experiments on randomly-selected students at UMBC. To simulate errors found commonly in phishing attempts, these phishing emails contain errors that provide clues of their illegitimacy. Subsequently, we sent a debriefing statement to all selected students, as required by our UMBC Institutional Review Board (IRB) approval. We also sent a survey to gather more demographic data to those students who had opened a phishing email.

Iii-a Subject Population

Our study takes the 11,234 undergraduate students currently enrolled at UMBC as the target pool [18]. UMBC is especially well known for science and technology. UMBC includes three colleges: the College of Arts, Humanities, and Social Sciences, the College of Engineering and Information Technology, and the College of Natural and Mathematical Sciences. Our study focuses on the student’s primary major, regardless of any subsequent major, minor, or certificate program [18].

We sent each phishing email to a randomly-selected set of 1,350 students. Each set comprised 450 students, with 150 students from each college.

We decreased the number of eligible students from 11,234 to 10,920, marking students ineligible if they had an undecided major or if they were part of the interdisciplinary studies track. Interdisciplinary Studies majors have multiple majors in potentially different colleges.

Iii-B Experiment 1: PayPal

Experiment 1 deployed the popular Billing Problem tactic [5]. The fraudulent entity claims to be PayPal, a popular online payment company. The email tries to entice the user to click on the email link by claiming to have received an order from them and therefore billing their PayPal account.

There are several red flags that indicate this email is illegitimate. Atomic Empire Designs is a fake company with invalid customer service email and phone number. The Shipping Address is vague, and the zipcode is incorrect for the Baltimore region. The email timestamp is for a future time, and the total amount of money owed does not add up to the subtotal, plus tax and shipping expenses. The last line of the email stating that “Paypal is located at …” lists an incorrect and invalid address. Another flag is the sender’s email address: any email from the PayPal business will have a “@paypal.com” address, not “gmail.com”. The link described as Order Details is also suspicious. If one hovers over the link, it does not indicate any association with PayPal; instead, it goes through a tracking url that contains a “thisisnotmalware” string.

Fig. 1: Experiment 1 PayPal email claims to bill the student’s PayPal account.
Fig. 2: Experiment 2 Quadmania email offers a free $100 gift certificate.

Iii-C Experiment 2: Quadmania

In this Experiment we make use of UMBC’s Quadmania event, the university’s major spring weekend festival, to lure the user through monetary gain [7]. The email congratulates the student on their $100 Amazon prize and asks them to click the provided link. This email adds legitimacy by using the 2018 Quadmania banner while the signature of the email proclaims it was sent by the UMBC Events Board. This name is similar to the Student Events Board (SEB) that organizes Quadmania. Futhermore, the email describes a UMCP survey. Not only was no such survey conducted, UMCP refers to the University of Maryland, College Park, which is a different school. There are grammar and spelling inconsistencies, including the keynote singer 21 Savage. When hovering over the link, The user can see the link redirects them to cnn.com after going through a tracking software. The email is sent from a “@umbcalerts.com” address, instead of a “umbc.edu” address.

Iii-D Experiment 3: DoIT

This email is a variation of the Expiration Date tactic, mimicking UMBC’s Division of Information Technology (DoIT). It claims that the user must verify their credentials to keep their UMBC account, referencing the Quadmania phish to add validity. The email threatens that the user must click and verify their identity within 48 hours.

There are several spelling and grammar errors, which are uncommon for official UMBC communications. The authority names itself “Department of Institutional Technology,” and later signs off with “UNCP DoIT”. There is no Department of Institutional Technology nor UNCP entity at UMBC. The odd quote at the end of the email is out of character and unconventional for a university’s IT department. The email address and link of this email are suspicious as well. The user can hover over the link and see that it goes to the Google homepage after going through tracking software. The email address has a “@umbcdoit.com” email address instead of a “@umbc.edu” one.

Fig. 3: Experiment 3 DoIT email threatens to suspend the student’s computer account.

Iii-E Debriefing Statement and Demographic Survey

Part of our IRB protocol requires us to send a debriefing email that informs all 1,350 selected students of the study. It also assures that we anonymized all data, kept all data confidential, and could not identify any individual.

We invited students who were part of the 1,350 target group and opened a phishing email from Experiments 1-3 to participate in a survey. After asking for consent and ensuring the survey respondents were at least 18 years of age, we asked questions on their academic year, major affiliation, gender, age, past cybersecurity training, participation in cyber clubs or cyber scholarship programs, phishing awareness, and time spent per day on the computer. We gave a brief definition of phishing and quick tips on how to identify phishing emails. We directed the users to the official UMBC phishing and spam FAQ page for more information.

Iii-F Data Collection

To track the data, we used the free application MailTracker by Hunter and the EmailTracker by cloudHQ [3][11]. Each of these programs tracked if an email recipient opened an email and whether they clicked any links. Both verify and confirm each other’s recorded data.

Iii-G Statistical Methods

We applied Fisher’s Exact test and Pearson’s Chi-Square for significance testing, and Cramer’s V to test strength of that significance, with [13]

. We used Fisher’s Exact test in lieu of the Chi-Square test when an expected value is less than 5. We defined the null hypothesis as there is no dependency between the demographic factor and student click rate. We used IBM’s SPSS to create contingency tables and calculate these statistics.

Iv Results

Fig. 4: Number of clicks on phishing emails by students in the College of Arts, Humanities, and Social Sciences (AHSS), the College of Engineering and Information Technology (EIT), and the College of Natural and Mathematical Sciences (NMS).

Of the 1,350 students randomly selected for this study, 1,246 (92%) opened a phishing email in at least one of the three experiments. We sent the debriefing statement to all 1,350 students, and the demographic survey only to those 1,246 students who opened a phishing email. Except for college affiliation, we analyzed demographics only from survey respondent data.

Iv-a Experiment 1 Results

Of the 450 students receiving the PayPal phishing email, 409 (91%) opened the email. Of those 409 students, a majority of the Arts, Humanities, and Social Sciences majors clicked the link.

We sent emails to 150 students within each college and analyzed the actions of those who opened the email. 74% of students in Arts, Humanities, and Social Sciences majors had clicked the link, with 20% in Engineering and Information Technology and 55% in Natural and Mathematical Sciences.

Iv-B Experiment 2 Results

We sent the Quadmania phishing email to 450 students, of which 419 (93%) opened the email. 349 students (83.3%) clicked the link within the email. Almost all of the Arts, Humanities, and Social Sciences majors clicked the link (95%), often within minutes of receiving the email. 74% of students in the College of Engineering and Information Technology clicked the link, while 83% in the College of Natural and Mathematical Sciences clicked.

Iv-C Experiment 3 Results

93% of students opened the third email. 68% of students in the Arts, Humanities, and 49% Social Sciences and Natural and Mathematical Sciences were fooled into clicking the link. In contrast, only 31 students (22%) in Engineering and Information Technology majors clicked.

Iv-D Survey Results

Of the 1,246 students who had the option to complete the survey, 482 students (39%) responded within a seven-day period. For each cohort, at least 100 subjects completed the survey. Figure 4 shows the click action by college membership for each experiment.

Fig. 5: Click action by demographic factors for students who opened email and returned the demographic survey form.

V Analysis

We analyze all experiments and survey results and find significant correlations in all tested demographics except gender.

Table 1 lists the number and percentages of students who clicked on phishing emails, with the results listed separately for students who were sent emails, opened emails, and answered the demographic survey.

TABLE I: Summary of experimental results. Number of students who clicked on phishing emails, among students who were sent emails, opened the emails, and answered the survey.

Approximately 59% of the subjects who opened the email clicked on the phishing link, with some fluctuations among the three experiments. By contrast, approximately 70% of the survey respondents clicked.

V-a Experiments

TABLE II: Significance of three statistical tests at separating students who click on emails, computed separately for each phishing email, at confidence level

, with given degrees of freedom (df).

We found a correlation between college affiliation and user click action. For all three experiments, the Chi-Square value exceeded . The aggregate data also had a Chi-Square value exceeding the critical value, rejecting the null hypothesis. We define the null hypothesis as there being no correlation between user susceptibility and a demographic. A low-to-medium strength of association is also present.

V-B Comparative Analysis

We show that phishing awareness, hours spent on the computer, cyber training, cyber club or cyber scholarship affiliation, age, academic year, and college affiliation are significant variables to student susceptibility.

TABLE III: Significance of three statistical tests at separating students who clicked on a phishing email, by demographic factors, at confidence level , with given degrees of freedom (df) .

The aggregated college affiliation demographic indicates that STEM majors–with Engineering and IT majors in particular–had lower click rates (EIT 65%, NMS 70%) compared to non-STEM majors (AHSS 80%). Increasing academic year progression saw a decrease in student click rate. We observed that increased time on the computer and cyber training correlated with lower click rates. Students in a cyber club or cyber scholarship program also clicked the phishing link less often than did students with no such affiliation. Within the cyber club and cyber scholarship group, students who were affiliated with a cyber scholarship program had lower click rates compared to the cyber club students.

Contrary to our expectations, in Experiments 1–3, students who were unaware of phishing attacks performed better (28% clicked) than did students who were aware (42% clicked) or who understood what phishing attacks are (80% clicked).

We found no significant correlation between gender and susceptibility, with the Chi-Square calculation less than the critical value.

Vi Discussion

We describe the campus response to our phishing emails, discuss an unexpected finding, comment on the nature of the phishing emails, identify study limitations, and present open problems.

Vi-a Campus Response

Although the PayPal email received little attention, the Quadmania phish (purportedly from SEB) created notable confusion. SEB, DoIT, and campus police issued alerts. A few hours after we sent the emails, SEB posted warnings to the student body of a phishing scheme, informing users that they did not send the Quadmania email, spreading word on the myUMBC dashboard and social media.

SEB’s quick and efficient communication reached several students within the Experiment 2 cohort. Despite these warnings, the vast majority of students had already fallen for the Quadmania scheme. Many students who were deceived by the phish reported their experiences to DoIT or SEB, prompting quick responses by SEB and DoIT to us and the student body. While we had notified DoIT in advance, not all of their staff knew about our experiment, and in hindsight, we probably should have also informed SEB in advance.

Vi-B An Unexpected Finding

As expected, we observed lower user susceptibility with college affiliation, academic year, age, cyber club and cyber scholarship affiliation, amount of time spent on the computer, and cyber training. Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness.

We have no convincing explanation for this finding, and we do not know if it is reproducible. Nevertheless, we consider two speculations. First, it is possible that the act of falling for the phishing scheme might have increased the user’s awareness about phishing. In hindsight, it might have been wiser to have asked in the post-event survey what was the level of phishing awareness the user had when they opened the phishing email. Second, it is conceivable that users who fell for the phish might be more likely to overestimate their knowledge, including about phishing.

Vi-C Limitations

Limitations of the study include student awareness of the experiment and veracity of survey responses. Especially given the commotion created by the Quadmania phish, it is possible that there was greater awareness among subjects about the possibility of phishing attacks in the third experiment than in the first two. We made no attempt to measure how accurately and honestly subjects filled out their demographic surveys.

We can analyze the correlation between demographics and suseptibility only for subjects who answered the demographic survey. It is likely that survey respondents are a somewhat biased sample of the undergraduate population—for example, survey respondents might be less cautious and more likely to act on opportunities. This bias possibly explains why survey respondents clicked on the phishing link at a higher rate than did students who merely opened the phishing email.

Vi-D Nature of Phishing Emails

As explained in Section III, we intentionally inserted many clues into each phishing email of their illegitimacy (e.g., spelling errors), and initially, we did not inform the subjects about the experiments. Our rationale was to simulate commonly occurring phishing attacks, which often contain such clues. We do not know how much, if it all, such clues affected user behavior. Similarly, we do not know how much, if at all, lack of awareness of the experiment affected user behavior. Given the high click rates, we speculate that, for many users, such clues were not a decisive factor. Similarly, given that study awareness appears to be a more subtle issue, and that many users are generally aware about the possibility of phishing attacks, we speculate that lack of awareness of study did not make a significant difference.

Alarmingly, given the high click rates for our phishing emails with many clues, we believe that most users would be even more highly susceptible to more sophisticated attacks. In a more sophisticated attack, the adversary might surveil the target and construct a compelling customized spear-phishing email free of any obvious clues.

Vi-E Open Problems

It would be interesting to understand our unexpected finding that students who reported greater phishing knowledge were more susceptible. Additional studies could explore this question and determine if our findings are reproducible. It would be useful to understand how clues and study awareness affect user behavior. It would be interesting to include faculty and staff in a study and to analyze user behaviors over several semesters. More difficult open problems are to explore causal factors in user behaviors and to devise effective ways to combat the threat of phishing attacks, including better user education, email filtering, and system design.

Vii Conclusion

Our study finds an association between several demographic factors and a student’s susceptibility to phishing attack. We observed lower susceptibility for college affiliation, academic year progression, cyber training, involvement in cyber clubs or cyber scholarship programs, amount of time spent on the computer, and age demographics. Surprisingly, despite a lower susceptibility for cyber education or IT expertise, we observed greater susceptibility for phishing awareness. We found no significant correlation for gender.

Phishing attacks are a dangerous form of social engineering that target users every day. Our study shows that user susceptibility to phishing remains a prevalent problem, even among technology-savvy students: approximately 59% of the subjects who openened the phishing email clicked on the phishing link, and approximately 70% of those subjects who also answered the demographic survey clicked. Our observational study uncovers relationships between demographic factors and susceptibility to phishing. We hope that these findings will be helpful in designing more secure systems and developing more effective cybersecurity training for users.

Acknowledgments

The authors thank Professors Bimal Sinha and Nagaraj Neerchal for their counsel on statistical tests and models. We would also like to thank Jack Seuss, Andy Johnston, Mark Cather, and the DoIT staff for their support and help throughout the project.

Sherman was supported in part by the National Science Foundation under SFS grant 1241576 and by the U.S. Department of Defense under CAE grant H98230-17-1-0349. Joshi was supported by an award from IBM.

References

  • [1] Diaz, Alejandra. ”Phishing in an Academic Community: A Study of User Susceptibility and Behavior.” Master of Science Thesis, Computer Science and Electrical Engineering Department. University of Maryland, Baltimore County, June 2018.
  • [2] Aloul, Fadi A. “The Need for Effective Information Security Awareness.” Journal of Advances in Information Technology, vol. 3, 2012, pp. 176–183.
  • [3] CloudHQ. “EmailTracker”. 2018. https://www.cloudhq.net/.
  • [4] Dodge Jr., Ronald C, et al. “Phishing for User Security Awareness.” Computers and Security, vol. 26, 2007, pp. 73–80.
  • [5] Downs, Julie S, et al. “Decision Strategies and Susceptibility to Phishing.” Carnegie Mellon University, 2006.
  • [6] Duggan, J. 2008. A Survey of Internet-based Risk Awareness among Japanese College Students. In C. Bonk, M. Lee and T. Reynolds (Eds.), Proceedings of E-Learn 2008–World Conference on E-Learning in Corporate, Government, Healthcare, and Higher Education (pp. 2158-2163). Las Vegas, Nevada, USA: Association for the Advancement of Computing in Education (AACE).
  • [7] Ellis, David. “Top 10 Types of Phishing Emails.” SecurityMetrics Blog, SecurityMetrics, 2014, blog.securitymetrics.com/2014/05/types-of-phishing-emails.html.
  • [8] Farooq, Ali, et al. 2015. Observations on Genderwise Differences among University Students in Information Security Awareness. International Journal of Information Security and Privacy 9:2, pp 60-74.
  • [9] Farooq, Ali, et al. 2016. Dimensions of Internet Use and Threat Sensitivity: An Exploratory Study among Students of Higher Education. 2016 IEEE Intl Conference on Computational Science and Engineering (CSE) and IEEE Intl Conference on Embedded and Ubiquitous Computing (EUC) and 15th Intl Symposium on Distributed Computing and Applications for Business Engineering (DCABES), pp 534-541.
  • [10] Howarth, Fran. “The Role of Human Error in Successful Security Attacks”. Security Intelligence, 2014. https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/.
  • [11] Hunter. “MailTracker”. 2018. https://hunter.io/.
  • [12] Kim, E. B. 2013. Information Security Awareness Status of Business College: Undergraduate Students, Information Security Journal: A Global Perspective, 22:4, pp 171-179.
  • [13] McDonald, J.H. 2014. Handbook of Biological Statistics, 3rd edition. www.biostathandbook.com/index.html
  • [14] Norton. “What is Social Engineering?” Symantec, 2014. https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html
  • [15] Senthilkumar, K. et al. 2017. A Survey on Cyber Security Awareness among college students in Tamil Nady, IOP Conference Series Materials Science and Engineering 263.
  • [16] Sheng, Steve, et al. “Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions.” Carnegie Mellon University, 2010.
  • [17] Sun, Jerry Chih-Yuan, et al. “The Mediating Effect of Anti-Phishing Self-Efficacy Between College Students’ Internet Self-Efficacy and Anti-Phishing Behavior and Gender Difference.” Computers in Human Behavior, vol. 59, 2016, pp. 249–257.
  • [18] UMBC Admissions. “Student Enrollment and Persistence”. UMBC, 2018. https://umbc.app.box.com/s/1torn5ywqscyktvo48xnqdlin1rdhf2k.