
NSF Org: | CNS Division Of Computer and Network Systems |
Recipient: | |
Initial Amendment Date: | February 1, 2016 |
Latest Amendment Date: | February 1, 2016 |
Award Number: | 1624149 |
Award Instrument: | Standard Grant |
Program Manager: | Deborah Shands, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering |
Start Date: | August 21, 2015 |
End Date: | January 31, 2017 (Estimated) |
Total Intended Award Amount: | $109,365.00 |
Total Awarded Amount to Date: | $109,365.00 |
Funds Obligated to Date: | |
History of Investigator: | |
Recipient Sponsored Research Office: | 1500 ILLINOIS ST GOLDEN CO US 80401-1887 (303)273-3000 |
Sponsor Congressional District: | |
Primary Place of Performance: | CO US 80401-1887 |
Primary Place of Performance Congressional District: | |
Unique Entity Identifier (UEI): | |
Parent UEI: | |
NSF Program(s): | Special Projects - CNS, Secure & Trustworthy Cyberspace |
Primary Program Source: | |
Program Reference Code(s): | |
Program Element Code(s): | |
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
One of the most severe and challenging threats to Internet security and privacy is phishing, which uses fake websites to steal users' online identities and sensitive information. Existing studies have evaluated younger users' susceptibility to phishing attacks, but have not paid sufficient attention to elderly users' susceptibility to phishing in realistic environments. As the elderly population in the United States and the world continues to grow rapidly, the elderly Internet user population also continues to grow, and seniors have become very attractive targets for online fraud.
Traditional forms of phishing have been prevalent for over a decade; in contrast, web single sign-on phishing is a more modern strategy, with unique characteristics that make it more profitable, insidious, and harder to detect than traditional phishing. The goal of this project is to systematically compare younger and older computer users' susceptibility to both the traditional and the newly emergent web single sign-on phishing. We build a comprehensive computer testbed that measures phishing susceptibility in a realistic environment. We hypothesize that older adults will differ from younger adults in terms of their susceptibility to both types of phishing, and that this susceptibility can be explained by differences in cognitive abilities, specifically executive functioning and decision-making skills.
The results of this project will advance our knowledge on how and why elderly users may fall victim to phishing, and will provide a solid basis for researchers to further design effective mechanisms to protect elderly users against phishing from both technical and cognitive perspectives.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
One of the most severe and challenging threats to Internet security and privacy is phishing, which uses fake websites to steal users' online identities and sensitive information. Existing studies have evaluated younger users' susceptibility to phishing attacks, but have not paid sufficient attention to elderly users' susceptibility to phishing in realistic environments. As the elderly population in the United States and the world continues to grow rapidly, the elderly Internet user population also continues to grow, and seniors have become very attractive targets for online fraud.
In this project, we designed and implemented a phishing toolkit that can support both the traditional phishing and the newly emergent Web Single Sign-On (SSO) phishing; we systematically compared younger and older computer users' susceptibility to both types of phishing attacks; we tested the hypothesis that older adults will differ from younger adults in terms of their susceptibility to both types of phishing, and that this susceptibility can be explained by differences in cognitive abilities, specifically executive functioning and decision-making skills.
Our toolkit can automatically construct highly insidious extreme phishing attacks with unlimited levels of phishing webpages in real time based on user interactions. The toolkit can be used by attackers to easily construct and deploy extreme phishing attacks; it can also be used by researchers to easily construct testbeds for performing phishing related user studies and exploring new phishing defense mechanisms. We started to share this toolkit with researchers who want to use or adopt it for research purposes. We designed and performed a user study with 194 participants to evaluate the effectiveness of the phishing attacks constructed from this toolkit. The results demonstrate that extreme phishing attacks are indeed highly effective and insidious as over 90% of the participants became the "victims". It is reasonable to assume that extreme phishing attacks will be widely adopted and deployed in the future, and we call for a collective effort to effectively defend against them. We also analyzed the impact of extreme phishing on existing phishing defense mechanisms, and provided suggestions to researchers and users for them to better defend against such attacks.
We sought to determine whether age is associated with increased susceptibility to phishing and whether tests of executive functioning can predict phishing susceptibility. A total of 193 cognitively intact participants, 91 younger adults and 102 older adults, were primarily recruited through a Psychology department undergraduate subject pool and a gerontology research registry, respectively. The Executive Functions Module from the Neuropsychological Assessment Battery and the Iowa Gambling Task were the primary cognitive predictors of reported phishing suspiciousness. Other predictors included age group (older vs. younger), sex, education, race, ethnicity, prior knowledge of phishing, prior susceptibility to phishing, and whether or not browsing behaviors were reportedly different in the laboratory setting versus at home. Our results revealed three statistically significant predictors for phishing suspiciousness: the main effect of education, the interactions of age group with prior awareness of phishing, and performance on the Neuropsychological Assessment Battery Mazes test. These results suggest that simple educational interventions may be effective in reducing phishing vulnerability. Although one test of executive functioning was found useful for identifying those at risk of phishing susceptibility, four tests were not found to be useful. These results failed to support our hypothesis that older adults would be more susceptible to phishing than younger adults, and they speak to the need for more ecologically valid tools in clinical neuropsychology.
Last Modified: 03/02/2017
Modified by: Chuan Yue