
Page 1: THE RELATIONSHIPS BETWEEN PHISHING TECHNIQUES AND …preet.sesolution.com/iclt2010/Full Papers/Information Technology... · THE RELATIONSHIPS BETWEEN PHISHING TECHNIQUES AND THE

THE RELATIONSHIPS BETWEEN PHISHING TECHNIQUES AND THE USER PERSONALITY MODEL

by

Chat Chuchuen and Pisit Chanvarasuth

Sirindhorn International Institute of Technology, Thammasat University, Thailand

Email: [email protected], [email protected]

ABSTRACT

This study is related to Internet users' vulnerabilities to phishing. In today's world, there are many evolutionary origins, including technology foresight. This allows people to contact and see each other even though they are in different hemispheres. They are able to buy or select things without leaving home, by using the Internet as the medium for the connection. But cyberspace does not only provide good views; it also has gaps that cause fraud or phishing. The objectives of this study were: 1) to explore the phishing phenomenon and phishing techniques, and 2) to determine the vulnerability of an Internet user to phishing and learn typical personality traits of the Internet user. This study presents phishing and its techniques in relation to the DISC personality model. The literature review and research framework are shown later. Finally, the statistical analysis results of the factors related to phishing techniques and the conclusion are shown respectively. Results of the study showed the relationships between Internet users' personality and phishing techniques.

KEYWORDS

Phishing, Phishing Techniques, DISC Personality Model

INTRODUCTION

The Internet is one of the most convenient tools that many people use to communicate. With many benefits such as low cost, real-time and timeless access, the trend of Internet usage is increasing drastically. Accordingly, the security threats to Internet transactions are growing in the same way. Examples of security threats to Internet transactions, such as hacking, virus attacks or other techniques, are well known. One of the concealed crimes against the security of Internet transactions is “Phishing” (Evers, 2007; Workman, 2008). Phishing is the new 21st Century Crime (Gooden, 2007). The term “phishing” first emerged in 1996, but its technique was described in 1987. This word may be influenced by phreaking and alludes to baits used to “catch” sensitive information like financial data and passwords. Phishing is defined as a way of inventing a web page to deceive people into submitting their personal information, like passwords and financial information (McFedries, 2004).

Phishing affects the vulnerability of the customer, but the extent may depend more or less on their personality traits. One reason that phishing works is that most people do not have knowledge of all the guises a given threat might take, but only react to situations that they have already identified as being dangerous. Another reason is that many users do not possess technical sophistication sufficient to verify whether a given email or webpage corresponds to an attempt to defraud them. The most important reason of all, though, might be that to most people, security is a secondary goal (Bailey et al., 2008; Baker, 2006; Dunn, 2007; Stallings, 1995). Fortunately, several companies have started to make anti-phishing software that is capable of knowing if you are the potential victim of a crime. An anti-phishing tool looks for particular things that are common in phishing, alerting the user of any danger, especially from new kinds of phishing (Duntemann, Degunking, 2004; Lohman, 2006; Miller, 2007). So, phishing made an interesting topic of study.

This study attempts to find the characteristics of Internet users involved in phishing techniques. The objectives of this study were: 1) to explore the phishing phenomenon and phishing techniques, and 2) to determine the vulnerability of an Internet user to phishing and learn typical personality traits of the Internet user. Results of the study showed the relationships between Internet users' personality and phishing techniques. The paper is organized as follows. The following section provides the literature review of related works. Next, the research methodology and hypotheses are presented. Finally, the conclusion and discussion are provided.

BACKGROUND

What is Phishing?

In the computing context, it can be said that phishing may be a technique of identity theft via e-mails and links from other websites. In the financial context, phishing is when a criminal creates a site which seems to belong to a legitimate business in order to gain the site visitor’s personal information after he or she submits it. Then, the criminal can use that information for his/her purposes or sell it to others. Gartner analyst firm (2004) estimates that phishing cost banks and credit card companies $1.2 billion in direct losses in 2004, and that 1.4 million computer users have suffered identity theft from these activities.

There have been a few recent studies that focus on phishing techniques. Jagatic et al. (2007) did research by sending phishing messages to a considerable number of university students. Those messages seemed to come from their friends. According to this research, the potential victims are calculated at 80%. Moreover, 16% is the figure for those who received messages that did not appear to come from their friends. In their study, Jakobsson and Ratkiewicz (2006) found that there are more users who think that sub domains are legitimate than those who focus on IP addresses, although this was an experimental phishing study.

Research Methodology

In this study, questionnaires are the main tool used to gather data from people about their personality and their phishing knowledge. The completed questionnaire consists of four parts. The first and the second parts cover the general information and the personality of each respondent. The third part contains general questions about phishing. The last part contains questions focusing on each phishing technique. In this study, 400 questionnaires were used for the analysis. The analysis of results is presented with descriptive and inferential statistical results. In the preliminary analysis, we obtained the relationships between Internet users' personality and vulnerability to phishing techniques. The factor from the preliminary analysis is used to test the relationships between the user personality model and phishing techniques by Pearson correlation. For the analysis, phishing is separated into four techniques. The meaning of each technique is described in the following table:

TABLE 1

THE DESCRIPTION OF THE PHISHING TECHNIQUES

Link Manipulation: For this technique, misspelled URLs (Uniform Resource Identifier) or the use of sub domains are common tricks used by phishers. Another common trick is to make the anchor text for a link appear to be valid, when the link actually goes to the phishers' site. Link Manipulation will be replaced by “LINK”.

Website Forgery: This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL. This technique uses a fake website to lure the consumer. Website Forgery will be replaced by “WEB”.

Spear Phishing: Spear phishers send e-mail that appears genuine to all the employees or members within a certain company, government agency, organization, or group. The message might look like it comes from your employer or colleagues. Spear Phishing will be replaced by “SPEAR”.

Filter Evasion: Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails. Filter Evasion will be replaced by “FIL”.


The User Personality model

This study uses the DISC personality model to describe the personalities of Internet users. The following section describes the DISC personality model and its categories (Bonnstetter et al., 1993).

DISC personality model

DISC is the behavioral model with four quadrants based on the work of William Moulton Marston Ph.D. (1893–1947) to examine the behavior of individuals in their environment or within a specific situation (otherwise known as environment). It therefore focuses on the styles and preferences of such behavior (Leslie, 2000; Weiner, Greene, 2008). The assessment classifies four aspects of behavior by testing a person's preferences in word associations. DISC is an acronym for:

TABLE 2

THE DETAILS OF EACH PERSONALITY IN DISC PERSONALITY MODEL

Dominance (the 'D' trait): People who are dominant are full of drive. They pack their timetables with many tasks every day. Some common adjectives that can describe 'D' people are "direct, decisive and driven". High "D" people are described as demanding, forceful, egocentric, strong willed, driving, determined, ambitious, aggressive, and pioneering.

Influence (the 'I' trait): 'I' people are influential; they love people and they love attention. They are often charismatic leaders, able to command a crowd and motivate them towards a common goal. They are described as convincing, magnetic, political, enthusiastic, persuasive, warm, demonstrative, trusting, and optimistic.

Steadiness (the 'S' trait): 'S' people are steady paced, stable and extremely loyal; they value security and do not like sudden change. 'S' people are more passive compared to the 'D' and 'I' people. High "S" individuals are calm, relaxed, patient, possessive, predictable, deliberate, stable, consistent, and tend to be unemotional and poker faced.

Conscientious (the 'C' trait): 'C' people are often described as having a correct, compliant and controlled personality. 'C' people are detailed and accurate, and they are also systematic and often neat in appearance. People with high "C" styles adhere to rules, regulations, and structure. High "C" people are careful, cautious, exacting, neat, systematic, diplomatic, accurate, and tactful.

The DISC personality model appears in much social science research. It shows that if we can classify the personality of people, we can customize and fulfill their requirements. It does not only focus on its benefit in terms of profits and value, but also on prioritizing or customizing for customers. On the other hand, we can adapt this concept to protect customers from threats as well. Thus, this study examines the vulnerability of Internet users. It focuses on the relationship between the DISC personality model of Internet users and phishing techniques. The hypotheses of this study are as follows:

H1: The Dominance characteristic is positively related to Phishing techniques.

H2: The Influence characteristic is positively related to Phishing techniques.

H3: The Steadiness characteristic is positively related to Phishing techniques.

H4: The Conscientiousness characteristic is positively related to Phishing techniques.

RESULTS ANALYSIS

We collected data from 400 questionnaires sent back by Internet users in Bangkok, selected by a random method. We analyzed the data by using descriptive statistics in the first part. The result is presented in percentage points. The persons who filled in the questionnaire could be categorized by several types of demographic data: Sexes (Male 52 % and Female 48 %), Ages (25 years old upwards 58.14 %, between 18 – 25 years old 43 % and below 18 years old 13.3 %), Educational levels (Undergraduate 56 %, below Undergraduate 27 % and Graduate level 17 %), and Occupations (Employees 36 %, Undergraduate, Graduate 33.8 % and Student 15.5 %). The DISC personality model was analyzed by descriptive statistics in the last part. According to this study, 33.5 % are in the Influence personality and 26.5 % in the Steadiness personality, followed by the Dominance personality with 21.5 %, and the last group is the Conscientiousness personality with 18.5 %.

Inferential statistics were used for the second part. This is presented using the Pearson correlation analysis between personality traits and phishing techniques. The analysis of results is presented as follows:

TABLE 1 THE PEARSON CORRELATION ANALYSIS BETWEEN DISC PERSONALITIES AND PHISHING TECHNIQUES

Correlation analysis for Link Manipulation Technique and Personality Traits

According to the statistical analysis, personality “I” has a positive relationship with Link Manipulation, which relates to the user entering a URL address and understanding that a web link or picture can be linked to a fraudulent website. Therefore, personality “I” has a chance to be deceived, but this has few opportunities to occur because the level of significance is .026, which is less than 0.05. On the other hand, personalities “D, S and C” do not have any relationship with this technique.

Correlation analysis for Website Forgery Technique and Personality Traits

From the result of the statistical analysis, personality “I” has more chance to be bilked in situations related to understanding of security in the web browser and always entering personal information through a web link in e-mail, whereas personalities “D, S and C” do not have any relationship with the website forgery technique.

Correlation analysis for Spear Phishing Technique and Personality Traits

According to the statistical analysis, personality “D” has less chance to be lured when Spear Phishing techniques are used often, in relation to entering personal information for redeeming and how easily one is convinced to do any online activities. Personality “I” has a positive relationship under situation number 1, which relates to instant messenger use. Personality “S” also has a positive relationship with the Spear Phishing technique in relation to entering personal information for redeeming. Meanwhile, personality “C” has the opposite relationship from personalities “I and S”. Therefore, the chance of personality “C” being deceived will decrease if the technique is used more, because of the negative relationship.

Correlation analysis for Filter Evasion Technique and Personality Traits

From the result of the statistical analysis, personality “D” has a positive relationship with the Filter Evasion technique in relation to always opening some interesting junk mail. So, the chance of personality “D” being deceived will decrease if we use this technique more. Meanwhile, personality “I” has a chance to be lured by Filter Evasion, in relation to attention to any details of a website that can cause harm to your computer, awareness of using a virus scan to detect suspect pictures, and always opening some interesting junk mail, because of the positive relationship. On the other hand, personalities “S and C” have no relationship with this technique.

Conclusion: Personality Trait and Phishing Techniques

From all the analysis tables above, personality “I” people are optimistic and believe everything will be good for them, so they are deceived easily. There is support for the position that personality “I” may be the personality trait most correlated with phishing vulnerability. Another weakness of personality “I” is that they love to have fun and they love being social, so they are lured by strangers. One facet of personality “D” that can cause a problem is that they do everything fast and are very active, so this introduces a possible risk for this personality. Meanwhile, personality “C” people are accurate and their decisions are based on fact; in addition, “C” people are careful and cautious, so for many reasons “C” people will not be a victim of the phishers. Similar to personality “C”, “S” people are security-minded and deliberate. 'S' people are more cautious compared to the 'D' and 'I' people; therefore they have the lowest response to the phishers.

DISCUSSION AND CONCLUSION

Having considered the evidence, the Internet users who are identified as Influence and steadiness personality or ‘I’ and ‘D’ personalities are likely to become a victim of the mentioned phishing techniques. Phishing has become a significant problem for Internet users. It causes damage to both individuals and organizations in the form of monetary damages, indirect costs, and opportunity costs. While most of its effects are noticeable in the United States, it is expected that phishing will continue to expand all over the world. This paper discusses an approach to the types of Internet users involved with phishing techniques, based on the factors. The questionnaire and the session evaluation survey reveal that current Internet users are mostly oblivious to phishing threats. Upon being exposed to the topics and shown how to analyze a message for phishing characteristics, Internet users are able to correctly identify most of the threats.

More work remains to be done. Given a predicted increase in tools available to fight phishing, it is expected that future attacks will continue to be more and more refined in user and event specificity. The validity in the context of predicting an individual’s susceptibility to various forms of phishing attacks is still unclear and requires further research. The use of DISC personality traits to assess the likelihood of falling into a phishing trap will help tailor security awareness programs to the individual or groups of individuals (by personality traits).

REFERENCES

Bailey, J., Mitchell, R., & Jensen, B. (2008), “Analysis of Student Vulnerabilities to Phishing”, Proceedings of the Fourteenth Americas Conference on Information Systems, Toronto: Association of Information Systems, pp. 1-10.

Baker, T.D. (2006), “New Email-Based Bank Fraud via VOIP Services”, available at http://www.xeal.com/blog/index.php/2006/07/21/new_email_based_bank_fraud_via_voip_serv.

Bonnstetter B., Suiter J., Widrick, R. (1993), The Universal Language DISC, Scottsdale, AZ: Target Training International.

Dunn, J.E. (2007), “Do-It-Yourself Phishing Kit”, available at http://www.pcworld.in/news/index.jsp/artId=4915203

Duntemann J., Degunking. (2004), Your Email, Spam, And Viruses, Scottsdale, Arizona: Paraglyph Press.

Evers, J. (2007), “New Tools Enables Sophisticated Phishing Scams”, January 11, available at http://zdnetindia.com/news/security/stories/167392.html.

Gartner Group. (2004), “Phishing Victims Likely Will Suffer Identity Theft Fraud”, May 14, 2004.

Gooden, D. (2007), “Man Hijacks 90 eBay Accounts”, March 21st, available at http://www.theregister.co.uk/2007/03/21/ebay_hijack_plea.

Jakobsson, M., Ratkiewicz, J. (2006), “Designing Ethical Phishing Experiments: A Study of (ROT13) rOnl Query Features”. In: WWW 2006.

Jagatic T., Johnson N., Jakobsson M., and Menczer F. (2007), “Social Phishing”, to appear in the Communications of the ACM. Draft preprint available at http://www.indiana.edu/_phishing/social-network-experiment/phishing-preprint.pdf.

Leslie Furlow (2000), “Job Profiling: Building a Winning Team Using Behavioral Assessment”, Journal of Nursing Administration, Vol. 30 No. 3, March, 2000.

Lohman, T. (2006), “NAB Hit by Phishing Scam”, March 9, available at http://www.itnews.com.au/newsstory.aspx?CIaNID=30742.

McFedries, P. (2004), “The Word Spy”, available at http://www.wordspy.com/words/.

Miller, R. (2007), “Phishing Attacks Continue to Grow in Sophistication”. available at http://news.netcraft.com/archives/2007/01/15/phishing_attacks_continue_to_grow_in_sophistication.html.

Stallings, W. (1995), Network and Internetworked Security, Englewood Cliffs, New Jersey: Prentice Hall.

Weiner, I., & Greene, R. (2008), Handbook of Personality Assessment, Hoboken: John Wiley & Sons.

Workman, M. (2008), “Wisecrackers: A Theory-Grounded Investigation of Phishing and Pretext Social Engineering Threats to Information Security”, Journal of the American Society of Information Science and Technology, pp. 662-674.