Content Analysis of Persuasion Principles in Mobile Instant Message Phishing

  • Conference paper
Human Aspects of Information Security and Assurance (HAISA 2023)

Abstract

The popularity of Mobile Instant Messaging (MIM) Applications (apps) presents cybercriminals with a new venue for sending deceptive messages, known as ‘Phishing’. MIM apps often lack technical safeguards to shield users from these messages. The first step towards developing anti-phishing solutions to identify phishing messages in any attack vector is understanding the nature of the attacks. However, such understanding is lacking for MIM-enabled phishing. This study provides insights into how phishers apply persuasion principles in MIM phishing. Using the deductive content analysis method and Cialdini’s six principles of persuasion, this study identified and analysed 67 examples of real-world MIM phishing attacks from various online sources. Each phishing example was coded to identify the persuasion techniques used and how they were applied. Findings reveal that the principles of social proof, liking, and authority were most widely used in MIM phishing, followed by scarcity and reciprocity. Furthermore, most of the phishing examples contained three persuasion principles, most often a combination of authority, liking, and social proof. These findings provide insights into how phishers execute phishing in MIM apps and provide a theoretical foundation for future research on the psychological aspects of phishing in MIM apps and the development of anti-phishing solutions to identify phishing in MIM.

Acknowledgement

This work is part of a PhD research sponsored by the Petroleum Technology Development Fund (PTDF)-Nigeria. There were no conflicts of interest in this study.

Corresponding author

Correspondence to Rufai Ahmad.

Copyright information

© 2023 IFIP International Federation for Information Processing

About this paper

Cite this paper

Ahmad, R., Terzis, S., Renaud, K. (2023). Content Analysis of Persuasion Principles in Mobile Instant Message Phishing. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_26

  • DOI: https://doi.org/10.1007/978-3-031-38530-8_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38529-2

  • Online ISBN: 978-3-031-38530-8

  • eBook Packages: Computer Science (R0)
