Phishing Victimization on Internet Banking Awareness Research Paper

Executive Summary

Banking organizations are gradually leading in the adoption of digital technologies to increase convenience in service delivery. While such trends are admirable, there exists an existential threat to the sustainability of the new frameworks. The vast and almost ubiquitous nature of the internet equips both genuine and malicious activities. The paradigm of cyber threat has been a menace in the online world. The e-banking services are particularly threatened by a longstanding but evolved risk of phishing attacks. The research aims at evaluating how human cognitive skills play a central role in defending against such attacks. In the same line, the study acknowledges a Heuristic-Systematic model of processing the information as a tool to inform training strategies for E-banking consumers. Subsequently, the paper proposes an experimental research design to measure the HSM-based training program’s effectiveness in improving consumers’ defenses against phishing attacks.

Introduction

Phishing is rated as one of the most successful digital deception attacks in the cybercrimes realm. Large and small organizations and individuals have reported cases of compromised credentials that have sometimes led to extreme direct financial losses or even blackmail. There has been perpetually growth in the complexity of tricks applied in phishing scams. Some known types include Malware-based phishing, keyloggers and Screen loggers, Session Hacking, Web trojans Spear Phishing and Content Injection Phishing (Vishwanath, Harrison, & Ng, 2018). Stakeholders and experts mandated with security concerns have developed detection criteria and security firewalls against these attacks. However, the continued prevalence shows that they do not provide sufficient protection.

In March 2016, during election campaigns in America, John Podesta’s Gmail account received a phishing email. Interestingly, the scam managed to bypass their computer help desk, which saw it as a legitimate email from Google. The message was tailored to show security concerns and provided a shortened URL link for the campaign staff to secure the account by changing the password. Similar techniques have been used to hack accounts of prominent people and organizations, including Colin Powel and the Democratic National Committee.

Notably, the 21st century ushered in an intense adoption and progress of information technologies in almost every industry. The banking sector is among the leading sectors as retail banks seek to obtain a competitive edge by responding to changes in the financial market. However, the new service channels have increasingly become prone to compromise due to phishing attacks. While different motives fuel such deception, a significant portion has been to obtain financial gain from the fraudulent activity. Therefore, the banking sector has been a lucrative venture for hackers who mostly prey on unwitting and mostly uninformed consumers. While there are advanced security features and tools against such cyber threats, a significant gap exists in engaging end-users cognitive defenses. It is expected that cybercriminals will progressively adjust their techniques to lure consumers into their traps. Therefore, the study is meant to determine and evaluate consumer susceptibility to e-banking victimization through phishing attacks.

Research Aims and Objectives

The research aims at understanding the general phishing phenomenon, knowing the motivations behind the offense and the tricks used in perpetrating it. Thus, the paper will identify various research studies by reputable scholars and organizations and highlight some of their findings. The study will then narrow to how the phishing attacks are orchestrated within the banking sector. Therefore, it will relate the general phishing dynamics to the mechanisms that apply to the banking sector, specifically concerning electronic banking awareness. Subsequently, the study will be designed to evaluate the effectiveness of phishing victimization training to E-banking consumers. Notably, the research will primarily focus on how phishing perpetrators prey on unsuspecting victims as they interact with the systems. Thus, it will be centered on identifying semantic attacks where information is modified to mislead E-banking users. Therefore, the research needs to be tailored to capture the cognitive processes involved in phishing attacks. The study will answer the following questions to cover the aims mentioned above and the goals of the project;

1. What are the common phishing identifiers?
2. What identifiers are more likely to be used against e-banking consumers?
3. To what extent can new E-banking users identify phishing attack messages?
4. Does the E-banking users’ susceptibility to phishing decrease significantly after educational training?

Background

The Social-Behavioral Psychology of Phishing Attacks

With the increasing concerns about cyber threats, internet providers and web-based organizations like Google have provided advanced security features that make it hard for hackers to find technology loopholes. Subsequently, hackers have sought to use manipulative strategies to masquerade and obtain personal and financial information with malicious intent. The cyber offenders study human tendencies and information processing and sometimes employ seemingly easy tricks that get their victims off guard. In most successful incidents, a crime is avoidable if the targeted person had conducted some investigation. IT stakeholders in every sector should not overlook the dominance of psychological and behavioral manipulation over technological loopholes. According to Goel, Williams, and Dincelli (2017), “Few studies have examined the motives that phishing messages elicit” (p. 29). There exists a considerable gap in understanding how phycological mechanisms impact the effectiveness of phishing offenses. Therefore, studies on phishing victimization require a more systematic endeavor to identify, describe, analyze, and organize human factors and underlying victimization mechanisms.

Negotiations and persuasions are integral communication strategies in business or other sectors. To succeed at either the sender of the message has to ensure that they establish an authority regarding the statement’s validity. Hassandoust, Singh, and Williams (2020) assert that “within the psychological paradigm, negotiations and persuasions are won by how messages are structured and delivered to their intended audiences. Based on this consideration, scholarly recommendations propose that researchers adopt a viable mix of information processing strategies to understand consumer susceptibility to phishing attacks. Notable models involve a dual process that integrates a blend of heuristic and systematic modes. According to Hassandoust et al., (2020), “When individuals use heuristic processing, they rely on judgmental and cognitive shortcuts” (p. 3). The implication is there are factors embedded or surrounding the message that helps a person make a quick, sometimes subconscious, validity assessment.

Notably, those people who rely on heuristic processing alone remain extremely susceptible to phishing attacks. Typical cues include message length, format, subject, and source. Therefore, the safeguard is reinforced using a systematic processing mode that carefully calls for the recipient to go through the information in the message carefully. While the latter seems to be more effective in detecting malice, it is more effortful and time-consuming. Therefore, other factors influence how a person will invest cognitive resources when reading a message. Primary issues surrounding validity assessment are motivation and capability. The two aspects are narrowed down to specifics like perceptions about the importance of the decision outcome and risks, end-users’ skill level, distractions, time, and other pressures (Goel et al., 2017). Another notable contribution is that people have a threshold validity assessment level that does not necessarily reach utmost reliability and accuracy. Depending on the circumstance, a malicious phishing attempt may go unnoticed just because it attained the victim’s desired judgmental confidence. A message has to match or surpass the recipient’s sufficiency threshold to approve its validity (Harrison, 2018). However, the limit is not constant but varies depending on various environmental factors.

Dual Processing Models

The collective point is that people tend to use their cognitive faculties differently depending on the situation. They can either exclusively use heuristic or systematic modes and sometimes use them concurrently. When used together, they tend to work complementarily most through reinforcement where both come to the same conclusion but with higher confidence than when relying on one. However, attenuation may occur where their findings differ (Bayl-Smith, Sturman, & Wiggins, 2020). However, the overall impact is that a cognitive alarm is created, making the end-user more risk-averse. However, dual processing is not entirely immune to phishing— experts have been scammed despite having the necessary skills. At times, the interaction in the two modes can boost bias where one’s inaccurate conclusions are supported by the other. Nevertheless, the mix has been used extensively and effectively in social psychology and in informing marketing strategies.

The application of Heuristic-Systematic Models in Information Technology could have promising outcomes in curbing the phishing pandemic. Scholars in IT subfields such as web, search engine, and domain involvement of end-users have acknowledged the use of HSM in trust and credibility assessment (Bayl-Smith et al., 2020). Such contexts bank that for phishing to occur, there have to be several cues of deception that the end-user can identify. Understanding the HSM framework’s immediate importance is to inform and educate end-users on strategic measures to detect and avoid fraudulent phishing activities. Moreover, since the modes are not foolproof, preliminary research could help study how phishing victimization can circumvent these firewalls. For instance, where the user is equipped with the HSM modes, an offender would have to dodge various psychological units. The attacker must either draw a message that outmatches systematic processing leading to wrongful assessment, boost heuristic cues that trick the victim into making incorrect validity assessments and suppressing sufficiency thresholds such that they do not initiate HSM.

Based on the literature above, it is vital to understand how messages can be twisted to increase victimization. Hassandoust et al. (2020) theorized five heuristic and systematic messaging variables, including argument quality, level of source credibility, genre conformity time pressure, need for cognition, and effects of pretexting. On argument quality, the proposition was that a phishing attack would withstand HSM if the message is of high quality. The influence is magnified by a situation where the attacker mimics an authoritative department, thus imbuing false source credibility. In the latter case, researchers assert that higher-level source credibility is enacted through habitual communication cues such as communication formats, logos, fonts, and phrases. When consumers become accustomed to such attributes, they become vulnerable to phishing attacks, which mirror characteristics that show genre conformity. The next context has a somewhat personal touch in that it recognizes variances in personality traits. Since phishing messages have false content, people who have a higher need to comprehend information are less likely to fall victim to fraudulent notices.

Additionally, as noted earlier, systematic cognition processes are time-consuming. In this regard, Goel et al. (2017) suggest that “an attack has high chances of success when the intended victim is distracted or pressed for time” (p. 27). Usually, the cyber offender suppresses cognition by insisting on the urgency of the matter. The immediate reaction by the recipient ends ups compromised by bogus heuristic cues (Vishwanath et al., 2018). Lastly, phishing perpetrators sometimes rely on legitimate events to engineer attacks. For instance, a bank may upgrade its website and require its consumers to update their information. Subsequently, an attacker may take the opportunity to craft messages that appear to be from the bank. They then pretext false requests that help them access private information like bank accounts and passwords.

Phishing Mechanisms in E-Banking

Phishing attacks in the late 1990s were primarily email-based and banked on using genre conformity attributes like logos that masked their illegitimacy. Over time, novel programming techniques were invented, thus aiding malicious hackers by impersonating company websites. Subsequently, identity thieves managed to scam millions of people, especially those who were new to online platforms. As one of the most affected sectors, unsuspecting recipients in the banking industry received baited emails that coerced them to provide their account details. The emails have partially concealed URL that limits a consumer’s capacity to scrutinize them (Alsayed & Bilgrami, 2017). The frequent attacks on PayPal account place it as one of the most affected e-banking institutions. Typical cases are situations where users are sent links that direct them to a fake website spoofed to look like that of the targeted company. Most messages are tailored to show security concerns where the user is requested to take immediate action like reactivate an account that is supposedly suspended to prevent fraudulent activities.

Phishing attacks are perpetrated after offenders evaluate their potential targets and formulate a plan. Usually, there are six sequential stages in the phishing process (Alsayed & Bilgrami, 2017). The first one is when the perpetrators strategize on how to conduct the attack. It has already been established that phishing has more than five possible attack techniques. For financial services, the most common types include man-in-the-middle, Deceptive, Malware-based, and DNS-based phishing. They also identify and recruit their targets while mounting the ropes for the attack. Notably, the phishing subculture has been nourished by the availability of information on building fake links and assistance in carrying out the attacks. Once the mechanisms are set, the next move is to gather the victim’s personal information through emails, malware, or even by recruiting insiders (Bayl-Smith et al., 2020). Subsequently, the attackers use various tools like keystrokes, screen-loggers, and traffic sniffing to harvest the data. Once the information is collected, they determine the necessary processes in utilizing the information to acquire their intended benefits. Typical cases include authorization to particular transactions, determination of credit limits, and level of scrutiny on specific transactions, among others (Butler & Butler, 2018). They also need to focus their efforts on obtaining maximum gain and shortlist those with reasonable credit limits or other profitable traits.

When identity theft seeks to perpetrate fraudulent activities, the most common offense is hijacking a bank account and stealing funds from it. The phishing ecosystems accommodate other financial crimes such as selling credit card numbers, extortion, making unauthorized purchases, and blackmail (Butler & Butler, 2018). Recorded extreme cases include situations where the money has been used to fund terrorist groups or other malicious political agendas. The seemingly uncontrollable and vast reach of the internet helps perpetrators go away unpunished. After conducting fraud, they use to take the benefits through various money laundering processes available in the virtual market place. In recent years, there has been an exponential growth in digital currencies such as cryptocurrency and bitcoins. The non-blank and peer-to-peer transactions are hard to trace or track and give the hackers a technological edge to facilitate the cybercrimes at the comfort of their computer terminals.

As a growing cyber hazard, phishing has extreme financial and legal repercussions to the financial institutions. First, there are direct costs when the attackers manage to facilitate the fraud unnoticed. Second, the prevalence of such activities erodes consumer confidence in e-banking and move towards the more traditional physical settings. Other than the banks, they affect other organizations whose operations or contact with consumers rely on online activity growth such as software providers and ISPs (Butler & Butler, 2018). So long as consumers remain uninformed about differentiating between legitimate and spoof sites, the issue of phishing will remain a considerable threat to the survival of E-banking.

Interventions Against Phishing Attacks

Since phishing threats have been in existence for the past two decades, significant efforts have been applied in countering them. Scholars have proposed various plausible methods of mitigating these cyber threats. Notable countermeasures include web-page personalization, protection software, two-factor authentications, and increasing customer awareness (Gupta, Arachchilage, & Psannis, 2018). The proposed remedies’ success relies heavily on the coordination between all the relevant stakeholders, specifically the banks, the government, and the E-banking end-users. Strategies such as email and web page personalization are easy tactics but go a long way in protecting against cyber-attacks. The bank should liaise with its customers to create unique references that are only communicated between them. While implementation can be daunting for banks with extensive financial markets, the outcomes in several research studies show considerable effectiveness. The intention is to ensure that there is a vast difference between legitimate and cyberattacks, making it easier for users to identify scams.

Research Significance and Innovation

Significance

First, ICT experts are not immune to phishing attacks since it is a dynamic technological field that feeds on creativity and innovation. The research shows the importance of understanding cognitive processes’ weaknesses since it is the ultimate weapon used in phishing attacks. It appreciates social psychology’s role in improving the technical capability of professionals in ICT, especially those who are tasked with securing precious accounts in institutions and the government. The literature provided in the background calls for a deep understanding of heuristic-systematic dual processing. However, ICT personnel should be well versed in other proposed cognitive processing models to enhance their capacity to identify phishing attacks.

Benefits

The research acknowledges the effectiveness of some of the established countermeasures against phishing attacks. However, it insists on consumer engagement and awareness as a central security feature, especially in banks. The cybersecurity industry knows the limitless potential of cybercriminals; they keep inventing and creating new ways to bypass firewalls. While consumers may not match their IT prowess, the industry experts should equip them with cognitive skills to explicitly identify or flag conspicuous messages, potentially a phishing attack. Therefore, the research will help initiate necessary investments in learning how best to equip the consumer base with tools and skills to fight phishing crimes. Subsequently, it will imbue trust and confidence for them to participate in the virtual financial market. Markedly, e-banking has significant cost benefits on the banking sector that helps it increase its profitability.

Innovation

The research innovativeness springs in its potential to develop an educational tool for the banking sector. For instance, stakeholders could use the research to create an email extension or application prompt that is frequently updated. The intention would be to schedule monthly E-banking targeted phishing training sessions to keep the consumers alert and informed. It would also help keep the IT personnel engaged as they have to keep updating the tool to meet the educational goals of the sector as per the trends. Therefore, the research would reinforce the cybersecurity field by creating a subculture of regularly empowering online consumers to protect themselves against cyber-attacks. Once acknowledged and recommended for implementation, the new task would be to identify ways of motivating consumers to participate in the scheduled training sessions.

Research Methods

While research methods are generally grouped as either qualitative or quantitative, this research would appreciate a mixed method’s strengths. By combining them, a researcher imbues a more comprehensive coverage of the topic or problem in question. However, not all studies necessitate such an approach, and it depends highly on the researcher’s motivations. Usually, quantitative designs help to capture an extensive understanding of the phenomenon. For the proposed study, a qualitative framework would play a vital role in evaluating the target population’s position before analysis or training. The quantitative aspects would help in showing and analyzing relationships between different target groups. Notably, quantitative studies are used to help test a hypothesis. Overall, the experiment will have a fixed design since the research hedges on the background section’s theory. Typically, variables that have to be controlled and measured must be assessed using a quantitative approach.

Experimental Design

It would serve the purpose of the study to conduct pretest-posttest experimental research. Since the research seeks to compare trained and untrained e-banking users, a randomized two-block approach would fit the context. The randomized aspects help to imbue internal validity and ensure that the selected groups are relatively equivalent. Pretest-posttest designs are standard when testing the effect of a variable, which is the educational training. Two randomized blocks are categorized into the experimental group and the control group. The latter is provided with general information about cybersecurity, while the other group is educated with relevant information about phishing. Rather than keeping one group entirely engaged, they are both exposed to alternative curriculums to keep the groups equal.

It would be convenient to use mock or deceptive experiments to capture a real-world scenario. However, the existing literature shows that such studies tend to spring legal and ethical controversies. Other studies have focused on using images to see whether the participants recognize phishing messages to escape this loophole. However, since the need to mirror real-life scenarios remains central in research, the best approach is to use a web application tool (Jensen, Dinger, Wright, & Thatcher, 2017). It confers a more interactive framework that can help participants access more information about a message. For instance, one can access a link and determine to assess its credibility by scrutinizing the URL. Therefore, the research should be a web-based survey where the participants are presented with a mixed but equal number of phishing and legitimate emails from the bank. The task will be to mark an email as either legitimate or phishing, where a correct answer will be accorded one mark. The sample group should be new E-banking users from a selected bank.

The researchers will use thematic coding to frame the phishing emails to accommodate the heuristic and systematic dual processing. The first aspect will include technical attributes that mirror existing phishing attacks, including URLs, sender addresses, graphics, language, and graphics. Second, the researcher will then tailor the messages to accommodate personal attributes that make an individual either susceptible to an attack or quickly identify one. Recommended characteristics include authority, curiosity, social proof, technical background, past experiences, and risk perceptions. The third thematic context is enticements inform of promising benefits including discounts, an invitation to an event, and opportunities. Lastly, the messages will

Ethical Aspects

As noted earlier, previous researchers have identified that ethical concerns triggered by deceptive experiments. A primary concern is that some emails are intense and can cause psychological damage to the person or a response that triggers detrimental repercussions to the study’s progress (Hassandoust et al., 2020). For instance, an uninformed participant may contact a lawyer who, on further investigation, pursues a legal course against the researchers. Therefore, before conducting the research, it is crucial to make sure that the participants are aware. It is also critical to ensure that the application maintains autonomy and secures the privacy of the participants. They must have the freedom to choose to participate or not without any consequences.

Statistical Test

The research should adopt various statistical tests to assess the attainment of the research objective. It should begin with the simplest form, which calculates the direct difference between pretest and post-test results. Subsequently, the researcher should conduct a more sophisticated test to determine whether the observed discrepancies confer any significance. A relatively simple variant in this scope is the paired t-test. The test is instrumental in determining whether the mean difference between the pretests and posts tests for both control and experimental groups is significant. From the mean difference, another notable statistical measure is the standard deviation. An exceptional statistical tool that utilizes the standard deviation is the Cohen’s d formula. When used, the procedure will help assess the training’s educational effect between the two randomized blocks.

Conclusion

The prevalence of phishing attacks has been a longstanding menace in the online community. With the increasing adoption of the internet as a virtual working space, there is an inherent need to combat or reduce the rate of successful phishing activities. Subsequently, researchers have conducted extensive research on countermeasures. Common strategies seem to be a battle of IT skills where large companies with vast resources invest in developing multilayered firewalls. However, phishing is a unique type of cyber-attack because it feeds on technological prowess and human cognition weaknesses. Therefore, despite the relentless battles by cybersecurity personnel against hackers, research shows that the first-line defense is equipping the end-users’ cognitive abilities. It is from this perspective that Information technology merges with social-behavioral psychology. Out of the possible mental processing models, a blend between heuristic and systematic processing shows promising outcomes in understanding and curbing the phishing dynamics.

Despite a rich literature framework on phishing technicalities, people remain significantly prone to attacks. Therefore, it is the responsibility of organizations that contact their customers through digital platforms to equip them with the necessary knowledge and skills. Consequently, it requires collaborations between researchers and organizational and government authorities to facilitate innovations that create cyber armor for online consumers. In the same regard, the research seeks to induce an innovative sense in the banking sector by providing an opportunity to make a technological subculture that perpetually reinforces embanking consumers’ cognitive formidability against phishing attacks.

Notably, the motive behind most phishing activities is to facilitate fraudulent activities. Therefore, the surge in adoption of E-banking services has created a lucrative venture for malicious hackers. Other than direct costs to the account holder and the bank. The threat destabilized a promising field by creating distrust among the users. Consequently, banks lose the opportunity to reduce costs, and the end-users fail to attain the convenience confer by virtual transactions. Therefore, to curb these shortcomings, the proposed research will be designed to impart more knowledge on phishing directed to banks. It will show the plausibility of informed training strategies in equipping E-banking users with the confidence and skills to circumvent phishing offenders’ tricks. Since mock experiential designs are controversial, the research will use a web-based survey tool to measure an HSM-informed curriculum’s significance in training E-banking recruits. It will utilize statistical tools like the paired t-test and Cohen’s d formula.

References

Alsayed, A., & Bilgrami, A. (2017). E-banking security: Internet hacking, phishing attacks, analysis and prevention of fraudulent activities. International Journal of Emerging Technology and Advanced Engineering, 7(1), 109−115.

Bayl-Smith, P., Sturman, D., & Wiggins, M. (Eds.). (2020). Cue utilization, phishing feature and phishing email detection. In International conference on financial cryptography and data security (pp. 56−70). Cham, Switzerland: Springer.

Butler, R., & Butler, M. (2018). Assessing the information quality of phishing-related content on financial institutions’ websites.Information & Computer Security, 26(5), 514−532. Web.

Goel, S., Williams, K., & Dincelli, E. (2017). Got phished? Internet security and human vulnerability. Journal of the Association for Information Systems, 18(1), 22−44. Web.

Gupta, B. B., Arachchilage, N. A., & Psannis, K. E. (2018). Defending against phishing attacks: Taxonomy of methods, current issues and future directions. Telecommunication Systems, 67(2), 247−267. Web.

Harrison, B. (2018). Does Anti-phishing training protect against organizational cyber-attacks? An empirical assessment of training methods and employee readiness(Doctoral dissertation, State University of New York at Buffalo). Web.

Hassandoust, F., Singh, H., & Williams, J. (2020). The role of contextualization in individuals’ vulnerability to phishing attempts.Australasian Journal of Information Systems, 24. Web.

Jensen, M. L., Dinger, M., Wright, R. T., & Thatcher, J. B. (2017). Training to mitigate phishing attacks using mindfulness techniques. Journal of Management Information Systems, 34(2), 597−626. Web.

Vishwanath, A., Harrison, B., & Ng, Y. J. (2018). Suspicion, cognition, and automaticity model of phishing susceptibility. Communication Research, 45(8), 1146−1166. Web.