Elmer Lastdrager spent six years studying various aspects of phishing for his PhD at the University of Twente. This included analysing 700,000 phishing emails. ‘The recipients of these emails decide if they are trustworthy primarily based on the content, sender and length of the email, but pay little attention to the technical aspects.’ Lastdrager will be awarded a PhD for his research on 9 February.
Every year, attackers send billions of phishing emails. Elmer Lastdrager studied various aspects of this phenomenon for his PhD research at the University of Twente. ‘One important weapon that attackers use is to create a sense of urgency, as in Click now, or your debit card will be blocked!’ Lastdrager says. This is a transparent trick, but effective nonetheless. Receivers of emails that trigger their sense of urgency respond more positively and are more likely to ignore warning signs (such as a message on the computer that clicking this link could be dangerous). ‘Another well-known but effective method is to claim authority. This is why attackers like to use the names of respected financial institutions, for example,’ he continues.
Recognizing the danger
Lastdrager explains that it is childishly simple to recognize a phishing email. ‘Always check the sender’s email address first. A bank will never use a Gmail address to write to you. And check what the link you are supposed to click on actual links to – without actually clicking on it of course!’ Lastdrager’s research has revealed that in practice, consumers usually ignore these ‘technical aspects’ of phishing emails. ‘They usually decide if an email is trustworthy based on the content, sender and length of the email,’ he goes on.
It is relatively easy to learn to recognize phishing emails. Lastdrager himself developed a short training programme in which 8 to 13-year-old children can learn to recognize phishing emails in 40 minutes. Unfortunately, the lessons learned are forgotten easily, as has also been revealed in other research; four weeks after the training programme, the children were getting the same scores as they got beforehand. This is why Lastdrager advocates giving permanent attention to this issue.
700,000 messages
The Fraud Helpdesk, where people can report phishing emails in the Netherlands, receives an average of 70,000 phishing emails each month. Sixty-four per cent of these are from private email addresses. Lastdrager analysed 700.000 of these emails and tried to find patterns in this enormous dataset. One pattern he found is that attackers tend to reuse the same messages several times. The phishing emails that were reported at least five times to the Fraud Helpdesk were reused 3.6 times on average, with an average intervening period of 49 days.
The phishing emails were fairly evenly distributed throughout the day, with a small peak at around 1 p.m. Lastdrager also found that attackers send most messages at the beginning of the week. On Fridays, and even more so in the weekends, there is a lot less phishing traffic. Users prove to open most emails during working days, including those from their private email addresses. The highest peak is on Monday morning.
The majority of the messages (70 to 83%) sent in the Netherlands concern the financial sector, such as messages claiming to be from banks. Lastdrager compared these with the largest available data set from the US. A striking difference with the Netherlands is that phishing emails in the US use the names of stores, internet providers and telecom companies much more often.
Among the reasons provided to the Fraud Helpdesk for suspecting a phishing email, 69% say that they do not have a relationship with the company the email claims to represent.
Research
Lastdrager will defend his doctoral dissertation entitled From fishing to phishing on Friday, 9 February. The public defence will take place at 16:30 in the Prof.dr. G. Berkhoff Hall in the Waaier building on the University of Twente campus. Lastdrager was supervised by Pieter Hartel (Services, Cybersecurity and Safety research group) and Marianne Junger (Industrial Engineering and Business Information Systems research group). He currently works for SIDN Labs, the research department of the company SIDN which operates the .nl domain.
