
Abstract

Information manipulation for deception continues to evolve at a remarkable rate. Artificial intelligence has greatly reduced the burden of combing through documents for evidence of manipulation, but it has also enabled the development of clever modes of deception.

In this study, we modeled deception attacks by examining phishing emails that successfully evaded detection by the Microsoft 365 filtering system. The sample population selected for this study was the University of North Texas students, faculty, staff, alumni and retirees who maintain their university email accounts. The model explains why certain individuals and organizations are selected as targets, and identifies potential countermeasures and counterattacks.

Over a one-year period, 432 phishing emails with different features, characters, length, context and semantics successfully passed through the Microsoft Office 365 filtering system. The targeted population ranged from 18 years old up to those of retirement age; ranged across educational levels from undergraduate through doctoral levels; and ranged across races. The unstructured data was preprocessed by filtering out duplicates to avoid overemphasizing a single attack.

Term frequency-inverse document frequency (TF-IDF) and the distribution of words over documents (topic modeling) were analyzed. Results show that staff and students were the main target audience, and that phishing email volume spiked in the summer and holiday season. The TF-IDF analysis showed that the phishing emails could be grouped into six categories: reward, urgency, job, entertainment, fear, and curiosity.

Analysis showed that attackers use information gap theory to bait email recipients to open phishing emails with no subject line or a very attractive subject line in about thirty percent of cases. Ambiguity remains the main stimulus used by phishing attackers, while the reinforcements used to misinform the targets range from positive reinforcements (prize, reward) to negative reinforcements (blackmail, potential consequences).

Digital Object Identifier (DOI)

10.35492/docam/8/2/8
