Characterizing the Evolution of Psychological Factors Exploited by Malicious Emails

Theodore Longtchi, Shouhuai Xu

TL;DR

This paper tackles the problem of understanding how psychological factors (PFs) exploited by malicious emails evolve over time. It introduces a reconciliation framework to reduce 46 PFs from prior work to a concise set of 20 PFs and presents a general methodology to characterize PF evolution, including a rigorous scoring scheme for implicit vs explicit exploitation. Applying this approach to a case study of 1,260 malicious emails from 2004–2024 reveals that all PFs are exploited, with nine PFs increasingly targeted (primarily in an implicit fashion) and notable co-exploitation patterns among PF clusters, especially involving Cognition, Authority, Trust, and Workload. The findings offer concrete defense guidance, emphasizing training and defenses that address frequently co-exploited PFs and Inherent PFs, and point to future work in forecasting PF trends and extending the framework to other cyber social engineering contexts.

Abstract

Cyber attacks, including cyber social engineering attacks such as malicious emails, are always evolving with time. Thus, it is important to understand their evolution. In this paper we characterize the evolution of malicious emails through the lens of Psychological Factors (PFs), which are human psychological attributes that can be exploited by malicious emails, that is, by the attackers who send them. For this purpose, we propose a methodology and apply it to conduct a case study on 1,260 malicious emails over a span of 21 years, 2004 to 2024. Our findings include the following: attackers have been constantly seeking to exploit many PFs, especially the ones that reflect human traits; attackers have been increasingly exploiting 9 PFs, mostly in an implicit or stealthy fashion; and some PFs are often exploited together. These insights shed light on how to design future defenses against malicious emails.

Paper Structure (14 sections, 5 figures, 2 tables)

This paper contains 14 sections, 5 figures, 2 tables.

Figures (5)

  • Figure 1: Summary of the reconciliation of the 46 PFs (columns 1 and 4) into the 20 PFs, including two being renamed (in green) and 4 being preserved (in blue). A filled circle in the original PFs (i.e., columns 1 and 4) indicates that a PF has been studied quantitatively and an empty circle indicates otherwise; the "+" ("-") sign indicates that a higher PF value means a higher (lower) susceptibility to cyber social engineering attacks (e.g., malicious emails) [longtchi2024internet]. "Ind." is short for Individual, and "Percept." is short for perceptual. The superscript of each reconciled PF indicates the PF family to which it belongs (1 for Inherent PFs, 2 for Social PFs, and 3 for Situational PFs).
  • Figure 2: Frequency of PFs exploited by malicious email from 2004 to 2024.
  • Figure 3: Plots of occurrences of PFs over the 21 years where Ind. is short for Individual.
  • Figure 4: Plots of individual PFs, showing which PFs have been increasingly, decreasingly, and constantly exploited by malicious emails during the 21 years.
  • Figure 5: Correlation between the PFs, where positive correlations are highlighted in green (with a greener color indicating a higher positive correlation) and negative correlations are highlighted in red (with a deeper red indicating a higher negative coefficient).