Quantifying Psychological Sophistication of Malicious Emails

Theodore Longtchi, Rosana Montañez Rodriguez, Kora Gwartney, Ekzhin Ear, David P. Azari, Christopher P. Kelley, Shouhuai Xu

TL;DR

This work tackles the challenge of defending against cyber social engineering by quantifying the psychological sophistication of malicious emails. It introduces a two-dimensional framework built on Psychological Techniques (PTechs) and Psychological Tactics (PTacs) to decompose email content into low-level cues and high-level framing, respectively. Using a case study of 1,036 malicious emails and a structured calibration/grading pipeline, the authors demonstrate that phishing emails are generally more sophisticated than other types and reveal patterns in PTech/PTac usage and their correlations. The framework’s findings—such as the prominence of Attention Grabbing and Impersonation, and the role of social-event contextualization—inform targeted defenses and motivate an automated tool for real-time sophistication assessment. The study also provides a Krippendorff’s Alpha–based method for measuring inter-rater agreement and highlights avenues for extending the framework to other cyber-social engineering domains.
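The TL;DR mentions that the study measures agreement among its four graders with Krippendorff's Alpha. The following is an added worked example, not the paper's own code or data: it implements the standard interval-metric form of alpha (alpha = 1 - D_o / D_e, from Krippendorff's coincidence-matrix definition) over per-email cue counts and applies it per PTech. The email IDs, the counts, and the two PTech names used as dictionary keys are constructed sample inputs; the 0.800 / 0.667 reliability thresholds are Krippendorff's commonly cited rules of thumb. A skipped grading (None) is handled, since an email with fewer than two gradings carries no pairable information.

```python
"""Krippendorff's alpha (interval metric) for inter-grader agreement on PTech cue counts.

Added example; not code from the paper. Each grader's cue count for one PTech on
one email is treated as an interval-scale rating.
"""
from collections import Counter
from itertools import permutations
from typing import Dict, List, Optional

Ratings = List[List[Optional[float]]]  # ratings[email][grader]; None = not graded

# Constructed sample input (not data from the study): four graders' cue counts
# for two PTechs on five emails E1..E5. One grader skipped E3 for Impersonation.
CONSTRUCTED_GRADES: Dict[str, Ratings] = {
    "Attention Grabbing": [
        [3, 3, 3, 3],  # E1
        [1, 1, 2, 1],  # E2
        [5, 4, 5, 5],  # E3
        [0, 0, 0, 1],  # E4
        [2, 2, 2, 2],  # E5
    ],
    "Impersonation": [
        [1, 1, 1, 1],
        [0, 0, 0, 0],
        [2, 2, None, 2],
        [1, 1, 1, 1],
        [0, 0, 0, 0],
    ],
}


def krippendorff_alpha_interval(ratings: Ratings) -> float:
    """Return Krippendorff's alpha with the interval difference metric (c - k)^2."""
    # Keep only emails with at least two gradings; a lone value has nothing to pair with.
    units = [[v for v in row if v is not None] for row in ratings]
    units = [u for u in units if len(u) >= 2]
    n = sum(len(u) for u in units)  # number of pairable values
    if n < 2:
        raise ValueError("need at least two pairable values")

    # Observed disagreement: squared differences within each email, weighted by
    # 1/(m_u - 1) so that every email contributes exactly m_u coincidences.
    within = sum(
        sum((a - b) ** 2 for a, b in permutations(u, 2)) / (len(u) - 1)
        for u in units
    )
    d_o = within / n

    # Expected disagreement: squared differences between all pairable values
    # regardless of email, i.e. the disagreement expected by chance.
    counts = Counter(v for u in units for v in u)
    between = sum(
        nc * nk * (c - k) ** 2
        for c, nc in counts.items()
        for k, nk in counts.items()
    )
    d_e = between / (n * (n - 1))
    if d_e == 0:
        raise ValueError("graders used one value everywhere; alpha is undefined")
    return 1.0 - d_o / d_e


def reliability_label(alpha: float) -> str:
    """Krippendorff's commonly cited rule of thumb for interpreting alpha."""
    if alpha >= 0.800:
        return "reliable"
    if alpha >= 0.667:
        return "tentative"
    return "unreliable"


def agreement_by_ptech(grades: Dict[str, Ratings]) -> Dict[str, float]:
    """Compute alpha separately for each PTech (each is its own rating task)."""
    return {ptech: krippendorff_alpha_interval(r) for ptech, r in grades.items()}


if __name__ == "__main__":
    for ptech, alpha in agreement_by_ptech(CONSTRUCTED_GRADES).items():
        print(f"{ptech:20s} alpha={alpha:.4f} ({reliability_label(alpha)})")
```

Computing alpha per PTech rather than over all PTechs pooled is deliberate: the count ranges differ between cues, and pooling would let a high-variance PTech mask disagreement on a low-variance one.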

Abstract

Malicious emails including Phishing, Spam, and Scam are one significant class of cyber social engineering attacks. Despite numerous defenses to counter them, the problem remains largely open. The ineffectiveness of current defenses can be attributed to our superficial understanding of the psychological properties that make these attacks successful. This problem motivates us to investigate the psychological sophistication, or sophistication for short, of malicious emails. We propose an innovative framework that accommodates two important and complementary aspects of sophistication, dubbed Psychological Techniques, PTechs, and Psychological Tactics, PTacs. We propose metrics and grading rules for human experts to assess the sophistication of malicious emails via the lens of these PTechs and PTacs. To demonstrate the usefulness of the framework, we conduct a case study based on 1,036 malicious emails assessed by four independent graders. Our results show that malicious emails are psychologically sophisticated, while exhibiting both commonalities and different patterns in terms of their PTechs and PTacs. Results also show that previous studies might have focused on dealing with the less proliferated PTechs such as Persuasion and PTacs such as Reward, rather than the most proliferated PTechs such as Attention Grabbing and Impersonation, and PTacs such as Fit and Form and Familiarity that are identified in this study. We also found among others that social events are widely exploited by attackers in contextualizing their malicious emails. These findings could be leveraged to guide the design of effective defenses against malicious emails.

Paper Structure (26 sections, 7 equations, 12 figures, 3 tables, 1 algorithm)

Figures (12)

  • Figure 1: Overview of the framework, where the calibration process is iterative.
  • Figure 2: The Calibration Process includes two sub-processes: Designing Grading Rules and Training, where the latter has four steps---priming, testing, evaluation, and resolution.
  • Figure 3: Grading Aid Examples. The screenshot of a page in the grading aid document demonstrates how to count Incentives & Motivators cues in emails. For each email, it shows the different counts for cues of Incentives & Motivators, and which cues constitute incentives and which cues constitute motivators. The To field of the emails is redacted for privacy-protection purposes. Note the emails used in the grading aid are not used in the Calibration or Grading processes.
  • Figure 4: A modified screenshot showing how a grader sees the survey on the Qualtrics platform. At the top there are options such as restarting the survey. A progress bar indicates the progress with respect to the number of emails for the session (usually 100 emails per session). E129 indicates the ID of the email that is currently being graded. The 8 PTechs are on the left side, and the 7 PTacs are on the right side, both having sliders and text boxes to input counts and grades respectively. The PTacs rating scale is at the bottom right (under the PTacs) to remind graders of what constitutes a grade from 1 to 5. The popup window (a separate window superimposed in this screenshot at the bottom left) portrays the screenshot of the email that is being graded. The popup screen changes to the next random email, but does not change the position of the window. A grader must grade all 8 PTechs and 7 PTacs before proceeding to the next email.
  • Figure 5: The total number of outliers for each PTech (orange color) and PTac (blue color).
  • ...and 7 more figures

Theorems & Definitions (1)

  • Definition 1: sophistication of malicious email