Phishing
Slides
Handouts
Required Reading
- Kumaraguru, Ponnurangam, et al. “Lessons from a real world evaluation of anti-phishing training.” 2008 eCrime Researchers Summit. IEEE, 2008.
- The practice of sending simulated phishing messages to employees as training is based on this and other PhishGuru work.
Learning Outcomes
Topics
- Phishing
- Psychology around risk
- Teachable moments
Understand
- Phishing is actually an authentication problem.
- Training users involves thinking about what they need and when.
Apply
- Try reading the University of Waterloo’s anti-phishing guidance.
Additional Resources
Cases where skilled people fell for phishing
- How to Lose a Fortune with Just One Bad Click - The attacker was able to send an email from google.com that was correctly signed by Google. Receiving an email from Google made the victim feel safe and believe the “representative” on the phone was real.
- The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger (“I never thought I was the kind of person to fall for a scam.”) - Account from a journalist who fell for a scam that began with someone impersonating Amazon.
- Pluralistic: How I got scammed - Account from Cory Doctorow, a security researcher, who was successfully scammed by someone pretending to be his bank.
Cases/news mentioned in lecture
- Timeshare fraud run by Mexican cartels - Provides details about how much money there is to be made and how some of these scams are run.
- How digital detectives deciphered Stuxnet, the most menacing malware in history - Account of how (presumably) the US sabotaged Iran’s uranium enrichment centrifuges, making the plants very expensive to run.
- KnowBe4 video story of someone who fell for a very convincing phishing scam - Video, Blog Post
Videos
Papers
- Dhamija, Rachna, J. Doug Tygar, and Marti Hearst. “Why phishing works.” CHI 2006.
- Bauer, Lujo, Cristian Bravo-Lillo, Lorrie Cranor, and Elli Fragkaki. “Warning Design Guidelines.”
- Egelman, Serge, Lorrie Faith Cranor, and Jason Hong. “You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings.” CHI 2008.
- Bravo-Lillo, Cristian, et al. “Your attention please: Designing security-decision UIs to make genuine risks harder to ignore.” SOUPS 2013.
- Arduin, Pierre‐Emmanuel. “A cognitive approach to the decision to trust or distrust phishing emails.” International Transactions in Operational Research 30.3 (2023): 1263-1298.