Detecting Deceptive Patterns in Phishing Emails Matthew Barba-Rodriguez

Advisers: Lauren M. Stuart, Drs. Julia M. Taylor and Victor Raskin Problem Statement

Identify cues for/patterns of deception within phishing emails to help users detect deceptive requests

This material is based upon work supported by the National Science Foundation under grant #1062970. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Threatening

Account Irregularities

Assurance

Spelling Errors

Phishing

Valid

Motivation • Email users become more

aware of phishing emails • Prevents private data from

being accessed by unauthorized users

• Saves individuals and corporations a lot of money

During the 1st quarter of 2014 the Anti-Phishing Work Group reported an increase of 6,941 unique phishing email reports from January to March.

What Has Been Done?

Lexical Analysis

Part-of-Speech Tagging

Named Entity Recognition

Normalization of Words to Lower Case

Stemming

Stop Word Removal

TF-IDF

Header Analysis

Text Analysis

IP-Based URLs

Age of Linked-to Domain

HTML Email

Number of Links

Number of Dots

Redirecting Site

January February March Number of unique phishing websites detected

42,828 38,175 44,212

Number of unique phishing e-mail (campaigns) received by APWG from consumers

53,984 56,883 60,925

Number of brands targeted by phishing campaigns

384 355 362

Country hosting the most phishing websites

USA USA USA

PhishNet-NLP PLIFER Tools

Start

Assurance “We have the best security systems”

Unable to Process

Information “Error in your

billing information”

False Information “We have your

credit card info.”

No Reason Given

Threatening “Account

Suspension”

Assurance End

Repetition of Statements

Irregularities in Account

“1 or more attempts to login”

Dear valued PayPalï ¿ 1\/2 member : PayPalï ¿ 1\/2 is committed to maintaining a safe environment for its community of buyers and sellers . To protect the security of your account , PayPal employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal system for unusual activity . Recently , our Account Review Team identified some unusual activity in your account . In accordance with PayPal 's User Agreement and to ensure that your account has not been compromised , access to your account was limited . Your account access will remain limited until this issue has been resolved . This is a fraud prevention measure meant to ensure that your account is not compromised . In order to secure your account and quickly restore full access , we may require some specific information from you for the following reason : We would like to ensure that your account was not accessed by an unauthorized third party . Because protecting the security of your account is our primary concern , we have limited access to sensitive PayPal account features .

Pattern Organization

Anti Phishing 1st Quarter Report for 2014

Part of Sample of a Phishing Email