Achieving a consensual definition of phishing based on a systematic review of the literature

Crime Science, Sep 2014

Abstract

Background: Phishing is a widely known phenomenon, but currently lacks a commonly accepted definition. As a result, many studies about phishing use their own definition. The lack of a common definition prevents knowledge accumulation and makes analysing studies or aggregating data about phishing a difficult task.

Method: To develop a definition, we used existing definitions as input and combined them using crime science theories as the theoretical framework. A systematic review of the literature up to August 2013 was conducted, resulting in 2458 publications mentioning the word phishing. All journal articles, together with both highly cited and recent conference papers, were selected, giving a total of 536 peer-reviewed publications (22%) to be manually reviewed. This resulted in 113 distinct definitions to be analysed.

Results: An analysis identified key concepts that were found in most definitions and formed the building blocks for a consensual definition. We propose a new definition that is based upon current ones, which defines phishing in a comprehensive way and, in our opinion, addresses all important elements of phishing: ‘phishing is a scalable act of deception whereby impersonation is used to obtain information from a target’.

Conclusions: A consensual definition allows future research to be aligned and facilitates the interpretation and comparison of existing research. The findings suggest that the routine activity approach can be applied to the digital world. Finally, the ‘scalability’ concept of our definition provides a new theoretical notion to digital crime that is independent of the employed channel.



Elmer EH Lastdrager, Services, Cybersecurity and Safety Group, University of Twente, Drienerlolaan 5, Enschede, OV, Netherlands

Background

The term phishing is currently widely used, with thousands of mentions in the scientific literature, extensive media coverage and widespread attention from organisations such as banks and law enforcement agencies. However, this prompts a question: what exactly is phishing? In some publications, the phenomenon of phishing is explicitly defined; in some, it is described by means of an example, while others assume that the reader already knows what phishing is. Many authors propose their own definition of phishing, leading to a large number of different definitions in the scientific literature. With no scientific consensus, other sources could provide a standard definition.
The first point of reference for finding the definition of a word would be a dictionary. Four definitions from prominent English dictionaries are shown in Table 1. Additionally, it lists the definition of the Anti-Phishing Working Group (APWG), a non-profit foundation that keeps track of phishing. The APWG definition is rather lengthy compared to the dictionary definitions. The five definitions vary in the level of detail and the scope of the phenomenon. For example, whereas the American Heritage definition includes phone calls, the others do not. In addition, the goal of phishing differs in the definitions, ranging from financial account details (Collins, APWG) to the more general personal information (Oxford, Merriam-Webster, American Heritage). There is greater consensus about the origin of the term phishing; it was first used around 1995-1996 (James 2005; Khonji et al. 2013; Press 2013; Purkait 2012) and is a variation on the word fishing, something hackers commonly did (James 2005; McFedries 2006; Press 2013; Purkait 2012).

Table 1. Definitions of phishing from four English dictionaries and the APWG

Oxford: The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.

Collins English Dictionary (2013), UK: The practice of using fraudulent e-mails and copies of legitimate websites to extract financial data from computer users for purposes of identity theft.

Merriam-Webster (2013), USA: A scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly.

American Heritage Dictionary (2013), USA: To request confidential information over the Internet or by telephone under false pretenses in order to fraudulently obtain credit card numbers, passwords, or other personal data.

Anti-Phishing Working Group (2013): Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies, designed to lead consumers to counterfeit websites that trick recipients into divulging financial data such as usernames and passwords. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using systems to intercept consumers' online account user names and passwords and to corrupt local navigational infrastructures to misdirect consumers to counterfeit websites (or authentic websites through phisher-controlled proxies used to monitor and intercept consumers' keystrokes).

In common with fishing, phishing is about setting out hooks, hoping to get a bite. The lack of a standard definition of phishing has been observed previously (Abu-Nimeh et al. 2007; Al-Hamar et al. 2011; Khonji et al. 2013). This causes several problems for scientists, practitioners and consumers. For scientists, it is difficult to compare research on phishing in a meaningful way. Aggregating re (...truncated)


Full text (PDF): https://link.springer.com/content/pdf/10.1186%2Fs40163-014-0009-y.pdf

Elmer EH Lastdrager. Achieving a consensual definition of phishing based on a systematic review of the literature, Crime Science, 2014, pp. 9, Volume 3, Issue 1, DOI: 10.1186/s40163-014-0009-y