Achieving a consensual definition of phishing based on a systematic review of the literature
Elmer EH Lastdrager, Services, Cybersecurity and Safety Group, University of Twente, Drienerlolaan 5, Enschede, OV, Netherlands
Background: Phishing is a widely known phenomenon, but currently lacks a commonly accepted definition. As a result, many studies about phishing use their own definition. The lack of a common definition prevents knowledge accumulation and makes analysing studies or aggregating data about phishing a difficult task. Results: An analysis identified key concepts that were found in most definitions and formed the building blocks for a consensual definition. We propose a new definition that is based upon current ones, which defines phishing in a comprehensive way and - in our opinion - addresses all important elements of phishing: 'phishing is a scalable act of deception whereby impersonation is used to obtain information from a target'. Conclusions: A consensual definition allows future research to be aligned and it facilitates the interpretation and comparison of existing research. The findings suggest that the routine activity approach can be applied to the digital world. Finally, the 'scalability' concept of our definition provides a new theoretical notion to digital crime that is independent of the employed channel.
Background
The term phishing is currently widely used with thousands of mentions in the scientific literature, lots of media coverage and widespread attention from organisations such as banks and law enforcement agencies. However, this prompts a question: what exactly is phishing? In some publications, the phenomenon of phishing is explicitly defined; in some, it is described by means of an example, while others assume that the reader already knows what phishing is. Many authors propose their own definition of phishing, leading to a large number of different definitions in the scientific literature.
With no scientific consensus, other sources could provide a standard definition. The first point of reference for finding the definition of a word would be a dictionary. Four definitions from prominent English dictionaries are shown in Table 1. Additionally, it lists the definition of the Anti-Phishing Working Group (APWG), a non-profit foundation that keeps track of phishing. The APWG definition is rather lengthy compared to the dictionary definitions. The five definitions vary in the level of detail and the scope of the phenomenon. For example, whereas the American Heritage definition includes phone calls, the others do not. In addition, the goal of phishing differs in the definitions, ranging from financial account details (Collins, APWG) to the more general personal information (Oxford, Merriam-Webster, American Heritage). There is greater consensus about the origin of the term phishing; it was first used around 1995–1996 (James 2005; Khonji et al. 2013; Press 2013; Purkait 2012) and is a variation on the word fishing, something hackers commonly did (James 2005; McFedries 2006; Press 2013; Purkait 2012). In common with fishing, phishing is about setting out hooks, hoping to get a bite.

Table 1 Definitions of phishing

Oxford Dictionaries (2013), UK: The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.

Collins English Dictionary (2013), UK: The practice of using fraudulent e-mails and copies of legitimate websites to extract financial data from computer users for purposes of identity theft.

Merriam-Webster (2013), USA: A scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly.

American Heritage Dictionary (2013), USA: To request confidential information over the Internet or by telephone under false pretenses in order to fraudulently obtain credit card numbers, passwords, or other personal data.

Anti-Phishing Working Group (2013): Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies, designed to lead consumers to counterfeit websites that trick recipients into divulging financial data such as usernames and passwords. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using systems to intercept consumers' online account user names and passwords and to corrupt local navigational infrastructures to misdirect consumers to counterfeit websites (or authentic websites through phisher-controlled proxies used to monitor and intercept consumers' keystrokes).
The lack of a standard definition of phishing has been observed previously (Abu-Nimeh et al. 2007; Al-Hamar et al. 2011; Khonji et al. 2013). This causes several problems for scientists, practitioners and consumers. For scientists, it is difficult to compare research on phishing in a meaningful way. Aggregating re (...truncated)