Research: Phishing Victims' Doubts on Response Confirmed

Drexel University

The cybersecurity refrain when encountering phishing emails invariably advises: "don't click on that link" and "report that email" — but new research from Drexel University and Arizona State University has revealed a problematic reality: Most major companies do little to support reporting and few take action to shut down phishing sites disguised as their own after they have been reported.

Recently presented at the International Symposium on Research in Attacks, Intrusions and Defense (RAID), an extensive investigation into reporting resources and processes — including an empirical test of their efficacy — revealed that less than half of Fortune 100 companies offer any channel for reporting these scams. And an experiment, to test the companies' response to reports of phishing attacks impersonating their websites, found that nearly 30% of reported websites were never accessed as part of an investigation and only 3% of the were ever blocked from access.

Most phishing emails include links to download malware or visit fake webpages that mimic popular sites. Recipients may be tricked into attempting to log in to the sites, divulging their account information to the bad actors behind them. Variations on this cyberattack, called smishing, which involves sending malicious links in text messages; and vishing, which uses voicemails, are also becoming more prevalent .

Despite ever-evolving cybersecurity techniques to detect and block the malicious scams, many still make it through countermeasures and into inboxes. In 2022 the FBI received more reports of phishing than any other type of cybercrime — totaling an 11-fold increase since 2018.

Because of this evasiveness, most companies provide cybersecurity training to help employees identify and instruct them to report phishing emails as a last line of defense.

When phishing emails are reported, the companies that are being impersonated in them can take steps to mitigate the scam, including updating their security systems, re-securing compromised email accounts and reporting the fraud to federal authorities and report any website listed in the email so that it can be taken down, or "block listed."

But research suggests that the rate of phishing attack reporting is strikingly low. A 2020 study by researchers at Arizona State showed that phishing sites are visited an average of 27 times before being reported.

In hopes of improving participation in anti-phishing measures, cybersecurity researchers from Drexel University's College of Computing & Informatics sought to better understand the reporting ecosystem that has generated such a low rate of participation. Their report, which is one of the first comprehensive studies to look at the attitudes and actions around phishing reporting, uncovered the challenges and concerns people face when reporting, as well as shortcomings in how the reports are handled.

"Although users are constantly trained and instructed on how to identify and report phishing emails, the reaction they receive in the actions taken — or, more often, not taken — by the companies to which they report creates a negative feedback that discourages them from reporting future emails," said Eric Sun, PhD , an assistant professor in Drexel's College of Computing & Informatics who helped to lead the research. "Our research sheds a light on what it's like to be a reporter and a company that receives a phishing report in hopes of improving this cybersecurity environment."

The team approached its analysis from three perspectives, seeking to understand:

  • The options the cybersecurity ecosystem provides to individuals who wish to report phishing attacks
  • The actual experience in preparing to report a phishing attack
  • The post-reporting response — what happens to phishing websites after reporting and what feedback is conveyed to reporters

It found that although there is a great deal of room for improvement in the guidance information and feedback provided by companies and enforcement institutions, individual reporting of phishing attacks remains a crucial part of cybersecurity efforts.

What are the options for reporting?

After conducting an extensive search and filtering out official guidance offered by .gov, .org sites and the websites of the top 100 brand-name U.S. companies (Fortune 100), the team identified 575 webpages providing guidance about phishing attacks.

An analysis of those resources showed that there are five main channels for reporting phishing: email, built in reporting button in email software, SMS text, online reporting forms, and direct contact through a phone call or live chat.

The team identified eight government agencies and two anti-phishing organizations providing information and guidance about phishing: Federal Trade Commission (FTC), Internal Revenue Service (IRS), Cybersecurity & Infrastructure Security Agency (CISA), FBI Internet Crime Complaint Center (IC3), Department of Homeland Security (DHS), Department of Justice (DOJ), Federal Communications Commission (FCC), Government Information and Services, Anti-Phishing Working Group (APWG), and Phishing.org.

While all offered security advice on reporting phishing, only half of them actually provided dedicated channels for reporting phishing.

A summary of the advice offered by these agencies and organizations show that they primarily direct victims to one or several of 12 options: FTC, IRS, CISA, FCC, IC3, police, state attorney general's office, APWG, the national SMS reporting number (7726), Google, the impersonated company, their internet service provider.

"Understandably, many organizations play a role in mitigating, investigating and enforcing laws against cybercrime, this can also raise confusion when it comes to reporting crimes like phishing," said Gail-Joon Ahn, PhD, a professor at Arizona State University who helped to lead the research. "We found that due to this enforcement environment, a great deal of the reporting advice offered online is inconsistent or conflicting."

The team's analysis of reporting resources provided by Fortune 100 companies revealed that only 65 of them provide guidance to their customers on how to report a phishing attack. Only 44 of them provided channels for directly reporting a phishing attack impersonating — or "spoofing" — the company's website, despite the prevalence of security advice recommending reporting such deceptions to those companies.

"We're constantly advised to avoid clicking on phishing links and to report them, especially to the spoofed companies," Sun said. "Our finding that only 65 of the Fortune 100 companies provide advice for reporting phishing attacks — and less than half of them offer actual reporting channels — is particularly striking given these companies have more resources and are expected to be more committed to handling such reports."

Through this analysis the group teased out four challenges common to both government/organizations and the Fortune 100 companies that may be discouraging people from reporting phishing attacks:

  • Reporting procedures for email phishing attacks typically do not require critical information, such as email headers (including sender and recipient details, timestamps, or IP addresses).
  • Different reporting channels offer different and sometimes conflicting or outdated advice. For example, some companies instruct victims to report the phishing, others just advise them to delete it without reporting.
  • Security advice requests people report the same phishing to too many places (i.e. FTC, IC3, and APWG).
  • Reporters generally do not receive feedback other than an auto-reply email confirming receipt of the report.

What's it like to report a phishing attack?

In addition to understanding the existing reporting resources and guidance, the team tried to better understand the experience and sentiments of people who report phishing attacks.

To do it they recruited 89 U.S.-based participants to individually go through the process of locating reporting information and filing a report of a phishing attack. Surveying the participants after this short process provided a snapshot of peoples' experience, attitudes and concerns about reporting.

Of the 89 participants, 15 decided not to report the phishing email. Most suggested it wasn't worth the time they'd spend on it, or that nothing would be done with the report. Others noted that they would only file a report if it reached a certain threshold — receiving the same phishing email multiple times, for example.

Drops in reporting compliance were also observed when participants were advised to report the attack to multiple channels (e.g. the company and a government agency) — only half would follow the advice. Among participants with cybersecurity experience, only 39% indicated they would report it to multiple channels as requested. About half of the participants expressed a negative attitude about the reporting, including noting a lack of confidence that it would make a difference, or that they would receive a response.

"While it might not be all that surprising that there are some negative feelings about reporting, given the time commitment and perceived lack of results, we also discovered that about a third of respondents have limited knowledge about phishing reporting and a quarter were unaware that there were places to report phishing attacks," said Adam Doupé, PhD, an associate professor at Arizona State, who helped to lead the research. "These are indicators that more could be done to educate the public about responding to phishing attacks."

What happens after phishing is reported?

In the final step of their investigation the team looked at how companies and organizations responsible for dealing with phishing sites respond to reports. What they found indicates that concerns expressed by reporters about lack of response and communication are not unfounded.

The researchers used two observable actions as indicators of companies' responsiveness to the reports: what happened to the reported phishing websites? And what feedback did the reporter receive?

They created a set of test phishing websites — in accordance with ethical research requirements and with prior notification of domain registrar and hosting service provider — spoofing the site of each Fortune 100 company. Over the course of two months, the team reported 14 times to each of the 39 companies that provided instructions for doing so. In addition, they reported all of the sites to the national SMS phishing reporting number (7726, the alphanumeric translation of "SPAM").

During their experiments, the team found that reporting phishing attacks can be quite challenging. For instance, while some companies required them to forward phishing emails to a dedicated reporting address, the emails were often blocked due to the company's own security measures. The filters flagged these emails as potentially harmful, stating, "A signature was detected that could either be a virus or a spam score over the maximum threshold," thus preventing the reports from reaching the intended destination.

Following the reports, the researchers tracked how many of the sites were accessed — an indicator that the companies were investigating the report — and how many were ultimately blocked.

They found that 29 of the 39 companies accessed 184 of the reported sites, 10 companies did not access the sites at all. Only 3.3% of the sites reported via email to companies, per their instructions, were blocked. But the sites that were reported via 7726 were visited within seven hours of the report and more than 73% were blocked.

Of the 39 companies to which reports were filed, only 19 responded to the reporter and 15 of those responses were auto-replies. The reporter received no responses indicating a resolution — whether the phishing website had been taken down, for example.

"Our findings seem to confirm participants' views that some companies may not care enough about the reports," Ahn said. "In addition to the overall low response rate and lack of confirmation of a resolution, only four companies ever sent us a response indicating that the sites we had reported were indeed phishing sites."

How can the vibe around phishing reporting be improved?

Taking their ample findings into consideration, the researchers suggest that to begin improving the phishing reporting ecosystems, companies and organizations responsible for addressing phishing attacks first need to become better communicators.

"Our research has identified a number of concerns from users, but the most significant is the outcome of reporting," Sun said. "Many users are willing to report phishing attempts, but the lack of feedback is a key reason why they often don't. Users are unsure if they are reporting through the correct channels and methods, whether their reports are being taken seriously, or if their actions are making a difference."

Even automated responses would be an improvement, according to Sun, if they provide updates on actions being taken and the status of the reported site. Such correspondence would validate the reporters' efforts and help to show that they are appreciated, which he suggests could encourage future reporting.

The next step the researchers recommended is providing clear and consistent security advice about how and where to report different types of phishing attacks. This would help to alleviate concerns about choosing the right reporting channel and reduce the effort and time involved in the process.

Sun notes that despite ongoing developments in cybersecurity technology, robust reporting, and a prompt response to block phishing sites, combined with detection technology, will continue to be the most reliable line of defense against these attacks.

"Phishing reporting is one of the few areas where end users — who bear the brunt of the harm in phishing attacks — can actively fight back and make a difference," Sun said. "It is crucial to encourage people to report phishing attacks because technology alone will not stem the tide."

/Public Release. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).View in full here.