Phishing is a cyber-criminal activity where a social engineer baits its target for information and passwords by masquerading as a trustworthy party. Before it was popular on the Internet, phishing was performed by phone, and the technique was referred to as vishing [ 1 ]. The current method of phishing over the Internet is most often carried out in the form of an e-mail or pop-up directing the target to a page similar to the page target is well familiar with, this page usually will prompt the user to enter their credentials either to log in to engage in a fabricated scenario, the rest is history. Mail-out is another phishing technique social engineers use to gather information. An example of a mail-out is a survey given to employees of an organization where they are asked to answer a few questions of ‘their company's IT department’. Mail-out is a technique that can also be used to spread malware, usually attached to the files sent out to the target [ 2 ]. Interestingly enough, attached files don’t even have to be executable from the first look. It means that a file with any kind of extension can conceal a potential threat of data breach which is a very unwanted event for any business, state institution or simply a private individual.

display of their flaws.

The aim of the study is research and efficiency analysis of known phishing attacks detection methods, The object of research is the process of detecting phishing attacks.

The subject of research is methods for phishing attacks detection.

Thus, the task is to analyse known methods for phishing attacks detection both human and technology based, provide method to assess such systems’ effectiveness in given scenarious and discuss potential flaws associated with deployment and utilization of such systems.

2022 Copyright for this paper by its authors.

Phishing attacks can be divided into two categories, which are human based social engineering which includes real-life direct physical interaction with its human victim through phone, and also technologybased social engineering such as online social networks impersonation, website phishing scams, and email phishing [ 3 ]. For the past decades, numerous researchers all around the world have been studying ways to detect and prevent social engineering attacks. Figure 1 illustrates the taxonomy of phishing detection methods known to date. The following few paragraphs of the article will focus on discussing both types of phishing detection methods as well as the approaches information security specialists could take advantage of on their way to preventing the leak of sensitive data.

Human based detection methods involve human intervention in detecting and preventing phishing attacks. Human based detection focuses more on the judgment of humans to determine whether the activities that they have encountered are in any way related to social engineering attacks. Historically it was the first and for some time the only available at the time method to detect social engineering attacks due to the absence of automated systems, it is therefore quite well researched. Currently, there are three approaches that can be classified in human based mitigation. Those are policy, auditing, and also education, training and awareness approaches that will be discussed in the following paragraphs. The importance of these approaches is well highlighted in studies [ 3-10 ] that have researched phishing attacks mitigation methods using human decision-making.

Education, training and awareness (ETA) approach in detecting social engineering is one of the best researched approaches in human based mitigation. Many works including [ 3 ] emphasized that employee education is important to ensure the policies, procedures and standards that have been developed in the organization are to be deployed effectively. It is also suggested that ETA must be implemented especially for the newly employed staff in their orientation phase right after onboarding ends. ETA is best implemented by developing interactive social engineering awareness websites for staff training promoting personnel awareness of social engineering attack vectors. This interactive learning and education game-based system proved to be an effective education tool in providing the users of this system with knowledge and experience in spotting social engineering and its attack patterns [ 4 ]. It is also the modular-based design of the environment that can be particularly handy as the system is to be updated with the latest trends and additional techniques of social engineering attacks in hours as opposed to days needed to develop a brand new platform. This method proves to be vital as most victims fall for phishing attacks because they lack knowledge about the attack vectors and are ignorant of passive warnings from security tools regarding phishing attacks. There is no doubt security training if done right help employees enhance their classification accuracy and teach them to take necessary action in preventing them more often.

Well established organizations are known to enforce certain rules developed to help personnel in detecting and preventing social engineering attacks including phishing. These rules are usually directed by policies that guide personnel on how to analyze and make a decision whether the situation they encountered is indeed a social engineering attack or a legitimate activity. Their further actions should also be part of a well-documented procedure to make sure the staff doesn’t become the reason of data breach or having a malicious actor in the organization’s corporate network. Most important bits of data in policies modern organizations simply can’t function without are the following. Clear desk policy to prevent password or sensitive information being left lying about; paper shredder usage procedure to undermine dumpster diving attempts; identification checking policy (implementation of caller ID technology for phone calls and service personnel); rules of defining sensitive information in an organization, authorization and access control policy, data classification policy and security policies [ 5 ]. As proposed by the Colorado Department of Education in [ 6 ], Audit controls and effective security safeguards are part of normal operational management processes to mitigate, control, and minimize risks that can negatively impact business operations and expose sensitive data.

Auditing is complimentary to the policy-based approach as mentioned in works [ 5,7 ]. While auditing is often used to inspect or examine processes or systems to ensure compliance with requirements, our interest towards auditing lies in testing the level of user awareness or exposure to social engineering attacks [ 8 ]. This approach is frequently used to ensure the effectiveness of policies and ETA conducted in an organization against attacks. One key difference between processes and ETA + Policy auditing lies in the nature of phishing attacks. Since new attack vectors are emerging quite often, it makes perfect sense to carry out auditing procedures with higher frequency than those that assess processes or systems.

Approaches mentioned in previous paragraphs are the most fundamental and common countermeasures in detecting and preventing social engineering attacks including phishing. Policy, auditing and ETA for users and employees in the organizations are a must as social engineering preys on psychological traits in exploiting their victims [ 9 ].

We can’t argue that other technology based detection solutions help users to recognize the attacks, but at the end of the day, it depends solely on the decision-making and action taken by those very users so that they classify the situation they encountered as suspicious and take necessary measures as pointed out in procedures for dealing with potential social engineering attacks. Human judgment is undoubtedly somehow subjective and even with good knowledge, awareness and policy against this type of threat, social engineers can find multiple ways to convince their victims and exploit human psychology to gain information or access to sensitive information causing data leaks or other malicious activity. Therefore, there is a need for technology based mitigation methods as complimentary to human based mitigation to increase the overall detection and prevention accuracy.

According to Kevin Mitnick, another problem is that the most popular targets for social engineering exploitation are new employees. Mitnick argues this is because new employees and interns are one of the weakest links in an organization. They may not yet have completed ETAs and do not possess sufficient knowledge about the company’s sensitive information assets, as well as they are not familiar with all the staff within the organization or relevant business processes they became a part of. As one would expect, they can be easily fooled. What appears even more striking is that according to [ 10 ] even with the best security education, awareness and training programs in place, new employees will always represent a threat. Therefore, the best approach information security officers might take to avoid such a scenario would be to limit new employees’ access to sensitive organizational assets. The challenge here is that by doing so, staff that has just been on-boarded would simply become incapable of carrying out their duties as there would be an obstacle to accessing the information and resources that are required to get the job done.

Another set of methods used for detecting and preventing phishing attacks takes advantage of a wide range of technology based solutions. Technology based mitigation methods entered the equation as soon as phishing become more widespread and users were in urgent need of both email filtering solutions and website checkers to do some analytical job for them in the background. Since then it’s been a constant bout between hackers and security specialists that both developed more and more sophisticated methods to outperform one another. Technology based mitigation methods have been well-researched in detecting and preventing social engineering attacks in the last decade. Several categories represent this method. In the next few paragraphs of this work an overview of the following phishing technology based detection methods will be presented: 1. heuristic detection; 2. artificial intelligence and machine learning powered solutions; 3. biometrics; 4. social honeypots.

First and foremost, there’s a variety of heuristic methods that detect phishing patterns with the help of digital signatures or other identifiers, object properties, etc. In [ 11 ] phishing detection by heuristics is defined as software that is deployed on the server or client side to inspect payloads of different protocols via diverse algorithms. Protocol list includes HTTP, HTTPS, SMTP, POP3 or any arbitrary protocol used to deliver content/emails to Internet users. Algorithms could be represented as any method to detect and if configured so block phishing attempts automatically.

In [ 12 ], the authors suggested an anti-phishing approach that examines webpage irregularities. The method collects anomalies from a variety of sources, including URLs, page titles, cookies, login forms, DNS data, and SSL certificates, among others. If a set of universal heuristic examinations are recognized, as a result of comparing to a massive dataset of known malicious patterns, such software might detect zero-day phishing attacks. Some may say that it doesn’t really give this approach a competitive advantage over blacklists. Since blacklists require exact matches to detect phishing websites, the exact same phishing attacks need to be examined first to blacklist them [ 13 ].

However, as heuristic methods focus on signatures comprised of similar patterns, they are more prone to identify malicious payload never seen before with higher probability which makes them more flexible but at the same time creates a risk of misidentifying legitimate websites and producing false positives disrupting normal workflow and unwanted system overhead. Mainstream mail clients and web browsers have already begun to equip their services with phishing protection technologies, such as heuristic based detectors that help at identifying phishing attacks. What is more, phishing detection based on heuristics is incorporated in countless antiviruses so in a world where hackers didn’t tweak their attacks it would be a matter of time before a perfect set of signatures could be created and used to identify any potential threat. Secondly, there are more modern and powerful methods that only get better with time - artificial intelligence and machine learning powered solutions. Algorithms they use learn from massive databases of known phishing websites, emails or even SMS and therefore can spot a suspicious entry with quite a high accuracy. Study [ 14 ] considers the phishing detection problem as an AI-based classification problem wherein the result of the decision-making phase leads to detecting if a given website is either a legitimate or a phishing website. In essence AI’s job is to conduct analisys of ever-changing phishing patterns, determine the combinations of characteristics that should be used to successfully identify malicious activity and filter out data that is no longer useful. Thus, consideration of the AI algorithms as the basis for developing viable phishing detection models to combat phishing threats in their evolving nature was made in [ 15 ].

In short, many AI-based solutions take advantage of systematized knowledge about significant characteristics that have proven to be efficient in spotting elements phishing websites are prone to possess as [ 16 ] suggests. Most commonly used characteristics or features as well as phishing website attributes that can be used for phishing detection with high accuracy are featured in Table 1.

Determining heuristic and artificial intelligence + machine learning powered methods efficiency for phishing detection in theory is determined by correctly weighted set of attributes and their individual entropy. Since it is exactly the job of AI and ML to determine most accurate estimate of each attribute importance and hence assign higer weight to it, for this work we will come up with initial values based on existing knowledge and as such obtained results will reflet the effectiveness of the most primitive heuristic-based phishing detection system in percentage from 0% to 100%.

To get each individual attribute entropy, slightly modified Shannon’s concept will be taken up. Formula 1 is used to calculate it

Hattribute  p1 logs (1 / p1)  p2 logs (1 / p2 )  ...  ps logs (1 / ps ) , where p1, p2... ps are the probabilities of attribute having unique values, s is the number of unique values for a given attribute.

Sample distribution of attributes’ weights and unique values with their probabilities can be used as such given in Table 2 and Table 3 respectively. Effectiveness of a system is a product of all weighet attributes’ entropies. Formula 2 is used to calculate it.

k E   w H

i i i1 where Hi and wi are entrophy and a weight of a given attribute respectively, k is the number of attributes considered for a given system.

Eventually, having extended the list of attributes and their probable values and probabilities, the data can be fed into machine learning model for it to determine the weights of each attribute so that peak efficiency can be reached. What is more, this approach of system efficiency assessment can be used to determine attributes which no longer provide any use for phishing elements detection.

The reason ML approaches became popular for phishing detection is because they made it a simple classification problem. Training of ML model for a learning-based detection system requires the data at hand must-have features that are related to phishing and legitimate website classes mentioned earlier. Previous studies show that detection accuracy is high as robust ML techniques are used; those are kNearest Neighbor (KNN), Random Forest, and Support Vector Machine (SVM) to name a few. Figure 2 [ 17 ] illustrates one of the scenarios used to train a ML model to differentiate phishing websites from legitimate ones. Each algorithm has a little-to-no influence on the common approach taken for machine learning: a dataset of entries containing phishing has to be used anyway. In [ 18 ] it was discovered that the Random Forest model proved to deliver the best performance in a given setting. This algorithm is a collection of Decision trees with each tree differing slightly from the other. A prediction is made by averaging the result obtained from all individual Decision Trees. This helps to reduce the problem of overfitting, a problem peculiar to the Decision Tree Algorithm.

Thirdly, since social engineers are frequently attempting to impersonate a trustworthy party by creating a fake profile and mimicking its identity through visual appearance, use of lingo and knowledge of internal business processes a method that can counteract physical impersonation is using biometrics (1) (2) as it does not rely on the perceived identity of a person, but rather distinguishes someone using their unique biological traits such as fingerprint, voice or facial recognition [ 19 ].

Our increasing reliance on the Internet for much of our day-to-day operations has created the ideal setting for fraudsters to launch targeted phishing assaults [ 22 ]. It is nowhere to hide from so measures must be taken to alleviate risks of data breaches and loss of companies’ informational assets as a result of employee carelessness. In this work, phishing was discussed as one of the most sophisticated types of social engineering attacks that takes advantage of human psychological weaknesses. Phishing attacks have been a threat to both organizations and individuals for a very long time and although it has been a known threat with many cases of security incidents involving social engineering, to date there has not been a clear answer on how to deal with this threat and thoroughly mitigate it.

For a long time, it has been proposed that any social engineering threat can be prevented through the use of security policies, ETA of employees and establishing a security culture within the organization and regular audits. Taking into consideration the nature of such attacks nowadays – more complex solutions have to be used. It has been discussed that human based detection methods are simply no longer enough on their own as naive adoption of best security practices does not guarantee good security posture of the organization.

It has been shown that various technology-based solutions exist to automate phishing detection. These technological systems can lessen the impact of human weakness in detecting attacks as they occur. Among the measures presented were those that used heuristic detection, systems powered by AI and ML, biometrics and social honeypots that can be used to progressively learn about and adapt to ever-changing social engineering tactics. However, relying on technology also has its drawbacks in terms of cost, management and maintenance.

An approach to assess technology-based systems effectiveness in terms of website phishing elements detection has been offered. Since it has website attributes that are most often analysed in search of phishing patterns at it’s foundation – the system can be improved by extending the list af attributes, their values and probably combinations of other factors.

The threat of social engineering and thus phishing can never be totally eliminated as long as an organization requires human beings to do the job systems are not yet capable of. Using technologybased solutions can lessen the burden on humans in providing security, though a balance must be achieved where there is no total reliance on either of those methods as both have their own issues and weaknesses. Moving forward, the best thing that can be done to combat social engineering and phishing in particular is to continue researching how organizations are being exploited, use honeypots to learn more about attackers’ behavior, improve existing security standards and develop new solutions to detect and mitigate existing and emerging threats.