An Empirical Evaluation of the Current State of Phishing Comprehension in Pakistan

Abstract

Phishing attacks are increasingly being used to get sensitive information from users or to persuade them into performing a certain action. Successful phishing attacks employ principles of influence as weapons. The design of effective training/awareness materials for reducing the risk of phishing requires understanding a culture’s demographics and their baseline comprehension. However, limited work exists on understanding the phishing landscape of Pakistan. This paper presents a first attempt at investigating the current state of phishing comprehension in Pakistan by exploring the phishing susceptibility of Pakistani population. An online web application consisting of 12 interactive emails, SMS, and websites (both phishing and legitimate) which leveraged 6 principles of influence was developed. The application was used to conduct an online study on 519 participants from all over Pakistan. The results showed that the phishing comprehension of Pakistani population is low with a phish identification accuracy of 57%. Email seems to be the most effective phishing medium for this culture. Moreover, the Pakistani population is most vulnerable to authority principle and least susceptible to urgency/scarcity principle. Gender did not impact phishing comprehension. However, age and educational background/occupation of the participants had a significant impact on their ability to identify phishing. The identified gaps in comprehension can help researchers in designing effective phishing training/awareness tools tailored for this culture.