SoK: The past decade of user deception in emails and today’s email clients’ susceptibility to phishing techniques

Abstract

User deception in emails is still one of the biggest security risks companies and end-users face alike. Attackers try to mislead their victims when assessing whether emails are dangerous to interact with, e.g., by using techniques based on dangerous links, dangerous attachments, or both. In this work, we present a systematic literature research of deception techniques discussed in the scientific literature of the last decade. We systematize the deception techniques, focusing on techniques that use misleading sender, link, and/or attachment information. We identify 23 deception techniques which we classify as either those that email clients should protect users against (13) and those that email clients cannot protect against and thus should be addressed in security awareness measures (10). We propose a security rating for the susceptibility of email clients to these 13 deception techniques and perform an empirical evaluation to analyze the susceptibility of seven representative email clients (web, mobile apps, desktop apps) to these deception techniques. The results of our evaluation indicate that most email clients are in need of improvement to defend against the deception techniques. Hardening email clients against these deception techniques is necessary to increase the resistance against them — without unnecessarily burdening users.