A Phishing Model and Its Applications to Evaluating Phishing Attacks

Phishing is a growing threat to Internet users and causes billions of dollars in damage every year. In this paper, we present a theoretical yet practical model to study this threat in a formal manner. While it is folklore knowledge that a successful phishing attack entails creating messages that are indistinguishable from the natural, expected messages by the intended victim, this concept has not been formalized. Our model captures phishing in terms of this indistinguishability between the natural and phishing message distributions. To the best of our knowledge, this is the first study that places phishing on a concrete theoretical framework and offers a new perspective to analyze this threat. We propose metrics to analyze the success probability of a phishing attack taking into account the input used by a phisher and the work involved to create deceptive email messages. Finally, we describe and study a new class of phishing attacks called collaborative spear phishing that may stem from the latest threat posed by the Epsilon email breach in the recent past and point out fundamental flaws in the current email-based marketing business model. In this sense, our study is very timely and presents new and emerging trends in phishing.