What we learned about ‘Who Falls for SMiSh?” U.S. Demographic Vulnerabilities to SMiShing

Oct 26th 11:30-12:30 WWH 335

As adoption of mobile phones has skyrocketed, so have scams involving them. The text method is called “SMiShing,” (aka “SMShing”, or “smishing”) in which a fraudster sends a phishing link via Short Message Service (SMS) text to a phone. However, no data exists on
who is most vulnerable to SMiShing. Prior work in phishing (its e-mail cousin) indicates that this is likely to vary by demographic and contextual factors. In our first-of-its-kind study, using a simulation method that is commonly used and produces valid results, we collect this data from N=1007 U.S. adult mobile phone users. Younger people and college students emerge in this sample as the most vulnerable. Participants struggled to correctly identify legitimate messages and were easily misled when they knew they had an account with the faked
message entity. Counterintuitively, participants with higher levels of security training and awareness were less correct in rating possible SMiSh. We recommend next steps for researchers, regulators and telecom providers, such as displaying trust indicators for SMS senders.

Sarah Tabassum, a 3rd-year Ph.D. student at the Department of Software and Information Systems within the College of Computing and Informatics at the University of North Carolina at Charlotte (UNCC). My research revolves around the intersection of usable privacy and security and Human-Computer Interaction (HCI). I am deeply enthusiastic about exploring the intricacies of human factors within the field of privacy and security, with the ultimate aim of creating solutions that enhance user experiences and protect sensitive information.