Phishing Attacks Over Time: A Longitudinal Study

In this paper we examine phishing emails received over a thirteen-year period and evaluate how they have changed on a number of characteristics. Using a dual-path model of persuasion, we categorize some characteristics as central (such as persuasiveness) and some as peripheral (such as message appearance), and hypothesize that both types of characteristics should be more prominent as phishing attacks have evolved and matured. Surprisingly, results show phishing emails are not more sophisticated over time. We comment on these results, discuss implications for IT security research, and describe future research directions.