Phishing Attacks Root Causes
Hossein Abroshan, Jan Devos, Geert Poels, and Eric Laermans
Ghent University, 9000 Ghent, Belgium
{hossein.abroshan,jang.devos,geert.poels,eric.laermans}@ugent.be
Abstract. Nowadays, many people are losing considerable wealth due to
online scams. Phishing is one of the means that a scammer can use to deceitfully
obtain the victim’s personal identification, bank account information, or any
other sensitive data. There are a number of anti-phishing techniques and tools in
place, but unfortunately phishing still works. One of the reasons is that phishers
usually use human behaviour to design and then utilise a new phishing technique.
Therefore, identifying the psychological and sociological factors used by
scammers could help us to tackle the very root causes of fraudulent phishing
attacks. This paper recognises some of those factors and creates a
cause-and-effect diagram to clearly present the categories and factors which make up the
root causes of phishing scams. The illustrated diagram is extendable with
additional phishing causes.
Keywords: Phishing · Scam · Root causes · Behaviour
1 Introduction
Human life has changed significantly as a result of online services such as
e-shopping and e-banking. Although these services offer great convenience, they
are accompanied by an increase in cybercrime and present new security threats.
Online phishing is a cybercrime that steals credentials from users, such as login and credit
card details, “by masquerading as trustworthy entities in electronic communication”
[1]. Then the attacker usually uses the collected information to sign into the genuine
reputable website, such as those that are used for internet banking, to steal from the
victim’s online account [2]. In recent years, many researchers have focused on phishing
attacks in order to offer an anti-phishing solution for protecting sensitive financial data
from phishers. However, phishing still works, and every day brings with it new
phishing websites and techniques which steal personal credentials.
By reviewing the existing anti-phishing techniques, we understand that most of
them are trying to technically detect and/or prevent phishing attacks. We are of the
opinion that focusing on the human psychological and sociological factors that
attackers use to scam people would be an effective way to fundamentally tackle
phishing attacks. We believe that current anti-phishing solutions are useful though
insufficient, as phishers always use people’s psychological weaknesses to design new
types of phishing attacks. Several studies [3, 4] have already identified some of the
© Springer International Publishing AG, part of Springer Nature 2018
N. Cuppens et al. (Eds.): CRiSIS 2017, LNCS 10694, pp. 187–202, 2018.
https://doi.org/10.1007/978-3-319-76687-4_13