How email phishing scams can exploit Pacific culture

Phishing emails targeting government workers in a Pacific Island nation fooled more people when they were in the local language and asked for help, a Waipapa Taumata Rau, University of Auckland study showed.

The study, which tested four styles of scam emails, was led by Professor Giovanni Russello’s team at the School of Computer Science in partnership with the government of the unidentified nation.

Phishing is a type of online scam where attackers pretend to be someone you trust, such as a friend, company, or government agency, to trick you into clicking a link, downloading an attachment or giving away personal information.

In the study, 2,000 government workers received fake phishing emails over four months. The emails were written either in English or the local language, and all participants were fluent in both. The goal was to see how language affected whether people clicked on the links.

The four emails:

• `AiiExpress’ looked like a shipping notification from a delivery company
• `Jet Pacific’ appeared to be from an airline offering deals
• `Budget’ said ‘Sione’ had invited you to review a budget document
• `Church’ was a request to review a church document

In the local language, more than 30 percent of workers clicked on the link in the `church’ email. That was the highest rate and more than double the rate for the English version of the same email.

“The highest risk was posed by the two emails in the local language that seemed to come from individuals and asked for help,” says Dr Eric Spero, a research fellow working in Russello’s team.

Many participants said they had greater trust in emails in their local language, assuming scammers wouldn’t use it. Others believed their government email system would block anything dangerous.

“This shows how culture and language affect online threats,” says Russello. “Scammers can exploit the fact that Pacific cultures are focused on helping others, and use the local language for extra authenticity.

“The desire to support one’s own community is very admirable. The study highlights the need to protect that desire from malicious phishing by putting more attention to both targeted training and filtering”.

The study suggests that phishing awareness campaigns should consider language and cultural values, especially in places where local languages are not well supported by commercial spam filters.

The project arose after a 2023 symposium organised by Russello and hosted by the University where speakers from Pacific Island nations highlighted cybersecurity threats.

The study will be published at the USENIX Symposium on Usable Privacy and Security in Seattle in August. The research team also included Isa Seow, Lucas Betts, Eddie Fuatimau, Associate Professor Danielle Lottridge (University of Auckland) and Professor Robert Biddle (Carleton University).