Student Research Lagniappe
11.21.2025
11:30 AM – 1:30 PM | PFT 1246
Doubly Dangerous: Evading Phishing Reporting Systems by Leveraging Email Tracking Techniques
Abstract
Given the significant threat posed by email as a highly prevalent phishing attack vector, we undertake the first study focused on real-world phishing email reporting systems. Our key idea in performing this study is to repurpose email tracking, a well-known privacy threat vector, for profiling and evading anti-phishing systems employed by popular email services. Our results show that the reporting systems of all major email services we tested are vulnerable to evasive phishing attacks affecting more than 2 billion users worldwide. We propose several countermeasures that email service operators can adopt to help ameliorate this issue in the future. We disclosed our findings to the affected email providers, which resulted in remedial changes and a vulnerability reward.
Anish Chand
Louisiana State University
"Please don't send that bot anything": A Mixed-methods Study of Personal Impersonation Attacks Targeting Digital Payments on Social Media
Abstract
Personal impersonation attacks on social media are an emerging form of social engineering that exploit trust within interpersonal relationships to redirect digital payments. Unlike brand impersonation, these attacks target everyday users, leveraging real-time public interactions to deceive victims into transferring funds to attacker-controlled accounts. In this paper, we present the first in-depth study of PROSPER (Payment Re-routing on Social media via Personal Impersonation) attacks, focusing on their operational tactics, scale, and impact. Using a mixed-methods approach, we tracked 181 PROSPER attacks over a 3-month period, uncovering 70 distinct digital payment accounts and revealing human-in-the-loop scam operations alongside automated bots, as well as longstanding campaigns involving reused payment accounts. Our quantitative analysis highlights the scale and persistence of these attacks, while our qualitative analysis provides deeper insights into attacker evasion strategies, victim targeting methods, and how victims are particularly vulnerable to these schemes. Based on these findings, we propose actionable recommendations for social media platforms and payment providers, including UI enhancements, stricter account handle management policies, and the sharing of blacklist information to mitigate these attacks and protect users from financial exploitation.

