Malicious emails, including phishing, spam, and scam emails, are one significant class of cyber social engineering attacks. Despite numerous defenses to counter them, the problem remains largely open. The ineffectiveness of current defenses can be attributed to our superficial understanding of the psychological properties that make these attacks successful. This problem motivates us to investigate the psychological sophistication, or sophistication for short, of malicious emails. We propose an innovative framework that accommodates two important and complementary aspects of sophistication, dubbed Psychological Techniques (PTechs) and Psychological Tactics (PTacs). We propose metrics and grading rules for human experts to assess the sophistication of malicious emails through the lens of these PTechs and PTacs. To demonstrate the usefulness of the framework, we conduct a case study based on 1,036 malicious emails assessed by four independent graders. Our results show that malicious emails are psychologically sophisticated, while exhibiting both commonalities and differing patterns in terms of their PTechs and PTacs. Results also show that previous studies might have focused on dealing with the less proliferated PTechs such as Persuasion and PTacs such as Reward, rather than the most proliferated PTechs such as Attention Grabbing and Impersonation, and PTacs such as Fit and Form and Familiarity, which are identified in this study. Among other findings, we also observe that social events are widely exploited by attackers in contextualizing their malicious emails. These findings could be leveraged to guide the design of effective defenses against malicious emails.