
Giovanni Russello. Photo/University of Auckland/PMN News
A simulated campaign targeting government workers shows local-language requests for help are the most effective at tricking Pasifika, highlighting gaps in English-only cyber defences.
A new study reveals phishing emails, written in Pacific languages and framed as community or church requests for help, are among the most convincing for Pasifika recipients.
Conducted by the University of Auckland, the research titled Language as Lure: A Naturalistic Study on Pasifika Phishing Susceptibility is led by Professor Giovanni Russello, the Head of the School of Computer Science.
The study’s authors, who include Russello, Eric Spero, Isa Zheng Xin Seow, Lucas Betts, Eddie Fuatimau, and Danielle Lottridge, partnered with the government of an unidentified Pacific nation to send simulated phishing emails to 2000 government employees over a four-month period.
Russello says the research was inspired by a recent spate of “smishing” incidents in South Auckland. Smishing involves senders pretending to be from reputable companies in fraudulent text messages, aiming to convince recipients to reveal personal information such as passwords or credit card numbers.
Russello says that spam filters and other AI-based security tools, typically trained on large datasets, are less effective for languages like Sāmoan. In their four-month research test, participants received one of four emails each month: two personal requests and two commercial offers.
The emails were written in both English and the local language. They found the most effective was the local-language message asking the recipient to review a church agenda before a Sunday meeting.
More than 30 per cent of recipients clicked the link, over twice the rate for the English version. Many participants expressed a preference for emails in their native language, believing that scammers would not use their local language or that government systems would filter out malicious content.
Russello relates this trend to a theory called the “foreign language effect”, where thinking in one's first language draws on cultural background and values. “If you're thinking in your local language, then all your cultural background that you bring with you such as [how you grew] up, interacting with your elders, that comes up,” he says.
“There was a strong connotation about helping others. This is how we explain what in the local language with the compound factor of requests for help was a higher trigger for the people that received this email.”
An example of a scam text regarding missing parcels. Photo/PMN News
The role of AI in scamming
Artificial intelligence (AI) is another factor that has simplified the creation of such scams. Russello says large language models (LLMs) enable attackers to quickly generate convincing local-language messages, dramatically increasing the scale of phishing campaigns.
“They can impersonate people very easily. The reach of the attackers is much larger than it was before. Also, the amount of emails or attacks, generally, is larger. For phishers or attackers, they need one out of a million to get through.”
He also warns that phishing is not just about financial gain, as personal data is also a valuable “currency”. Russello advises individuals to keep their smartphones “lean and mean”, removing unnecessary apps that could leak personal information.
Russello advises removing unnecessary apps that clutter phone space. Photo/Unsplash
Human element: Last line of defence
While technical solutions are important, Russello says that humans, rather than security software, are always the last line of defence. He recommends culturally tailored phishing awareness training, as generic, English-only programmes overlook the specific nuances that scammers exploit.
“Whoever tells you that they have a bullet-proof solution, basically, they’re lying. There is always a percentage of stuff going through, and there is always a human element that needs to be exploited in order for an attack to be successful, especially in phishing.
“So you need to kind of focus on this aspect and you need to know your people. There are some general aspects that people need to be aware of. But then you need to have a more localised one. This is not just for the Pacific community, this is something that has a broader scope and reach.”
Keeping up to date is key, especially in protecting your personal data from hackers, scammers or phishers. Photo/Unsplash
‘Anybody can be a victim’
Russello also urges victims of scams not to feel ashamed, stressing that “anybody can be a victim” and even experts can be deceived. He advises reporting scams to help others avoid falling prey, as sharing information can protect the wider community.
“So there is no shame. The other thing is try to reach out for help because, especially in New Zealand, there are organisations that will try to help if they can. So reach out to them. Even if they're not able to help, make them aware that there is this attack, because you can then help others not fall victim to this kind of attack.
“There is nothing to be ashamed of. You can get angry with yourself or with the scammer, of course. But after that, reach out for help and share the information, so that you can help the community, protect your community.”
The study, the first simulated phishing campaign to focus on Pasifika communities, will be presented at the USENIX Symposium on Usable Privacy and Security in Seattle, United States, this month.