SOUPS 2025 Technical Sessions

Pig-butchering scams have emerged as a complex form of fraud that combines elements of romance, investment fraud, and advanced social engineering tactics to systematically exploit victims. In this paper, we present the first qualitative analysis of pig-butchering scams, informed by in-depth semi-structured interviews with N=26 victims. We capture nuanced, first-hand accounts from victims, providing insight into the lifecycle of pig-butchering scams and the complex emotional and financial manipulation involved. We systematically analyze each phase of the scam, revealing that perpetrators employ tactics such as staged trust-building, fraudulent financial platforms, fabricated investment returns, and repeated high-pressure tactics, all designed to exploit victims’ trust and financial resources over extended periods. Our findings reveal an organized scam lifecycle characterized by emotional manipulation, staged financial exploitation, and persistent re-engagement efforts that amplify victim losses. We also find complex psychological and financial impacts on victims, including heightened vulnerability to secondary scams. Finally, we propose actionable intervention points for social media and financial platforms to curb the prevalence of these scams and highlight the need for non-stigmatizing terminology to encourage victims to report and seek assistance.

SMS phishing poses a significant threat to users, especially older adults. Existing defenses mainly focus on phishing detection, but often cannot explain why the SMS is malicious to lay users. In this paper, we use large language models (LLMs) to detect SMS phishing while generating evidence-based explanations. The key challenge is that SMS is short, lacking the necessary context for security reasoning. We develop a prototype called SmishX which gathers external contexts (e.g., domain and brand information, URL redirection, and web screenshots) to augment the chain-of-thought (CoT) reasoning of LLMs. Then, the reasoning process is converted into a short explanation message to help users with their decision-making. Evaluation using real-world SMS datasets shows SmishX can achieve an overall accuracy of 98.8%, outperforming existing methods. Through user studies (N=175), we show that SmishX's explanation can significantly improve users' phishing detection efficacy across age groups. Its usability is rated "excellent" by participants (SUS score 82.6). We conclude by discussing open challenges in resolving human-AI disagreements and safely handling AI errors.

Insider threats account for a significant portion of security breaches. One strategy to mitigate this threat is effective offboarding practices. However, existing standards from ISO, NIST, and BSI provide limited actionable guidance on offboarding, leaving it an underexplored aspect of IT security. In this paper, we collected offboarding advice from these standards and conducted qualitative interviews with 15 professionals directly responsible for managing or overseeing offboarding in their organizations. We identified gaps and usability issues in current practices and highlighted the need for structured, usability-focused solutions. To support organizations in addressing these challenges, we reviewed and consolidated the offboarding advice contained in multiple standards into a collection of offboarding actions, integrating them with insights from our study.

Public and academic discourse on the safety of conversational agents using generative AI, particularly chatbots, often centers on fairness, trust, and risk. However, there is limited insight into how users differentiate these perceptions and what factors shape them. To address this gap, we developed a survey instrument based on previous work. We conducted an exploratory study using factor analysis and latent class analysis on survey responses from n=123 participants in the U.S. to offer an initial attempt at measuring and delineating the dimensionality of these safety perceptions. Latent class analysis revealed three distinct user groups with sometimes counterintuitive perception patterns: The Hesitant Skeptics, The Cautious Trusters, and The Confident Adopters. We find that greater usage frequency of AI chatbots is associated with higher trust and fairness perceptions but lower perceived risk. Some demographic traits like sexual orientation, income, and ethnicity also had strong and significant effects on group membership. Our findings highlight the need for more refined measurement approaches and a more nuanced perspective on users' AI safety perceptions regarding trust, fairness, and risk, particularly in capturing the kinds of experiences and interactions that lead users to develop their perceptions.

Incident response is a manually-intensive process whereby security analysts detect and respond to security events. In this study, we explore whether large language models (LLMs) can fully automate—or otherwise assist with—the final step of an incident response investigation: summarizing findings for stakeholders, auditors, and legal experts. We run a series of experiments with 18 security analysts and 50 real-world incidents to understand (1) whether LLMs can autonomously reason about security events and produce high-quality summaries; (2) whether LLMs can collaboratively assist security analysts with summarization; and (3) what overall benefits and risks security analysts foresee with integrating LLMs into incident summarization. We find that current LLMs may lack the security reasoning necessary to operate autonomously, producing summaries that omit critical details in 35% of cases and/or inject factual inaccuracies in 42% of cases. However, when used collaboratively, LLMs reduce the effort required from analysts to produce a summary, while improving the readability and consistency of summaries. We explore opportunities for improving the security reasoning of LLMs as well as other potential applications for incident response.

Over the past decade, web browsers have expanded far beyond their traditional role as standalone applications. Today, browsers are also integrated into a wide range of consumer products—including smart TVs, e-readers, gaming consoles, and even cars—where they serve as secondary features for users. However, while users can rely on the transparent security practices and frequent updates of standalone browsers, integrated browsers often lack these guarantees.

In this paper, we assess the security of integrated browsers from two perspectives: their obsolescence and the completeness of their security policy implementations. To overcome the challenges posed by closed-source firmware and hardware, we developed a crowdsourcing framework that leverages dynamic analysis to examine the security properties of browsers integrated into consumer products. Using this framework, we conducted a study in which participants tested their personal devices, resulting in 76 enrollments across 53 unique products and 68 unique software versions. Our findings reveal that while security policies are generally fully supported, many embedded browsers rely on outdated engines—some already obsolete at product release. By reproducing publicly disclosed vulnerabilities, we illustrate that users face considerable and hidden security risks due to the presence of unpatched flaws.

Smart home technologies offer convenience and security, but also raise privacy challenges shaped by cultural norms and household dynamics. We conducted an iterative Grounded Theory study using semi-structured interviews to examine how privacy is understood and managed in smart homes. Our initial data collection included participants from both the U.S. and Saudi Arabia, which highlighted a range of privacy tensions influenced by cultural expectations. Based on these insights, we focused subsequent data collection on Saudi households to explore how privacy concerns are navigated in specific religious and social contexts. Our findings show that privacy in Saudi homes is collectively negotiated and shaped by factors such as family hierarchies, interpersonal roles, and cultural obligations. Cameras, in particular, are perceived not merely as tools, but also as socially present entities, leading to behavioral adaptations and negotiated device usage. These insights underscore the importance of designing culturally responsive smart home technologies that align with local norms while supporting privacy and usability. By situating privacy within everyday household practice, this study contributes to broader discussions on culturally embedded design and privacy-aware innovation for smart homes.

Non-Consensual Image Disclosure Abuse (NCIDA) occurs when one person posts, or threatens to post, sensitive images of another person online with the intent to extort, humiliate, or harm. Though much is known about NCIDAs, almost nothing is known about how law enforcement agencies (LEAs) work with social media companies to address them, especially outside the West. Through discussions with Pakistani law enforcement, and legal experts, and analysis of LEA requests submitted to Meta platforms, we find that platforms are reasonably proactive in responding to NCIDA-related requests. However, their decisions are seem to be heavily influenced by their universal content-moderation policies, which are determined by Western norms that prioritize sexually explicit content but neglect content considered sensitive in other cultures. Our findings contribute a nuanced understanding of the communication between LEAs and social media companies in combating NCIDA, and lead to recommendations for platforms and government policy in mitigating NCIDA.

Privacy labels are concise, standardized representations of privacy policies that are required for apps on both the iOS and Android app stores. However, prior research shows that users find current app privacy labels confusing and are unable to correctly identify data practices based on these labels. This work explores how understandings of technical terms impact comprehension of app privacy labels. We conduct a pair of online user studies—a qualitative user study (n=46) and a large-scale quantitative study (n=383) in which we identify terms used in privacy labels that are widely misunderstood and explore common misunderstandings. We also formulate evidence-based recommendations for how to improve app privacy labels.

"TikTok, Do Your Thing" is a viral trend where users attempt to identify strangers they see in public via information crowd-sourcing. The trend started as early as 2021 and users typically engage with it for romantic purposes (similar to a "Missed Connections" personal advertisement). This practice includes acts of surveillance and identification in the public sphere, although by peers rather than governments or corporations. To understand users' reactions to this trend we conducted a qualitative analysis of 60 TikTok videos and 1,901 user comments. Of the 60 videos reviewed, we find 19 individuals were successfully identified. We also find that while there were comments expressing disapproval (n=310), more than double the number expressed support (n=883). Supportive comments demonstrated genuine interest and empathy, reflecting evolving conceptions of community and algorithmic engagement. On the other hand, disapproving comments highlighted concerns about inappropriate relationships, stalking, consent, and gendered double standards. We discuss these insights in relation to the normalization of interpersonal surveillance, online stalking, and as an evolution of social surveillance to offer a new perspective on user perceptions surrounding interpersonal surveillance and identification in the public sphere.