RESISTANCE TO PHISHING ATTACKS

Phishing is a cybercrime in which an attacker sends an email that appears to be from a trusted source and asks the recipient to provide personal information such as login credentials and debit/credit card numbers.

PHISH ME IF YOU CAN: IMPROVING EMPLOYEES’ RESISTANCE TO PHISHING ATTACKS THROUGH EXPERIMENTAL PHISHING SIMULATIONS

In 2019, phishing was ranked by the FBI’s Internet Crime Complaint Center (IC3) as the number one cybercrime by victim count. Phishing emails that pass through anti-phishing tools and software typically ask employees to click on malicious links or provide login credentials. Wandera (2017) reports that about 85% of institutions have been victims of a phishing attack. Likewise, the SANS threat landscape survey shows that phishing is the most significant threat that organizations have experienced. Automated anti-phishing solutions are not yet sufficient to alleviate phishing threats. This has led researchers and specialists to emphasize the importance of user education and training regarding phishing attacks.

Phishing simulation tests are among the methods used to increase employees’ awareness of phishing attacks and to understand users’ susceptibility to phishing emails. The purpose of the simulation is to test employees’ resistance to phishing attacks, make employees aware of recent phishing emails, and train employees on how to detect phishing attacks. This study aims to provide theoretical and practical implications that help organizations improve the resistance of employees to phishing attacks.

Design and procedure

As part of the experiment, four phishing emails were developed. The emails differed in a) quality (high vs. low) and b) the theme used (fear vs. reward). The emails were developed to a) distinguish what motivates users to click (in this case fear vs. reward), b) identify how knowledgeable users are regarding the key components of phishing emails, and c) educate employees on how to detect a phishing email. Each of the two themes was reworded and redesigned to feature high- and low-quality characteristics. Within the same theme, the sentiment of the high- and low-quality emails was kept similar: the reward emails were positive in sentiment and the fear emails were negative in sentiment. The absolute sentiment value of the fear and reward emails was also similar.

At the end of the campaign, we collected data from the phishing server and sent a debriefing email to every employee who fell victim to the phishing email. The debriefing email was customized for each of the four phishing emails and gave the employee clues on how they could have spotted the phishing email.

Results

The phishing emails were sent to about 3,709 employees. The main results showed that employees were more likely to fall victim to a reward-based phishing email than to a fear-based phishing email. In addition, the highest-risk group was new hires. This highlights the importance of including sophisticated phishing training as part of new employees’ orientation and training.
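The design above (a 2×2 campaign of quality × theme, followed by per-variant debriefing) and the analysis of its results (click rate by theme and by tenure group, with the highest-risk group identified) can be reproduced on a campaign export. The following is an added example, not code from the study or its phishing server: it builds a small constructed dataset, computes click rates per factor, runs a pooled two-proportion z-test on reward vs. fear, and queues a variant-specific debriefing note for each employee who clicked. The `Event` fields, the 6-month new-hire cutoff, and the debrief cue texts are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from math import erf, sqrt


@dataclass(frozen=True)
class Event:
    """One row of a (hypothetical) phishing-server export."""
    employee_id: str
    quality: str       # "high" or "low"
    theme: str         # "reward" or "fear"
    tenure_months: int
    clicked: bool
    submitted: bool    # entered credentials on the landing page


def make_constructed_campaign():
    """Constructed sample data (not the study's data): 10 employees per cell."""
    # (quality, theme, tenure_months, n_employees, n_clicked, n_submitted)
    cells = [
        ("high", "reward", 2, 10, 6, 4), ("high", "reward", 36, 10, 3, 1),
        ("low", "reward", 2, 10, 4, 2), ("low", "reward", 36, 10, 2, 1),
        ("high", "fear", 2, 10, 3, 2), ("high", "fear", 36, 10, 1, 0),
        ("low", "fear", 2, 10, 2, 1), ("low", "fear", 36, 10, 1, 0),
    ]
    events, i = [], 0
    for quality, theme, tenure, n, n_click, n_submit in cells:
        for k in range(n):
            events.append(Event(f"emp{i:03d}", quality, theme, tenure,
                                k < n_click, k < n_submit))
            i += 1
    return events


def tenure_bucket(e):
    """6-month new-hire cutoff is an assumption, not a value from the study."""
    return "new_hire" if e.tenure_months < 6 else "tenured"


def click_rate_by(events, key):
    """Click rate per group; key maps an event to its group label."""
    totals, clicks = Counter(), Counter()
    for e in events:
        totals[key(e)] += 1
        clicks[key(e)] += e.clicked
    return {g: clicks[g] / totals[g] for g in totals}


def highest_risk_group(events, key):
    rates = click_rate_by(events, key)
    return max(rates, key=rates.get)


def two_proportion_z(clicks_a, n_a, clicks_b, n_b):
    """Pooled two-proportion z-test; returns (z, two-sided p-value)."""
    p_a, p_b = clicks_a / n_a, clicks_b / n_b
    pooled = (clicks_a + clicks_b) / (n_a + n_b)
    se = sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    z = (p_a - p_b) / se
    p = 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))
    return z, p


def compare_themes(events):
    """Is the reward theme clicked more often than the fear theme?"""
    reward = [e for e in events if e.theme == "reward"]
    fear = [e for e in events if e.theme == "fear"]
    return two_proportion_z(sum(e.clicked for e in reward), len(reward),
                            sum(e.clicked for e in fear), len(fear))


# Assumed debrief cues, one per variant; each points at a detection clue.
DEBRIEF_CUES = {
    ("high", "reward"): "The sender domain did not match ours; hover links before clicking.",
    ("low", "reward"): "Generic greeting and spelling errors are classic phishing signs.",
    ("high", "fear"): "Urgent account-lockout threats are a pressure tactic; verify via the helpdesk.",
    ("low", "fear"): "Mismatched branding and a non-corporate link are warning signs.",
}


def debrief_queue(events):
    """One customized debrief per employee who clicked, keyed to their variant."""
    return {e.employee_id: DEBRIEF_CUES[(e.quality, e.theme)]
            for e in events if e.clicked}


def campaign_report(events):
    return {
        "by_theme": click_rate_by(events, lambda e: e.theme),
        "by_quality": click_rate_by(events, lambda e: e.quality),
        "by_tenure": click_rate_by(events, tenure_bucket),
        "highest_risk_tenure_group": highest_risk_group(events, tenure_bucket),
        "theme_test": compare_themes(events),
        "debriefs_to_send": len(debrief_queue(events)),
    }


if __name__ == "__main__":
    for k, v in campaign_report(make_constructed_campaign()).items():
        print(k, v)
```

The report separates the two design factors so each can be read on its own; the z-test is only meaningful at realistic campaign sizes, and on small constructed data like this it sits near the significance boundary.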

Contribution

This research contributes to the literature in several ways. First, the experiment and simulation capture actual behavior from real employees, rather than intentions and self-reported data, to measure phishing susceptibility.

This study also contributes to theory and literature by incorporating argument framing, theme, quality, and relevance to the design of phishing simulation emails. The study provides practical implications on identifying risk groups, improving phishing simulation test practices, refining training material, and improving resistance to phishing emails.