2007, IFIP International Federation for Information Processing
11 pages
Identity theft is an emerging threat in our networked world and more individuals and companies fall victim to this type of fraud. User training is an important part of ICT security awareness; however, IT management must know and identify where to direct and focus these awareness training efforts. A phishing exercise was conducted in an academic environment as part of an ongoing information security awareness project where system data or evidence of users' behavior was accumulated. Information security culture is influenced by amongst other aspects the behavior of users. This paper presents the findings of this phishing experiment where alarming results on the staff behavior are shown. Educational and awareness activities pertaining to email environments are of utmost importance to manage the increased risks of identity theft.
International Conference on Cyber Warfare and Security, 2022
The research results published in this article are oriented toward two areas: phishing email analysis and education for defense against the threats of phishing emails. The first topic builds on previous research primarily by analyzing changes in captured phishing emails over an interval of 4 weeks, half a year after the previous experiment. In this section, a statistical survey of phishing emails from both experiments is carried out and emails are segmented into categories focused on business, charity, asset transfer, and fund offers. The results of both experiments are then compared and validated. Based on this comparison and validation, a conclusion is made on trends and development in the phishing email domain in the last half a year. The second focus of our research is analysis of the existing education and testing systems for phishing emails. Based on the results of the analysis, a suitable system for university education and training against phishing and other malicious email ...
Computers & Security, 2023
Employees are often the victims of phishing attacks, posing a threat to both themselves and their organizations. In response, organizations are dedicating resources, time, and employee effort to train staff to identify simulated phishing attacks. However, the real-world effectiveness of these training efforts in large enterprises remains largely unexplored. To address this, we carried out a controlled experiment in an Israeli financial institution with approximately 5,000 employees. The experiment included three simulated phishing emails, and we examined how different factors influence the phishing Click-Through Rate (CTR). Our findings suggest that employees are more likely to engage with phishing simulation emails that use personalized phrasing. We also found that phishing CTR varies between business units, and that the timing of training before the simulated email did not significantly affect phishing CTR. Furthermore, it became clear that training prior to phishing simulations and adopting a data-driven approach that includes process, variable and measure analysis, can enhance organizational awareness of phishing. Although advanced technologies can mitigate some phishing attacks, our research indicates that employee awareness and proactive behavior will continue to play a critical role in the foreseeable future. The paper concludes by providing guidelines to information security officers on establishing effective organizational awareness to prevent phishing attacks.
One of the most difficult challenges in information security today is phishing. Phishing is a difficult problem to address because there are many permutations, messages, and value propositions that can be sent to targets. Spear phishing is also associated with social engineering, which can be difficult for even trained or savvy employees to detect. This makes the user the critical point of entry for miscreants seeking to perpetrate cyber crimes such as identity theft and ransomware propagation, which cause billions of dollars in losses each year. Researchers are exploring many avenues to address this problem, including educating users and making them aware of the repercussions of becoming victims of phishing. The purpose of this study was to interview security professionals to gain better insight on preventing users and employees from succumbing to phishing attack. Seven subject-matter experts were interviewed, revealing nine themes describing traits that identify users as vulnerable to attack or strongly resistive to attack, as well as training suggestions to empower users to resist spear phishing attacks. Suggestions are made for practitioners in the field and future research.
Policija i sigurnost
information (personal or official) for financial gain. That is one of the oldest cyber threats. There is a wide range of phishing attack techniques, and the most frequent one is performed via electronic mail. Due to major changes in conducting business in the last pandemic, which entail remote work, fast digital transformation and the increase of ICT technologies, the statistics show that phishing attacks are on the rise. Employees who lack developed awareness of phishing attacks, responsibility and knowledge represent a potential danger to the entire organisation. This paper describes the research on e-mail phishing recognition in business organisations in Primorje-Gorski kotar County. The research showed that employees are not aware of phishing attacks to a sufficient extent and that all the habits contributing to the IT security level regarding these attacks are not satisfying. To protect against such attacks, organisations should, in addition to implementing safety technical mea...
2021
In the recent years, remote work is prevalent due to climate change (air pollution due to massive wildfire, flood) healthcare concerns (i.e. corona virus) and advancement of technological communication tools which are paving the way for cyber attackers to grab user attention. Email phishing is anticipated as a major problem and consistent in targeting the modern, increasingly remote workforce. There have been substantial researches conducted in defending phishing by developing Spam filters, detection mechanisms and security training programs. Will it be another way to conduct research in phishing email aspect: analyzing phishing attack attempts and projecting attacks; measuring human’s susceptibility and perception to those? This survey objective is to conduct a review of evolving trend of Phishing research from early stage to date on finding out research directions with a goal of designing effective user-based phishing study. In addition, this survey’s motivation is to highlight li...
IFIP Advances in Information and Communication Technology, 2013
Using a role play scenario experiment, 117 participants were asked to manage 50 emails. To test whether the knowledge that participants are undertaking a phishing study impacts on their decisions, only half of the participants were informed that the study was assessing the ability to identify phishing emails. Results indicated that the participants who were informed that they were undertaking a phishing study were significantly better at correctly managing phishing emails and took longer to make decisions. This was not caused by a bias towards judging an email as a phishing attack, but instead, an increase in the ability to discriminate between phishing and real emails. Interestingly, participants who had formal training in information systems performed more poorly overall. Our results have implications for the interpretation of previous phishing studies, the design of future studies and for training and education campaigns, as it suggests that when people are primed about phishing risks, they adopt a more diligent screening approach to emails.
Communications in Computer and Information Science, 2018
Reports continue to testify that the problem of phishing remains pertinent in many industries today. This descriptive study investigated 126 university students' responses to various forms of phishing emails and other security-related behaviours through a self-designed questionnaire. The majority of the participants reported having an average experience in using computers and the Internet. Most participants chose to respond to phishing emails purportedly originating from Facebook and university contexts thus supporting that users are more likely to fall victim to phishing if the message is of interest or has relevance to their context. However, susceptibility was significantly reduced when users were presented with emails that imitate well-known South African banking institutions. This may suggest that users are either aware of phishing schemes that impersonate banking institutions, or they feel uncomfortable giving up personal information when they feel more at risk to be affected financially. The results from this study offer insights on behavioural aspects that can assist the information security community in designing and implementing more efficient controls against phishing attacks. Furthermore, this study suggests that researchers should consider exploring the behaviour of social media users as they can be vulnerable to phishing.
Cognizance Journal of Multidisciplinary Studies (CJMS), 2024
This paper investigates the essential role of employee awareness in mitigating phishing risks within the workplace. Through an analysis of educational aspects of phishing awareness training, the study emphasizes the importance of equipping employees with the knowledge and skills necessary to recognize and respond to phishing attempts effectively. It further explores the integration of technological solutions to enhance employee training and improve the organization's overall security posture. The research highlights the significance of risk management in proactively identifying and addressing phishing threats. Findings indicate that a comprehensive approach combining thorough training, advanced technology, and proactive risk management strategies significantly reduces the likelihood of phishing attacks. By reinforcing employee understanding of cyber threats, organizations can minimize potential damages and strengthen their overall cyber-security defenses. This study underscores the need for continuous engagement and training to adapt to the evolving landscape of cybercrime.
Bulletin of Electrical Engineering and Informatics, 2025
Nowadays, cybersecurity is crucial. Therefore, cybersecurity awareness should be a concern for businesses, particularly critical infrastructure organizations. The results of this study, using simulated phishing attacks, indicate that in the first attempt, workers of a Thai railway firm received a phony email purporting to inform recipients of a special deal from a reputable retailer of information technology (IT) equipment. The findings showed that 10.9% of the 735 workers fell for the scam. This demonstrates a good level of awareness regarding cyber dangers. The workers who were duped by the initial attack received awareness training. Next, a second attempt was carried out. This time, the strategy was for the workers to change their passwords through an email notification from the fake IT staff. According to the findings, 1.4% of the workers fell victim to both attacks (different email content), and a further 8.0% of the workers who did not fall victim to the first attack were deceived. Furthermore, after the statistical analysis, it was confirmed that there is a difference in the relationship between the workers and the two phishing attack simulations using different content. As a result, this study has demonstrated that different types of content can affect levels of awareness.
Phishing is a social engineering tactic that targets internet users in an attempt to trick them into divulging personal information. When opening an email, users are faced with the decision of determining if an email is legitimate or an attempt at phishing. Although software has been developed to assist the user, studies have shown they are not foolproof, leaving the user vulnerable. Multiple training programs have been developed to educate users in their efforts to make informed decisions; however, training that conveys the real world consequences of phishing or training that increases a user's fear level have not been developed. Conveying real world consequences of a situation and increasing a user's fear level have been proven to enhance the effects of training in other fields. Ninety-six participants were recruited and randomly assigned to training programs with phishing consequences, training programs designed to increase fear, or a control group. Preliminary results indicate that training helped users identify phishing emails; however, little difference was seen among the three groups. Future analysis will include a factor analysis of personality and individual differences that influence training efficacy.