10 research outputs found

    Bait the hook to suit the phish, not the phisherman: A field experiment on security networks of teams to withstand spear phishing attacks on online social networks

    In this paper, we present our research in progress of a field experiment conducted to observe the impact of collective security behavior of teams when being targeted with a spear phishing attack on online social networks. To observe the shaping of security networks in teams, fifteen different honeypot profiles were created to send spear phishing messages after an initial bonding of eight weeks to the target group of 76 people. The experiment simulated regular communication on online social networks of three teams of an international organization. The team members were engaged in personal and individual chats on an online social network before later reacting to an unexpected and unforeseen spear phishing message. As previous research has shown, various aspects influence spear phishing susceptibility, but collective security behavior has so far been neglected. This work plans to evaluate how security networks are formed, the factors relevant to shaping those networks, and efforts to protect against spear phishing attacks.

    Reviewing Cybersecurity Awareness Training Tools Used to Address Phishing Attack at the Workplace

    Public sector data and sensitive information are a prime target for cyberattacks. There are numerous popular security tools used across the globe to achieve automated network protection. This study reviews the following tools: KnowBe4, PhishingBox, PhishInsight, PhishThreat, PhishMe, and Gophish. The rationale behind the detailed review is comparing and contrasting various cybersecurity awareness training tools used to address phishing attacks at the workplace. The selected tools can be used as assessment or awareness-enhancement tools; this depends on each tool's settings and system, owing to its integrated models and flexibility. Furthermore, social engineering attacks are constantly evolving, so knowing the strengths and weaknesses of different security tools could help pick the right instrument for spotting and responding to digital attacks. As a result, this study discusses the drawbacks of the selected tools, which can guide developers and service providers in improving the existing phishing awareness tools.

    South Africans’ susceptibility to phishing attacks

    PURPOSE: The purpose of the study is to assess the phishing susceptibility of individuals in South Africa, across industries related to financial services, education, legal services, and fraud- and forensic businesses. DESIGN/METHODOLOGY/APPROACH: This was an empirical, quantitative research study that collected anonymised data on simulated phishing attacks, using a survey. The results were statistically analysed to identify factors that were significantly related to the phishing score generated. FINDINGS: This was the first South African study to develop a phishing susceptibility score. The following demographic categories demonstrated a higher likelihood of phishing susceptibility: the legal industry; Gen Z and Alpha; females; and participants with matric as the highest educational level. The only two variables that were found to be significantly related to the phishing susceptibility score were gender (with females more susceptible) and the variable relating to prior reporting of phishing attacks (rendering such reporters less susceptible). RESEARCH LIMITATIONS/IMPLICATIONS: The data collected from the online survey represents the perceptions of the individual respondents. The results of this research are valuable, not only to the participants in this study but also to organisations within other industries, as it highlights phishing susceptibility risks. ORIGINALITY/VALUE: This study provides insight into factors influencing phishing susceptibility. For future research purposes, this study could be replicated within other industries in South Africa.

    "It may take ages":understanding human-centred lateral phishing attack detection in organisations

    Smartphones are a central part of modern life and contain vast amounts of personal and professional data as well as access to sensitive features such as banking and financial apps. As such, protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone, though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups in which a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After exposure, we asked participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be 'hacked into'. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access occurring from known attackers who can utilize personal knowledge to guess unlock codes.

    Targeted Attacks: Redefining Spear Phishing and Business Email Compromise

    In today's digital world, cybercrime is responsible for significant damage to organizations, including financial losses, operational disruptions, and intellectual property theft. Cyberattacks often start with an email, the major means of corporate communication. Some rare, severely damaging email threats, known as spear phishing or Business Email Compromise, have emerged. However, the literature disagrees on their definition, impeding security vendors and researchers from mitigating targeted attacks. Therefore, we introduce the notion of targeted attacks. We describe targeted-attack-detection techniques as well as social-engineering methods used by fraudsters. Additionally, we present text-based attacks, in which the textual content itself is the malicious payload, and compare non-targeted and targeted variants.

    An Analysis of Phishing Susceptibility Through the Lens of Protection Motivation Theory

    Users of communication tools are vulnerable to a cyberattack called phishing, which aims to trick a recipient into giving away information or access that the attacker should not have. There is a great need to protect the recipient from becoming a victim of phishing. Protection can be done in a multitude of ways; however, the human will be the last barrier of entry when all digital protection fails. This is why anti-phishing training is used to enable email users to see the difference between real email and phishing attacks. This research explores the use of Protection Motivation Theory (PMT) to analyse phishing susceptibility by interviewing ten employees in a large financial company. The analysis spanned all aspects of the original Protection Motivation Theory and sought to answer the research question: "How do employees in a company protect themselves against phishing attacks?". Furthermore, the study investigated the relationship between the experiences of the participants and what the theory suggested would increase protection motivation. The analysis resulted in findings that were consistent with PMT on the positive effects of rewards for employees in increasing protection motivation. Furthermore, a low response cost led to a positive effect where employees had the freedom to properly examine the emails they received and handle them accordingly. The last finding that was consistent with PMT was the positive effect of high efficacy, which enabled employees to make their own decisions based on their experience and knowledge. Surprisingly, findings also contradicted some core aspects of PMT. These include the perception of vulnerability and severity in combination with fear appeal. Although the perception of vulnerability and severity was high, the fear appeal was very low. This is inconsistent with PMT, as a high perception of vulnerability and severity should lead to high fear appeal.
Most importantly, these findings suggest that fear appeal is not as necessary as research has proposed and that protective behaviour in the absence of fear appeal can be replaced by a protective mindset. These findings point to important implications both in theory and in practice. The theoretical implications include the support of rewards and response cost positively affecting protection motivation if rewards are high and response cost is low. Another implication is that fear appeal, contrary to peer-reviewed research, might not be as important if the company itself focuses on security and promotes a healthy method of dealing with phishing attacks. The final theoretical implication is the protective behaviour that is a protective mindset. The concept correlates with multiple different behaviours that promote secure behaviour; however, it does so by analysing the need for fear appeal and promotes research which investigates protective behaviours without the need for PMT's version of fear appeal. The practical implications of this study include the promotion of a healthy protective mindset, which can be achieved by anti-phishing training, phishing simulations, and voluntary high awareness when looking at emails. Furthermore, findings show that the financial company studied in this thesis provides a great understanding of secure behaviour and the requirements to achieve it. However, this is done by mandating training whilst providing organisational support and incentives to do well. Although it could seem harsh, this has worked well, and should continue to work well.

    Don’t click : towards an effective anti-phishing training. A comparative literature review

    Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be designed sustainably and effectively to minimize the vulnerability of employees to phishing attacks. In this paper, we survey and categorize works that consider different elements of such programs via a clearly laid-out methodology, and identify key findings in the technical literature. Overall, we find that researchers agree on the answers to many relevant questions regarding the utility and effectiveness of anti-phishing training. However, we identified influencing factors, such as the impact of age on the success of anti-phishing training programs, for which mixed findings are available. Finally, based on our comprehensive analysis, we describe how a well-founded anti-phishing training program should be designed and parameterized, together with a set of proposed research directions.

    Technology and organisation in equilibrium

    This thesis explores the development of cyber-physical systems, taking the power system as its starting point, together with the research on cyber-physical security of smart grids. This perspective is combined with sociotechnical perspectives on accidents, in which organisation and technology are seen as interacting with and mutually shaping each other. The thesis therefore approaches cyber-physical security of power systems from a sociotechnical perspective through the following research question: How can the development of cyber-physical systems manifest as sociotechnical challenges for risk and safety in organisations? To answer this question, the thesis reviews sociotechnical literature and theories. This is then related to the results of a literature study of 20 articles on cyber-physical security of smart grids. Through a qualitative analysis, this study highlights characteristics of risk, system failure and security in cyber-physical systems as presented in the research literature on cyber-physical security. The most prominent finding of the literature study is the research literature's focus on new technical vulnerabilities that have arisen at the intersection of digital and physical technology, on new attack strategies that exploit such vulnerabilities, and on the corresponding security barriers that can prevent them. In one sense, cyber-physical development appears as a set of new technical challenges for organisations, where tighter couplings and complex interactions make the systems harder to understand and manage. This development is further aggravated by the uncertainty and ambiguity surrounding the threat landscape the systems face. The emphasis on technical aspects in cyber-physical security is necessary for developing and securing the systems, but the systems remain dependent on the people and organisations that design, implement and operate them.
The thesis argues that vulnerabilities, risk and security are concepts constructed by people and groups in organisations, which shape and are shaped by the organisation's environment. The most central sociotechnical challenge discussed is that framing the systems as cyber-physical can potentially neglect the human and organisational factors that interact with the technology's development and operation. It is also argued that the cyber-physical systems perspective is technocentric, and therefore does not place organisation and technology in equilibrium.

    Social Engineering and Organisational Dependencies in Phishing Attacks

    © IFIP International Federation for Information Processing 2019. Phishing emails are a widespread cybersecurity attack method. Their breadth and depth have been on the rise as they target individuals and organisations with increased sophistication. In particular, social engineering in phishing focuses on human vulnerabilities by exploiting established psychological and behavioural cues to increase the credibility of phishing emails. This work presents the results of a 56,000-participant phishing attack simulation carried out within a multi-national financial organisation. The overarching hypothesis was that strong cultural and contextual factors impact employee vulnerability. Thus, five phishing emails were crafted, based on three of Cialdini's persuasion principles used in isolation and in combination. Our results showed that Social proof was the most effective attack vector, followed by Authority and Scarcity. Furthermore, we examined these results in the light of a set of demographic and organisational features. Finally, both click-through rates and reporting rates were examined, to provide rich insights to developers of cybersecurity educational solutions.