60 research outputs found

    Bait the hook to suit the phish, not the phisherman: A field experiment on security networks of teams to withstand spear phishing attacks on online social networks

    In this paper, we present our research in progress of a field experiment conducted to observe the impact of collective security behavior of teams when being targeted with a spear phishing attack on online social networks. To observe the shaping of security networks in teams, fifteen different honeypot profiles were created to send spear phishing messages after an initial bonding of eight weeks to the target group of 76 people. The experiment simulated a regular communication on online social networks of three teams of an international organization. The team members were entangled in personal and individual chats on an online social network to later react to an unexpected and unforeseen spear phishing message. As previous research has shown, various aspects influence the spear phishing susceptibility, but the collective security behavior has currently been neglected. This work plans to evaluate how security networks are being formed, the factors relevant to shape those networks, and efforts to protect against spear phishing attacks.

    Suspicion in Phishing and Organization Risk

    Phishing emails are communications that are sent out in mass and are designed with the goal of obtaining sensitive information, installing malware on a user's machine, or gaining access to a network. Training users about the dangers of phishing emails is common in organizations, but users will still frequently fall victim to phishing attacks. Organizations may feel that they are doing the necessary actions, such as providing user security training, to mitigate the risk of users' lack of secure behavior. Organizations are faced with the challenge of the human element: the most undependable and uncontrollable part of an information system. As time has progressed, corporations are beginning to understand that they must put measures and controls into their security IT to mitigate the possible problems that arise from human interaction with IT. This research attempts to explore suspicion as it relates to emails and how to better train individuals to recognize illegitimate emails.

    "It may take ages": Understanding human-centred lateral phishing attack detection in organisations

    Smartphones are a central part of modern life and contain vast amounts of personal and professional data as well as access to sensitive features such as banking and financial apps. As such, protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone, though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups where a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After exposure, we ask participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be 'hacked into'. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access occurring from known attackers who can utilise personal knowledge to guess unlock codes.

    The psychology of internet fraud victimisation: A systematic review

    Existing theories of fraud provide some insight into how criminals target and exploit people in the online environment; whilst reference to psychological explanations is common, the actual use of established behavioural theories and/or methods in these studies is often limited. In particular, there is less understanding of why certain people/demographics are likely to respond to fraudulent communications. This systematic review will provide a timely synthesis of the leading psychologically based literature to establish the key theories and empirical research that promise to impact on anti-fraud policies and campaigns. Relevant databases and websites were searched using terms related to psychology and fraud victimisation. A total of 44 papers were extracted and 34 included in the final analysis. The studies range in their scope and methods; overall, three main factors were identified: message (n = 6), experiential (n = 7), and dispositional (n = 21), although there was some overlap between these (for example, mapping message factors onto the dispositional traits of the victim). Despite a growing body of research, the total number of studies able to identify specific psychological processes associated with increased susceptibility to online fraud victimisation was limited. Messages are targeted to appeal to specific psychological vulnerabilities, the most successful linking message with human factors, for example, time-limited communications designed to enact peripheral rather than central information processing. Suggestions for future research and practical interventions are discussed.

    An investigation of phishing awareness and education over time: When and how to best remind users

    Security awareness and education programmes are rolled out in more and more organisations. However, their effectiveness over time and, correspondingly, appropriate intervals to remind users' awareness and knowledge are an open question. In an attempt to address this open question, we present a field investigation in a German organisation from the public administration sector. With overall 409 employees, we evaluated (a) the effectiveness of their newly deployed security awareness and education programme in the phishing context over time and (b) the effectiveness of four different reminder measures, administered after the initial effect had worn off to a degree that no significant improvement compared to before its deployment was detected anymore. We find a significantly improved performance of correctly identifying phishing and legitimate emails directly after and four months after the programme's deployment. This was not the case anymore after six months, indicating that reminding users after half a year is recommended. The investigation of the reminder measures indicates that measures based on videos and interactive examples perform best, lasting for at least another six months.

    An Analysis of Phishing Susceptibility Through the Lens of Protection Motivation Theory

    Users of communication tools are vulnerable to a cyberattack called phishing, which aims to trick a recipient into giving away information or access that the attacker should not have. There is a great need to protect the recipient from becoming a victim of phishing. Protection can be done in a multitude of ways; however, the human will be the last barrier of entry when all digital protection fails. This is why anti-phishing training is used to enable email users to see the difference between real email and phishing attacks. This research explores the use of Protection Motivation Theory (PMT) to analyse phishing susceptibility by interviewing ten employees in a large financial company. The analysis spanned all aspects of the original Protection Motivation Theory and sought to answer the research question: "How do employees in a company protect themselves against phishing attacks?". Furthermore, the study investigated the relationship between the experiences of the participants and what the theory suggested would increase protection motivation. The analysis resulted in findings that were consistent with PMT on the positive effects of rewards for employees to increase protection motivation. Furthermore, a low response cost led to a positive effect where employees had the freedom to properly examine the emails they received and handle them accordingly. The last finding that was consistent with PMT was the positive effect of high efficacy, which led to the enabling of employees to make their own decisions based on their experience and knowledge. Surprisingly, findings also contradicted some core aspects of PMT. These include the perception of vulnerability and severity in combination with fear appeal. Although the perception of vulnerability and severity was high, the fear appeal was very low. This is inconsistent with PMT, as high perception of vulnerability and severity should lead to high fear appeal.
    Most importantly, these findings suggest that fear appeal is not as necessary as research has proposed and that protective behaviour in the absence of fear appeal can be replaced by a protective mindset. These findings point to important implications both in theory and in practice. The theoretical implications include the support of rewards and response cost positively affecting protection motivation if rewards are high and response cost is low. Another implication is that fear appeal, contrary to peer-reviewed research, might not be as important if the company itself focuses on security and promotes a healthy method of dealing with phishing attacks. The final theoretical implication is the protection behaviour that is a protective mindset. The concept correlates with multiple different behaviours that promote secure behaviour; however, it does so by analysing the need for fear appeal and promotes research which investigates protective behaviours without the need for PMT's version of fear appeal. The practical implication of this study includes the promotion of a healthy protective mindset, which can be achieved by anti-phishing training, phishing simulations, and voluntary high awareness when looking at emails. Furthermore, findings show that the financial company studied in this thesis provides a great understanding of secure behaviour and the requirements to achieve it. However, this is done by forcing training whilst experiencing organisational support and incentives to do well. Although it could seem harsh, this has worked well, and should continue to work well.

    RAIDER: Reinforcement-aided Spear Phishing Detector

    Spear phishing is a harmful cyber-attack facing businesses and individuals worldwide. Considerable research has been conducted recently into the use of Machine Learning (ML) techniques to detect spear-phishing emails. ML-based solutions may suffer from zero-day attacks: unseen attacks unaccounted for in the training data. As new attacks emerge, classifiers trained on older data are unable to detect these new varieties of attacks, resulting in increasingly inaccurate predictions. Spear phishing detection also faces scalability challenges due to the growth of the required features, which is proportional to the number of senders within a receiver's mailbox. This differs from traditional phishing attacks, which typically require only a binary classification between phishing and benign emails. Therefore, we devise a possible solution to these problems, named RAIDER: Reinforcement AIded Spear Phishing DEtectoR, a reinforcement-learning based feature evaluation system that can automatically find the optimum features for detecting different types of attacks. By leveraging a reward and penalty system, RAIDER allows for autonomous feature selection. RAIDER also keeps the number of features to a minimum by selecting only the significant features to represent phishing emails and detect spear-phishing attacks. After extensive evaluation of RAIDER over 11,000 emails and across 3 attack scenarios, our results suggest that using reinforcement learning to automatically identify the significant features could reduce the dimensions of the required features by 55% in comparison to existing ML-based systems. It also improves the accuracy of detecting spoofing attacks by 4%, from 90% to 94%. In addition, RAIDER demonstrates reasonable detection accuracy even against a sophisticated attack named Known Sender, in which spear-phishing emails greatly resemble those of the impersonated sender. Comment: 16 pages.

    Analysing Simulated Phishing Campaigns for Staff
