5 research outputs found

    I Don't Need an Expert! Making URL Phishing Features Human Comprehensible

    A Review of Human- and Computer-Facing URL Phishing Features

    Hunting phish: an exploration of the human-based detection and management of phishing attacks

    Phishing communications aimed at deceiving people pose a severe threat for organisations, necessitating the need to focus on preventing potential victims from falling for phishing, as well as the formulation of policies and the development of solutions to enable quick responses to ongoing attacks. With the above in mind, this thesis aims to explore phishing features in human-facing interventions as well as the organisational response to phishing attacks. I started with an exploration of the phishing features related to URLs since they are one of the most robust features of phishing communication. To this end, I conducted a structured review of URL-based phishing features that appear in publications targeting human-facing and automated anti-phishing approaches to obtain a more comprehensive feature list and create a cross-community foundation for future research. I find that research on automation has utilised most of the features, but features were minimally explored in the human-facing anti-phishing research. Features that are rarely used in human-facing phishing work are still being utilised by experts, suggesting that average users could potentially use them too if they were presented in a usable way. Thus, I designed a usable URL feature report that aims to make experts' information sources accessible to non-experts to help general users judge URLs accurately. This report was designed iteratively with experts and average users before being evaluated in an online study. I show that the report supports users in accurately judging URLs' safety. In order to explore the organisational response to phishing attacks, I conducted a case study to investigate the processes of handling phishing reports, teams' interactions to improve defences, and the hindrance to a fast and effective response. The observed work patterns are a distributed cognitive process requiring multiple distinct teams with narrow system access and specialised knowledge.
Sudden large campaigns can overwhelm the Help Desk with reports, significantly impacting staff's workflow and hindering the effective application of mitigations and the potential for learning. The results from the several studies conducted throughout this thesis highlight the need for users' awareness; such awareness would aid them in avoiding clicking phishing URLs and would also help organisations to manage the impact. Indeed, the majority of the existing research on phishing is directed towards the goal of improving proactive measures rather than reactive measures; however, it is necessary to focus on strengthening every element in the phishing life cycle. My work shows that there are still many opportunities to add tool-based support into the process, both at the end-user level and in support of organisational IT staff.

    Using Clustering Algorithms to Automatically Identify Phishing Campaigns

    Attackers attempt to create successful phishing campaigns by sending out trustworthy-looking emails with a range of variations, such as adding the recipient name in the subject line or changing URLs in the email body. These tactics are used to bypass filters and make it difficult for the information system teams to block all emails even when they are aware of an ongoing attack. Little is done about grouping emails into campaigns with the goal of better supporting staff who mitigate phishing using reported phishing. This paper explores the feasibility of using clustering algorithms to group emails into campaigns that IT staff would interpret as being similar. First, we applied Mean Shift and DBSCAN algorithms with seven feature sets. Then, we evaluated the solutions with the Silhouette coefficient and homogeneity score and find that Mean Shift outperforms DBSCAN with email origin and URL-based features. We then run a user study to validate our clustering solution and find that clustering is a promising approach for campaign identification.