Phishing in Organizations: Findings from a Large-Scale and Long-Term Study

In this paper, we present findings from a large-scale and long-term phishing experiment that we conducted in collaboration with a partner company. Our experiment ran for 15 months, during which time more than 14,000 study participants (employees of the company) received different simulated phishing emails in their normal working context. We also deployed a reporting button in the company's email client that allowed the participants to report suspicious emails they received. We measured click rates for phishing emails, dangerous actions such as submitting credentials, and reported suspicious emails. The results of our experiment provide three types of contributions. First, some of our findings support previous literature with improved ecological validity; one example is the effectiveness of warnings placed on emails. Second, some of our results contradict prior literature and common industry practice. Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing; instead it can have unexpected side effects that make employees even more susceptible to phishing. Third, we report new findings. In particular, we are the first to demonstrate that using the employees as a collective phishing detection mechanism is practical in large organizations. Our results show that such crowd-sourcing allows fast detection of new phishing campaigns, that the operational load for the organization is acceptable, and that the employees remain active reporters over long periods of time.
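The crowd-sourced detection the abstract describes rests on one operational step: turning individual "report suspicious email" clicks into a campaign-level alert before the bulk of recipients act. The following is an added illustration of that aggregation step, not the paper's or the partner company's system. It assumes a hypothetical report format (reporter, sender, first URL, timestamp), a hypothetical campaign key (sender domain plus URL host and path, so per-recipient tracking parameters collapse together), and a hypothetical threshold of three distinct reporters within a 30-minute window; the sample reports are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample reports (not data from the study). Each entry is one press
# of the reporting button: who reported, the sender address, the first URL in
# the message body, and when the report arrived.
SAMPLE_REPORTS = [
    {"reporter": "u1", "sender": "it-support@corp-helpdesk.example",
     "url": "https://corp-helpdesk.example/reset?x=1", "ts": "2021-03-01T09:00:00"},
    {"reporter": "u2", "sender": "it-support@corp-helpdesk.example",
     "url": "https://corp-helpdesk.example/reset?x=2", "ts": "2021-03-01T09:04:00"},
    # same employee reporting the same message twice must not count twice
    {"reporter": "u1", "sender": "it-support@corp-helpdesk.example",
     "url": "https://corp-helpdesk.example/reset?x=1", "ts": "2021-03-01T09:05:00"},
    {"reporter": "u3", "sender": "it-support@corp-helpdesk.example",
     "url": "https://corp-helpdesk.example/reset?x=3", "ts": "2021-03-01T09:09:00"},
    # an unrelated single report: legitimate newsletter flagged by one person
    {"reporter": "u4", "sender": "newsletter@vendor.example",
     "url": "https://vendor.example/news", "ts": "2021-03-01T10:00:00"},
    # a straggler report a day later, outside any 30-minute window
    {"reporter": "u5", "sender": "it-support@corp-helpdesk.example",
     "url": "https://corp-helpdesk.example/reset?x=5", "ts": "2021-03-02T09:00:00"},
]


def campaign_key(report):
    """Collapse per-recipient variation into a key shared by the whole campaign.

    Hypothetical choice for this example: sender domain, URL host and URL path.
    Query strings are dropped because phishing kits commonly put a per-recipient
    tracking token there, which would otherwise split one campaign into many.
    """
    sender_domain = report["sender"].rsplit("@", 1)[-1].lower()
    u = urlparse(report["url"])
    return (sender_domain, u.netloc.lower(), u.path)


def detect_campaigns(reports, min_reporters=3, window=timedelta(minutes=30)):
    """Return {campaign_key: detection_time} for every key that at least
    `min_reporters` distinct employees reported within a sliding `window`.

    Distinct reporters, not raw report count, are what cross the threshold, so
    one employee pressing the button repeatedly cannot trigger an alert alone.
    The detection time is the timestamp at which the threshold was crossed.
    """
    by_key = defaultdict(list)
    for r in reports:
        by_key[campaign_key(r)].append((datetime.fromisoformat(r["ts"]), r["reporter"]))

    flagged = {}
    for key, events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = set()
            for t, who in events[i:]:
                if t - t0 > window:
                    break
                seen.add(who)
                if len(seen) >= min_reporters:
                    flagged[key] = t
                    break
            if key in flagged:
                break
    return flagged


if __name__ == "__main__":
    for key, when in detect_campaigns(SAMPLE_REPORTS).items():
        print(f"campaign {key} flagged at {when.isoformat()}")
```

On the sample data only the helpdesk campaign is flagged, at the third distinct report (09:09), while the single newsletter report and the next-day straggler stay below threshold. In a real deployment the threshold and window would be tuned against the organization's baseline report volume, and the flagged key would feed mail-gateway quarantine rather than a print statement.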
