Spear Phishing Simulation in Critical Sector: Telecommunication and Defense Sub-sector

Phishing is an attack that uses social engineering techniques to steal users’ confidential information like passwords and banking information. It happens when cyber criminals disguised as a trusted entity and deceived users to click on fake links in e-mail received by the user. Cyber criminals also act to target phishing attacks from individuals to organizations that are specific to the country's critical sector, and this is known as a spear phishing. In fact, the telecommunication sector is one of the main targets of cyber criminals using spear phishing attacks to obtain user-sensitive information. The main objective of this work is to identify the level of cyber security in the organization under the telecommunication sector and defense sub-sector by using existing general simulation procedure. The procedure is adapted and modified according to the organization’s working environment. The first simulation was conducted on June 4, 2018 involving 39 employees. Findings showed that all respondents did not respond to the spear phishing e-mails received. In fact, the results of the questionnaire conducted after the end of the simulation found that all respondents were able to identify all indicators on spear phishing e-mails quickly and easily. This proves that the level of awareness and knowledge of cyber security of the population is high. The second simulation was conducted in stages, from October 29 to November 15, 2018 using a different approach. Of the 39 e-mails sent, 12 respondents (31%) responded to the received e-mail by clicking on the link in the e-mail content. Based on the results of this second simulation, this spear phishing attack was successfully implemented and proved that the new simulation procedure can be used in the telecommunication sector and defense sub-sector.

[1]  Vittorio Rosato,et al.  Managing the Complexity of Critical Infrastructures: A Modelling and Simulation Approach , 2017 .

[2]  Tracey Caldwell Spear-phishing: how to spot and mitigate the menace , 2013 .

[3]  Keyur Shah PHISHING: AN EVOLVING THREAT , 2015 .

[4]  Abhishek Singhal,et al.  A literature survey on social engineering attacks: Phishing attack , 2016, 2016 International Conference on Computing, Communication and Automation (ICCCA).

[5]  Michael E. Locasto,et al.  An interdiscplinary study of phishing and spear-phishing attacks , 2015 .

[6]  Jason Bennett Thatcher,et al.  Defending against Spear Phishing: Motivating Users through Fear appeal Manipulations , 2016, PACIS.

[7]  Antesar M. Shabut,et al.  A literature review on phishing crime, prevention review and investigation of gaps , 2016, 2016 10th International Conference on Software, Knowledge, Information Management & Applications (SKIMA).

[8]  Zhenkai Liang,et al.  Phishing-Alarm: Robust and Efficient Phishing Detection via Page Component Similarity , 2017, IEEE Access.

[9]  Alastair Nottingham,et al.  Underlying finite state machine for the social engineering attack detection model , 2017, 2017 Information Security for South Africa (ISSA).

[10]  Jason Earl Thomas Individual Cyber Security: Empowering Employees to Resist Spear Phishing to Prevent Identity Theft and Ransomware Attacks , 2018 .

[11]  Zinaida Benenson,et al.  Unpacking Spear Phishing Susceptibility , 2017, Financial Cryptography Workshops.

[12]  E. Anita,et al.  A survey on data breach challenges in cloud computing security: Issues and threats , 2017, 2017 International Conference on Circuit ,Power and Computing Technologies (ICCPCT).

[13]  Hein S. Venter,et al.  Social engineering attack framework , 2014, 2014 Information Security for South Africa.

[14]  Edgar R. Weippl,et al.  Advanced social engineering attacks , 2015, J. Inf. Secur. Appl..

[15]  Sanjay Goel,et al.  Got Phished? Internet Security and Human Vulnerability , 2017, J. Assoc. Inf. Syst..