Spear phishing in organisations explained

Purpose: The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient.

Design/methodology/approach: Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing opening was used, at random, in half of the emails; the other half carried a generic opening.

Findings: Nineteen per cent of the employees provided their PII in response to the generic phishing email, compared to 29 per cent in the spear phishing condition. Employees from a high power distance cultural background were more likely to provide their PII than those from a low power distance background. Age had no effect on providing the requested PII once the recipient's years of service within the organisation were taken into account.

Practical implications: This research shows that attack success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns where they will have the most effect.

Originality/value: The innovative aspect is that spear phishing success is explained using four socio-demographic variables.
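The abstract reports disclosure rates for the two conditions but not whether the 10-point gap is larger than chance would produce with roughly 300 recipients per arm. The following is an added example, not code from the study, showing the analysis a practitioner would run on the results of an internal phishing simulation with a generic and a personalised variant: a pooled two-proportion z-test and an odds ratio with a Wald confidence interval. The per-arm counts (297 generic, 296 personalised; 56 and 86 disclosures) are constructed from the reported 593 recipients, the even random split, and the 19 and 29 per cent rates, so they are an assumption and not figures from the paper.

```python
"""Compare PII-disclosure rates between two phishing-simulation arms."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    name: str
    sent: int        # emails delivered in this arm
    disclosed: int   # recipients who submitted PII

    @property
    def rate(self) -> float:
        return self.disclosed / self.sent


def two_proportion_ztest(a: Condition, b: Condition) -> tuple[float, float]:
    """Pooled two-proportion z-test for rate(b) - rate(a).

    Returns (z, two-sided p-value) using the normal approximation,
    which is adequate here because every cell count is well above 5.
    """
    pooled = (a.disclosed + b.disclosed) / (a.sent + b.sent)
    se = math.sqrt(pooled * (1 - pooled) * (1 / a.sent + 1 / b.sent))
    z = (b.rate - a.rate) / se
    p_two_sided = math.erfc(abs(z) / math.sqrt(2))  # P(|Z| >= |z|)
    return z, p_two_sided


def odds_ratio(a: Condition, b: Condition,
               z_crit: float = 1.959964) -> tuple[float, float, float]:
    """Odds of disclosing in b relative to a, with a Wald 95% CI.

    The CI is computed on log(OR), where the sampling distribution is
    close to normal, then mapped back.
    """
    a_kept = a.sent - a.disclosed
    b_kept = b.sent - b.disclosed
    ratio = (b.disclosed / b_kept) / (a.disclosed / a_kept)
    se_log = math.sqrt(1 / a.disclosed + 1 / a_kept
                       + 1 / b.disclosed + 1 / b_kept)
    lo = math.exp(math.log(ratio) - z_crit * se_log)
    hi = math.exp(math.log(ratio) + z_crit * se_log)
    return ratio, lo, hi


# Constructed counts (assumption): 593 recipients split evenly, with the
# reported 19% and 29% disclosure rates applied to each arm.
GENERIC = Condition("generic opening", sent=297, disclosed=56)
PERSONALISED = Condition("personalised opening", sent=296, disclosed=86)


def analyse(a: Condition = GENERIC, b: Condition = PERSONALISED) -> dict:
    """Bundle the comparison so a campaign report can consume it."""
    z, p = two_proportion_ztest(a, b)
    ratio, lo, hi = odds_ratio(a, b)
    return {
        "rate_a": a.rate,
        "rate_b": b.rate,
        "z": z,
        "p_two_sided": p,
        "odds_ratio": ratio,
        "ci95": (lo, hi),
        "significant_at_0.05": p < 0.05,
    }


if __name__ == "__main__":
    result = analyse()
    print(f"{GENERIC.name}: {result['rate_a']:.1%}  "
          f"{PERSONALISED.name}: {result['rate_b']:.1%}")
    print(f"z = {result['z']:.2f}, p = {result['p_two_sided']:.4f}")
    lo, hi = result["ci95"]
    print(f"odds ratio = {result['odds_ratio']:.2f} "
          f"(95% CI {lo:.2f} to {hi:.2f})")
```

With the constructed counts the personalised opening roughly 1.8 times the odds of disclosure, and the confidence interval excludes 1, so a gap of this size with this sample would not be written off as noise. The same functions apply to any two-arm simulation; for arms with fewer than about five events, replace the normal approximation with an exact (Fisher) test.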
