An Empirical Investigation of the Effect of Target-Related Information in Phishing Attacks

Analyzing the role of target-related information in a security attack is an understudied topic in the behavioral information security research field. This paper presents an empirical investigation of the effect of adding information about the target in phishing attacks. Data was collected by conducting two phishing experiments using a sample of 158 employees at five Swedish organizations. The first experiment was a traditional mass-email attack with no target-related information; the second was a targeted phishing attack in which we included specific information related to the targeted employees' organization. The results showed that the number of organizational employees falling victim to phishing significantly increased when target-related information was added to the attack. In the first experiment 5.1 % clicked on the malicious link, compared to 27.2 % in the second, targeted attack; 8.9 % executed the binary in the targeted attack, compared to 3.2 % in the traditional phishing attack. Adding target-related information is an effective way for attackers to significantly increase the effectiveness of their phishing attacks. This is the first study that has shown this significant effect using organizational employees as a sample. The implications of the results are further discussed.
