
Lessons learned from phishing test


Authors: Pavol Sokol, Martin Glova, Terézia Mézešová, Regina Hučková

Abstract

This paper focuses on one form of social engineering: phishing and its targeted variant, spear phishing. The
essence of spear phishing is its personalisation. It focuses on specific individuals, and the e-mails are
tailored to them, which makes them more credible. In this paper we present the results of a study in
which we tested about 10,000 users. The test produced some interesting results, in particular how
a more personalised phishing attack can increase the number of victims. Based on these results, we
provide recommendations for protection against this type of social engineering.

Introduction

Cyberspace offers new opportunities, but it is also a source of new threats for both individuals
and organizations. Network security has therefore become an increasingly important part
of modern society. The ENISA Threat Landscape 2016 (ENISA, 2017) describes the current threat landscape,
in which several forms of social engineering appear. In social engineering, an attacker
manipulates victims into acting in a particular way. The highest-placed form of social engineering in that
report is phishing (6th place). The Oxford English Dictionary defines phishing as "the fraudulent practice of sending
emails purporting to be from reputable companies, in order to induce individuals to reveal personal
information, such as passwords and credit card numbers, online" (Oxford, 2009). Phishing can
also be defined as "a form of social engineering in which an attacker, also known as a phisher,
attempts to fraudulently retrieve legitimate users' confidential or sensitive credentials by mimicking
electronic communications from a trustworthy or public organization in an automated fashion"
(Jakobsson, 2016).
Mitigation of phishing attacks is difficult because they exploit people, the end users
of a system (Khonji et al., 2013). For example, as evaluated in Sheng et al. (2010), people who
were trained with the best-performing awareness program still failed to detect 29% of phishing
attacks. Software detection techniques, on the other hand, are evaluated against bulk phishing
attacks, so their performance against targeted forms of phishing is practically unknown.
These limitations were a direct cause of security breaches in several organisations, including
leading information security providers (Higgins, 2015). In the specialised case where phishing
targets a narrow set of e-mail addresses that are related to each other, we speak of spear phishing.
Caputo et al. (2014) showed a "very high click rate at spear phishing e-mails' links
(around 60%) which could be affected by the difficulty of detecting the spear phishing elements."
For the aforementioned reasons, we decided to run a phishing test within an academic organization
with two categories of users (victims): students and employees. We analysed the current status
of phishing and spear phishing on a sample of about 10,000 users of the organization. In this paper,
we address the following three research questions within the phishing test:
• analysis of the impact of the language and graphic design of the fraudulent web pages and
e-mails on the phishing campaign,
• analysis of the possibilities of implementing central security measures against phishing, and
• analysis of reaction time with regard to lowering the impact of the phishing campaign.
This paper is organised into five sections. Section II reviews published research
related to security awareness in phishing and lessons learned from phishing tests. Section III outlines
the methodology of the phishing test. Section IV presents the results of the phishing test and discusses
the important points. The last section contains conclusions and our suggestions for future
research.