An empirical investigation of the effect of target-related information in phishing attacks
2014 (English)In: IEEE 18th International Enterprise Distributed Object Computing Conference Workshops and Demonstrations EDOCW 2014: 1-2 September 2014 Ulm, Germany: Proceedings / [ed] Georg Grossmann; Sylvain Hallé; Dimka Karastoyanova; Manfred Reichert; Stefanie-Rinderle-Ma, IEEE Computer Society, 2014, p. 357-363Conference paper, Published paper (Refereed)
Abstract [en]
Analyzing the role of target-related information in a security attack is an understudied topic in the behavioral information security research field. This paper presents an empirical investigation of the effect of adding information about the target in phishing attacks. Data was collected by conducting two phishing experiments using a sample of 158 employees at five Swedish organizations. The first experiment included a traditional mass-email attack with no target-related information, and the second experiment was a targeted phishing attack in which we included specific information related to the targeted employees' organization. The results showed that the number of organizational employees falling victim to phishing significantly increased when target-related information was added in the attack. During the first experiment 5.1 % clicked on the malicious link compared to 27.2 % of the second phishing attack, and 8.9 % of those executed the binary compared to 3.2 % of the traditional phishing attack. Adding target-related information is an effective way for attackers to significantly increase the effectiveness of their phishing attacks. This is the first study that has showed this significant effect using organizational employees as a sample. The implications of the results are further discussed.
Place, publisher, year, edition, pages
IEEE Computer Society, 2014. p. 357-363
Series
International Enterprise Distributed Object Computing Conference (EDOC), ISSN 2325-6583, E-ISSN 2325-6605
Keywords [en]
direct observations, experiments, phishing, security behavior, Social engineering
National Category
Communication Systems
Research subject
Technology; Information Systems
Identifiers
URN: urn:nbn:se:his:diva-10136DOI: 10.1109/EDOCW.2014.59ISI: 000411853300050Scopus ID: 2-s2.0-84919772804ISBN: 978-1-4799-5470-4 (print)ISBN: 978-1-4799-5467-4 (electronic)OAI: oai:DiVA.org:his-10136DiVA, id: diva2:758536
Conference
1st International Workshop on Compliance, Evolution and Security in Cross-Organizational Processes, Ulm, Germany, September 01-05, 2014; Int'l workshop in the scope of the 18th Int'l IEEE Enterprise Distributed Object Computing Conference (EDOC 2014)
Note
Alt. ISSN: 1541-7719
2014-10-272014-10-272023-02-20Bibliographically approved