Organizations are increasingly under threat from cybercriminals attempting to infiltrate their computer systems by exploiting the behaviour of employees via targeted, fraudulent emails. This practice is commonly known as spear phishing.
Organizations attempt to raise awareness of spear phishing emails amongst their staff through the use of simulated phishing tests. This involves the organization sending simulated, targeted phishing emails to several employees and monitoring the resultant ‘click-rate.’ Despite an increased focus on training and awareness approaches, employees continue to be vulnerable to phishing attacks.
In this article, Emma Williams and her colleagues from the University of Bath in the United Kingdom investigated employee susceptibility to targeted phishing emails. The authors conducted two studies, Study One and Study Two, in organizational settings.
The aim of Study One was to examine whether the presence of authority and urgency cues within simulated spear phishing emails differentially impacted employee susceptibility to open these emails within a work context. Phishing simulation data from a large UK public sector organization was analyzed. Across all email types, there was a mean click rate of 19.44%. This result showed that significantly higher click-rates were found for phishing simulations that contained authority and urgency cues.
The aim of Study Two was to examine whether factors external to the phishing message itself are likely to impact susceptibility to spear phishing within the workplace. To address this aim, the authors employed a focus group methodology to explore employee perceptions of susceptibility to spear phishing emails. The results focused on four different themes:
- Trust or suspicion: In this theme, the authors analyzed factors impacting employee trust in an email such as:
- The authenticity (which requires taking actions such as examining the sender address for errors);
- The familiarity (familiarity with the sender or topic of emails received);
- Expectations (communications that were expected or considered routine were less likely to trigger suspicion) and;
- Work context (specifically, the impact of being busy).
- Perceptions of spear phishing risk: In this theme, the authors analyzed factors impacting employee perceptions of spear phishing such as:
- Exposure to external emails (receiving an external email would trigger suspicion);
- Centralized inboxes (the use of a centralized inbox were perceived as increasing exposure to potential phishing emails) and;
- Risk awareness.
- How susceptibility is managed: In this theme, the authors analyzed a number of assistance mechanisms and aides that employee used to manage spear phishing risk such as:
- Warnings and banners (the provision of security alerts was considered to increase awareness of particular threats);
- Reporting (the ease of reporting potential phishing emails);
- Peer verification (the role of peer support in verifying emails) and;
- Avoidance (avoiding engaging in activities that may increase the risk of falling victim to a phishing attack).
- Knowledge and training: In this theme, the authors highlighted a number of factors regarding the degree of knowledge that employees have about both spear phishing and phishing in general such as:
- Technical understanding (the uncertainty regarding what spear phishing encompasses);
- Understanding the security centre (the uncertainty regarding technical security systems);
- Information overload and;
- Perceptions of training (training content is not sufficiently processed to ensure that it can be easily recalled when required).
This paper highlights the complex nature of susceptibility to phishing within the workplace. It is necessary first to understand the underlying causes and mechanisms driving response behaviour. According to the authors, the “one-size-fits-all” approach is unlikely to be sufficient and should be re-evaluated.
Cite: Williams, E. J., Hinds, J., Joinson, A. N. (2018). Exploring susceptibility to phishing in the workplace. International Journal of Huma-Computer Studies, 120, 1-13.