Phish Me If You Can: Using Simulations to Improve Employees’ Resistance to Phishing Attacks

Mohamed Abdelhamid is an Assistant Professor of Information Systems. Below is a summary of his recent research.

Phishing is a form of cybercrime. It occurs when an attacker sends an email that appears to come from a trusted source. The fake email asks the recipient to provide personal information, such as a user name, password, or debit/credit card numbers. In 2019, phishing was ranked by the FBI’s Internet Crime Complaint Center (IC3) as the number one cybercrime. Many computers have anti-phishing software installed, but phishing emails sometimes get through anyway. When that happens, the bogus messages typically ask recipients to click on malicious links or to provide their login credentials. Wandera (2017) reports that about 85% of institutions have been victims of a phishing attack. Likewise, a survey by SANS found that phishing is the most significant threat faced by organizations. Automated anti-phishing solutions are not yet good enough to prevent phishing threats. This has led researchers and specialists to conclude that the best way to defeat phishing is through the education and training of computer users.

Phishing simulation tests are used to teach employees about phishing and to measure how susceptible they are to phishing attacks. The purpose of such a simulation is to test employees’ resistance to phishing attacks, make them aware of recent phishing emails, and train them to detect phishing attacks. The present study is designed to gain information that can help organizations improve their employees’ ability to resist phishing attacks.

Design and procedure

As part of the experiment, four phishing emails were developed. The emails differed in terms of a) quality (high vs. low) and b) the theme used (fear vs. reward). The fake emails were developed to a) find out what motivates users to click (in this case, fear vs. reward), b) identify how much users know about the key components of phishing emails, and c) teach employees how to recognize a phishing email when they see one. The bogus emails were designed to feature either “high quality” or “low quality” characteristics. The “reward” emails were positive in sentiment and the “fear” emails were negative in sentiment.

At the end of the study, we determined which employees had been fooled by the fake phishing emails. Each of these employees was sent a debriefing email that explained they had been taking part in an experiment and also showed them how they could have spotted the phishing email.

Results

The phishing emails were sent to about 3,709 employees. We found that employees were more likely to be deceived by a reward-based phishing email than by a fear-based phishing email. In addition, we determined that the group of employees most likely to be deceived were the new hires. This shows the importance of making sure that every new employee’s orientation includes detailed training on how to recognize phishing emails.
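The 2x2 design described above (theme x quality) and the per-group comparison in the results can be reproduced on a campaign's own click records. The following is an added example, not code from the study: it aggregates constructed per-recipient records by theme, quality and tenure cohort, and applies a two-proportion z-test to check whether a gap such as reward vs. fear is larger than chance. The record fields, cohort labels and all counts are assumptions.

```python
"""Summarise phishing-simulation results by experimental condition.
Constructed example, not the study's code; fields and counts are assumed."""
from collections import defaultdict, namedtuple
from math import erfc, sqrt

Record = namedtuple("Record", "theme quality cohort clicked")

def make_records(theme, quality, cohort, sent, clicked):
    """Expand one design cell's summary counts into per-recipient records."""
    return [Record(theme, quality, cohort, i < clicked) for i in range(sent)]

# Constructed campaign: four variants (theme x quality) sent to two tenure
# cohorts. Counts are illustrative, not the study's figures.
RECORDS = (
    make_records("reward", "high", "new_hire", 40, 14)
    + make_records("reward", "low", "new_hire", 40, 9)
    + make_records("fear", "high", "new_hire", 40, 8)
    + make_records("fear", "low", "new_hire", 40, 5)
    + make_records("reward", "high", "tenured", 160, 24)
    + make_records("reward", "low", "tenured", 160, 14)
    + make_records("fear", "high", "tenured", 160, 12)
    + make_records("fear", "low", "tenured", 160, 6)
)

def counts_by(records, field):
    """(sent, clicked) per value of `field`, e.g. 'theme' or 'cohort'."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in records:
        sent[getattr(r, field)] += 1
        clicked[getattr(r, field)] += r.clicked
    return {g: (sent[g], clicked[g]) for g in sent}

def click_rates(records, field):
    """Click rate per group; the highest-rate group is the risk group."""
    return {g: c / n for g, (n, c) in counts_by(records, field).items()}

def two_proportion_z(c1, n1, c2, n2):
    """Two-sided pooled z-test on the gap between two click rates.
    Returns (z, p-value) using the normal approximation."""
    pooled = (c1 + c2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (c1 / n1 - c2 / n2) / se
    return z, erfc(abs(z) / sqrt(2))

if __name__ == "__main__":
    for field in ("theme", "quality", "cohort"):
        print(field, {g: round(r, 3) for g, r in click_rates(RECORDS, field).items()})
    (n_r, c_r), (n_f, c_f) = (counts_by(RECORDS, "theme")[t] for t in ("reward", "fear"))
    print("reward vs fear: z=%.2f p=%.4f" % two_proportion_z(c_r, n_r, c_f, n_f))
```

With the constructed counts, the cohort breakdown flags new hires as the highest-risk group, matching the kind of finding the study reports; on a real campaign the same breakdown points to where orientation training should be targeted.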

Contribution

This research contributes to the literature in several ways. First, it focused on the actual behavior of real employees; many other studies in this area merely ask employees whether they would recognize a phishing email and what they would do about it. Second, the study provides practical implications by showing employers how to identify the groups of employees most likely to be deceived by phishing, how to improve phishing simulation tests, how to refine training material, and how to improve employees’ resistance to phishing emails.