In an era dominated by digital interactions, phishing campaigns have evolved to exploit not just technological vulnerabilities but also human traits. This study takes an unprecedented deep dive into large-scale phishing campaigns aimed at Meta’s users, offering a dual perspective on the technical mechanics and human elements involved. Analysing data from over 25,000 victims worldwide,...
Measuring technical and human factors of a large-scale phishing campaign
The human factor in phishing: collecting and analyzing user behavior when reading emails
Phishing emails are constantly increasing their sophistication, and typical countermeasures struggle at addressing them. Attackers target our cognitive vulnerabilities with a varied set of techniques, and each of us, not trained enough or simply in the wrong moment, can be deceived and put an entire organization in trouble. To date, no study has evaluated the...
Exploring the evidence for email phishing training: A scoping review
Background: Phishing emails are a pervasive threat to the security of confidential information. To mitigate this risk, a range of training measures have been developed to target the human factors involved in phishing email susceptibility. Despite the widespread use of anti-phishing training programs, there is no clear understanding of the extent to which these approaches...
Fortifying healthcare: An action research approach to developing an effective SETA program
Organizations continue to use security education training and awareness (SETA) programs to reduce the number of cybersecurity incidents related to phishing. A large healthcare organization contacted the authors to share that they continued to struggle with the efficacy of their traditional training program and to ask whether we could design a better program. Using an...
Content analysis of persuasion principles in mobile instant message phishing
The popularity of Mobile Instant Messaging (MIM) Applications (apps) presents cybercriminals with a new venue for sending deceptive messages, known as ‘Phishing’. MIM apps often lack technical safeguards to shield users from these messages. The first step towards developing anti-phishing solutions to identify phishing messages in any attack vector is understanding the nature of the...
Encouraging organisational information security incident reporting
21st-century organisations can only learn how to respond effectively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employees about their incident reporting obligations. However, there is little research...
Is the key to phishing training persistence?: Developing a novel persistent intervention
Most previous phishing interventions have employed discrete training approaches, such as brief instructions aimed at improving phishing detection. However, these discrete interventions have demonstrated limited success. The present studies focused on developing an alternative to discrete training by providing college-age adults with a persistent classification aid that guided them on what characteristics a phishing email...
“Employees who don’t accept the time security takes are not aware enough”: The CISO view of human-centred security
In larger organisations, the security controls and policies that protect employees are typically managed by a Chief Information Security Officer (CISO). In research, industry, and policy, there are increasing efforts to relate principles of human behaviour interventions and influence to the practice of the CISO, despite these being complex disciplines in their own right. Here...
Perfecting your phish simulations — The 85% sweet spot for optimal learning
I don’t normally choose Phishing as a research topic because I think the literature is saturated with insights. However, I see that many companies struggle with a few important details when it comes to Phishing simulations: What is the optimal Phishing simulation click rate and what it entails How to achieve the optimal Phishing simulation...
Repeat clicking: A lack of awareness is not the problem
Although phishing is the most common social engineering tactic employed by cyber criminals, not everyone is equally susceptible. An important finding emerging across several research studies on phishing is that a subset of employees is especially susceptible to social engineering tactics and is responsible for a disproportionate number of successful phishing attempts. Sometimes referred to...
“Repeat Offenders” in cyber security – Black hat Europe executive summit 2021 keynote
What is the problem with so-called “repeat offenders” We can answer that question in two ways. The easy way, and the right way. Let’s start with the simple answer. Many people would say that the problem with “repeat offenders” is repeat incidents, or at least repeat near misses. I know that’s the topic of discussion...
The enduring mystery of the repeat Clickers
Individuals within an organization who repeatedly fall victim to phishing emails, referred to as Repeat Clickers, present a significant security risk to the organizations within which they operate. The causal factors for Repeat Clicking are poorly understood. This paper argues that this behavior afflicts a persistent minority of users and is explained as either the...
How to deal with individuals who repeatedly fail phishing simulations
In most companies, a small percentage of employees repeatedly fail phishing simulations. These “repeat responders” should be addressed through frequent phishing exercises to build muscle memory in identifying a phish. The cybersecurity team should work to identify what other resources are needed to reduce the tendency for repeat responders, i.e., identify process or technology updates...
Phishing for long tails: Examining organizational repeat clickers and protective stewards
Organizational cybersecurity efforts depend largely on the employees who reside within organizational walls. These individuals are central to the effectiveness of organizational actions to protect sensitive assets, and research has shown that they can be detrimental (e.g., sabotage and computer abuse) as well as beneficial (e.g., protective motivated behaviors) to their organizations. One major context...
Social phishing
Phishing is a form of social engineering in which an attacker attempts to fraudulently acquire sensitive information from a victim by impersonating a trustworthy third party. Phishing attacks today typically employ generalized “lures.” For instance, a phisher misrepresenting himself as a large banking corporation or popular on-line auction site will have a reasonable yield, despite...
An ideal approach for detection and prevention of phishing attacks
Phishing is a treacherous attempt to embezzle personal information such as bank account details, credit card information, social security number, employment details, and online shopping account passwords and so on from internet users. Phishing, or stealing of sensitive information on the web, has dealt a major blow to Internet security in recent times. These attacks...
Client-Side Counter Phishing Application Using Adaptive Neuro-Fuzzy Inference System
Phishing is an online scam which involves identity theft of unsuspecting users, by which an attacker steals the personal information of users, such as user ID or password. E-mails, instant messaging and web pages are used in carrying out such attacks, out of which Phishing using e-mails is the most dominant method. E-mails containing hyperlinks...
Detect phishing by checking content consistency
Phishing is a form of cybercrime used to lure a victim to reveal his/her sensitive personal information to fraudulent web pages. To protect users from phishing attacks, many anti-phishing techniques have been proposed to block suspicious web pages, which are identified against registered lacklists, or checked by search engines. However, such approaches usually have difficulty...
Real time detection of phishing websites
Web Spoofing lures the user to interact with the fake websites rather than the real ones. The main objective of this attack is to steal the sensitive information from the users. The attacker creates a ‘shadow’ website that looks similar to the legitimate website. This fraudulent act allows the attacker to observe and modify any...
Social network security: issues, challenges, threats, and solutions
Networks are very popular in today’s world. Millions of people use various forms of social networks as they allow individuals to connect with friends and family, and share private information. However, issues related to maintaining the privacy and security of a user’s information can occur, especially when the user’s uploaded content is multimedia, such as...