Abstract
Organizations are experiencing increasingly sophisticated attacks that specifically target their employees and customers. These attacks exploit information tailored to the victim or the organization to increase their credibility. To date, no study has evaluated the role of 'traditional' phishing cognitive effects in these advanced settings. In this paper, we run a field experiment targeting 747 subjects employed in two organizations (a university and a large international consultancy company) to evaluate the interaction between phishing persuasion techniques and the success rate in a highly-tailored setting. For this purpose, we exploit well-established user notification methods to devise enhanced attack delivery techniques, and evaluate how such techniques affect the success rate of our phishing campaigns. We find that the effect of 'traditional' attack techniques is widely mitigated in highly-tailored phishing settings, suggesting that current user training and detection techniques may be off-target for more sophisticated attacks. However, we find that the means by which the attack is delivered to the victim matters, and can greatly (up to three times) boost the effect of the base attack.
| Original language | English |
|---|---|
| Title of host publication | ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security |
| Publisher | Association for Computing Machinery, Inc |
| ISBN (Electronic) | 9781450388337 |
| DOIs | |
| Publication status | Published - 25 Aug 2020 |
Publication series
| Name | ACM International Conference Proceeding Series |
|---|---|
Funding
Acknowledgments. This work is supported by the ITEA3 programme through the DEFRAUDIfy project funded by Rijksdienst voor Ondernemend Nederland (grant no. ITEA191010).
Keywords
- Field experiment
- Persuasion techniques
- Tailored phishing