The Peculiar Case of Tailored Phishing against SMEs: Detection and Collective Defense Mechanisms at a Small IT Company

Pavlo Burda, Abdul Malek Altawekji, Luca Allodi, Nicola Zannone

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-reviewed

Abstract

Phishing attacks are increasingly sophisticated, with attackers exploiting publicly available information on their targets to personalize their attacks. Although a growing body of research has investigated the effectiveness of tailored phishing campaigns, researchers have primarily focused on large enterprises. Company size, composition, and resource availability (e.g., of security experts or a phishing response team handling incidents) play an important role in the dynamics studied so far. Whether the same findings also apply to small and medium-sized enterprises (SMEs), which typically do not have those resources, is unclear. Moreover, studying SME security is hard, as SMEs generally have no in-house expertise to run the required experiments. This work provides a first study filling this gap by investigating the effectiveness of a tailored phishing campaign against an SME IT company in Europe. To this end, we conducted a field experiment targeting 30 employees at the SME and subsequently interviewed nine employees to understand the cognitive processes underlying the detection of and response to our phishing campaign, as well as the group defense mechanisms at the SME. Our findings show that expectation mismatch was the primary method for detecting our phishing email, and that the collective defense mechanism enabled a surprisingly prompt response to and containment of the attack, possibly due to the network dynamics of a small company.

Original language: English
Title: Proceedings - 8th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2023
Publisher: Institute of Electrical and Electronics Engineers
Pages: 232-243
Number of pages: 12
ISBN (electronic): 9798350327205
DOIs:
Status: Published - 2023
Event: 8th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2023 - Delft, Netherlands
Duration: 3 Jul 2023 - 7 Jul 2023

Conference

Conference: 8th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2023
Country/Region: Netherlands
City: Delft
Period: 3/07/23 - 7/07/23

Bibliographical note

Publisher Copyright:
© 2023 IEEE.
