Social engineering and organisational dependencies in phishing attacks

Ronnie Taib; Kun Yu; Shlomo Berkovsky; Piers Bayl-Smith; Mark Wiggins

doi:10.1007/978-3-030-29381-9_35

Social engineering and organisational dependencies in phishing attacks

Ronnie Taib, Kun Yu, Shlomo Berkovsky, Piers Bayl-Smith, Mark Wiggins

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

24 Citations (Scopus)

Abstract

Phishing emails are a widespread cybersecurity attack method. Their breadth and depth have been on the rise as they target individuals and organisations with increased sophistication. In particular, social engineering in phishing focuses on human vulnerabilities by exploiting established psychological and behavioural cues to increase the credibility of phishing emails. This work presents the results of a 56,000-participant phishing attack simulation carried out within a multi-national financial organisation. The overarching hypothesis was that strong cultural and contextual factors impact employee vulnerability. Thus, five phishing emails were crafted, based on three of Cialdini’s persuasion principles used in isolation and in combination. Our results showed that Social proof was the most effective attack vector, followed by Authority and Scarcity. Furthermore, we examined these results in the light of a set of demographic and organisational features. Finally, both click-through rates and reporting rates were examined, to provide rich insights to developers of cybersecurity educational solutions.

Original language	English
Title of host publication	Human-Computer Interaction – INTERACT 2019
Subtitle of host publication	17th IFIP TC 13 International Conference, Proceedings, Part I
Editors	David Lamas, Fernando Loizides, Lennart Nacke, Helen Petrie, Marco Winckler, Panayiotis Zaphiris
Place of Publication	Switzerland
Publisher	Springer, Springer Nature
Pages	564-584
Number of pages	21
ISBN (Electronic)	9783030293819
ISBN (Print)	9783030293802
DOIs	https://doi.org/10.1007/978-3-030-29381-9_35
Publication status	Published - 2019
Event	17th IFIP TC.13 International Conference on Human-Computer Interaction – INTERACT 2019 - Paphos, Cyprus Duration: 2 Sept 2019 → 6 Sept 2019 http://interact2019.org/

Publication series

Name	Lecture Notes in Computer Science
Number	11746
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	17th IFIP TC.13 International Conference on Human-Computer Interaction – INTERACT 2019
Abbreviated title	INTERACT 2019
Country/Territory	Cyprus
City	Paphos
Period	2/09/19 → 6/09/19
Internet address	http://interact2019.org/

Keywords

cybersecurity
phishing
social engineering
simulation
behavioral study

Access to Document

10.1007/978-3-030-29381-9_35

Cite this

Taib, R., Yu, K., Berkovsky, S., Bayl-Smith, P., & Wiggins, M. (2019). Social engineering and organisational dependencies in phishing attacks. In D. Lamas, F. Loizides, L. Nacke, H. Petrie, M. Winckler, & P. Zaphiris (Eds.), Human-Computer Interaction – INTERACT 2019: 17th IFIP TC 13 International Conference, Proceedings, Part I (pp. 564-584). (Lecture Notes in Computer Science; No. 11746). Springer, Springer Nature. https://doi.org/10.1007/978-3-030-29381-9_35

Taib, Ronnie ; Yu, Kun ; Berkovsky, Shlomo et al. / Social engineering and organisational dependencies in phishing attacks. Human-Computer Interaction – INTERACT 2019: 17th IFIP TC 13 International Conference, Proceedings, Part I. editor / David Lamas ; Fernando Loizides ; Lennart Nacke ; Helen Petrie ; Marco Winckler ; Panayiotis Zaphiris. Switzerland : Springer, Springer Nature, 2019. pp. 564-584 (Lecture Notes in Computer Science; 11746).

@inproceedings{f07059a77ed54e9fab28f85a287018a4,

title = "Social engineering and organisational dependencies in phishing attacks",

abstract = "Phishing emails are a widespread cybersecurity attack method. Their breadth and depth have been on the rise as they target individuals and organisations with increased sophistication. In particular, social engineering in phishing focuses on human vulnerabilities by exploiting established psychological and behavioural cues to increase the credibility of phishing emails. This work presents the results of a 56,000-participant phishing attack simulation carried out within a multi-national financial organisation. The overarching hypothesis was that strong cultural and contextual factors impact employee vulnerability. Thus, five phishing emails were crafted, based on three of Cialdini{\textquoteright}s persuasion principles used in isolation and in combination. Our results showed that Social proof was the most effective attack vector, followed by Authority and Scarcity. Furthermore, we examined these results in the light of a set of demographic and organisational features. Finally, both click-through rates and reporting rates were examined, to provide rich insights to developers of cybersecurity educational solutions.",

keywords = "cybersecurity, phishing, social engineering, simulation, behavioral study",

author = "Ronnie Taib and Kun Yu and Shlomo Berkovsky and Piers Bayl-Smith and Mark Wiggins",

year = "2019",

doi = "10.1007/978-3-030-29381-9_35",

language = "English",

isbn = "9783030293802",

series = "Lecture Notes in Computer Science",

publisher = "Springer, Springer Nature",

number = "11746",

pages = "564--584",

editor = "David Lamas and Fernando Loizides and Lennart Nacke and Helen Petrie and Marco Winckler and Panayiotis Zaphiris",

booktitle = "Human-Computer Interaction – INTERACT 2019",

address = "United States",

note = "17th IFIP TC.13 International Conference on Human-Computer Interaction – INTERACT 2019, INTERACT 2019 ; Conference date: 02-09-2019 Through 06-09-2019",

url = "http://interact2019.org/",

}

Taib, R, Yu, K, Berkovsky, S, Bayl-Smith, P & Wiggins, M 2019, Social engineering and organisational dependencies in phishing attacks. in D Lamas, F Loizides, L Nacke, H Petrie, M Winckler & P Zaphiris (eds), Human-Computer Interaction – INTERACT 2019: 17th IFIP TC 13 International Conference, Proceedings, Part I. Lecture Notes in Computer Science, no. 11746, Springer, Springer Nature, Switzerland, pp. 564-584, 17th IFIP TC.13 International Conference on Human-Computer Interaction – INTERACT 2019, Paphos, Cyprus, 2/09/19. https://doi.org/10.1007/978-3-030-29381-9_35

Social engineering and organisational dependencies in phishing attacks. / Taib, Ronnie; Yu, Kun; Berkovsky, Shlomo et al.
Human-Computer Interaction – INTERACT 2019: 17th IFIP TC 13 International Conference, Proceedings, Part I. ed. / David Lamas; Fernando Loizides; Lennart Nacke; Helen Petrie; Marco Winckler; Panayiotis Zaphiris. Switzerland: Springer, Springer Nature, 2019. p. 564-584 (Lecture Notes in Computer Science; No. 11746).

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - Social engineering and organisational dependencies in phishing attacks

AU - Taib, Ronnie

AU - Yu, Kun

AU - Berkovsky, Shlomo

AU - Bayl-Smith, Piers

AU - Wiggins, Mark

PY - 2019

Y1 - 2019

N2 - Phishing emails are a widespread cybersecurity attack method. Their breadth and depth have been on the rise as they target individuals and organisations with increased sophistication. In particular, social engineering in phishing focuses on human vulnerabilities by exploiting established psychological and behavioural cues to increase the credibility of phishing emails. This work presents the results of a 56,000-participant phishing attack simulation carried out within a multi-national financial organisation. The overarching hypothesis was that strong cultural and contextual factors impact employee vulnerability. Thus, five phishing emails were crafted, based on three of Cialdini’s persuasion principles used in isolation and in combination. Our results showed that Social proof was the most effective attack vector, followed by Authority and Scarcity. Furthermore, we examined these results in the light of a set of demographic and organisational features. Finally, both click-through rates and reporting rates were examined, to provide rich insights to developers of cybersecurity educational solutions.

AB - Phishing emails are a widespread cybersecurity attack method. Their breadth and depth have been on the rise as they target individuals and organisations with increased sophistication. In particular, social engineering in phishing focuses on human vulnerabilities by exploiting established psychological and behavioural cues to increase the credibility of phishing emails. This work presents the results of a 56,000-participant phishing attack simulation carried out within a multi-national financial organisation. The overarching hypothesis was that strong cultural and contextual factors impact employee vulnerability. Thus, five phishing emails were crafted, based on three of Cialdini’s persuasion principles used in isolation and in combination. Our results showed that Social proof was the most effective attack vector, followed by Authority and Scarcity. Furthermore, we examined these results in the light of a set of demographic and organisational features. Finally, both click-through rates and reporting rates were examined, to provide rich insights to developers of cybersecurity educational solutions.

KW - cybersecurity

KW - phishing

KW - social engineering

KW - simulation

KW - behavioral study

UR - http://www.scopus.com/inward/record.url?scp=85072862692&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-29381-9_35

DO - 10.1007/978-3-030-29381-9_35

M3 - Conference proceeding contribution

SN - 9783030293802

T3 - Lecture Notes in Computer Science

SP - 564

EP - 584

BT - Human-Computer Interaction – INTERACT 2019

A2 - Lamas, David

A2 - Loizides, Fernando

A2 - Nacke, Lennart

A2 - Petrie, Helen

A2 - Winckler, Marco

A2 - Zaphiris, Panayiotis

PB - Springer, Springer Nature

CY - Switzerland

T2 - 17th IFIP TC.13 International Conference on Human-Computer Interaction – INTERACT 2019

Y2 - 2 September 2019 through 6 September 2019

ER -

Taib R, Yu K, Berkovsky S, Bayl-Smith P, Wiggins M. Social engineering and organisational dependencies in phishing attacks. In Lamas D, Loizides F, Nacke L, Petrie H, Winckler M, Zaphiris P, editors, Human-Computer Interaction – INTERACT 2019: 17th IFIP TC 13 International Conference, Proceedings, Part I. Switzerland: Springer, Springer Nature. 2019. p. 564-584. (Lecture Notes in Computer Science; 11746). doi: 10.1007/978-3-030-29381-9_35

Social engineering and organisational dependencies in phishing attacks

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this