Recognizing and Defending Against Phishing Attacks in Large Organizations

This is a Master's thesis from KTH/School of Electrical Engineering and Computer Science (EECS)

Abstract: As technology keeps integrating further into our personal and professional lives, digital security is a growing concern for our individual and public safety. Email phishing is the most common attack vector, often utilized by malicious actors to trick victims into taking irresponsible actions that benefit the attackers. Phishing attacks targeting large organizations have demonstrated the ability to incur costs that reach great magnitudes. Justifiably, many organizations invest in defense solutions against such attacks. This research investigates the different attack and defense strategies that can affect the success rates for phishing attacks. A retrospective data analysis is performed on the interaction data of employees with simulated training campaigns at an organization running a security training program for the last three years, and survey and interview studies with the employees are conducted. The results show that personal qualities, such as attachment to the organization and technological ability, have an effect on the employees’ susceptibility to phishing attacks. Attack strategies which exploit human emotions, such as fear through the use of authority and curiosity through the use of current events, are effective at inducing higher interaction rates. Educational training programs are deemed successful at reducing the employees’ susceptibility to phishing attacks. However, such programs should be implemented carefully to avoid resource waste and produce the sought-after results. We determine that a holistic defense strategy should combine multiple security layers, by utilizing technical solutions such as email filters to reduce the number of attempts that are viewed by the employees, with well-designed educational solutions, such as the training programs, to reduce the number of interactions with phishing emails, and reporting features to mitigate the potential losses incurred from successful attacks.
