Social engineering: assessing vulnerabilities in practice

Bakhshi, Taimur; Papadaki, Maria; Furnell, Steven

doi:10.1108/09685220910944768

Cited by 23 publications

(22 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One reason for this lack of behavioural studies is that it is challenging to convince organizational managers to participate in studies in which their employees' actual behaviour is being measured. In the experiment conducted by Bakhshi et al (2009), a phishing mail was sent out to organizational employees as a mean to provide empirical evidence of how many employees succumb to social engineering. The experiment was ceased after approximately 3.5 h. During that period of time, 23 percent of recipients were fooled by the attack.…”

Section: Introductionmentioning

confidence: 99%

Using phishing experiments and scenario-based surveys to understand security behaviours in practice

Flores

Holm

Svensson

et al. 2014

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Threats from social engineering can cause organisations severe damage if they are not considered and managed. In order to understand how to manage those threats, it is important to examine reasons why organisational employees fall victim to social engineering. In this paper, the objective is to understand security behaviours in practice by investigating factors that may cause an individual to comply with a request posed by a perpetrator. In order to attain this objective, we collect data through a scenario-based survey and conduct phishing experiments in three organisations. The results from the experiment reveal that the degree of target information in an attack increases the likelihood that an organisational employee fall victim to an actual attack. Further, an individual's trust and risk behaviour significantly affects the actual behaviour during the phishing experiment. Computer experience at work, helpfulness and gender (females tend to be less susceptible to a generic attack than men), has a significant correlation with behaviour reported by respondents in the scenario-based survey. No correlation between the performance in the scenario-based survey and experiment was found. We argue that the result does not imply that one or the other method should be ruled out as they have both advantages and disadvantages which should be considered in the context of collecting data in the critical domain of information security. Discussions of the findings, implications and recommendations for future research are further provided.

show abstract

Section: Introductionmentioning

confidence: 99%

Using phishing experiments and scenario-based surveys to understand security behaviours in practice

Flores

Holm

Svensson

et al. 2014

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

show abstract

“…As suggested by Bakhshi et al (2009), many users lack a baseline level of security awareness that is useful to protect them online. Naive users, who are not well-versed…”

Section: Discussionmentioning

confidence: 99%

Examining the effectiveness of phishing filters against DNS based phishing attacks

Purkait¹

2015

Information &Amp; Computer Security

View full text Add to dashboard Cite

Purpose -This paper aims to report on research that tests the effectiveness of anti-phishing tools in detecting phishing attacks by conducting some real-time experiments using freshly hosted phishing sites. Almost all modern-day Web browsers and antivirus programs provide security indicators to mitigate the widespread problem of phishing on the Internet. Design/methodology/approach -The current work examines and evaluates the effectiveness of five popular Web browsers, two third-party phishing toolbar add-ons and seven popular antivirus programs in terms of their capability to detect locally hosted spoofed websites. The same tools have also been tested against fresh phishing sites hosted on Internet. Findings -The experiments yielded alarming results. Although the success rate against live phishing sites was encouraging, only 3 of the 14 tools tested could successfully detect a single spoofed website hosted locally. Originality/value -This work proposes the inclusion of domain name system server authentication and verification of name servers for a visiting website for all future anti-phishing toolbars. It also proposes that a Web browser should maintain a white list of websites that engage in online monetary transactions so that when a user requires to access any of these, the default protocol should always be HTTPS (Hypertext Transfer Protocol Secure), without which a Web browser should prevent the page from loading.

show abstract

“…In a study conducted by [9] a phishing mail was sent out to organizational employees asking them to follow a link to an external web site and install a claimed software update. The experiment showed that 23 % of recipients were fooled by the attack.…”

Section: Literature Reviewmentioning

confidence: 99%

“…In fact, through a literature review we only found one study [6] that have examined if adding target-related information significantly increases the success of phishing. Furthermore, only [9] [10] have been conducted within an professional organization with employees that are not aware that they are participating in an security experiment in which their actual behavior is being observed. One explanation for this is that obtaining data of employees' actual behavior is a challenging endeavor [11].…”

mentioning

confidence: 99%

An Empirical Investigation of the Effect of Target-Related Information in Phishing Attacks

Holm

Flores

Nohlberg

et al. 2014

2014 IEEE 18th International Enterprise Distributed Object Computing Conference Workshops and Demonstrations

View full text Add to dashboard Cite

Analyzing the role of target-related information in a security attack is an understudied topic in the behavioral information security research field. This paper presents an empirical investigation of the effect of adding information about the target in phishing attacks. Data was collected by conducting two phishing experiments using a sample of 158 employees at five S wedish organizations. The first experiment included a traditional mass-email attack with no target-related information, and the second experiment was a targeted phishing attack in which we included specific information related to the targeted employees' organization. The results showed that the number of organizational employees falling victim to phishing significantly increased when target-related information was added in the attack. During the first experiment 5.1 % clicked on the malicious link compared to 27.2 % of the second phishing attack, and 8.9 % of those executed the binary compared to 3.2 % of the traditional phishing attack. Adding target-related information is an effective way for attackers to significantly increase the effectiveness of their phishing attacks. This is the first study that has showed this significant effect using organizational employees as a sample. The implications of the results are further discussed.

show abstract

Social engineering: assessing vulnerabilities in practice

Cited by 23 publications

References 4 publications

Using phishing experiments and scenario-based surveys to understand security behaviours in practice

Using phishing experiments and scenario-based surveys to understand security behaviours in practice

Examining the effectiveness of phishing filters against DNS based phishing attacks

An Empirical Investigation of the Effect of Target-Related Information in Phishing Attacks

Contact Info

Product

Resources

About