A Toolkit for Security Awareness Training Against Targeted Phishing

  • Simone Pirocca
  • Luca Allodi
  • Nicola ZannoneEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12553)


The attack landscape is evolving, and attackers are employing new techniques to launch increasingly targeted and sophisticated social engineering attacks that exploit human vulnerabilities. Many organizations provide their employees with security awareness training to counter and mitigate such threats. However, recent studies have shown that current embedded phishing training programs and tools are often ineffective or incapable of addressing modern, tailored social engineering attacks. This paper presents a toolkit for the deployment of sophisticated, tailored phishing campaigns at scale (e.g., to deploy specific training within an organization). We enable the use of highly customizable phishing email templates that can be instantiated with a large range of information about the specific target and a semi-automated process for the selection of the phishing domain name. We demonstrate our tool by showing how tailored phishing campaigns proposed in previous studies can be enhanced to increase the credibility of the phishing email, effectively addressing the very limitations identified in those studies.

Supplementary material


  1. 1.
    dnstwist. Accessed 13 July 2020
  2. 2.
    Gophish - Open-Source Phishing Framework. Accessed 13 July 2020
  3. 3.
    nslookup(1) - Linux man page. Accessed 13 July 2020
  4. 4.
    Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Seven months’ worth of mistakes: a longitudinal study of typosquatting abuse. In: Network and Distributed System Security Symposium. Internet Society (2015)Google Scholar
  5. 5.
    Allodi, L., Chotza, T., Panina, E., Zannone, N.: The need for new anti-phishing measures against spear-phishing attacks. IEEE Secur. Priv. 18(2), 23–34 (2020)CrossRefGoogle Scholar
  6. 6.
    Bullee, J.-W.: Experimental social engineering: investigation and prevention. Ph.D. thesis, University of Twente (2017)Google Scholar
  7. 7.
    Burda, P., Allodi, L., Zannone, N.: Don’t forget the human: a crowdsourced approach to automate response and containment against spear phishing attacks. In: Proceedings of Workshop on Attackers and Cyber-Crime Operations. IEEE (2020)Google Scholar
  8. 8.
    Burda, P., Chotza, T., Allodi, L., Zannone, N.: Testing the effectiveness of tailored phishing techniques in industry and academia: a field experiment. In: International Conference on Availability, Reliability and Security. ACM (2020)Google Scholar
  9. 9.
    Burns, A., Johnson, M., Caputo, D.: Spear phishing in a barrel: insights from a targeted phishing campaign. J. Organ. Comput. Electron. Commer. 29, 24–39 (2019)CrossRefGoogle Scholar
  10. 10.
    Hadnagy, C.: Social Engineering: The Science of Human Hacking. Wiley, Hoboken (2018)CrossRefGoogle Scholar
  11. 11.
    Hu, H., Wang, G.: End-to-end measurements of email spoofing attacks. In: USENIX Security Symposium, pp. 1095–1112. USENIX Association (2018)Google Scholar
  12. 12.
    Jagatic, T.N., Johnson, N.A., Jakobsson, M., Menczer, F.: Social phishing. Commun. ACM 50(10), 94–100 (2007)CrossRefGoogle Scholar
  13. 13.
    Jensen, M., Dinger, M., Wright, R., Thatcher, J.: Training to mitigate phishing attacks using mindfulness techniques. J. Manage. Inf. Syst. 34(2), 597–626 (2017)CrossRefGoogle Scholar
  14. 14.
    Karumbaiah, S., Wright, R.T., Durcikova, A., Jensen, M.L.: Phishing training: a preliminary look at the effects of different types of training. In: Proceedings of the 11th Pre-ICIS Workshop on Information Security and Privacy, pp. 1–10 (2016)Google Scholar
  15. 15.
    Kucherawy, M., Zwicky, E.: Domain-based Message Authentication, Reporting, and Conformance (DMARC). RFC 7489, IETF (2015)Google Scholar
  16. 16.
    Le Blond, S., Uritesc, A., Gilbert, C., Chua, Z.L., Saxena, P., Kirda, E.: A look at targeted attacks through the lense of an \(\{\)NGO\(\}\). In: 23rd \(\{\)USENIX\(\}\) Security Symposium, \(\{\)USENIX\(\}\) Security 14, pp. 543–558 (2014)Google Scholar
  17. 17.
    National Institute of Standards and Technology. Framework for improving critical infrastructure cybersecurity. Technical report (2018)Google Scholar
  18. 18.
    Oliveira, D., et al.: Dissecting spear phishing emails for older vs young adults: on the interplay of weapons of influence and life domains in predicting susceptibility to phishing. In: Conference on Human Factors in Computing Systems, pp. 6412–6424. ACM (2017)Google Scholar
  19. 19.
    Szurdi, J., Kocso, B., Cseh, G., Spring, J., Felegyhazi, M., Kanich, C.: The long “taile” of typosquatting domain names. In: USENIX Security Symposium, pp. 191–206. USENIX Association (2014)Google Scholar
  20. 20.
    Tsow, A., Jakobsson, M.: Deceit and Deception: A Large User Study of Phishing. Technical report TR649, Indiana University (2007)Google Scholar
  21. 21.
    Wash, R., Cooper, M.M.: Who provides phishing training? Facts, stories, and people like me. In: Conference on Human Factors in Computing Systems, pp. 1–12. ACM (2018)Google Scholar
  22. 22.
    Wash, R., Rader, E.: Influencing mental models of security: a research agenda. In: Proceedings of New Security Paradigms Workshop, pp. 57–66 (2011)Google Scholar
  23. 23.
    Wright, R.T., Jensen, M.L., Thatcher, J.B., Dinger, M., Marett, K.: Research note-influence techniques in phishing attacks: an examination of vulnerability and resistance. Inf. Syst. Res. 25(2), 385–400 (2014)CrossRefGoogle Scholar
  24. 24.
    Wright, R.T., Marett, K.: The influence of experiential and dispositional factors in phishing: an empirical investigation of the deceived. J. Manage. Inf. Syst. 27(1), 273–303 (2010)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.University of TrentoTrentoItaly
  2. 2.Eindhoven University of TechnologyEindhovenThe Netherlands

Personalised recommendations