Abstract
In an attempt to stop phishing attacks, an increasing number of organisations run Simulated Phishing Campaigns to train their staff not to click on suspicious links. Organisations can buy toolkits to craft and run their own campaigns, or hire a specialist company to provide such campaigns as a service. To what extent this activity reduces the vulnerability of an organisation to such attacks is debated in both the research and practitioner communities, but an increasing number of organisations do it because it seems common practice, and are convinced by vendors’ claims about the reduction in clickrates that can be achieved. But most are not aware that effective security is not just about reducing clickrates for simulated phishing messages, that there are many different ways of running such campaigns, and that there are security, legal, and trust issues associated with those choices. The goal of this paper is to equip organisational decision makers with tools for making those decisions. A closer examination of costs and benefits of the choice reveals that it may be possible to run a legally compliant campaign, but that it is costly and time-consuming. Additionally, the impact of Simulated Phishing Campaigns on employees’ self-efficacy and trust in the organisation may negatively affect other organisational goals. We conclude that for many organisations, a joined-up approach of (1) improving technical security measures, (2) introducing and establishing adequate security incident reporting, and (3) increasing staff awareness through other means may deliver better protection at lower cost.
Notes
- 1.
Some phishing messages are also referred to as spam. Spam includes any kind of unsolicited message, so phishing messages are a sub-set of spam messages - and indeed many staff do not distinguish between the two and use the term “spam messages” instead of phishing.
- 2.
Note that, on the other hand, not all messages with incorrect spelling and grammatical errors are phishing messages - with increasing digitalisation and widespread use of social networking, and increasing awareness of conditions such as dyslexia, much non-malicious written communication contains such errors; when attackers impersonate some senders, it can even be interpreted as a sign of authenticity.
- 3.
It is important to check the sender’s e-mail address and not just rely on the sender’s name, because the latter is very easy to alter.
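As an added example, not taken from the paper, the check described in this note in Python: the standard library's parseaddr separates the display name (which a sender chooses freely) from the address itself, and a small test flags the case where the display name is made to look like an address on a different domain. The sample headers and the example.* domains are constructed for illustration.

```python
"""Added example (not from the paper): split a From header into its display
name and real address, since only the latter identifies the sender."""
import re
from email.utils import parseaddr

# Constructed sample From header values (not real messages).
SAMPLE_HEADERS = [
    'Alice Example <alice@example.com>',             # ordinary, consistent
    '"alice@example.com" <attacker@example.net>',    # display name mimics an address
    'IT Helpdesk <helpdesk@example.org>',            # plain display name
    'bob@example.com',                               # bare address, no display name
]

# Matches an address-like token and captures its domain part.
DOMAIN_RE = re.compile(r'[\w.+-]+@([\w.-]+\.\w+)')


def sender_parts(header):
    """Return (display_name, address, domain) for a From header value.

    parseaddr handles quoting and angle brackets; the domain is taken only
    from the real address, never from the display name.
    """
    name, addr = parseaddr(header)
    domain = addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''
    return name, addr, domain


def display_name_mismatch(header):
    """True when the display name itself looks like an e-mail address whose
    domain differs from the domain of the real address (a look-alike trick
    that relying on the display name alone would miss)."""
    name, _addr, domain = sender_parts(header)
    match = DOMAIN_RE.search(name)
    if not match:
        return False
    return match.group(1).lower() != domain


def is_from_domain(header, expected_domains):
    """True when the real address domain is one of the expected domains,
    regardless of what the display name claims."""
    _name, _addr, domain = sender_parts(header)
    return domain in {d.lower() for d in expected_domains}


def summarise(headers):
    """Return one (address, domain, mismatch_flag) tuple per header."""
    return [(sender_parts(h)[1], sender_parts(h)[2], display_name_mismatch(h))
            for h in headers]


if __name__ == '__main__':
    for addr, domain, flag in summarise(SAMPLE_HEADERS):
        print(f'{addr:30} domain={domain:15} display-name mismatch={flag}')
```

The point of the split is that any value can be put in the display name, while the address after the `@` is what the receiving system actually used; a mail client that shows only the display name hides exactly the part worth checking.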
- 4.
Stajano, Wilson: Understanding Scam Victims: Seven principles for system security. Communications of the ACM 2011, 54(3):70–75.
- 5.
Again, the same tactics are used by senders of legitimate messages.
- 6.
Kumaraguru, Sheng, Acquisti, Cranor, Hong: Teaching Johnny not to fall for phish, ACM Transactions on Internet Technology 2010, 10 (2):1–31.
- 7.
Burns, Johnson, Caputo: Spear phishing in a barrel: Insights from a targeted phishing campaign. Journal of Organizational Computing and Electronic Commerce 29(1):24–39.
- 8.
Benenson, Gassmann, Landwirth: Unpacking Spear Phishing Susceptibility. Financial Cryptography Workshops 2017: 610–627.
- 9.
Wholesale general whitelisting means that phishers can take the same approach and can be sure that their phishing messages reach the recipient.
- 10.
This can still be used by phishers if this information is leaked.
- 11.
After the security audit, whitelisting is not helpful, because with an adequate security level confirmed by the security audit, most of the phishing campaign messages would be blocked and thus would present no risk to the organisation and its staff. This, again, has a negative effect on how well the collected data reflects the organisation’s actual vulnerability.
- 12.
If an external email service provider is used, this change may not be possible at all.
- 13.
Burns, Johnson, Caputo: Spear phishing in a barrel: Insights from a targeted phishing campaign. Journal of Organizational Computing and Electronic Commerce 29(1):24–39.
- 14.
- 15.
The latter quickly becomes another security problem, because such sensitive data must not be transferred.
- 16.
This is particularly true in the case of Objective 3, and any other evaluation would also have limitations. Here, it may make sense to use different study forms for the evaluation.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Volkamer, M., Sasse, M.A., Boehm, F. (2020). Analysing Simulated Phishing Campaigns for Staff. In: Boureanu, I., et al. Computer Security. ESORICS 2020. Lecture Notes in Computer Science(), vol 12580. Springer, Cham. https://doi.org/10.1007/978-3-030-66504-3_19
DOI: https://doi.org/10.1007/978-3-030-66504-3_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-66503-6
Online ISBN: 978-3-030-66504-3
eBook Packages: Computer Science, Computer Science (R0)