Phishing and Spam: A Pilot Experiment

36 Pages Posted: 31 Oct 2017


Roderic Broadhurst

Australian National University (ANU); ANU Cybercrime Observatory

Katie Skinner

Australian National University (ANU) - Cybercrime Observatory; Australian National University (ANU), Students

Nick Sifniotis

(ANU) - Cybercrime Observatory; Australian National University (ANU), Students

Stephanie Orlando

(ANU) - Cybercrime Observatory; Australian National University (ANU), Students

Donald Maxim

(ANU) - Cybercrime Observatory; Australian National University (ANU), Students; Australian National University (ANU) - Cybercrime Observatory

Grigori Ougrinovski

Independent

Date Written: November 1, 2016

Abstract

In an exploratory pilot study, 61 participants recruited during a university orientation week were exposed to social engineering directives in the form of fake email attacks that attempted to elicit personal information. Participants in a ‘Hunter’ condition were asked to remain vigilant and report any suspicious content to researchers in the ANU Cybercrime Observatory. Participants in the ‘Passive’ condition received no such instruction.

The first two attacks replicated mass generic phishing attempts in which names, personal greetings, and personal information were absent. The first generic attack required participants to respond to the email with personal information, and the second attack provided a ‘compromised’ link for participants to click. The third attack simulated a spear phishing attempt. In this attempt, the fake emails were tailored with participants’ personal information obtained from social media in an attempt to entice participants to click links and enter personal details. The tailored emails impersonated trusted companies or contexts.

As hypothesised, participants were more susceptible to the specially targeted or spear phishing attacks than to generic phishing attacks. ‘Hunter’ participants were more susceptible to all attacks compared to ‘Passive’ participants. This finding was contrary to our second hypothesis that alert participants would be more circumspect than those not so primed. ‘Hunter’ participants, however, were under-prepared and limited by a single instruction a few months prior to the dispatch of fake emails.

Gender differences were also observed, with females more likely to be susceptible in all conditions.

The ease with which personal information was collected and potentially used against participants, combined with participants’ higher susceptibility to targeted attacks, makes spear phishing a continuing threat. Crime prevention awareness combined with basic knowledge about spear phishing methods can reduce the risk of deception.

Keywords: Phishing

Suggested Citation

Broadhurst, Roderic and Skinner, Katie and Sifniotis, Nick and Orlando, Stephanie and Maxim, Donald and Ougrinovski, Grigori, Phishing and Spam: A Pilot Experiment (November 1, 2016). Available at SSRN: https://ssrn.com/abstract=3062331 or http://dx.doi.org/10.2139/ssrn.3062331

Roderic Broadhurst (Contact Author)

