Phishing and Spam: A Pilot Experiment
36 Pages
Posted: 31 Oct 2017
Date Written: November 1, 2016
In an exploratory pilot study, 61 participants recruited during a university orientation week were exposed to social engineering directives in the form of fake email attacks that attempted to elicit personal information. Participants in a ‘Hunter’ condition were asked to remain vigilant and report any suspicious content to researchers in the ANU Cybercrime Observatory. Participants in the ‘Passive’ condition received no such instruction.
The first two attacks replicated mass generic phishing attempts, in which names, personal greetings, and personal information were absent. The first generic attack required participants to respond to the email with personal information, and the second attack provided a ‘compromised’ link for participants to click. The third attack simulated a spear phishing attempt. In this attempt, the fake emails were tailored with participants’ personal information obtained from social media in an attempt to entice participants to click links and enter personal details. The tailored emails impersonated trusted companies or contexts.
As hypothesised, participants were more susceptible to the specially targeted or spear phishing attacks than to generic phishing attacks. ‘Hunter’ participants were more susceptible to all attacks compared to ‘Passive’ participants. This finding was contrary to our second hypothesis that alert participants would be more circumspect than those not so primed. ‘Hunter’ participants, however, were under-prepared and limited by a single instruction a few months prior to the dispatch of fake emails.
Gender differences were also observed, with females more likely to be susceptible in all conditions.
The ease with which personal information was collected and potentially used against participants, combined with participants’ higher susceptibility to targeted attacks, makes spear phishing a continuing threat. Crime prevention awareness combined with basic knowledge about spear phishing methods can reduce the risk of deception.