Testing the effectiveness of tailored phishing techniques in industry and academia: a field experiment

Pavlo Burda, Tzouliano Chotza, Luca Allodi, Nicola Zannone
Proceedings of the 15th International Conference on Availability, Reliability and Security. Published 2020-08-25. DOI: 10.1145/3407023.3409178 (https://doi.org/10.1145/3407023.3409178)
Citations: 12

Abstract

Organizations are experiencing more and more sophisticated attacks specifically targeting their employees and customers. These attacks exploit tailored information on the victim or organization to increase their credibility. To date, no study has evaluated the role of 'traditional' phishing cognitive effects in these advanced settings. In this paper, we run a field experiment targeting 747 subjects employed in two organizations (a university and a large international consultancy company) to evaluate the interaction between phishing persuasion techniques and the success rate in a highly-tailored setting. For this purpose, we exploit well-established user notification methods to devise enhanced attack delivery techniques, and evaluate how such techniques affect the success rate of our phishing campaigns. We find that the effect of 'traditional' attack techniques is widely mitigated in highly-tailored phishing settings, suggesting that current user training and detection techniques may be off-target for more sophisticated attacks. However, we find that the means by which the attack is delivered to the victim matter, and can greatly (up to three times) boost the effect of the base attack.