The Peculiar Case of Tailored Phishing against SMEs: Detection and Collective DefenseMechanisms at a Small IT Company

Phishing attacks are increasingly more sophisticated, with attackers exploiting publicly available information on their targets to personalize their attacks. Although an increasing body of research has investigated the effectiveness of tailored phishing campaigns, researchers have primarily focused on large enterprises. Company size, composition, and resource availability (e.g., of security experts or a phishing response team handling incidents) play an important role in the studied dynamics. However, whether the same also applies to small and medium-sized enterprises (SMEs), which typically do not have those resources, is unclear. On the other hand, studying SME security is hard as they generally have no expertise in-house to run the required experiments. This work provides a first study filling this gap by investigating the effectiveness of tailored phishing campaigns against an SME IT company in Europe. To this end, we conducted a field experiment targeting 30 employees at an SME and, subsequently, interviewed nine employees to understand the cognitive processes underlying the detection and response of our phishing campaign as well as the group defense mechanisms at the SME. Our findings show that expectation mismatch was the primary method for detecting our phishing email and that the collective defense mechanism enabled a surprisingly prompt response and containment of the attack, possibly, due to the network dynamics of a small company.