fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Large-scale Phishing Study Shows Who Bites the Bait More Often

Large-scale Phishing Study Shows Who Bites the Bait More Often

A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices.

The study was conducted by researchers at ETH Zurich in collaboration with an unnamed company that did not inform the participants about the simulated phishing program.

To conduct the test, the researchers sent fake phishing emails to participants’ regular work email and deployed an email client button that allowed them to report suspicious emails easily.

Also Read: How To Delete Security Camera Footage: 5 Different Ways

Experiment overview
Experiment overview
Source: Arxiv.org

The four goals of the study were to determine:

  1. Which employees fall for phishing
  2. How vulnerability evolves over time
  3. How effective embedded training and warnings are
  4. Whether employees can do anything to help in phishing detection.

Gender is irrelevant

The demographics were diverse and allowed the researchers to look into an element presented as a crucial susceptibility determining factor.

One finding that contradicts existing studies is that gender does not correlate with phishing susceptibility.

Instead, the study found that younger and older people are more prone to clicking on phishing links, so age is a key factor.

Moreover, those who use specialized software for repetitive tasks are more likely to fall for phishing traps compared to those who do not need computers for their day-to-day jobs.

Study participant demographics
Study participant demographics
Source: Arxiv.org

Repeated clickers

The so-called “repeated clickers” highlighted in previous research also appear here with 30.62% of those who opened a simulated phishing email, clicked on additional emails. Furthermore, 23.91% of those performing a dangerous action (enabling macros, submitting credentials), did it more than once.

Also Read: Top 10 Reliable IT Companies in Singapore

An interesting finding in the ETH study is that employees who are continuously exposed to phishing eventually fall for it, as 32.1% of the study participants clicked on at least one dangerous link or attachment.

This finding underlines the importance of having effective email security and anti-phishing filters in place, as constant exposure leads to numbness and risky actions even by resilient employees.

Training is overrated

Warnings on suspicious emails were found to be effective, but this effectiveness didn’t grow as the warning messages got more detailed, which is a new finding.

Effect of warnings and their verbosity in phishing response
Effect of warnings verbosity in phishing response
Source: Arxiv.org

One finding that goes against commonly used security practices is that the researchers found that voluntary embedded training in simulated phishing exercises is ineffective.

“Interestingly, contradicting prior research results and a common industry practice, we found that the combination of simulated phishing exercises and voluntary embedded training (i.e., employees were not required to complete the training) not only failed to improve employee’s phishing resilience, but it actually even the made employees more susceptible to phishing” explains the research paper.

Crowd-sourcing is feasible

Employees in the tested company were given a ‘Report Phishing’ button on their email client to report suspicious messages.

The study found that 90% of the employees reported six or fewer suspicious emails, but some remained very active throughout the experiment.

As such, the researchers conclude that there is no “reporting fatigue,” suggesting that crowd-sourcing anti-phishing data is feasible.

Cumulative email reports over time
Cumulative email reports over time
Source: Arxiv.org

In terms of the effectiveness of such as system, the analysts looked into reaction time and flagging accuracy.

The user reports were accurate in 68% for phishing and 79% if spam is accounted for as well, while the most prolific reporters reached an accuracy of over 80%.

The time for these reports to be submitted after reception is 5 minutes for 10% of the total volume and half an hour for 35% of the total number of reports.

Time taken to report suspicious emails
Time taken to report suspicious emails
Source: Arxiv.org

“To apply these numbers to a hypothetical company of 1,000 employees where 100 of them are targeted by a phishing campaign, we would have between 8 and 25 reports of the email by employees—of which one within 5 minutes with high probability, and a larger number within 30 minutes,” details the paper.

These findings show that utilizing a corporate-wide crowd-sourced phishing detection service could significantly reduce the threat of phishing attacks.

It is also important to note that such a system wouldn’t produce a sizable operational workload as a result, so a corporation implementing crowd sourced phishing protection wouldn’t incur much additional burden.

Of course, phishing is a complicated topic involving many crucial factors beyond the scope of studies like this one, so these findings cannot be considered concrete evidence of good or bad practices or universally applicable rules.

However, considering the central role that phishing continues to play in the entire spectrum of modern cyber-attacks, one owes to build upon these findings by experimenting further to develop more effective anti-phishing measures.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us