‘Spear phishers’ proving hard to neutralize

Playing “gotcha” games is an ineffective way for organizations to combat their employees’ vulnerability to so-called “spear phishing” emails, according to a new study.

Spear phishing emails incorporate personal elements tailored to specific individuals in attempts to get victims to volunteer personal financial information or click on a link and download malicious software. A Cisco study showed that spear phishing email can generate $150,000 in profits per million emails.

One strategy that some organizations use to combat spear phishing emails is to send their own spear phishing emails to employees, and then counsel employees who fall victim to the ruse with information so they don’t repeat the mistake.

“We hypothesized that if users are provided with training immediately following an error in judgment, they will be less likely to make the same error when presented again with a similar judgment,” write the authors of the study, which is published in the January/February issue of IEEE Security & Privacy. They found that approach was flawed.

Johnson (Vanderbilt)

The researchers sent three waves of phishing messages to workers at a Washington, D.C.-based, medium-sized organization. Those who clicked on the links were sent to a web page with different information about how to avoid being fooled again by phishing messages (with a control group receiving no information). But the researchers found that many employees left the web page before they could possibly read the information.

“In reports to the information security office and help desk, participants expressed concern that the training webpage might have been part of the spear phishing attempt; consequently, many participants closed the training page without reading any text on the page,” reads the article.

“All links want to be clicked,” said , dean of Vanderbilt’s Owen Graduate School of Management and one of the authors of the study. The co-writers are Deanna D. Caputo and Jesse D. Freeman, both of the MITRE Corporation; and Shari Lawrence Pfleeger of Dartmouth College.

Once employees vulnerable to spear phishing are identified, it may be prudent to give them repeated and different exposure to anti-spear phishing training.

“Making embedded training effective in a corporate setting is more difficult than earlier studies suggest,” Johnson and his co-authors write. “Our results indicate that immediate feedback … doesn’t suffice to reduce click rates or increase reporting if it is never read.”