Fake e-mails are the most common way for cybercriminals to obtain sensitive data or to smuggle in malware. Some companies run phishing campaigns to test and improve their employees' resistance to such attacks: employees receive simulated phishing e-mails and their reactions are recorded. A report by researchers at the Karlsruhe Institute of Technology (KIT) and the Ruhr-University Bochum (RUB) examines such campaigns from the perspectives of security, law and the human factor.
One click can cause a lot of damage
Fake e-mails often appear credible: their senders pretend to be known service providers, colleagues or superiors. Their aim is to entice unsuspecting recipients to click on a link in order to steal account data and passwords or to install malware. It only takes one employee falling for a phishing attack to cause great damage. To test how their employees react to phishing e-mails, some companies and institutions commission phishing campaigns from external service providers. With the knowledge of company management, simulated phishing mails are sent to the employees.
"The campaigns aim to deceive employees deliberately in order to protect them from real dangers and to create an awareness of the problem, but there is often uncertainty about what is legally, security-wise and ethically justifiable," say the scientists. These three aspects are examined by the two professors Dr. Melanie Volkamer, head of the SECUSO (Security, Usability and Society) research group at KIT, and Dr. Franziska Boehm from the Center for Applied Law of KIT, together with the Bochum professor for Human-Centred Security at the Horst Görtz Institute for IT Security, Dr. Martina Angela Sasse. Their research report, which is freely accessible online, describes the different forms and objectives of phishing campaigns and the related questions in the context of IT and information security, of employee and data protection, and of trust culture and employee self-efficacy. It focuses on the value and the weaknesses of such campaigns and is aimed, among others, at IT and information security officers.
Disadvantages of campaigns
"Phishing campaigns entail a number of security problems, and they strongly influence the trust and error culture in a company; there are also legal issues to be considered," says Boehm, who, in addition to her professorship at KIT, is also head of the Department of Intellectual Property Rights in Distributed Information Infrastructures at the Leibniz Institute for Information Infrastructure. "Starting a campaign without informing the employees beforehand is simply unfair and does not contribute to trust in the management," says Sasse, who is a researcher at the Cluster of Excellence "Cyber Security in the Age of Large-scale Attackers", Casa for short, and has degrees in industrial psychology and computer science. Learning that one has been taken in by phishing messages has a bad effect on self-efficacy: "Employees notice that they have no control over the situation and react with resignation, they don't even try to recognize phishing messages anymore," the authors note.
"But when the employees know that the campaign is running, they may be curious and click on an e-mail, assuming that nothing can happen because the e-mail is fake. But since real phishing mails are still circulating, the level of protection is lowered," says Volkamer, who is conducting research at the Competence Center for Applied Security Technology in Karlsruhe, one of three competence centers for cyber security in Germany. The problem is exacerbated when an employee notices that he or she has clicked on a dangerous link and does not dare to report it. Volkamer therefore stresses that companies should establish a duty to report IT security incidents before a phishing campaign starts.
Investing time and money differently
When a campaign is announced, employees can be expected to question far more messages critically and to become over-cautious, which increases time and performance pressure and also undermines confidence in management. "Security is often perceived as a burden and a nuisance anyway. A major problem with phishing campaigns, in our view, is that they give even more negative connotations to the issue, because in the end it is the management that is attacking their employees," says Sasse. The authors suggest that companies seeking to strengthen their IT security should invest time and money primarily in improving technical security measures, and only then train their employees to identify the phishing messages that still reach them despite up-to-date security software and operating systems.
Melanie Volkamer, Martina Angela Sasse, Franziska Boehm: Phishing-Kampagnen zur Mitarbeiter-Awareness: Analyse aus verschiedenen Blickwinkeln: Security, Recht und Faktor Mensch (Phishing campaigns for employee awareness: an analysis from different perspectives: security, law and the human factor), Repository KITopen 2020, DOI: 10.5445/IR/1000119662