Phishing susceptibility rate for multinational organizations

Abstract

This master's thesis focuses on phishing as phenomenon, and specifically comparing the effectiveness of phishing emails that ask for credentials on a fake login page versus (Data entry attack) those that just require the victim to click a link (Click only attack). It also explores the effectiveness of phishing emails written in English when the recipients are non-native English speakers (NNES). Phishing is defined as a scalable act of deception to obtain information, but it may involve different methods and goals. Phishing methods such as smishing (via SMS) and vishing (fake phone calls). Spear phishing targets a specific individual or small group, while whaling focuses on high-value targets. Phishing attacks can aim to gather information or inject malware into computer systems, and common tactics include impersonating trusted entities and creating fake login pages. Countermeasures against phishing attacks are necessary, as they account for 95% of successful attacks. A comprehensive approach is required, including technical countermeasures, information security policies and anti-phishing train-ing. As part of their anti-phishing training, cybersecurity department of one multinational organization has sent simulated phishing emails to their users. They have started to suspect that certain types of phishing emails, and with certain language (English or local language), are more successful than others. They have wanted to get concrete evidence for their suspicion to be able to enhance their anti-phishing training. To our knowledge, there have not been previous studies for this topic in a similar setting. A simulated phishing study was conducted on employees of the company. The employees received five phishing emails in either English or their local language, and then either Click only or Data entry phishing attack. The anti-phishing training system tagged participants as susceptible if they clicked the link or provided their credentials. This master’s thesis reveals that click only phishing attacks are more successful than data entry attacks. Additionally, we found that phishing emails in participants' native or local language have a higher success rate compared to those in English, supporting previous findings and suggesting that attackers using the local language achieve greater success.