‘Spear phishers’ proving hard to neutralize

Playing “gotcha” games is an ineffective way for organizations to combat their employees’ vulnerability to so-called “spear phishing” emails, according to a new study.

Spear phishing emails incorporate personal elements tailored to specific individuals in attempts to get victims to volunteer personal financial information or click on a link and download malicious software. A Cisco study showed that spear phishing email can generate $150,000 in profits per million emails.

One strategy that some organizations use to combat spear phishing emails is to send their own spear phishing emails to employees, and then counsel employees who fall victim to the ruse with information so they don’t repeat the mistake.

“We hypothesized that if users are provided with training immediately following an error in judgment, they will be less likely to make the same error when presented again with a similar judgment,” write the authors of Going Spear Phishing: Exploring Embedded Training and Awareness, which is published in the January/February issue of IEEE Security & Privacy. They found that approach was flawed.

The researchers sent three waves of phishing messages to workers at a Washington, D.C.-based, medium-sized organization. Those who clicked on the links were sent to a web page with different information about how to avoid being fooled again by phishing messages (with a control group receiving no information). But the researchers found that many employees left the web page before they could possibly read the information.

“In reports to the information security office and help desk, participants expressed concern that the training webpage might have been part of the spear phishing attempt; consequently, many participants closed the training page without reading any text on the page,” reads the article.

“All links want to be clicked,” said M. Eric Johnson, dean of Vanderbilt’s Owen Graduate School of Management and one of the authors of the study. The co-writers are Deanna D. Caputo and Jesse D. Freeman, both of the MITRE Corporation; and Shari Lawrence Pfleeger of Dartmouth College.

Once employees vulnerable to spear phishing are identified, it may be prudent to give them repeated and different exposure to anti-spear phishing training.

“Making embedded training effective in a corporate setting is more difficult than earlier studies suggest,” Johnson and his co-authors write. “Our results indicate that immediate feedback … doesn’t suffice to reduce click rates or increase reporting if it is never read.”