Spear phishing in organisations explained

• Published in: Information and computer security Vol. 25; no. 5; pp. 593 - 613
• Main Authors: Bullee, Jan-Willem, Montoya, Lorena, Junger, Marianne, Hartel, Pieter
• Format: Journal Article
• Language: English
• Published: Bingley Emerald Group Publishing Limited 13.11.2017
• Subjects: Age; Age factors; Bias; Case studies; Cybercrime; Cybersecurity; Data collection; Deception; Demographic variables; Demographics; Demography; Electronic mail; Electronic mail systems; Employees; Experiments; Field study; Fraud; Heuristic; Human error; Network security; Older people; Phishing; Psychology; Sociodemographics; Victimization; Websites
• ISSN: 2056-4961; 2056-497X
• DOI: 10.1108/ICS-03-2017-0009

PurposeThe purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient.Design/methodology/approachTwo types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails.FindingsNineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient’s years of service within the organisation is taken into account.Practical implicationsThis research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect.Originality/valueThe innovative aspect relates to explaining spear phishing using four socio-demographic variables.