Go home now Header Background Image
Search
Submission Procedure
share: |
Special Issues
Submission Procedure
Aims and Scope
Board of Editors
What's New
 
Follow us
 
Articles by Topics
Articles by Author
Geographical Mashup
List of Topics
 
Printed Publications
 
Volume 26 (2020)
Volume 25 (2019)
Issue 1
Issue 2
Issue 3
Issue 4
Issue 5
Issue 6
Issue 7
Issue 8
Issue 9
Issue 10
Issue 11
Issue 12
Issue 13
Volume 24 (2018)
Volume 23 (2017)
Volume 22 (2016)
Volume 21 (2015)
Volume 20 (2014)
Volume 19 (2013)
Volume 18 (2012)
Volume 17 (2011)
Volume 16 (2010)
Volume 15 (2009)
Volume 14 (2008)
Volume 13 (2007)
Volume 12 (2006)
Volume 11 (2005)
Volume 10 (2004)
Volume 9 (2003)
Volume 8 (2002)
Volume 7 (2001)
Volume 6 (2000)
Volume 5 (1999)
Volume 4 (1998)
Volume 3 (1997)
Volume 2 (1996)
Volume 1 (1995)
Volume 0 (1994)
 
Collection of other papers
Volume 25 / Issue 11

available in:   PDF (397 kB) PS (1 MB)
 
get:  
Similar Docs BibTeX   Write a comment
  
get:  
Links into Future
 
DOI:   10.3217/jucs-025-11-1458

 

Testing the Human Backdoor: Organizational Response to a Phishing Campaign

Anže Mihelič (University of Maribor, Slovenia)

Matej Jevšček (Faculty of organization studies in Novo mesto, Slovenia)

Simon Vrhovec (University of Maribor, Slovenia)

Igor Bernik (University of Maribor, Slovenia)

Abstract: To exploit the human as the "back door" to compromising well-protected information systems of organizations, phishing-type attacks are becoming increasingly sophisticated. There is however a significant lack of real-world studies of phishing campaigns in industrial settings even though it is a wide-spread way to hack information systems of organizations and many notorious cyberattacks started with some sort of a human exploitation. To fill this void, we conducted a case study in a large Central European manufacturing company Manco (fake company name) and observed the targeted employees' and IT department staff's response to a phishing campaign. Even though the IT department staff reacted very fast (their procedures started fifteen minutes after the first phishing e-mail was sent), results suggest significant data leakage and a high potential for successful malware installation. The observed click rate was 69.4 percent and real personal data submission rate was at least 49.0 percent. The average response time of targets (i.e., time between sending the phishing e-mail and visiting the phishing website) was 20 minutes, from 25 seconds to 203 minutes. The results suggest that a phishing campaign can be successful even if the targeted organization's response time is very short. Also, the phishing campaign may not be effective only due to the susceptibility of targets but also due to the investigative techniques of the first responders.

Keywords: case study, cyber-attack, detection, response, social engineering, spear phishing

Categories: K.6.1, K.6.5, L.4.0, L.5