Is context really relevant in phishing attacks?

Recently NIST published a report highlighting that “employees are more likely to click on links and attachments when the premise of the email matches their work responsibilities”. Therefore, according to NIST, context is a critical factor in discriminating why users wither click or don’t click on a phishing email.

At Cefriel we have worked extensively on the Social Engineering threat and the Human Factor vulnerabilities and we obtained insights that actually show the opposite, or at least that “context” is one of the enablers, but not the main one. In the latest 8 years and we developed a methodology aimed at testing human behaviours against a spear-phishing attack simulation, in which an attacker attempts to trick company personnel into performing actions that could put company assets at risk, ensuring ethical respecting compliance to laws and regulation. Moreover, Cefriel is actively contributing to scientific coordination of the H2020 DOGANA project, which is aimed at defining a standard framework for performing such type of tests.

A significant number of assessments using the Cefriel’s Social-driven Vulnerability Assessment (SDVA) methodology were performed in large enterprises (more than 40,000 employees in more than 20 companies) to try to gain an understanding of (or at least to have an idea about) the level of risk.

According to the methodology, each phishing simulation is attempting to get the employee to click on a link inside the email, visiting an unknown website (which may be malicious exposing the organisation to a drive-by-infection attack) and then get the employee to insert her credentials into a login form (as an example of critical corporate asset).

In these assessments, the spear-phishing attack simulations relied on generic hooks (i.e., related to general topics that may be attractive for users, such as special offers or discounts for employees). Most of the attacks were just slightly contextualized to the specific company (through colors, logos, templates and proper styles of communication), but did not include any specific context for the recipient. However, the attack simulations were effective, demonstrating the not always the context is a critical factor for phishing success. Probably just an interesting general topic which allow to gain an advantage to the end user, such as a promotion to get discounts, it is a good hook for convincing an employee to click on a link.

Nevertheless, the average results are quite impressive and confirm that phishing attacks actually work quite well even without a strong contextualization. In these assessments, one employee out of three (34 percent) followed the link contained in a phishing email, and one out of four (24 percent) also inserted company credentials in the web site form.

Cefriel SDVA Results Overview

The chart shows a comparison of the results of the assessments, plotting the success rate of each of the two step described above for the involved sample: percentage of employees who click on a link inside the email on the x-axis and who insert the company credentials on the y-axis. Each circle represents an assessment performed in a company, its radius represents the size of the company (logarithmic) and the color represents the industry sector.

Cefriel SDVA Time Analysis Results Overview

These results are even more impressive when correlated to the temporal factor. According to these results, a phishing campaign is characterised by an impulsive behaviour of the employee that causes a rapid growth of the success rate in the early phases, reaching a 50 percent effective rate in only 20 minutes. That means that the available time frame for an effective reaction from the information security function is quite short. Especially in big enterprises, there seems to be a lack of formalised processes that allow enabling countermeasures based on users’ reports and, frequently, a poor level of employee knowledge with regard to how to report a security incident.