Spear phishing in organisations explained

Jan-Willem Bullee (Faculteit Elektrotechniek Wiskunde en Informatica, Universiteit Twente, Enschede, The Netherlands)
Lorena Montoya (Faculteit Elektrotechniek Wiskunde en Informatica, Universiteit Twente, Enschede, The Netherlands)
Marianne Junger (Faculteit Gedrags- Management- en Maatschappijwetenschappen, Universiteit Twente, Enschede, The Netherlands)
Pieter Hartel (Faculty of Electrical Engineering, Mathematics and Computer Science, Delft University of Technology, Delft, The Netherlands)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 13 November 2017

Abstract

Purpose

The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient.

Design/methodology/approach

Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails.

Findings

Nineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient’s years of service within the organisation are taken into account.

Practical implications

This research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect.

Originality/value

The innovative aspect relates to explaining spear phishing using four socio-demographic variables.

Acknowledgements

The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TREsPASS).

This publication reflects only the author’s views and the Union is not liable for any use that may be made of the information contained herein.

Furthermore, the authors would like to thank Wouter Bakker, Berber Bokkes, Shannon Cleijne, Wouter Horlings and Koen Zandberg for their efforts in the data collection. In addition, special thanks go to Human Resource Manager Cathelijne de Carpentier Wolf - de Vin for providing relevant data.

Citation

Bullee, J.-W., Montoya, L., Junger, M. and Hartel, P. (2017), "Spear phishing in organisations explained", Information and Computer Security, Vol. 25 No. 5, pp. 593-613. https://doi.org/10.1108/ICS-03-2017-0009

Publisher

Emerald Publishing Limited

Copyright © 2017, Emerald Publishing Limited
