
WRTG 393

Phishing Awareness training session

A potential solution to detect online scams


Briefing paper

8/11/2022

Executive Summary

Today, cybersecurity is always a front-line priority. Well-known data breaches have taught that
protecting data and personally identifiable information must be a priority. “One of the most frequent
threats to organizations is phishing”. It is an online fraud that targets the consumer by sending e-mails
that appear to come from a professional source. Phishing frauds account for 80% of security events.
Since these attacks depend on human weakness rather than on the stability of the systems, they can be
hard to counter.

 
There are various kinds of phishing, each of which introduces more security vulnerabilities. Hackers
can gain access to users’ personal information. Phishing operates primarily through manipulation and
depends on human interaction, for example a user or an employee mistakenly clicking on a malicious
link or providing information to a hacker. Both larger and smaller organizations are the target of
phishing attacks daily.
 
Information technology departments offer different face-to-face phishing awareness training sessions
for employees. Phishing awareness training has two especially important parts, “awareness education
and phishing testing.” These solutions are planned to help and improve employee awareness of
phishing. Online training should be discouraged because of its ineffectiveness. Face-to-face sessions
increase the effectiveness of training, and employees’ engagement with the session increases as they
are updated on the new tactics, techniques, and procedures (TTPs) of phishing attackers. Security
awareness programs operationalize TTPs and give them learning importance.

The Problem

Most organizations are under the threat of phishing attacks. It is a genuine problem all around the
world. Attackers want to invade the computer systems of the organization, and this can only be
achieved if the “fraud email” or “malicious links” they send are clicked by employees. The purpose of
the email is to convince the employee to click on the links or “download the malicious attachment”,
which results in the transfer of the organization’s personal data, which may include the organization’s
funds, other finances, employees’ information, etc. The main problem is the awareness campaign during
the COVID-19 situation: most organizations conducted their “phishing attack awareness session”
online, which is not considered useful because employees do not take much interest and it is
ineffective. Phishing is an important topic to be discussed in the workplace, and employees should be
aware of scams. “In 2015, with the highest number experienced by organizations in the financial sector
(a total number of 795). This same report also showed that approximately 1 in 10 employees of such
organizations clicked on links or opened attachments contained within sanctioned phishing email
tests.”

“The integrated information processing model of phishing susceptibility (IPPM)” says that employees
click the email because they are influenced by the content present in the email. This content is what
manipulates human behavior. Hackers are therefore likely to include the kind of content that can
persuade employees. They use many tips and tricks, so employees confuse fraudulent and genuine
emails. As the decades have passed, new kinds of phishing have been introduced.

Phishing has many types, including angler phishing, email phishing, and spear phishing, each of which
means more security vulnerabilities.
 
Information technology is a professional and important field. Our field employees are facing
cybersecurity issues such as spear phishing, in which fake emails are sent to specific individuals or
organizations to gain access to their confidential data. The IT (Information Technology) department
has organized many online cybersecurity awareness trainings, but this is an ineffective way to
communicate with employees. It is time consuming as well as expensive, and it cannot overcome
human error. Even if a two- to three-hour online session is conducted, it will still be ineffective,
because online employees do not participate actively and do not listen to the guide properly, so it
becomes a useless activity. Phishing awareness training is nevertheless necessary for employees.
  
“Mark Logsdon said: Training is boring and often irrelevant. It’s easy to see why. You can’t apply
one lesson to an entire organization whether it’s 20 people or 20,000 and expect it to stick. It has to
be targeted based on age, department, and tech-literacy. Age is especially important.”

Figure 1 shows the whole process of a phishing attack: how a hacker sends an email to the victim.

Figure 1. Phishing attack (https://cybercoastal.com/)

Both larger and smaller organizations are the target of phishing attacks on a daily basis.

A Possible Solution

The Information Technology (IT) field must organize face-to-face training sessions to deal with
phishing and other online scams. The IT field must create strategic plans and implement them for
employees. Engaging activities should be organized so that employees can actively and effectively
participate in the session, because without proper phishing awareness training employees will be
unfamiliar with these kinds of frauds and the organization will face phishing attacks that lead to data
breaches. Phishing awareness training has two especially important parts, “awareness education and
phishing testing”.

1. Awareness education: Educating employees about phishing is necessary. First tell them what
phishing is, then step by step educate them and help them identify phishing by email or text.
Face-to-face phishing training is the only way to engage employees through the action of a phishing
simulation.

Reading manuals and attending long sessions are not effective. Keep your employees engaged in
real-world experiences by providing them with a simulation approach. It will help them distinguish
fraudulent from genuine emails. The main purpose of the training should be to identify the
organization’s weak points (either employees who fail to recognize the threat or those who are most
likely to be targeted).

2. Phishing testing: Phishing testing is necessary to measure the effectiveness of the awareness
training session. A phishing simulation can be measured by the click rate of the employees, and each
run of this data shows the progress of the employees. There are three approaches that could help in
phishing detection: “Heuristic and machine learning, Proactive phishing URL detection, phishing based
black and white list”.

Figure 2 shows these phishing detection approaches using a “machine learning technique”.

Figure 2. Detecting phishing websites using machine learning technique (https://journals.plos.org/)

Here are some ways to detect phishing fraud in email messages:

1. The email is poorly written, with spelling and grammatical mistakes.
2. It includes doubtful links and attachments.
3. It requests confirmation of personal information.
4. It includes a fake invoice.
5. It says that unusual login activity has been noticed.
6. It wants you to click on a link to make a payment online.
7. The domain name is misspelled.
8. The message creates urgency.
9. The message comes from a public domain, not from the authentic domain.
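The indicators in the list above can be turned into a simple rule-based checker that a training team could run over sample messages. The following is an added example, not code from the paper or from any cited project; the regex word lists, the public-domain set, the 0.8 lookalike ratio and the two sample messages (for a fictional organisation at example.com) are assumptions constructed for the illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Indicators from the list above as regexes; word lists and the lookalike ratio are assumptions.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
CHECKS = {
    "creates urgency": re.compile(r"\b(urgent|immediately|within 24 hours|will be suspended)\b", re.I),
    "asks to confirm personal information": re.compile(
        r"\b(confirm|verify|update) your (account|password|personal information)\b", re.I),
    "payment link or fake invoice": re.compile(r"\b(invoice|make (a|your) payment)\b", re.I),
    "claims unusual login activity": re.compile(r"\bunusual (login|sign-in) activity\b", re.I),
}
URL_HOST = re.compile(r"https?://([^\s/>\"']+)", re.I)

def lookalike(domain: str, expected: str) -> bool:
    """True when the sender domain is a near miss of the real one (e.g. one character swapped)."""
    return domain != expected and SequenceMatcher(None, domain, expected).ratio() >= 0.8

def indicators(raw_email: str, expected_domain: str) -> list:
    """Return the indicators from the list above that are found in one single-part RFC 5322 message."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")
    found = []
    if sender_domain in PUBLIC_DOMAINS:
        found.append("sent from a public domain, not the authentic one")
    elif lookalike(sender_domain, expected_domain):
        found.append("misspelled sender domain: " + sender_domain)
    for host in URL_HOST.findall(text):
        host = host.lower()
        if host != expected_domain and not host.endswith("." + expected_domain):
            found.append("doubtful link to " + host)
    found += [name for name, pattern in CHECKS.items() if pattern.search(text)]
    return found

# Constructed sample messages (not real mail) for an organisation whose domain is example.com.
PHISH = """From: IT Support <it-support@examp1e.com>
Subject: Urgent: unusual login activity

We noticed unusual login activity on your account. Please verify your account
within 24 hours at http://examp1e.com/login or your account will be suspended.
"""
LEGIT = """From: Payroll <payroll@example.com>
Subject: March timesheets

Timesheets for March are due Friday. Submit them at https://hr.example.com/timesheets.
"""
```

Running `indicators(PHISH, "example.com")` lists five indicators (lookalike domain, doubtful link, urgency, confirmation request, login-activity claim), while the legitimate message yields none; a real deployment would add a threshold and attachment checks on multipart mail.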
 
Artificial Intelligence (AI) research is working on “machine learning for the detection of phishing
websites”. An input is given to the “machine learning model”, which predicts whether it is a phishing
attack.

Figure 3 shows in detail how “AI-enabled phishing attacks detection techniques” are helpful in
cybersecurity.

Figure 3. A comprehensive survey of AI-enabled phishing attacks detection techniques
(https://link.springer.com/)

Conclusion

Phishing is an online scam in which an email is sent to an organization; if the malicious link in it is
clicked by someone, it can even destroy a company or organization, because hackers will steal all the
company’s personal information. Employees have to be aware of phishing attacks, and they must learn
this important term. Most companies prefer online awareness sessions to train their employees, but
that is an ineffective way to teach employees and a waste of time, because employees do not take much
interest, so it is an ineffective way to communicate with your employees. As the best solution,
companies should conduct face-to-face awareness sessions and surveys. Phishing awareness training
has two especially important parts, “awareness education and phishing testing”. Phishing education
includes identifying the fake emails sent by the hacker, and phishing testing includes the test that is
conducted to check the progress of employees in identifying fraudulent emails and how actively they
participate.

References

1. Basit, A., Zafar, M., Liu, X., Javed, A. R., Jalil, Z., & Kifayat, K. (2021). A comprehensive survey of
AI-enabled phishing attacks detection techniques. Telecommunication Systems, 76, 139–154.
https://link.springer.com/article/

2. Chaudhry, J. A., Chaudhry, S. A., & Rittenhouse, R. G. (2016). Phishing attacks and defenses.
International Journal of Security and Its Applications, 10(1), 247–256.
https://www.researchgate.net/publication/

3. Abdul-Hussein, R. M., Mohammed, A. H., & Kadhim, A. A. (2022). Detecting Phishing Cyber Attack
Based on Fuzzy Rules and Differential Evaluation. Vol. 11, Issue 2, pp. 543–551.
https://www.temjournal.com/content/

4. Jensen, M. L., Dinger, M., Wright, R. T., & Thatcher, J. B. (2017). Training to mitigate phishing
attacks using mindfulness techniques. Journal of Management Information Systems, 34(2), 597–626.
https://www.tandfonline.com/

5. Dutta, A. K. (2021). Detecting phishing websites using machine learning technique. PLOS ONE.
https://journals.plos.org/plosone/article

6. Williams, E. J., Hinds, J., & Joinson, A. N. (2018). Exploring susceptibility to phishing in the
workplace.
https://www.sciencedirect.com/science/article

7. Carroll, F., Adejobi, J. A., & Montasari, R. (2022). How Good Are We at Detecting a Phishing
Attack? Investigating the Evolving Phishing Attack Email and Why It Continues to Successfully
Deceive Society. SN Computer Science, 3, 170.
https://doi.org/10.1007/s42979-022-01069-1
