Phishing in Large Organizations
Researchers
Daniele Lain (ETH)
Kari Kostiainen (ETH)
Prof. Srdjan Capkun (ETH)
Industry partner
Die Post
Description
Phishing emails are deceptive messages designed to steal data and propagate malware. In this type of attack, miscreants pose as legitimate organizations (e.g., banks and financial institutions, delivery companies, shopping websites) and send emails crafted to look like those of the impersonated organization. These emails try to instill a sense of urgency by prompting users to act swiftly, for example to change a supposedly compromised password. Links in these emails lead to deceptive websites that often include login pages intended to trick the user into submitting their credentials. Other vectors for the attack include opening malicious attachments or drive-by downloads of malware.
Phishing is a real threat to corporations: employees falling for phishing and revealing corporate credentials can be the first step for further attacks and data breaches. Phishing leads to significant economic losses: estimates put the yearly cost of phishing attacks in the order of millions of dollars for companies that fall victim. For this reason, it is of paramount importance to understand the most effective ways to protect users from phishing attacks.
In this project, in partnership with the Swiss Post, we aim to understand phishing in large organizations from the point of view of employees and IT departments. For employees, our studies and measurements are improving how phishing training is delivered and understood, and we are developing novel user interfaces to help people spot potential attacks. For IT departments and defenders, we are analyzing novel countermeasures to deploy in organizations for early detection of phishing attacks and what the next generation of (AI-powered) phishing attacks might look like.
Publications
Daniele Lain, Kari Kostiainen, and Srdjan Capkun. “Phishing in organizations: Findings from a large-scale and long-term study.” IEEE Symposium on Security and Privacy (S&P), 2022. [PDF]
Daniele Lain, Tarek Jost, Sinisa Matetic, Kari Kostiainen, and Srdjan Capkun. “Content, Nudges, and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training”. ACM Conference on Computer and Communications Security (CCS), 2024 (Distinguished Paper Award). [PDF]