ABSTRACT
With ever-increasing amounts of data collected from citizens and businesses in Smart City environments, public administration agencies are establishing themselves as central data holders. However, holding this much data makes them a target for cybercriminals seeking illicit enrichment. The predominant type of cybercrime is phishing and, increasingly, spear phishing, a more personal, target-oriented kind of phishing. Such attacks use so-called persuasion techniques to lure their victims. In this study, four persuasion techniques, namely Authority, Urgency, Danger and Benefit, were tested for effectiveness in a two-phased field experiment conducted in cooperation with four German municipalities. In total, 3452 fake phishing e-mails were sent to 1276 public officials. Results show that the persuasion technique of Authority worked best and therefore presumably poses the biggest threat to the information integrity of public sector agencies, followed by Urgency, Benefit and Danger. Additionally, the study provides insight into the potential effects of constant exposure to phishing and shows that the degree of domain-specificity of attacks impacts the susceptibility of victims.