Hunting Phish: An Exploration of the Human-Based Detection and Management of Phishing Attacks
Abstract
Phishing communications aimed at deceiving people pose a severe threat for organisations, necessitating the need to focus on preventing potential victims from falling for phishing, as well as the formulation of policies and the development of solutions to enable quick responses to ongoing attacks. With the above in mind, this thesis aims to explore phishing features in human-facing interventions as well as the organisational response to phishing attacks.
I started with an exploration of the phishing features related to URLs since they are one of the most robust features of phishing communication. To this end, I conducted a structured review of URL-based phishing features that appear in publications targeting human-facing and automated anti-phishing approaches to obtain a more comprehensive feature list and create a cross-community foundation for future research. I find that research on automation has utilised most of the features, but features were minimally explored in the human-facing anti-phishing research. Features that are rarely used in human-facing phishing work are still be utilised by experts, suggesting that average users could potentially use them too if they were presented in a usable way. Thus, I designed a usable URL feature report that aims to make experts' information sources accessible to non-experts to help general users judge URLs accurately. This report was designed iteratively with experts and average users before being evaluated in an online study. I show that the report supports users in accurately judging URLs' safety.
In order to explore the organisational response to phishing attacks, I conducted a case study to investigate the processes of handling phishing reports, teams' interactions to improve defences, and the hindrance to a fast and effective response. The observed work patterns are a distributed cognitive process requiring multiple distinct teams with narrow system access and specialised knowledge. Sudden large campaigns can overwhelm the Help Desk with reports, significantly impacting staff's workflow and hindering the effective application of mitigations and the potential for learning.
The results from the several studies conducted throughout this thesis highlight the need for users' awareness; such awareness would aid them in avoiding clicking phishing URLs and would also help organisations to manage the impact. Indeed, the majority of the existing research on phishing is directed towards the goal of improving proactive measures rather than reactive measures; however, it is necessary to focus on strengthening every element in the phishing life cycle. My work shows that there are still many opportunities to add tool-based support into the process, both at the end-user level and in support of organisational IT staff.