Testing the Security Awareness Using Open-Source Tools - Spear Phishing

Karina Filipczak
Human psychology and the flaws of modern technology are the main reasons phishing remains so successful and persistent. This case study set out to probe and identify weak spots in the digital security of one of the largest fintech companies in Estonia. A virtual environment was built for the company on AWS using open-source tools such as Nginx and MySQL. The phishing emails were sent with the open-source phishing framework GoPhish, and a separate scenario was built around the psychological weaknesses of each targeted department. As the company's first phishing exercise, it made the company aware of its security weaknesses and of how to approach potential attacks with more due diligence in the future. The outcome clearly showed the gap between human and technological cooperation in defending against spear phishing, which leaves room for future improvement. Almost 70% of the emails were tagged as spam and never reached their recipients, a major limitation that likely capped the results of the study. Nonetheless, the emails that did get through hooked 20% of the staff. Compared with the Verizon Data Breach Investigations Report from 2016, referred to throughout the paper, the proportion of affected staff was similar to the result of this case study. The main factors that could have jeopardized the validity of the findings are maturation during the test itself, Gmail spam filtering and experimenter bias. Based on the findings, the future work for the company will involve enhancing its security awareness programmes as well as improving both its internal tools and the widely used external digital tools.
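Since almost 70% of the campaign mail was tagged as spam before it reached anyone, the check a practitioner wants before launching a GoPhish campaign is a seed-mail deliverability test: send one message from the sending domain to a mailbox at the target provider, then read the Authentication-Results header the receiver adds. SPF, DKIM and DMARC failures, and a From domain that does not align with the envelope sender, are common reasons simulated phishing lands in spam. The following is an added example, not code from the thesis or from GoPhish; the domains, selector, IP addresses and header text are constructed placeholders, and the parser works on any message that carries an RFC 8601 style Authentication-Results header.

```python
"""Pre-flight deliverability check for a simulated phishing campaign.

Parses the Authentication-Results header of a seed message and reports
SPF/DKIM/DMARC results plus DMARC-style identifier alignment between the
From header domain and the envelope sender (smtp.mailfrom) domain.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a seed message whose authentication all passes.
# Domains, selector and addresses are placeholders, not from the study.
SAMPLE_PASS = b"""\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@sec-awareness.example header.s=gp1;
       spf=pass (mx.example.net: domain of it-support@sec-awareness.example designates 203.0.113.10 as permitted sender) smtp.mailfrom=it-support@sec-awareness.example;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sec-awareness.example
From: IT Support <it-support@sec-awareness.example>
To: seed@example.net
Subject: Password policy update
Content-Type: text/plain; charset=utf-8

Please review the attached policy.
"""

# Constructed sample: the same campaign relayed through an unrelated sending
# host, so SPF soft-fails, there is no DKIM signature, DMARC fails and the
# envelope sender domain no longer matches the From domain.
SAMPLE_FAIL = b"""\
Authentication-Results: mx.example.net;
       dkim=none;
       spf=softfail (mx.example.net: domain of transitioning bounce@aws-sender.example does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=bounce@aws-sender.example;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sec-awareness.example
From: IT Support <it-support@sec-awareness.example>
To: seed@example.net
Subject: Password policy update
Content-Type: text/plain; charset=utf-8

Please review the attached policy.
"""


def parse_auth_results(raw_message: bytes) -> dict:
    """Return {'spf': .., 'dkim': .., 'dmarc': .., 'aligned': bool|None}."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    # compat32 keeps header folding; collapse it to one line per header.
    flat = " ".join(
        re.sub(r"\s+", " ", str(v))
        for v in msg.get_all("Authentication-Results", [])
    )
    verdict = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat):
        verdict[method] = result.lower()

    # Alignment: From header domain vs. envelope sender (smtp.mailfrom) domain.
    from_match = re.search(r"header\.from=([\w.-]+)", flat)
    if from_match:
        from_domain = from_match.group(1).lower()
    else:
        _, addr = parseaddr(msg.get("From", ""))
        from_domain = addr.rpartition("@")[2].lower() or None
    mfrom_match = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", flat)
    mfrom_domain = mfrom_match.group(1).lower() if mfrom_match else None
    verdict["aligned"] = (
        from_domain == mfrom_domain if from_domain and mfrom_domain else None
    )
    return verdict


def deliverability_problems(verdict: dict) -> list:
    """List the reasons a receiver is likely to route the mail to spam."""
    problems = []
    for method in ("spf", "dkim", "dmarc"):
        if verdict.get(method) != "pass":
            problems.append(f"{method}={verdict.get(method, 'missing')}")
    if verdict.get("aligned") is False:
        problems.append("From domain does not align with envelope sender")
    return problems


if __name__ == "__main__":
    for label, raw in (("pass", SAMPLE_PASS), ("fail", SAMPLE_FAIL)):
        verdict = parse_auth_results(raw)
        print(label, verdict, deliverability_problems(verdict) or "OK to launch")
```

Run this against the headers of a real seed message (for Gmail, "Show original") rather than the constructed samples; if it reports anything other than an empty problem list, fix the sending domain's SPF record, DKIM signing and From/envelope alignment before the campaign, or the spam-filtering ceiling the study hit will reappear.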
Graduation Thesis type: Master - Cyber Security
Supervisors: Sten Mäses, Raimundas Matulevičius