How to Conduct Email Phishing Experiments

Kaspar Jüristo
Phishing attacks are on the rise and more sophisticated than ever before inflicting major financial damage on businesses. Simulated phishing attacks are of growing interest in academia, however, the studies are mainly focusing on the specific angles of the phenomenon, e.g. ethical considerations; and not on the implementation itself. Author was not able to find consolidated guidelines that would walk through the whole process of conducting email phishing experiments. The aim of this study is to explore how to conduct simulated phishing experiments and to create consolidated guidelines that companies could easily implement on the example of Company X1. The research questions postulated for this study are: What should companies consider when conducting phishing experiments? What is the correlation between the phishing email difficulty level and the click through rate? How people react to simulated email phishing experiments? Both quantitative and qualitative research methods
were applied to find answers to the research questions. Firstly, based on the existing studies, guidelines on how to conduct phishing experiments in companies were created. Secondly, phishing experiment (Experiment I) was designed and conducted among 53 participants applying a crossover research design. The employees were randomly divided into two groups (Group K) and (Group L); and they were sent in two distinct time periods two emails which
corresponded to the different difficulty levels (Type X and Type Y). During the first campaign Group K was sent Type X email and Group L was sent Type Y email and during the second campaign it was vice versa. Type X email messages were designed to be targeted, grammatically correct and with relevant content. Type Y email messages were designed to be general and with visible grammar mistakes. Additionally, a spear phishing experiment (Experiment II) was conducted among two participants applying a single-subject quasi-experimental research design. The third type of emails (Type Z) that were sent out during the
spear phishing experiment were personalized and relevant based on the pre-conducted research about the two targets. Thirdly, qualitative interviews were designed and conducted with the employees who participated in the simulated phishing experiments to investigate how they react to such experiments and to improve the guidelines based on their feedback.
This research confirmed that the proposed guidelines are sufficient for conducting phishing experiments in a company setting. The results of this research show that 23% of the employees clicked on the link embedded to the more complex (Type X) phishing email and 11% of the employees clicked on the link embedded to the simpler (Type Y) email. Furthermore, Type Y emails were reported as phishing emails more frequently (22,6%), whereas Type X, emails were reported less (18,9%). The spear phishing experiment was successful,
and the participants did not recognize the deceptiveness of the simulated phishing emails.
This research shows that the phishing success rate is higher when the content is targeted and relevant. The employee awareness level about reporting phishing was low and the main stimuli for clicking on phishing links was curiosity. The findings of this study imply that people react positively to phishing experiments if these are conducted in a manner that it does not pose psychological damage or distress for the participants.
Graduation Thesis language
Graduation Thesis type
Master - Cyber Security
Sten Mäses, Olaf M. Maennel, Raimundas Matulevičius
Defence year