Phishing Literature Review - samuel-richardson/Capstone GitHub Wiki
Phishing Simulation Literature Review
Phishing simulation and training are broad concepts that have several different aspects. Our research revolves around why phishing training and simulation are important [5] and narrows further into what is currently being done to prevent phishing attacks [4, 2] and how we can build on the tools and tactics available to better protect companies from phishing attacks [3, 1].
Training and awareness programs are crucial for helping users recognize and respond to phishing threats, since user behavior is why phishing attacks are so effective. Individuals often act on urgency or curiosity, which leads them to click suspicious links or hand over sensitive information without verifying the source. With few exceptions, users underestimate how sophisticated current tactics are and look only for obvious red flags such as poor grammar or strange sender addresses. To lower the number of victims, training programs should include regular sessions that cover the various phishing channels, such as email, SMS, and social engineering, and should emphasize verifying the authenticity of any request for sensitive information. That training should then be applied through a simulated phishing attack, which improves users' ability to identify real threats. [5]
Gophish is a free and open-source phishing platform. It allows users to create phishing templates in many formats, such as email or Word documents, and send them to targets. Additionally, Gophish can receive reports of phishing emails at a designated reporting address and track who has clicked on, and submitted data to, phishing links. Using this platform saves the time that would otherwise go into building our own web server and analytics platform. Conducting simulated phishing attacks with Gophish lets us focus on making an effective phishing campaign and on making sense of the gathered information. [2]
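As an added example (not Gophish's own code and not part of the original review), a short Python script that turns a Gophish campaign results export into per-group click, submission and report rates, which is the "making sense of the gathered information" step above. The field names (`status`, `reported`, `position`) and the status strings follow Gophish's results format as I understand it, and the sample data is constructed.

```python
"""Summarise a Gophish campaign results export into per-group awareness metrics."""
import json
from collections import defaultdict

# Constructed sample shaped like Gophish's results export: each entry carries the
# target's email, the furthest status reached, a 'reported' flag and the target's
# position (used here as the grouping key). Not real campaign data.
SAMPLE_RESULTS = json.dumps([
    {"email": "a@example.edu", "status": "Email Sent", "reported": False, "position": "Faculty"},
    {"email": "b@example.edu", "status": "Clicked Link", "reported": False, "position": "Faculty"},
    {"email": "c@example.edu", "status": "Submitted Data", "reported": False, "position": "Faculty"},
    {"email": "d@example.edu", "status": "Email Opened", "reported": True, "position": "Staff"},
    {"email": "e@example.edu", "status": "Email Reported", "reported": True, "position": "Staff"},
    {"email": "f@example.edu", "status": "Submitted Data", "reported": False, "position": "Staff"},
    {"email": "g@example.edu", "status": "Error", "reported": False, "position": "Staff"},
])

# Gophish funnel: a target's status is the furthest stage reached, so
# "Submitted Data" implies the lure was also opened and clicked.
FUNNEL = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
RANK = {s: i for i, s in enumerate(FUNNEL)}

def summarise(results_json, group_key="position"):
    """Return {group: metrics} for a Gophish results list (JSON string)."""
    blank = {"delivered": 0, "opened": 0, "clicked": 0, "submitted": 0, "reported": 0}
    per_group = defaultdict(lambda: dict(blank))
    for r in json.loads(results_json):
        g = per_group[r.get(group_key) or "unassigned"]
        status = r.get("status", "")
        if status == "Email Reported":
            # Assumption: a reported lure was delivered; its funnel stage is unknown.
            rank, reported = RANK["Email Sent"], True
        elif status in RANK:
            rank, reported = RANK[status], bool(r.get("reported"))
        else:
            continue  # "Error", "Scheduled", "Sending": never delivered, excluded
        g["delivered"] += 1
        g["opened"] += rank >= RANK["Email Opened"]
        g["clicked"] += rank >= RANK["Clicked Link"]
        g["submitted"] += rank >= RANK["Submitted Data"]
        g["reported"] += reported
    for g in per_group.values():
        n = g["delivered"]  # delivery errors are excluded from every denominator
        for metric in ("clicked", "submitted", "reported"):
            g[metric.rstrip("ed") + "_rate"] = round(g[metric] / n, 3) if n else 0.0
    return dict(per_group)

if __name__ == "__main__":
    for group, m in sorted(summarise(SAMPLE_RESULTS).items()):
        print(group, m)
```

The per-group report rate is the metric worth watching over successive campaigns: a rising report rate with a falling submission rate is the signal that the training is working.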
This article discusses how the University of Washington is moving to the KnowBe4 platform for security awareness and training. Along with many other organizations, they started to use KnowBe4 in order to improve their security posture. KnowBe4 provides simulated phishing attack tools as well as AI-generated training based on the results of the phishing simulations. On top of being useful, KnowBe4 is also one of the most affordable products and services for phishing simulation. Where KnowBe4 falls short is that it still relies on significant input from the systems and security personnel at each company. We can do more than just offer a tool; we can provide a complete service. [1]
Real-world phishing websites are typically crafted to imitate legitimate sites, enticing users to enter sensitive information such as usernames, passwords, and credit card details. For instance, attackers often create mirror sites of popular banking or email platforms, then use the collected data to commit fraud or gain unauthorized access. A well-documented example is the "Google Docs" phishing scam of 2017, where users were tricked into entering their credentials on a fake Google login page, leading to account compromise. While these tactics are common and have been extensively studied, our research remains relevant because phishing techniques evolve with technology. The ability to conduct simulations tailored to specific educational institutions and businesses ensures that our project will address the unique vulnerabilities of each client, which cannot be fully mitigated by generic studies of past phishing attacks. [3]
Automated phishing detection systems, such as those using machine learning models, have been successfully deployed by organizations like Google and Microsoft to filter phishing emails in real time. These systems analyze patterns in email metadata, body content, and links to flag suspicious messages. For example, Microsoft's "SmartScreen" technology helps detect phishing attempts by comparing incoming email links against a dynamic database of known phishing URLs. Despite the progress in automated detection, our project's relevance lies in testing the effectiveness of these systems within specific client infrastructures. No single detection system can catch every phishing attempt, and by conducting targeted simulations our research will expose new areas for improvement, especially in educational institutions that may lack robust cybersecurity defenses. Thus, existing technologies complement rather than inhibit our studies. [4]
References
1. Washington University in St. Louis, "Introducing KnowBe4 Training and Awareness Program," Information Security & Privacy Office. [Online]. Available: https://informationsecurity.wustl.edu/guidance/introducing-knowbe4-training-and-awareness-program/.
2. "Gophish," Gophish Phishing Framework. [Online]. Available: https://getgophish.com/. [Accessed: 30-Sept-2024].
3. "What You Need to Know About the New Google Docs Scam," NordVPN. [Online]. Available: https://nordvpn.com/blog/what-you-need-to-know-about-the-new-google-docs-scam/.
4. "Microsoft Defender SmartScreen," Microsoft Learn. [Online]. Available: https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/.
5. E. Park, J. Kwon, M. Kang, S. Han, and J. Shin, "AI-enhanced phishing detection method: A comparison of various models and features," ScienceDirect, vol. 116, Sept. 2023. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0167404823005813.