Personalized Persuasion: Quantifying Susceptibility to Information Exploitation in Spear-phishing Attacks
Many cyberattacks begin with a malicious email message, known as spear phishing, targeted at unsuspecting victims. Although security technologies have improved significantly in recent years, spear phishing continues to be successful due to the bespoke nature of such attacks. Crafting such emails requires attackers to conduct careful research about their victims and collect personal information about them and their acquaintances. Despite the widespread nature of spear-phishing attacks, little is understood about the human factors behind them. This is particularly the case when considering the role of attack personalization on end-user vulnerability. To study spear-phishing attacks in the laboratory, we developed a simulation environment called SpearSim that simulates the tasks involved in the generation and reception of spear-phishing messages. Using SpearSim, we conducted a laboratory experiment with human subjects to study the effect of information availability and information exploitation on end-user vulnerability. The results of the experiment show that end-users in the high information-availability condition were 2.97 times more vulnerable to spear-phishing attacks than those in the low information-availability condition. We found that access to more personal information about targets can result in attacks involving contextually meaningful impersonation and narratives. We discuss the implications of this research for the design of anti-phishing training solutions.