Abstract
Lateral phishing attacks can be devastating for users and organisational IT teams as these originate from legitimate, but compromised, email accounts that benefit from the implicit trust between sender and recipients. In this paper, we begin to explore the human-centred space of lateral phishing attacks through interviews with 5 security practitioners and 17 employees from the UK and India. We report how security practitioners predominantly rely on employees to alert them to compromised accounts, and how this can create a delay during which the attack can continue. Our interviews with employees, on the other hand, found that individuals may not be reliable; they struggled to detect slight changes to messages, and over-relied on markers that cannot identify lateral attacks. We discuss the symbiotic relationship between security practitioners and employees for combatting lateral phishing attacks within organisations, and present recommendations for improving resistance to these attacks.
| Original language | English |
|---|---|
| Title of host publication | EuroUSEC '23 |
| Subtitle of host publication | proceedings of the 2023 European Symposium on Usable Security |
| Place of Publication | New York |
| Publisher | Association for Computing Machinery (ACM) |
| Pages | 344-355 |
| Number of pages | 12 |
| ISBN (Electronic) | 9798400708145 |
| DOIs | |
| Publication status | Published - 16 Oct 2023 |
| Event | The 2023 European Symposium on Usable Security, Copenhagen, Denmark. Duration: 16 Oct 2023 → 17 Oct 2023. https://eurousec23.itu.dk/ |
Conference
| Conference | The 2023 European Symposium on Usable Security |
|---|---|
| Abbreviated title | EuroUSEC 2023 |
| Country/Territory | Denmark |
| City | Copenhagen |
| Period | 16/10/23 → 17/10/23 |
| Internet address | https://eurousec23.itu.dk/ |
Keywords
- Organisations
- Lateral phishing
- Phishing
- Reporting
- Cybersecurity practitioners