TRAINING THE EMPLOYEES TO MEET PHISHING ATTACKS
1 University of Library Studies and Information Technologies (BULGARIA)
2 La Scuola universitaria professionale della Svizzera italiana (SUPSI) (SWITZERLAND)
About this paper:
Appears in: ICERI2021 Proceedings
Publication year: 2021
Pages: 7164-7168
ISBN: 978-84-09-34549-6
ISSN: 2340-1095
doi: 10.21125/iceri.2021.1608
Conference name: 14th annual International Conference of Education, Research and Innovation
Dates: 8-9 November, 2021
Location: Online Conference
Abstract:
Grim cybercrime statistics for 2021 say that $17,700 is lost every minute due to phishing attacks. Phishing attacks account for more than 80% of reported security incidents. They are the entry points for one-third of all attacks (IRIS). “Phishing Is No Longer Just Email: It’s Social”, according to the Akamai report. Phishing is responsible for around 93% of security breaches.

Phishing is a type of social engineering in which an attacker sends a fraudulent message designed to mislead a victim into revealing sensitive information to the attacker or into deploying malicious software on the victim's infrastructure. Social engineering (SE) is one of the most powerful means an attacker can use against a given entity (private citizen, industry, government, ...). The baseline SE strategy starts with information gathering: simply collecting as much information as possible about the victim of the attack, a human. The human attack vector (HAV) represents the key element for launching the second stage of the attack, a technical attack vector (TAV) that leads to the ultimate exploitation. All institutions, such as SMEs, large industries, government bodies, associations, …, are ultimately exposed through their own personnel.

Training and awareness activities represent a strategic investment for every company, as they are reflected in a decrease in the risk of cyberattacks, with a clear benefit in terms of business continuity, corporate reputation, the privacy of employees and customers, competitor analysis, and (last but surely not least) the avoidance of financial losses (ransom, fraud, damage, …).

This paper deals with a variety of training options for employees. The training is classified by the way it is delivered (at the workplace or as intensive training, online or offline) and by the way the new knowledge about the attacks is conveyed (video lectures and examples, simulations, or games). Training can even be conducted under stress, presenting a realistic situation with appropriate penalties. The choice of training and method depends on the organization. The goal is a single one: to acquaint employees with the potential problems and to protect the workplace from cyberattacks, in particular phishing.

The training design could be delivered by universities. Their experience in training is important for its success, and it could strengthen the cooperation between universities and industry.
Keywords:
Phishing attacks, social engineering, training, awareness.