Phishing: A Field Experiment

Keywords: Phishing, Computer Crime, Data Security

Abstract: Phishing is a method that hackers use to fraudulently acquire sensitive or private information from a victim by impersonating a real entity [1]. Phishing can be defined as the act of soliciting or stealing sensitive information, such as usernames, passwords, bank account numbers, credit card numbers, and social security or citizen ID numbers, from individuals over the Internet [2]. Phishing often involves some kind of deception. The results of a study by Jagatic et al. (2007) indicate that Internet users are four times more likely to become phishing victims if they receive a request from someone appearing to be a known friend or colleague. The Anti-Phishing Working Group reports that at least five percent of users responded to phishing scams and that about two million users gave away their information to spoofed websites [3]. This resulted in direct losses of $1.2 billion for banks and credit card companies (Dhamija, 2006).

In order to understand how phishing can be conducted, the researcher set up a phishing experiment in one of Thailand's higher education institutions. The subjects were MBA students. A phishing email was sent to the subjects, and the message led them to visit the phishing website. One hundred seventy students became victims. Data collection included a survey, an interview, and a focus group. The results indicate that phishing can be conducted easily and that its consequences can have a great impact on the security of an organization. Organizations can apply the lessons learned from this study to formulate an effective security policy and security awareness training programs.