EVALUATION OF PHISHING ATTACKS AGAINST A HIGHER EDUCATION PUBLIC INSTITUTION

Abstract

While security vendors have documented trends in phishing attacks across numerous industries, there remains a gap in available data for phishing attacks against higher education institutions. This researcher studied phishing attacks delivered over the course of one year against the University of North Carolina at Charlotte. Research questions include: What were the component characteristics of phishing attacks against the university? Which phishing attacks were successful? What possible countermeasures can be implemented to prevent such attacks? A Phishing Susceptibility Framework is proposed; the framework has two main sections – the Attacker Gambit that exhibits motivation and methodology, and the Victim Profile that reveals victim susceptibility and root weaknesses. Each section has three main elements that illustrate core components affecting the efficacy of a phishing attack. The purpose of this framework is to identify vulnerable end user segments as risk flash points for management to be aware of when safeguarding against phishing attacks. Results of the study determined attacker motivation skewed heavily toward financial gain and Business Email Compromise gift card attacks were most effective. Multivariate analysis determined Authority, Kindness and Urgency stressors all had positive correlation with compromised users and we concluded that a combination of these stressors indicated an improved efficacy of BEC gift card gambits against susceptible end users within the organization. This research contributes to the overall body of knowledge specific to phishing attacks against a higher education institution and provides valuable information for other higher education institutions which are likely to see similar attacks.