Email load and stress impact on susceptibility to phishing and scam emails

(1)

Email load and stress impact on

susceptibility to phishing and scam emails

Emils Rozentals

Information Security, master's level (120 credits) 2021

Luleå University of Technology

Department of Computer Science, Electrical and Space Engineering

(2)

ABSTRACT

Research Question How does the email load and stress affect the susceptibility to phishing and scam emails?

Methodology The study was conducted with a Qualitative research approach. Semi-structured interviews were selected for the data gathering. Thematic Analysis was used to analyze Empirical data.

Theoretical Framework This research studied if a high email load affects the likelihood of falling victim to phishing and scam attacks. Research was studied through a theoretical lens of stress, since high email load is subjective for each individual and stress rate can show better how people are perceiving their email load.

Conclusions Findings suggest that high email load for the majority of people in this study, does increase the susceptibility towards phishing and scam emails. Furthermore, those people with higher email load who are processing their emails heuristically evaluated their stress rates higher than those with high email load who are processing their emails systematically.

Therefore, the results indicate that there is a relation between high email load, stress and susceptibility to phishing and scam emails. In this study, it was found that majority of respondents described high stress as a factor that played a role in their susceptibility of falling victim to phishing and scam emails.

Keywords Phishing, scam, email load, stress, workload, COVID-19

(3)

ABBREVIATIONS

CEO - Chief Executive Officer CTO - Chief Technical Officer ISP - Internet Service Provider SSL - Secure Socket Layer TLS - Transport Layer Security

SCAM framework - Suspicion, Cognition, Automaticity Model GCS - Generalized Communicative Suspicion

NIST - National Institute of Standards and Technology ISO - International Organization for Standardization IP address - Internet Protocol address

COVID-19 - Corona Virus Disease 2019 caused by SARS-CoV-2

(4)

CHAPTER 1: INTRODUCTION

1.1 Background of the Study

Studies, such as Aldawood, Skinner and Alashoor (2020) and Bullee and Junger (2020) agree that one of the biggest threats for the companies nowadays are social engineering attacks, more specifically, phishing and scam attacks. Therefore, employees are thought to be the first defense line or contrary - the weakest link in the security chain (Alharthi and Regan, 2020; Jain et al., 2016). In other words, people are the greatest threat for companies nowadays (Al-Mohannadi et al., 2018). The success rates of phishing and spear-phishing attacks over the years have increased (Bhardwaj et al., 2020) and therefore it is important to have well educated employees with a high awareness level of risks (Alharthi and Regan, 2020).

Because cybercriminals are constantly coming up with new, creative ways on how to fool people (Vayansky and Kumar, 2018) it has raised a question about how to better protect sensitive information in companies, their employees and networks. For this reason, several studies have been carried out to determine why people actually are falling for phishing and scam attacks to better understand characteristics and reasons behind. Researchers have identified that there are many factors that play a role in susceptibility to phishing, for example, gender (Halevi, Memon and Nov, 2015; Sun et al., 2016; Abdelhamid, 2020), age (Oliveira et al., 2017), different personal traits like risk tolerance (Chen, YeckehZaare and Zhang, 2018) and information processing style (Vishwanath et al., 2018). Yet there are other factors that have not been fully studied, for instance, email load (Sommestad and Karlzén, 2019).

(7)

Email has been the main communication tool in the companies for years, meaning the received, read and sent message amount is growing every year (Stich et al., 2019) and it has been growing even more during the global pandemic of COVID- 19 that started in 2020 (Teevan et al., 2021). Email load in general has been found to increase the stress levels people are experiencing (Stich et al., 2019; Akbar et al., 2019;

Mark, Voida and Cardello, 2012). Moreover, the pandemic in the world has also made its footprint in the information security field. People are mandated to isolate and work from home, likely, from not as secure network environment as it would be in the office (Ramadan et al., 2021). This down-pressing situation when people cannot meet their relatives, travel for a vacation or simply hang out with friends, has also left an impact on their mental state (Shah et al., 2021). Study by Shah et al. (2021) shows that approximately 58% of people have increased indications of high stress during the pandemic.

It is not fully understood whether email load increases susceptibility to phishing and scam emails (Sommestad and Karlzén, 2019). Additionally, how stress, driven from increased email load and other side effects, is impacting the likelihood of falling victim for such attacks. This study tries to fill the gap in this block of knowledge.

1.2 Research Problem

Studies, such as Tiwari (2020) have found that authority, urgency in the malicious emails as well as different personal traits leave a significant impact towards susceptibility to phishing and scam emails. Study was based on a survey, therefore, the future research proposal by the author was to conduct a simulated phishing attack (Tiwari, 2020). Sommestad and Karlzén (2019) meta-analysis study that looked into

(8)

different reasons that increase the risk of falling victim for the phishing and scam emails found that there are few studies made that analyze how email load influences the susceptibility to phishing. To address this lack of empirical studies made on the email load influence (Sommestad and Karlzén, 2019), phishing could be simulated as proposed by Tiwari (2020) but followed up with interview questions around email load to better understand how and if it influences the susceptibility to phishing attacks (Sommestad and Karlzén, 2019). To measure high email load and understand why people may click on malicious links, research could be expanded and addressed through the perspective of stress, since email load is subjective and it would not bring an accurate representation if looking only at the number of emails, instead how people perceive email load. As such, the research question for this thesis is as follows “*How does the email load and stress affect the susceptibility to phishing and scam emails?”.

1.3 Scope of the research

The research was conducted in a controlled environment, namely, in a company with approximately 130 employees. Physical location of the company is Zurich, Switzerland. Company employs people from different countries in Europe, Asia and America. Majority of employees are in the age group from 30 to 45. The main purpose of this study was to understand if and how does the email load and stress affect the likelihood of falling victim to phishing and scam emails. The data gathered through the interviews were analyzed through the theoretical lens of stress, as defined by Kyriacou (2001) - the experience of unpleasant, negative emotions, such as anger, anxiety, tension, frustration or depression.

(9)

1.4 Structure of the Study

The research report consists of six chapters that are described in this section.

Chapter 1 - Introduction, covers the background of study to better understand reasoning why this research was important. It also briefly highlights the ongoing challenges that the study field is facing. Furthermore, it argues why this research was important and relevant as well as gives a scope of research made.

Chapter 2 - Theoretical background, covers theory part of the research.

Concepts of social engineering, more specifically, phishing, spear phishing and scam are explained. Next, a small overview of tools that can be used to mimic phishing attacks are presented to better understand how they work and how they can help.

Chapter continues with the gathered literature overview of different aspects and characteristics of users who are more likely to fall victims of phishing and scam emails.

Lastly, this chapter defines what stress means in this research and covers the previous studies about causes of work stress.

Chapter 3 - Methodology, describes a research process and methodology used to conduct the study. It also argues the reasons why the selected method is used. Chapter starts with an overview of Qualitative research approach and continues with the description of technique used to select interviewees. Next, it describes the interviewee selection phase and environment more in detail. It also highlights the ethical concerns and actions made when the study began. Chapter ends with a detailed description of the interview and transcript process as well as the Thematic Analysis of gathered empirical data used to answer the research question.

Chapter 4 - Analysis of Empirical data, represents several themes discovered from interviews with respondents whilst doing thematic analysis. After interviews were

(10)

transcribed and coded, different common themes were identified. In this chapter answers from interviewees that belong to the recognized themes are shown.

Chapter 5 - Discussion, contains a discussion of the Empirical findings presented in Chapter 4. Chapter starts with a brief recap of the whole study and then moves to a more detailed discussion of Empirical data analysis, comparing results with the existing literature presented in Chapter 2.

Chapter 6 - Conclusion, contains a summary of empirical findings and theoretical contributions. It also points out several limitations of the research as well as suggestions for the possible future research are made.

(11)

CHAPTER 2: THEORETICAL BACKGROUND

This chapter outlines the theoretical part of the study to fully understand the upcoming method used. It starts with the general overview of phishing concepts. Next, it presents and explains different tools that can be used to mimic phishing attacks.

Further, it outlines a gathered literature of studies made on reasons why people are failing to recognize phishing and scam emails. Lastly, the chapter concludes with the definition of stress, what it means in this study, and theory on how the email load is affecting the stress levels for people.

2.1 Concepts of phishing

The attacks when cybercriminals are targeting people, using psychological manipulation techniques are known as social engineering (Jain et al., 2016). Oxford English Dictionary defines social engineering as: “The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes” (Oxford Dictionary on Lexico.com). Because social engineering is taking advantage of human behavior and their emotions, detection and mitigation of social engineering attacks is difficult (Kaushalya, Randeniya and Liyanage, 2018).

It is thought that networks and computer systems over the years have improved and security measures have become relatively reliable (Aldawood and Skinner, 2018).

Therefore, to compromise such systems, it has become a more technical and complex task. For this reason cybercriminals are often making use of social engineering to bypass technical controls by exploiting vulnerable users (Alharthi and Regan, 2020) or

(12)

the “weak link in information security” (Mouton et al., 2014) in order to break into the company's network and steal classified information or even launch a greater attack.

Studies, such as Al-Mohannadi et al. (2018), Mouton et al. (2014) and Kaushalya, Randeniya and Liyanage (2018) agree that the biggest threat for companies nowadays is the internal users, hence, employees themselves who are likely to infect systems unconsciously by browsing some sketchy webpage, downloading infected files or giving away their credentials. There are several subtypes of social engineering, namely, baiting, pretexting, tailgating, quid pro quo and phishing (Kaushalya, Randeniya and Liyanage, 2018). This research is focusing specifically on phishing attacks.

Phishing in general is an email based attack where criminals are using several techniques to trick users into believing that the email comes from a legitimate source, for example, a bank, social networking company or a colleague from a company where the person is employed (Bhardwaj et al., 2020). By definition of Oxford English Dictionary it is: “The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” (Oxford Dictionary on Lexico.com). When using phishing attacks, cybercriminals usually are trying to retrieve from targets information such as usernames and passwords, home addresses, credit card details and other sensitive information (Bhardwaj et al., 2020). Nowadays, the complexity of phishing attacks has risen since criminals are using more sophisticated techniques to trick the user by completely spoofing legitimate websites (Vayansky and Kumar, 2018).

As mentioned, phishing happens through an email. Phishing email delivered to the end user can contain logos and graphics from legitimate companies, convincing the user that the email is real (Vayansky and Kumar, 2018). The concept of phishing is fairly simple - phishing email is delivered to a victim, containing some sort of a weblink

(13)

which is usually in the form of a button; when clicked on the link, victim is taken to a malicious website that is spoofed and looks identical to real one; victim is asked to provide personal information, for example, credit card details, username and password;

once submitted, information is stored on cybercriminal's server (Vayansky and Kumar, 2018). Furthermore, spear-phishing is more tailored to specific groups of people.

Principles of spear-phishing are the same as regular phishing, however, cybercriminals are usually doing some deeper research about potential victims before the attack, gathering publicly available information on the internet, such as their workplace, bank, or websites they visit (Vayansky and Kumar, 2018).

In general, the success rates of phishing and spear-phishing attacks over the years have been increasing (Bhardwaj et al., 2020) especially during the COVID-19 pandemic when phishing attacks peaked (Chokhonelidze, Basilaia and Kantaria, 2020).

Because cybercriminals are implementing new and creative approaches to phishing attacks, making them more qualitative, it is becoming more difficult to distinguish them from real emails (Vayansky and Kumar, 2018).

2.2 Tools used to test employees

Social engineering is one of the biggest threats to companies at the present (Luse and Burkman, 2020). Moreover, phishing attacks are becoming more sophisticated every year (Kanhere et al., 2020). Therefore, it is vital for the companies to educate their employees about threats and increase their security awareness level. One approach is to have regular security awareness trainings that can help to refresh knowledge about threats and techniques that cybercriminals are using (Vayansky and Kumar, 2018).

Another approach, which usually complements security awareness trainings, is real

(14)

simulated phishing attacks made by the company's IT department. Through simulated attacks, companies test and can see how good their employees are prepared for such attacks (Särökaari, 2020). It also helps to tailor security trainings that fit more for the specific company or even separate people groups.

There are several open-source and paid solutions that are available for companies to test their workers. Among the more popular open-source penetration frameworks there are Gophish, King Phisher and Phishing Frenzy (Pirocca, Allodi and Zannone, 2020). There are also more advanced social engineering frameworks that require license, for example, Lucy and Phishing Box.

All of the above mentioned phishing frameworks in general have similar objectives - simulate a phishing attack to see how employees are responding. All of them support features like phishing email creation, modification, statistic gathering and attack scheduling. Still, each framework has its own limitations and companies should choose one that fits the best for them. Usually these testing frameworks can be installed on a local, on-premises server as well as cloud based server. Furthermore, landing pages, where a victim is taken once clicked on the link, can be equipped with a purchased domain name and SSL/TLS certificate (Kanhere et al., 2020).

Tools like these are useful to see the real situation in the company and prepare their employees even better for social engineering attacks.

For this study the Gophish framework was used because the research author was already familiar with this tool and it suited well for the set research objectives - to select participants for the interviews.

(15)

2.3 Related work

User security awareness training in companies is gaining popularity. On one hand, those companies that want to comply with security standards, like ISO 27001 series, NIST 800-53 are mandated to have such user awareness training on a regular basis (ISO - ISO/IEC 27001 — Information security management, 2021; Joint Task Force Interagency Working Group, 2020). On the other hand, studies are showing that more often the biggest threat for the companies are their own employees (Aldawood, Skinner and Alashoor, 2020). This can be explained by the fact that the success rates of social engineering attacks are rising every year and have gone up even more during the global pandemic in 2020 when cybercriminals took an advantage of spreading misleading and malicious emails about COVID-19 and vaccination (Chokhonelidze, Basilaia and Kantaria, 2020). To ensure that the employees are well aware of risks, some firms even have gone one step further and have integrated gamification in their training process to make the whole experience more interesting and more memorable (Corradini, 2020). Organizations have also improved their security policies in order to secure their business continuity to fight against social engineering threats (Aldawood and Skinner, 2018).

Presenting basics on how to recognize malicious emails is one thing, however, more importantly it is to understand exactly what motivates employees to click on the links of phishing and scam emails. Over time, there have been several researches made to determine characteristics like age (Oliveira et al., 2017), gender (Halevi, Memon and Nov, 2015; Sun et al., 2016; Abdelhamid, 2020), human behavior like risk tolerance (Chen, YeckehZaare and Zhang, 2018) and information processing style (Vishwanath et al., 2018) of the vulnerable user when it comes to taking such security risks.

However, there are many, yet unknown and even changing factors that can leave an

(16)

impact on giving a concrete answer on which group of people is the most vulnerable so that companies can pay more attention, for example, by giving them more detailed educational courses or restricting their access to some parts of the network (Sommestad and Karlzén, 2019).

In 2018 Vishwanath et al. created a framework called SCAM (Suspicion, Cognition, and Automaticity Model). In order to be able to explain the reasons why people are falling for phishing attacks, SCAM framework proposes two separate aspects - habitual email use and cognitive information processing. The first part of SCAM framework is referring to habitual email use, where Vishwanath et al. (2018) analyzed one group of people that is processing their emails systematically and other, heuristically. This is a habit that develops over the time. It was found that people with the developed systematic email processing habits are less likely to fall victims to phishing emails, whilst those who review their emails heuristically are in a higher risk group (Vishwanath et al., 2018). This concept is also correlating with user beliefs of their cyber risks. For example, the group of people which tends to think their cyber actions are relatively risky are more often processing their emails systematically (Vishwanath et al., 2018). On the other hand, those in denial who think their cyber actions are relatively safe, are more likely to process their emails heuristically, hence, more often becoming victims of phishing attacks (Vishwanath et al., 2018). The second part of the SCAM framework is about cognitive mediation and how it influences the habitual use of emails. It was concluded that habitual email use is related to the person's capabilities to control their behavior, and the cognitive processing is highly influenced by person’s cyber-risk beliefs (Vishwanath et al., 2018), meaning, habits of email use are more often taking over the cognitive processing abilities. Similar results were found in earlier study by Halevi, Memon and Nov (2015). Those who felt more secure were

(17)

more likely to fall victims of phishing and scam attacks (Halevi, Memon and Nov, 2015).

In 2016 Harrison, Vishwanath and Rao study found that Generalized Communicative Suspicion (GCS) has a correlation with susceptibility to phishing. GCS is a phenomenon that describes a state in which a person believes to be able to recognize a deception in face-to-face conversations (Harrison, Vishwanath and Rao, 2016).

During the study, GCS was not only found to be correlating with the susceptibility to phishing but also to the way how people are processing online information like emails - either systematically or heuristically (Harrison, Vishwanath and Rao, 2016). It was concluded that people with higher levels of GCS are suffering from uncertainty and trust issues and they are processing online information systematically (Harrison, Vishwanath and Rao, 2016). On the other hand, people with lower GCS levels are processing online information heuristically and therefore are more likely to fall for phishing and scam attacks (Harrison, Vishwanath and Rao, 2016).

Many researchers agree that gender is also playing a role towards susceptibility to phishing (Halevi, Memon and Nov, 2015; Sun et al., 2016; Abdelhamid, 2020).

Study conducted by Halevi, Memon and Nov (2015) looked into different aspects of why people are falling for phishing. One of the findings was that female participants were more vulnerable to phishing than their male counterparts (Halevi, Memon and Nov, 2015). Male participants were able to recognize malicious emails better and their security awareness level scored greater overall (Halevi, Memon and Nov, 2015).

Similar findings were discovered by Sun et al. (2016) study where research objectives were to test anti-phishing self-efficacy, internet self-efficacy and anti-phishing behavior between male and female participants. Furthermore, a more recent study was conducted in a health concern by Abdelhamid (2020) which also showed the same

(18)

results - the female participants were more likely to fall for phishing attacks than their male counterparts.

Another aspect that is associated with susceptibility to phishing is age group.

During the research made by Oliveira et al. (2017), it was found that older people are more likely to become victims of phishing attacks, specifically older women. These findings project similar results found in Halevi, Memon and Nov research made in 2015. Another more recent study concluded that younger adults are more careful and suspicious when it comes to recognizing malicious emails (Chen, YeckehZaare and Zhang, 2018). The same study also demonstrated that different characteristics of personality and cyber-risk beliefs have an impact on likelihood of falling victim. False- positive and false-negative decisions were tested and results indicated that people who are intolerant to risky actions are more likely to identify legitimate email as malicious, contrary to those who are more tolerant to risks (Chen, YeckehZaare and Zhang, 2018).

To sum up, there are many factors that determine whether a person is susceptible to phishing and scam emails and there might be even aspects that people have not yet thought of.

2.3.1 Stress

High email load is a subjective for each individual. For one person high email load can be 20 messages per day and for other 100 messages per day. One natural way of how to look at the email load is stress, because high email load has been proven to increase stress level (Stich et al., 2019; Akbar et al., 2019; Mark, Voida and Cardello, 2012) and therefore it is relevant part to understand how email load is being perceived.

(19)

Stress defined by Kyriacou (2001) is experience of unpleasant, negative emotions, such as anger, anxiety, tension, frustration or depression. Similar definition is offered by Skaalvik and Skaalvik (2016). It has also been found that stress makes negative impact on person’s self-esteem (Galanakis et al., 2020). Stress can be caused from several factors, such as tight deadlines, heavy workload, high demands, personal issues and others (Chen and Miller, 1997). In simple words, stress is the reflection of cognitive processes leaving an impact on how people are responding to ordinary as well as extraordinary conditions in their life (Robinson, 2018). It is individuals psychological state of mind that changes perception of the environment they are in and emotional experiences of it (Cox, 2007). In order to understand how people perceive the world, Cox (2007) suggests to focus on individuals emotional answers.

2.3.2 Stress caused by email load, isolation and remote work

Since this study examines the research through the theoretical lens of stress as defined by Kyriacou (2001), it is important to understand how stress correlates with the email load and what are the side effects that can increase stress.

Nowadays when the majority of a company's workflow, job delegation, contract negotiation and communication with partners and clients relies on emails, the load of received, read and sent emails is growing every year (Stich et al., 2019). Especially during the ongoing pandemic situation in the world when even those people who did not use email that much are now mandated to work from home and use email as their daily communication channel with their colleagues (Teevan et al., 2021).

(20)

Many researches show that increased email load and nowadays even overload leaves a strong impact on the stress level people are experiencing (Stich et al., 2019;

Akbar et al., 2019; Mark, Voida and Cardello, 2012). It has been found that high email load increases psychological strains as well as negative emotion development.

Furthermore, it leaves an impact on employees' performance in work related tasks that can further turn into anxiety (Stich et al., 2019).

Several studies have found clear relation between stress levels and email amount. For instance, Mano and Mesch (2010) study found that fewer emails per day decreases stress level employees are experiencing. Another study revealed that dismissing emails for five days and focusing purely on the work tasks lowered the overwhelming feelings of stress (Mark, Voida and Cardello, 2012), suggesting that emails in general are increasing the stress for employees. Stich et al. study conducted in 2019 found similar results as well.

Still, there are other aspects that influence people's stress level considering emails. For example, time spent answering messages. Akbar et al. (2019) study found that people have lower stress if they are answering emails slowly. Hence, demand for a quicker communication increases measures of stress.

Another finding related to the email load is that interruptions during the ongoing work increase stress levels. Study tested two techniques for processing emails - regular or instant response and batching, meaning when emails are checked all in once, several times per day. During this research a thermal camera was used to measure the stress level. It was concluded that if batching technique is not used, there are more interruptions that lead to higher stress levels (Akbar et al., 2019). The authors also found that stress can additionally be caused by high demand and commitments at work,

(21)

deadlines or tension at home (Akbar et al., 2019). Even multitasking increases stress levels, which is a common work style these days.

Based on the discussions found in previous studies, it seems that there is a correlation between high email load that leads to greater demands, multitasking and higher stress level.

Isolation during the global pandemic of COVID-19 has also left an impact on human behavior (Shah et al., 2021). Lack of social interaction with colleagues was found to correlate with stress levels people are facing. During Shah et al. (2021) research, 57.4% of participants had clear signs of high stress levels. Seemingly a simple conversation during a coffee break or a quick talk before a face-to-face meeting makes people feel more comfortable and less tense. As during the global pandemic of COVID- 19 these activities are not possible, stress and the feeling of being isolated is certainly increased to majority of people (Teevan et al., 2021). Furthermore, people who do not feel the support from their managers, for instance, by having a face-to-face conversation, more often experience negative emotion development that leaves an impact on their physical and mental state (Teevan et al., 2021). In short, currently with the ongoing global pandemic of COVID-19 situation people are feeling more stressed than ever. This is caused not only by the increased email load but also from the lack of social interaction with their colleagues and isolation.

(22)

CHAPTER 3: METHODOLOGY

In this chapter a research process and methodology used to conduct the study is described. It also argues the reasons why exactly this specific method was used.

Chapter starts with an overview of Qualitative research approach. It continues with the description of the process of how the respondents for the interviews were selected. Next it describes more in detail the selection phase and environment used. It also highlights the ethical concerns and actions made when the study began. Chapter ends with a detailed description of the interview and transcript process as well as the Thematic Analysis of gathered empirical data used to answer the research question.

3.1 Qualitative Research Approach

A qualitative research approach in general is used to study some phenomenon, typically focusing on people's behavior and experience (Basias and Pollalis, 2018). A qualitative approach does not cover numerical, mathematical or statistical studies, which is contrary to quantitative research approach that looks into frequency of specific phenomenon. It can also be described as series of interpretive techniques that usually are trying to find an answer to a research question through decoding and translating theory of a particular phenomenon (Basias and Pollalis, 2018). Moreover, qualitative research questions are formulated with How, What, Where and When types of questions (Hennink, Hutter and Bailey, 2020). Therefore, because the question of this study is

“How does the email load and stress affect the susceptibility to phishing and scam emails?”, it was decided that a qualitative approach is the most suitable and should be used to make this research by conducting semi-structured interviews.

(23)

3.2 Selecting interviewees

Sampling or participant selection in qualitative research usually is small and focused, hence, non-random and is purposeful (Merriam, 2009). In order to select participants for the interviews in this research, the Quota Sampling method was used.

Inspiration for this part of research was taken from a suggestion of the future research by Tiwari (2020), where the author proposed conducting a real-life simulated phishing attack in a company.

According to Dudovskiy (2018), the Quota Sampling method can be used to gather data from a specific group of people that represents definite characteristics in the population. In this study the characteristic is a susceptibility to phishing attacks.

The research author selected a company with approximately 130 employees where the study was conducted. For the security reasons the name of the company is not disclosed. In this paper the company is called “X” to hide and protect its identity.

In order to find respondents for the interviews, several simulated phishing and scam attacks, also known as phishing campaigns, were launched in agreement with the company (see section 3.2.2). Attacks were carried off with the Gophish framework, a tool that allows to generate and send out phishing emails with landing pages, register information about users who opened the email, clicked on the malicious link, as well as collect any submitted information. This part of the research took approximately one month. Three different types of phishing attacks were launched within the company

“X”. Each of the phishing campaigns was active for one and a half weeks, which was enough time considering that some people might be on vacation. Attacks were launched between the 3rd of February and the 12th of March, 2021.

(24)

As previously stated, the goal of these phishing campaigns was to select people for the interviews. Those who did fall for simulated attacks were asked to participate in the interview process of this study.

3.2.1 Gophish Environment

In order to simulate real-life phishing and scam attacks, a platform called Gophish was used. Gophish is a well-known open-source tool that is being utilized by various companies to test their employee’s behavior once phishing or scam events occurs (Särökaari, 2020). In this particular case Gophish was installed and configured on a Linux Ubuntu 18.04 LTS virtual machine. To make phishing and scam emails, also known as campaigns, look legitimate, three domains were purchased for the purpose of hiding the IP address of the Gophish host machine.

In order to cover different scenarios of phishing and scam attacks, three different campaigns were used, expecting that it will increase the success rate of the campaigns. First campaign was trying to lure in users to register for a lottery with a prize of a new iPhone 12 Pro. This campaign was using domain register.win-prize.de.

Second campaign was targeting users to expose their social media portal LinkedIn.com login credentials. Respectively, for this campaign domain name linkedin.account- verification.de was used. Last campaign aimed to expose users' corporate account login credentials. Therefore, a domain that is similar to the real one was purchased. Instead of using “.com”, the phishing domain ended with “.co”. For security reasons, this domain name is not outlined in this paper, because it might expose the real name of the company.

(25)

To make this experiment safe for all employees in the company “X” and additionally gain their trust, all landing pages where users were expected to submit their credentials were equipped with the SSL/TLS certificate to encrypt traffic upon submission of information. Whilst cybercriminals are using more sophisticated phishing techniques to attack, it is becoming also more dangerous, since phishing emails are more often equipped with SSL/TLS certificates giving an impression of legitimate website (Särökaari, 2020). One of the reasons is that “Let's Encrypt” is offering a free SSL/TLS certificate valid for 90 days (Särökaari, 2020). In this study the same SSL/TLS free certificate from “Let's Encrypt” was used.

In addition a Google Workspace suite was subscribed to so that senders’ email could be hidden with the registered domains.

3.2.2 Ethical consideration

Before launching phishing attacks to the company's “X” employees, some ethical aspects of this research had to be addressed, since it might lead to legal issues (Hennink, Hutter and Bailey, 2020). To perform this research a “Statement of Ethics”

(shown in the Appendix A) was issued, where step-by-step actions were described. This statement of ethics was approved by the company's “X” CEO and CTO.

Furthermore, because the actual phishing server was hosted on the company's

“X” network and it had a public IP address owned by the company, in order to allow the phishing server to be reached from the outside of the corporate network, the Internet Service Provider (ISP) was informed about this educational experiment. This was done

(26)

in order to prevent IP address blacklisting, because people might report the sender as a malicious content spreader with the intent of phishing.

After all simulated phishing attacks were finished and selection for interviewees was done, all employees of the company “X” were informed about the ongoing study.

Anonymity was guaranteed for those who did fall victims.

3.2.3 Phishing campaigns

3.2.3.1 iPhone 12 Pro campaign

The very first phishing campaign or simulated attack in the company “X” was made with the intention to make users click on the malicious link. Already by simply clicking on the link in some attack scenarios might be dangerous, because it could launch an infected script, installing malicious software without any notice. In this particular case, an email claiming to be from a lottery company was sent. In the email it was mentioned that 1000 pieces of the new iPhone 12 Pros are the giveaway prize.

Everything that a user had to do to enter the lottery was to click on the button and provide their first name, last name, email address and home address.

This email was sent out to 132 people. Only 1 person clicked on the link that redirected to the landing, submission page. However, this user did not submit any details.

3.2.3.2 LinkedIn campaign

Second phishing attack was sent out claiming to be from the social media portal called “LinkedIn”. In this campaign it was mentioned that “LinkedIn” has recognized

(27)

some suspicious actions from the user's profile, therefore, security notice is pushed and their account is blocked. Users were asked to verify their accounts within 24 hours before it gets completely suspended from this social media portal. It was believed that the urgency factor in the email will increase the success rate of phishing as suggested by Tiwari (2020). Once clicked on the “Verify account” button, the user was redirected to a phishing landing page that looked the same as the regular login web page of LinkedIn. Users were asked to provide their email address and password in order to verify their account.

Same as in the previous campaign, this phishing email was sent out to 132 people. The click rate on the malicious link, however, was higher than on the iPhone 12 Pro campaign. From all delivered messages, 4 people clicked on the link.

Furthermore, 1 person also submitted credentials from his “LinkedIn” account.

3.2.3.3 Password reset campaign for internal systems

Last campaign was claiming to be from the IT department of the company “X”.

This campaign covered a scenario when someone's emails are stolen, hence, in the phishing email users were able to see previous messages about server upgrade. It was thought that this fact will increase the trust level for employees to believe that email was indeed legitimate (Tiwari, 2020). Campaign claimed that, because of security reasons, the IT department has decided that everyone have to change their password after the server was upgraded. The email provided a seemingly legitimate link that usually is used for resetting internal system passwords in the company “X”, however, once clicked, it redirected users to the phishing landing page which again looked exactly the same as the original web page.

From the very beginning this phishing campaign was expected to be with the highest success rate since it was related to the internal systems. Because of previous

(28)

experience with the unplanned “whistleblowers” who announced publicly in the corporate chat channel that they have received a phishing email, it was decided to exclude these people from the receivers list to increase potential success rate even more.

In this case, the final number of sent emails was 110. In total 7 people clicked on the malicious link and 6 users submitted their credentials.

Results of all phishing campaigns are gathered in the Table 1 below.

Name of the campaign People clicked on the link People submitted data

iPhone 12 Pro 1 0

LinkedIn 4 1

Password reset for internal

systems 7 6

Table 1 - Summary of phishing campaign results

3.3 Primary data collection - Interview Method

Once the selection of potential interview participants was done, it was time to conduct the actual interviews. Interviews are one of the primary tools used to collect data in Qualitative research (Merriam, 2009). Questions used in the interviews were semi-structured and open-ended in order to collect empirical material. According to Khan (2014), face-to-face interviews are suitable for analyzing some sensitive topics like employees perception and human behavior, in order to extract more detailed, yet sensitive information about some phenomenon. In this study, falling victim of a phishing attack is indeed a sensitive topic, since failing to recognize an attack and giving away user's credentials can cause financial and reputation damage to the company (Ekandjo, Jazri and Peters, 2018). Therefore, interviews had to be conducted

(29)

face-to-face and at the same time stay anonymous in order not to damage employees' reputation.

From 7 people who were identified as victims, one person was removed from potential interviewees list because, although he did fall for phishing, he did so with the intention to investigate malicious content and not because of having fallen victim to a phishing email itself. All other 6 people who did fall for simulated phishing attacks were asked to participate in the interview process through an official email. Full anonymity in the company and also in this research document was guaranteed as part of ethical considerations (Dudovskiy, 2018). Since it is not possible to force people to have an interview, two people decided that they do not wish to participate in this study and declined the invitation for the interview. Due to the restrictive conditions of COVID-19, interviews with other four participants were conducted remotely and in an out-of-office time over the digital collaboration platform “Zoom”. Suitable time slot for the interview was communicated through the email. Interviews lasted from 26 minutes up to 45 minutes, depending on the answers given by respondents. Interviews were conducted from the 15th till the 20th of April, 2021. Before the interview began, each respondent was informed about the aims of the research as well as a consensus to record the interview for further analysis was asked. As stated before, for security matters, the name and job title of the respondent is not presented in this paper. List of conducted interviews, respondents’ pseudonyms, gender of the respondents, length and date of interviews are presented in the Table 2.

(30)

Respondent Gender Length of the

Interview Date

A Male 26 Minutes 15.04.21

B Male 22 Minutes 15.04.21

C Female 24 Minutes 16.04.21

D Male 45 Minutes 20.04.21

Table 2 - List of conducted interviews

3.3.1 Interview process

Once agreed on a suitable time slot, each respondent received an invitation link for an online meeting in the digital collaboration platform “Zoom”. Right at the beginning of the meeting, each respondent was asked for consent to record the meeting for the purpose of further analysis, e.g., transcript and coding. All respondents gave their permission to record the interview. This was beneficial, because it allowed the interviewer to focus more on the interview itself, without taking additional notes (Halcomb and Davidson, 2006). Respondents were once again informed about the aims and objectives of the study. Furthermore, it was stated that their identity will not be disclosed in the research report, nor within the company “X”. Questions asked mainly were open-ended with an intention to make a discussion to understand given answers more in depth as well as to avoid leading questions (Dudovskiy, 2018). An interview guide (showed in the Appendix B) was prepared beforehand and questions were developed based on the theory around susceptibility, email load and stress, discussed in the Chapter 2. Questions were asked in a sequence, following the interview guide, however, if needed, jumping between questions was not forbidden, since it allowed a

(31)

smoother flow of the interview as well as deeper understanding of the answers. At the end of each interview, respondents were asked to do a “self-valuation” to estimate their own perceived level of stress in compassion with the answers they gave to get a fairer picture of the situation. The evaluation of stress level scale was from 0 to 5 where 0 is no stress at all and 5 is extremely high stress. Before the interview was finished, respondents were asked if they want to give any final comments about their answers.

3.3.2 Transcribing interviews

Interviews were transcribed verbatim that allowed the research author to get closer to the gathered data for further analysis (Halcomb and Davidson, 2006). Sounds that were not relevant, such as “mmm”, “uh”, “aam” were skipped to improve textual sentence formatting. The interview transcript process was completed right after each conducted interview. This helped to understand if there are any quality issues with the gathered data or interview questions and correct them before the upcoming interviews (Hennink, Hutter and Bailey, 2020). To transcribe interviews, an online tool called

“oTranscribe” was used which enabled functions such as speed adjustment of the audio recording as well as jump back and forward to a specific time stamp.

3.3.3 Thematic Analysis

Thematic Analysis was chosen to suit the best for the gathered empirical data because of its flexibility during the analysis process (Terry et al., 2017). Thematic

(32)

Analysis was conducted following the six phases suggested by Terry et al. (2017) which include Familiarisation with the data, Coding, Theme Development, Theme Reviewing, Defining Themes and finally Producing the Report. All six phases are described more in detail in this chapter.

1. Familiarisation

Familiarisation phase is the entry point of the whole analysis. It is necessary to engage and grasp insights of the gathered information to fully understand the meaning of the data (Terry et al., 2017). Whilst going through the whole dataset, the research author noted down some comments, interesting ideas and patterns in each interview that helped to develop codes later on. The Familiarisation was done in several cycles to make sure important information was not missed.

2. Coding

During the next phase of Thematic Analysis, information that is relevant to the research question was coded using an inductive approach. Based on the comments, noted ideas and patterns in the previous phase, the research author assigned meaningful codes to those segments of data that can help to answer the research question. Codes were developed by using that definition of stress (see section 2.3.1) to help interpreting the answers received. Furthermore, if the same code name was relevant to the data segment mentioned in different parts of the interview, it was used to tag and link those data segments to find more insights of the information.

(33)

3. Theme Development

Once the coding was done, all the codes were written out and it was time to try to find any similarities between them by clustering several codes into one topic.

To avoid too high granularity of themes but rather making them deeper, one central concept was identified that helped to determine what the theme's idea is about. It also helped to evaluate if one or another code belongs to this central concept. After several codes were clustered, a candidate theme or provisional theme name was given to each cluster.

4. Theme Reviewing

Throughout the Theme Reviewing phase, provisional themes were checked to verify if the selected data sets that belong to each candidate theme are meaningful to the central concept (Terry et al., 2017). If some of the linked codes or parts of the data set were identified to be applicable for more than one theme, the provisional theme was revisited once more and the transcript of the interview was checked to verify validity. Moreover, it was important to check if each of the candidate themes is distinctive, yet linked with each other in order to help tell the story to answer the research question (Terry et al., 2017).

5. Defining Themes

Once the review and refining of the potential themes was completed, three main themes were decided on to be used for the report phase of the analysis. Each of the themes were once again verified by writing a short abstract that helped to see if the theme is not too thin (Terry et al., 2017). Next, for each theme, a name

(34)

or a title was defined that gives an idea of the content found within the theme.

The final theme map is presented in Figure 1.

Figure 1 - Final theme map

6. Producing the Report

The final phase of Thematic Analysis was to produce the report. It can be found in the next section of this document, “Chapter 4: Analysis of empirical data”. It is divided into three sub-sections representing each selected themes. Under each of those sub-sections answers given by respondents help to come to the resolution of the research question presented.

(35)

CHAPTER 4: ANALYSIS OF EMPIRICAL DATA

This chapter represents several themes discovered from interviews with respondents whilst doing Thematic Analysis. After interviews were transcribed and coded, several codes were merged and a theme name was given. In total three main themes were identified. They are based on topics like email load and stress; workload and meetings;

additional factors from private life that increase stress.

4.1 Email load that increases stress directly and indirectly

All interviewees agreed that email load has increased lately, mainly because of government rules for working from home, however, not all respondents thought that it comes with a higher stress. Some respondents admitted that they rather see it as an indirect factor for stress and one respondent mentioned that email load is not bothering him.

Respondent “A” admitted that email load has increased because of the current situation with remote work. He estimated that on average there are approximately 50 new emails every day in his inbox, stating that he used to have more in previous company, therefore, he is used to a high load of emails. However, he explained that not only remote meeting requests are a big part of his inbox, but also regular emails have become much quicker, meaning they are used more like a chat service that requires fast response and it increases the stress:

I think there is a trend to write what you think right away and use it kind of like a chat service. [...] It would usually be an immediate response. From this point

(36)

of view you really have to keep up the pressure so that you do not lose time on communication.

Respondent “A” evaluated his stress level at 4 on a scale from 0 to 5 (where 0 is no stress and 5 is extremely high stress).

Second respondent “B” has also noticed email load increase but he thinks that it is more likely to come from the fact that his professional position was changed and now he is required to engage more into new projects. Respondent estimated that he receives approximately 100 new emails per day, stating that it is a lot, however, he felt like it does not affect much his stress level:

Between my work and private account I receive probably a hundred, hundred plus emails per day. It is more than before when I was in my previous position.

Then I was getting probably like 30-40 emails. Now it has definitely increased by factor two or more. [...] It is annoying. Maybe it is stress, but sort of a low level stress.

Later on during the interview he elaborated that a big part of his emails are irrelevant messages that come from the scientific and academic community. He felt like the volume of emails play an indirect role to his stress levels:

I noticed as I became more integrated in the scientific and academic community I started to get a lot of irrelevant emails from conferences and journals. Like lots of noise. And I get more and more of this noise. It is annoying. It is for sure quite distracting during the day. [...] I would not say that emails themselves make me feel under pressure, but I do feel pressure to achieve goals of the projects that I am currently working on and, absolutely, dealing with the volume of emails that I receive is a huge time sink and a distraction. Therefore it indirectly increases the stress.

Respondent “B” evaluated his stress level at 3.5 on scale from 0 to 5 (where 0 is no stress and 5 is extremely high stress).

Similarly, respondent “C” also noticed that email load is increased with lots of irrelevant emails. However, this is not increasing the stress level because she is not worrying about having an empty inbox:

(37)

I have perhaps noticed an increase in the number of emails from large businesses, for example, booking.com with offers for special deals, and small businesses, like my optician, urging me to make an appointment to have my contact lenses checked, hoping to drum up business. [...] I am not one to worry too much about having an empty inbox.

Same respondent admitted that the load of emails are usually making her do multiple things at once and therefore she can be easily distracted. For the stress level evaluation question, the respondent said that she does not feel stressed, giving herself mark 1 on scale from 0 to 5 (where 0 is no stress and 5 is extremely high stress).

Respondent “D” mentioned that email load has increased a lot because of the nature of his work. He used to have several face-to-face meetings per day and now the majority of these conversations are handled through the email because of the global pandemic. Furthermore, he said that also time when emails are delivered has changed that puts him under pressure:

The email load has increased a lot! I receive emails very late in the evening or early hours. So a lot has changed during the pandemic with the respect to the email. Not only the load has increased but also the time when the rate peaks.

It might be in the evening instead during the day. [...] I am always stressed when I have emails in my inbox, and I do not archive them to my local folders.

Furthermore, he elaborated that due to the switch from face-to-face meetings to email conversations, he has noticed that style of emails in some cases are changed to have less structure, which makes him feel nervous and anxious:

Young people are a bit confused between different digital means of communication. They write their emails like they are on messaging apps. [...]

They are ignorant of code of practices. I do not like when I have to look for more details. I get nervous and anxious and sometimes angry that I have to look for the purpose of the email.

When asked about stress level evaluation, the respondent “D” answered that currently he is experiencing level 5 stress on scale from 0 to 5 (where 0 is no stress and 5 is extremely high stress).

(38)

This section highlights that the majority of interviewees are suffering from high to extremely high stress caused directly or indirectly from high email load. One respondent said that, although he used to have more emails in previous job, he feels more stressed now because the email is being used for quicker communication, like a chat service. Majority of respondents answered that the email load lately, due to the global pandemic, has increased. Two of these interviewees explained that it is causing them to go under stress, however, for different reasons. One respondent mentioned that filtering and sorting emails takes a lot of his time that could be used for projects instead.

The other respondent mentioned that now meetings that were handled face-to-face are being transferred into emails. Moreover, new emails are being received in non-standard hours, filling up the inbox which increases stress for this interviewee. Although one respondent mentioned that email load has increased, she stated that she was never stressed over unread messages in her inbox. To sum up, majority of respondents feel stressed because of their email load.

4.2 Tight deadlines that require more meetings, putting people under pressure

All interviewees were questioned about current workload and meetings, specifically, remote meetings and how they are handled. Respondent “A” mentioned that he is having a tight deadline in September that comes with a lot of pressure:

We have a tight deadline in September when this new product must be ready.

We have to do complete documentation, that is quite a big task. [...] I think this will be a really tough time until autumn. [...] My team keeps targets and standards high that comes with a lot of pressure to finish projects on time.

Interviewee “A” elaborated that communication is quick and it is much needed to be aligned on ideas of the project. Because of the pandemic, usually communication

(39)

happens through the email or remote collaboration platforms like “Zoom” or “WebEx”.

However, respondent admitted that it is better to have face-to-face meetings:

It is always good to have face-to-face meetings if you really want to build that trust and relationship. For this reason we do have face-to-face meetings from time to time.

Respondent “B” stated that currently he is more integrated in several projects with tight deadlines that increase the stress. As for the communication with his team, he mentioned that he is having regular remote meetings per day, sometimes even multiple times per day. He prefers face-to-face meetings because of easier interaction but with the ongoing pandemic situation he feels stressed when having one:

About once a week I go for face-to-face meetings. I prefer face-to-face but I am a bit hypochondriac and right now because of external circumstances of COVID-19 I do not like having face-to-face meetings because of the additional feeling of stress, putting myself or somebody else at risk.

Respondent “D” stated that currently it is a very busy period in his professional life. Workload, demands for quick communication and resolution is high:

I am very busy I would say. I have a colleague who has a problem. The other day we had a remote session and I could not understand what was wrong. Now I have to look at it myself but I have to do it fast because the deadline is coming soon. So it is a pressure and stress.

He then elaborated that remote meetings are not his preference because of effort and time they require:

Meetings now are very difficult. I prefer to be in the office. I have this space where I can collaborate with my colleagues. [...] It is more difficult to have meetings remotely. You need more effort to explain things to people. Face-to- face is always easier, because we can interact, they can interrupt and ask questions. It is very important to have face-to-face interaction. Yes, it is much more effort. I hate that now all the meetings are remote. It is annoying that I have to spend double the time explaining things, more time and more effort.

This section highlights that the majority of respondents are also being stressed because of high demands of their projects and tight deadlines. In addition, to coordinate

(40)

their projects, they need to have regular remote meetings with their teammates.

However, all respondents admitted to prefer face-to-face meetings because of easier communication as well as building up a better relationship. One respondent mentioned that although he likes to see his colleagues face-to-face, he feels stressed doing that now because of COVID-19. Another respondent stated that it takes more effort to explain things over remote calls and estimated that he spends double the time for simple things that puts him under pressure because of having already tight deadlines. To sum up, all factors like, tight deadlines, the global pandemic that has already increased the email load by itself and remote meetings, make people even more stressed, because it is more difficult to communicate with their teams and challenges in communication take away precious time for actual project execution.

4.3 Various personal issues that increase stress

During the interviews, respondents were asked if there are any events, personal reasons that have affected their mood and caused stress levels to increase. Respondent

“A” admitted that the past year and a half has not been easy for him and he still feels the consequences:

I was required to change my job twice during these COVID-19 times. This was quite a challenge and stressful, and it is still quite distracting. I have to gain back my self-confidence again.

Respondent “B” explained that he becomes stressed when meeting people during the pandemic time, therefore he and his family has decided not to see anyone until the situation is stable:

Personally I have a touch of hypochondria so I am even against going out in public. I am kind of... try to avoid going into public and try to be responsible, do the right thing, at the expense of my social life. But yes, I would say that I am fairly stressed out because of that.

(41)

Next, respondent “C” explained that she feels restricted. She has made a decision that she will not travel, before she gets vaccinated against COVID-19 virus:

I have not been vaccinated yet. I am a bit anxious about that. I do check the numbers every day to see what is happening. I have made a decision that I will not travel before I get vaccinated. So it is a bit restrictive. [...] The couple of times I have been in the city now, there are so many people that it makes me feel stressed.

Also respondent “D” pointed out that he is feeling stressed because of the ongoing situation of pandemic. He stated that the fact that he is working from home is distracting, makes him feel like private life and work is mixed up and all days are the same:

I feel confused, because I cannot discriminate between my living space and working space. I have to do a lot of teleworking. Most of the time I spent at home. So there is no discrimination between working and living space and this creates a lot of confusion, because while you are working and looking at emails, for example, you might have to prepare a snack for kids, or you might have to answer a doorbell because it is a cleaning lady for the steers. So your tasks for your job, they mingle with your task for your private life. You get a lot of distraction from your work very often. I cannot discriminate all the days. All the days are the same for me, because I live and work here. I do not come back from the office, all the hours are the same. I receive emails throughout the weekend.

There is no weekend anymore.

He then elaborated that this confusion and constant distractions are bugging him.

Limited options for workspace is additional factor that increases stress:

Things are constantly popping in. It is like my inbox. People all the time expect something from me. This creates a lot of stress for sure. Kids are doing their education from home. My wife is in the other room also working. So that is why I am in the living room because we have a limited number of rooms in our apartment. Everybody is in front of the computer. Yes, it is full stress at the moment when we are working from home.

This section highlights that there are different personal factors that increase stress for people, however it all comes down to one source - COVID-19. During the global pandemic one respondent had to change jobs twice. He felt like he has to gain back self-confidence because of that and he still feels distracted over the days. Lack of

(42)

vaccines and social isolation also puts people under stress. With social isolation, working from home is mandated and because of that one respondent expressed that he feels stressed since he lacks the private space, when all the family is at home, working and studying. To sum up, personal stress increasing factors are coming mainly from the current situation in the world but for each respondent it projects slightly differently.

Email load and stress impact on susceptibility to phishing and scam emails