
Today's most common and best-known email attack is certainly phishing, which deceives users into performing malicious activities by making forged emails look authentic. Despite great technical efforts to prevent such attacks, email providers still struggle to filter out all fraudulent incoming emails. We should therefore train users not to fall into phishing traps, preparing them for situations where the user is the last hope, i.e., when a phish passes the layered technological defenses and reaches users' inboxes.
To get users to participate actively in email security, the university's security team, SIU, has been carrying out simulated phishing campaigns targeting its employees. In such campaigns, artificial phishing emails are generated and sent to employees to create a realistic environment. The purpose is to reduce human susceptibility and to encourage employees to report suspicious emails, so that their improved awareness can help SIU respond quickly to phishing attacks. This study will focus on the latter goal, reporting. Namely, it aims (1) to identify the difference between the university's objective of motivating more employees to take part in reporting through simulated phishing campaigns and the employees' actual level of awareness of reporting phishing emails, and (2) to explore insights into how to handle this discrepancy between the ideal and the reality of reporting.
There are 20 questions in this survey.