Spear Phishing Simulation in Critical Sector: Telecommunication and Defense Sub-sector

Ahmad Syukri Abdullah, M. Mohd
2019 International Conference on Cybersecurity (ICoCSec). Published 2019-09-01. DOI: 10.1109/ICoCSec47621.2019.8970803 (https://doi.org/10.1109/ICoCSec47621.2019.8970803)
Citations: 6

Abstract

Phishing is an attack that uses social engineering techniques to steal users’ confidential information, such as passwords and banking information. It happens when cyber criminals disguise themselves as a trusted entity and deceive users into clicking on fake links in e-mails they receive. Cyber criminals also shift the target of phishing attacks from individuals to organizations in a country's critical sectors; this is known as spear phishing. In fact, the telecommunication sector is one of the main targets of cyber criminals who use spear phishing attacks to obtain user-sensitive information. The main objective of this work is to identify the level of cyber security in an organization under the telecommunication sector and defense sub-sector by using an existing general simulation procedure. The procedure is adapted and modified according to the organization’s working environment. The first simulation was conducted on June 4, 2018 and involved 39 employees. Findings showed that none of the respondents responded to the spear phishing e-mails they received. In fact, the results of the questionnaire conducted after the end of the simulation found that all respondents were able to identify all indicators in the spear phishing e-mails quickly and easily. This proves that the level of cyber security awareness and knowledge in the population is high. The second simulation was conducted in stages, from October 29 to November 15, 2018, using a different approach. Of the 39 e-mails sent, 12 respondents (31%) responded to the received e-mail by clicking on the link in the e-mail content. Based on the results of this second simulation, the spear phishing attack was successfully implemented, which proved that the new simulation procedure can be used in the telecommunication sector and defense sub-sector.