ABSTRACT
While phishing has evolved over the years, it still exploits one of the weakest links in any information system — humans. The present study aims to describe who the potential phishing victims are. We constructed two types of phishing messages that represented two basic categories of phishing e-mails: regular and spear-phishing. In cooperation with the IT management of a municipality in the southwestern region of the United States, we sent these messages to the municipality’s employees and collected demographic data about individuals employed by the organization. We then applied eight supervised learning methods to classify the municipality’s employees into two groups: phished and not-phished. Our results indicate that spear-phishing yields a significantly higher response rate than regular phishing and that some machine learning methods yield high classification accuracy in predicting phishing victims. Finally, we discuss the results and their future implications.
Data availability statement
Due to the nature of this research, the municipality from which the data were obtained did not agree for their data to be shared publicly, so supporting data are not available.
Notes
a The FLSA prescribes that most employees in the U.S. are to be paid at least the federal minimum wage for all hours worked and overtime pay at not less than time and one-half the regular rate of pay for all hours worked over 40 hours in a workweek.[47] Exempt employees are not eligible for overtime pay, while nonexempt employees are subject to the overtime provisions of the FLSA.
b Note that figures listed in and were obtained after the SMOTE algorithm had already been applied, so they do not reflect the actual numbers.