Email load and stress impact on susceptibility to phishing and scam emails - Emils Rozentals

Email load and stress impact on
susceptibility to phishing and scam emails

                          Emils Rozentals

        Information Security, master's level (120 credits)
                              2021

                       Luleå University of Technology
        Department of Computer Science, Electrical and Space Engineering
ABSTRACT

Research Question       How does the email load and stress affect the susceptibility to
                        phishing and scam emails?

Methodology             The study was conducted with a qualitative research approach.
                        Semi-structured interviews were selected for data gathering, and
                        thematic analysis was used to analyze the empirical data.

Theoretical Framework   This research studied whether a high email load affects the
                        likelihood of falling victim to phishing and scam attacks. The
                        research was examined through a theoretical lens of stress, since
                        high email load is subjective for each individual, and stress rate
                        shows better how people perceive their email load.

Conclusions             Findings suggest that, for the majority of people in this study,
                        high email load does increase susceptibility to phishing and scam
                        emails. Furthermore, those people with a high email load who
                        process their emails heuristically rated their stress higher than
                        those with a high email load who process their emails
                        systematically. Therefore, the results indicate that there is a
                        relation between high email load, stress and susceptibility to
                        phishing and scam emails. In this study, the majority of
                        respondents described high stress as a factor that played a role
                        in their susceptibility to falling victim to phishing and scam
                        emails.

Keywords                Phishing, scam, email load, stress, workload, COVID-19
ABBREVIATIONS

CEO - Chief Executive Officer

CTO - Chief Technical Officer

ISP - Internet Service Provider

SSL - Secure Sockets Layer

TLS - Transport Layer Security

SCAM framework - Suspicion, Cognition, Automaticity Model

GCS - Generalized Communicative Suspicion

NIST - National Institute of Standards and Technology

ISO - International Organization for Standardization

IP address - Internet Protocol address

COVID-19 - Corona Virus Disease 2019 caused by SARS-CoV-2
TABLE OF CONTENTS

CHAPTER 1: INTRODUCTION                                            5

 1.1 Background of the Study                                       5

 1.2 Research Problem                                              6

 1.3 Scope of the research                                         7

 1.4 Structure of the Study                                        8

CHAPTER 2: THEORETICAL BACKGROUND                                 10

 2.1 Concepts of phishing                                         10

 2.2 Tools used to test employees                                 12

 2.3 Related work                                                 14

   2.3.1 Stress                                                   17

   2.3.2 Stress caused by email load, isolation and remote work   18

CHAPTER 3: METHODOLOGY                                            21

 3.1 Qualitative Research Approach                                21

 3.2 Selecting interviewees                                       22

   3.2.1 Gophish Environment                                      23

   3.2.2 Ethical consideration                                    24

   3.2.3 Phishing campaigns                                       25

      3.2.3.1 iPhone 12 Pro campaign                              25

      3.2.3.2 LinkedIn campaign                                   25

      3.2.3.3 Password reset campaign for internal systems        26

 3.3 Primary data collection - Interview Method                   27

   3.3.1 Interview process                                        29
   3.3.2 Transcribing interviews                                                 30

   3.3.3 Thematic Analysis                                                       30

CHAPTER 4: ANALYSIS OF EMPIRICAL DATA                                            34

 4.1 Email load that increases stress directly and indirectly                    34

 4.2 Tight deadlines that require more meetings, putting people under pressure   37

 4.3 Various personal issues that increase stress                                39

CHAPTER 5: DISCUSSION                                                            42

CHAPTER 6: CONCLUSION                                                            47

 6.1 Empirical Findings                                                          47

 6.2 Theoretical Contribution                                                    47

 6.3 Research Limitations                                                        48

 6.4 Future Research                                                             49

BIBLIOGRAPHY                                                                     51

APPENDICES                                                                       57

 Appendix A - Statement of ethics                                                57

 Appendix B - Semi-Structured Interview Guide                                    59
CHAPTER 1: INTRODUCTION

1.1 Background of the Study

        Studies such as Aldawood, Skinner and Alashoor (2020) and Bullee and Junger (2020) agree that one of the biggest threats to companies today is social engineering attacks, more specifically phishing and scam attacks. Therefore, employees are thought to be the first line of defense or, on the contrary, the weakest link in the security chain (Alharthi and Regan, 2020; Jain et al., 2016). In other words, people are the greatest threat to companies nowadays (Al-Mohannadi et al., 2018). The success rates of phishing and spear-phishing attacks have increased over the years (Bhardwaj et al., 2020), and therefore it is important to have well-educated employees with a high level of risk awareness (Alharthi and Regan, 2020).

        Because cybercriminals are constantly coming up with new, creative ways to fool people (Vayansky and Kumar, 2018), the question has been raised of how to better protect sensitive information in companies, as well as their employees and networks. For this reason, several studies have been carried out to determine why people actually fall for phishing and scam attacks, in order to better understand the characteristics and reasons behind it. Researchers have identified many factors that play a role in susceptibility to phishing, for example gender (Halevi, Memon and Nov, 2015; Sun et al., 2016; Abdelhamid, 2020), age (Oliveira et al., 2017), and personal traits such as risk tolerance (Chen, YeckehZaare and Zhang, 2018) and information processing style (Vishwanath et al., 2018). Yet there are other factors that have not been fully studied, for instance email load (Sommestad and Karlzén, 2019).
        Email has been the main communication tool in companies for years, meaning the number of received, read and sent messages is growing every year (Stich et al., 2019), and it has grown even more during the global COVID-19 pandemic that started in 2020 (Teevan et al., 2021). Email load in general has been found to increase the stress levels people experience (Stich et al., 2019; Akbar et al., 2019; Mark, Voida and Cardello, 2012). Moreover, the pandemic has also left its footprint on the information security field. People are mandated to isolate and work from home, likely from a network environment that is not as secure as it would be in the office (Ramadan et al., 2021). This oppressive situation, in which people cannot meet their relatives, travel for a vacation or simply hang out with friends, has also left an impact on their mental state (Shah et al., 2021). The study by Shah et al. (2021) shows that approximately 58% of people have increased indications of high stress during the pandemic.

        It is not fully understood whether email load increases susceptibility to phishing and scam emails (Sommestad and Karlzén, 2019), nor how stress, driven by increased email load and other side effects, impacts the likelihood of falling victim to such attacks. This study tries to fill this gap in knowledge.

1.2 Research Problem

        Studies such as Tiwari (2020) have found that authority and urgency in malicious emails, as well as different personal traits, have a significant impact on susceptibility to phishing and scam emails. That study was based on a survey; therefore, the author's proposal for future research was to conduct a simulated phishing attack (Tiwari, 2020). The meta-analysis by Sommestad and Karlzén (2019), which looked into different reasons that increase the risk of falling victim to phishing and scam emails, found that few studies analyze how email load influences susceptibility to phishing. To address this lack of empirical studies on the influence of email load (Sommestad and Karlzén, 2019), phishing could be simulated as proposed by Tiwari (2020), but followed up with interview questions about email load to better understand whether and how it influences susceptibility to phishing attacks (Sommestad and Karlzén, 2019). To measure high email load and understand why people may click on malicious links, the research could be expanded and addressed through the perspective of stress, since email load is subjective and looking only at the number of emails would not give an accurate representation; what matters is how people perceive their email load. As such, the research question for this thesis is as follows: “How does the email load and stress affect the susceptibility to phishing and scam emails?”.

1.3 Scope of the research

        The research was conducted in a controlled environment, namely in a company with approximately 130 employees. The company is physically located in Zurich, Switzerland, and employs people from different countries in Europe, Asia and America. The majority of employees are in the age group from 30 to 45. The main purpose of this study was to understand whether and how email load and stress affect the likelihood of falling victim to phishing and scam emails. The data gathered through the interviews were analyzed through the theoretical lens of stress, as defined by Kyriacou (2001): the experience of unpleasant, negative emotions, such as anger, anxiety, tension, frustration or depression.
1.4 Structure of the Study

        The research report consists of six chapters, which are described in this section.

        Chapter 1 - Introduction covers the background of the study, to better understand why this research was important. It also briefly highlights the ongoing challenges that the field is facing. Furthermore, it argues why this research was important and relevant, and gives the scope of the research.

        Chapter 2 - Theoretical background covers the theoretical part of the research. The concepts of social engineering, more specifically phishing, spear phishing and scam, are explained. Next, a short overview of tools that can be used to mimic phishing attacks is presented, to better understand how they work and how they can help. The chapter continues with an overview of the gathered literature on the different aspects and characteristics of users who are more likely to fall victim to phishing and scam emails. Lastly, this chapter defines what stress means in this research and covers previous studies on the causes of work stress.

        Chapter 3 - Methodology describes the research process and methodology used to conduct the study, and argues why the selected method was used. The chapter starts with an overview of the qualitative research approach and continues with a description of the technique used to select interviewees. Next, it describes the interviewee selection phase and environment in more detail. It also highlights the ethical concerns and the actions taken when the study began. The chapter ends with a detailed description of the interview and transcription process, as well as the thematic analysis of the gathered empirical data used to answer the research question.

        Chapter 4 - Analysis of empirical data presents several themes discovered from the interviews with respondents during the thematic analysis. After the interviews were transcribed and coded, common themes were identified. In this chapter, answers from interviewees that belong to the recognized themes are shown.

        Chapter 5 - Discussion contains a discussion of the empirical findings presented in Chapter 4. The chapter starts with a brief recap of the whole study and then moves to a more detailed discussion of the empirical data analysis, comparing the results with the existing literature presented in Chapter 2.

        Chapter 6 - Conclusion contains a summary of the empirical findings and theoretical contributions. It also points out several limitations of the research and makes suggestions for possible future research.
CHAPTER 2: THEORETICAL BACKGROUND

        This chapter outlines the theoretical part of the study, needed to fully understand the method used later. It starts with a general overview of phishing concepts. Next, it presents and explains different tools that can be used to mimic phishing attacks. Further, it outlines the gathered literature on why people fail to recognize phishing and scam emails. Lastly, the chapter concludes with the definition of stress, what it means in this study, and theory on how email load affects people's stress levels.

2.1 Concepts of phishing

        Attacks in which cybercriminals target people using psychological manipulation techniques are known as social engineering (Jain et al., 2016). The Oxford English Dictionary defines social engineering as: “The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes” (Oxford Dictionary on Lexico.com). Because social engineering takes advantage of human behavior and emotions, detecting and mitigating social engineering attacks is difficult (Kaushalya, Randeniya and Liyanage, 2018).

        It is thought that networks and computer systems have improved over the years and security measures have become relatively reliable (Aldawood and Skinner, 2018). Therefore, compromising such systems has become a more technical and complex task. For this reason, cybercriminals often make use of social engineering to bypass technical controls by exploiting vulnerable users (Alharthi and Regan, 2020), the “weak link in information security” (Mouton et al., 2014), in order to break into the company's network and steal classified information or even launch a greater attack. Studies such as Al-Mohannadi et al. (2018), Mouton et al. (2014) and Kaushalya, Randeniya and Liyanage (2018) agree that the biggest threat to companies today is internal users, i.e. the employees themselves, who are likely to infect systems unconsciously by browsing a sketchy web page, downloading infected files or giving away their credentials. There are several subtypes of social engineering, namely baiting, pretexting, tailgating, quid pro quo and phishing (Kaushalya, Randeniya and Liyanage, 2018). This research focuses specifically on phishing attacks.

        Phishing in general is an email-based attack in which criminals use several techniques to trick users into believing that the email comes from a legitimate source, for example a bank, a social networking company or a colleague from the company where the person is employed (Bhardwaj et al., 2020). The Oxford English Dictionary defines it as: “The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” (Oxford Dictionary on Lexico.com). In phishing attacks, cybercriminals usually try to retrieve from their targets information such as usernames and passwords, home addresses, credit card details and other sensitive information (Bhardwaj et al., 2020). Nowadays, the complexity of phishing attacks has risen, since criminals use more sophisticated techniques to trick the user, such as completely spoofing legitimate websites (Vayansky and Kumar, 2018).

        As mentioned, phishing happens through email. A phishing email delivered to the end user can contain logos and graphics from legitimate companies, convincing the user that the email is real (Vayansky and Kumar, 2018). The concept of phishing is fairly simple: a phishing email containing some sort of web link, usually in the form of a button, is delivered to the victim; when the link is clicked, the victim is taken to a spoofed malicious website that looks identical to the real one; the victim is asked to provide personal information, for example credit card details, username and password; once submitted, the information is stored on the cybercriminal's server (Vayansky and Kumar, 2018). Spear-phishing, in turn, is more tailored to specific groups of people. The principles of spear-phishing are the same as for regular phishing; however, cybercriminals usually do deeper research about potential victims before the attack, gathering publicly available information on the internet, such as their workplace, bank or websites they visit (Vayansky and Kumar, 2018).

        In general, the success rates of phishing and spear-phishing attacks have been increasing over the years (Bhardwaj et al., 2020), especially during the COVID-19 pandemic, when phishing attacks peaked (Chokhonelidze, Basilaia and Kantaria, 2020). Because cybercriminals are implementing new and creative approaches to phishing attacks, making them higher in quality, it is becoming more difficult to distinguish them from real emails (Vayansky and Kumar, 2018).

2.2 Tools used to test employees

        Social engineering is one of the biggest threats to companies at present (Luse and Burkman, 2020). Moreover, phishing attacks are becoming more sophisticated every year (Kanhere et al., 2020). Therefore, it is vital for companies to educate their employees about threats and increase their security awareness level. One approach is to hold regular security awareness trainings, which help refresh knowledge about the threats and techniques cybercriminals use (Vayansky and Kumar, 2018). Another approach, which usually complements security awareness trainings, is realistic simulated phishing attacks carried out by the company's IT department. Through simulated attacks, companies can test and see how well their employees are prepared for such attacks (Särökaari, 2020). It also helps to tailor security trainings so that they fit the specific company, or even separate groups of people, better.

        There are several open-source and paid solutions available for companies to test their workers. Among the more popular open-source penetration frameworks are Gophish, King Phisher and Phishing Frenzy (Pirocca, Allodi and Zannone, 2020). There are also more advanced social engineering frameworks that require a license, for example Lucy and Phishing Box.

        All of the above-mentioned phishing frameworks have broadly similar objectives: simulate a phishing attack to see how employees respond. All of them support features like phishing email creation and modification, statistics gathering and attack scheduling. Still, each framework has its own limitations, and companies should choose the one that fits them best. Usually these testing frameworks can be installed on a local, on-premises server as well as on a cloud-based server. Furthermore, the landing pages, where a victim is taken once the link is clicked, can be equipped with a purchased domain name and an SSL/TLS certificate (Kanhere et al., 2020).

        Tools like these are useful for seeing the real situation in the company and preparing its employees even better for social engineering attacks.

        For this study the Gophish framework was used, because the research author was already familiar with this tool and it suited the set research objective well: to select participants for the interviews.
2.3 Related work

        User security awareness training in companies is gaining popularity. On the one hand, companies that want to comply with security standards such as the ISO 27001 series and NIST 800-53 are mandated to hold such user awareness training on a regular basis (ISO - ISO/IEC 27001 — Information security management, 2021; Joint Task Force Interagency Working Group, 2020). On the other hand, studies show that, more and more often, the biggest threat to companies is their own employees (Aldawood, Skinner and Alashoor, 2020). This can be explained by the fact that the success rates of social engineering attacks are rising every year, and went up even more during the global pandemic in 2020, when cybercriminals took advantage of the situation by spreading misleading and malicious emails about COVID-19 and vaccination (Chokhonelidze, Basilaia and Kantaria, 2020). To ensure that employees are well aware of the risks, some firms have even gone one step further and integrated gamification into their training process to make the whole experience more interesting and memorable (Corradini, 2020). Organizations have also improved their security policies in order to secure their business continuity and fight against social engineering threats (Aldawood and Skinner, 2018).

        Presenting the basics of how to recognize malicious emails is one thing; however, it is more important to understand exactly what motivates employees to click on the links in phishing and scam emails. Over time, several studies have been made to determine the characteristics of the vulnerable user when it comes to taking such security risks, like age (Oliveira et al., 2017), gender (Halevi, Memon and Nov, 2015; Sun et al., 2016; Abdelhamid, 2020), and human behavior like risk tolerance (Chen, YeckehZaare and Zhang, 2018) and information processing style (Vishwanath et al., 2018). However, there are many unknown and even changing factors that make it hard to give a concrete answer on which group of people is the most vulnerable, so that companies could pay more attention to them, for example by giving them more detailed educational courses or restricting their access to some parts of the network (Sommestad and Karlzén, 2019).

        In 2018, Vishwanath et al. created a framework called SCAM (Suspicion, Cognition, and Automaticity Model). In order to explain the reasons why people fall for phishing attacks, the SCAM framework proposes two separate aspects: habitual email use and cognitive information processing. The first part of the SCAM framework refers to habitual email use, where Vishwanath et al. (2018) analyzed one group of people that processes their emails systematically and another that does so heuristically. This is a habit that develops over time. It was found that people with developed systematic email processing habits are less likely to fall victim to phishing emails, while those who review their emails heuristically are in a higher risk group (Vishwanath et al., 2018). This concept also correlates with users' beliefs about their cyber risks. For example, the group of people who tend to think their cyber actions are relatively risky more often process their emails systematically (Vishwanath et al., 2018). On the other hand, those in denial, who think their cyber actions are relatively safe, are more likely to process their emails heuristically and hence more often become victims of phishing attacks (Vishwanath et al., 2018). The second part of the SCAM framework is about cognitive mediation and how it influences habitual email use. It was concluded that habitual email use is related to the person's capability to control their behavior, and that cognitive processing is highly influenced by the person's cyber-risk beliefs (Vishwanath et al., 2018), meaning that habits of email use more often take over from cognitive processing abilities. Similar results were found in an earlier study by Halevi, Memon and Nov (2015): those who felt more secure were more likely to fall victim to phishing and scam attacks (Halevi, Memon and Nov, 2015).

        In 2016, a study by Harrison, Vishwanath and Rao found that Generalized Communicative Suspicion (GCS) correlates with susceptibility to phishing. GCS is a phenomenon that describes a state in which a person believes they are able to recognize deception in face-to-face conversations (Harrison, Vishwanath and Rao, 2016). During the study, GCS was found to correlate not only with susceptibility to phishing but also with the way people process online information like emails, either systematically or heuristically (Harrison, Vishwanath and Rao, 2016). It was concluded that people with higher levels of GCS suffer from uncertainty and trust issues and process online information systematically (Harrison, Vishwanath and Rao, 2016). On the other hand, people with lower GCS levels process online information heuristically and are therefore more likely to fall for phishing and scam attacks (Harrison, Vishwanath and Rao, 2016).

        Many researchers agree that gender also plays a role in susceptibility to phishing (Halevi, Memon and Nov, 2015; Sun et al., 2016; Abdelhamid, 2020). The study conducted by Halevi, Memon and Nov (2015) looked into different aspects of why people fall for phishing. One of the findings was that female participants were more vulnerable to phishing than their male counterparts (Halevi, Memon and Nov, 2015). Male participants were able to recognize malicious emails better, and their security awareness level scored higher overall (Halevi, Memon and Nov, 2015). Similar findings were made in the study by Sun et al. (2016), whose research objectives were to test anti-phishing self-efficacy, internet self-efficacy and anti-phishing behavior between male and female participants. Furthermore, a more recent study conducted in a healthcare context by Abdelhamid (2020) showed the same result: female participants were more likely to fall for phishing attacks than their male counterparts.

        Another aspect associated with susceptibility to phishing is age group. In the research by Oliveira et al. (2017), it was found that older people are more likely to become victims of phishing attacks, specifically older women. These findings mirror the results found in the Halevi, Memon and Nov research from 2015. Another, more recent study concluded that younger adults are more careful and suspicious when it comes to recognizing malicious emails (Chen, YeckehZaare and Zhang, 2018). The same study also demonstrated that different personality characteristics and cyber-risk beliefs have an impact on the likelihood of falling victim. False-positive and false-negative decisions were tested, and the results indicated that people who are intolerant of risky actions are more likely to identify a legitimate email as malicious, contrary to those who are more tolerant of risk (Chen, YeckehZaare and Zhang, 2018).

        To sum up, there are many factors that determine whether a person is susceptible to phishing and scam emails, and there may even be aspects that people have not yet thought of.

2.3.1 Stress

        High email load is subjective for each individual. For one person a high email load can be 20 messages per day and for another 100 messages per day. One natural way to look at email load is stress, because high email load has been proven to increase stress levels (Stich et al., 2019; Akbar et al., 2019; Mark, Voida and Cardello, 2012), and therefore it is a relevant part of understanding how email load is perceived.

        Stress, as defined by Kyriacou (2001), is the experience of unpleasant, negative emotions, such as anger, anxiety, tension, frustration or depression. A similar definition is offered by Skaalvik and Skaalvik (2016). It has also been found that stress has a negative impact on a person's self-esteem (Galanakis et al., 2020). Stress can be caused by several factors, such as tight deadlines, heavy workload, high demands, personal issues and others (Chen and Miller, 1997). In simple words, stress is the reflection of cognitive processes that affect how people respond to ordinary as well as extraordinary conditions in their life (Robinson, 2018). It is an individual's psychological state of mind that changes their perception of the environment they are in and their emotional experience of it (Cox, 2007). In order to understand how people perceive the world, Cox (2007) suggests focusing on individuals' emotional responses.

2.3.2 Stress caused by email load, isolation and remote work

        Since this study examines the research through the theoretical lens of stress as defined by Kyriacou (2001), it is important to understand how stress correlates with email load and what side effects can increase stress.

        Nowadays, when the majority of a company's workflow, job delegation, contract negotiation and communication with partners and clients relies on email, the load of received, read and sent emails is growing every year (Stich et al., 2019). This is especially true during the ongoing pandemic, when even people who did not use email that much are now mandated to work from home and use email as their daily communication channel with their colleagues (Teevan et al., 2021).
        Much research shows that increased email load, and nowadays even overload, has a strong impact on the stress levels people experience (Stich et al., 2019; Akbar et al., 2019; Mark, Voida and Cardello, 2012). It has been found that high email load increases psychological strain as well as the development of negative emotions. Furthermore, it has an impact on employees' performance in work-related tasks, which can further turn into anxiety (Stich et al., 2019).

       Several studies have found a clear relation between stress levels and the amount of email. For instance, the study by Mano and Mesch (2010) found that fewer emails per day decrease the stress level employees experience. Another study revealed that dismissing emails for five days and focusing purely on work tasks lowered the overwhelming feelings of stress (Mark, Voida and Cardello, 2012), suggesting that emails in general increase stress for employees. The study by Stich et al. (2019) reached similar results.

       Still, there are other aspects that influence people's stress level with regard to email, for example the time spent answering messages. The study by Akbar et al. (2019) found that people have lower stress if they answer emails slowly. Hence, a demand for quicker communication increases measured stress.

       Another finding related to email load is that interruptions during ongoing work increase stress levels. One study tested two techniques for processing emails: regular or instant response, and batching, where emails are checked all at once several times per day. During this research a thermal camera was used to measure the stress level. It was concluded that if the batching technique is not used, there are more interruptions, which lead to higher stress levels (Akbar et al., 2019). The authors also found that stress can additionally be caused by high demands and commitments at work, deadlines or tension at home (Akbar et al., 2019). Even multitasking, a common work style these days, increases stress levels.

        Based on the discussions found in previous studies, there appears to be a correlation between high email load, the greater demands and multitasking it leads to, and higher stress levels.

        Isolation during the global COVID-19 pandemic has also had an impact on human behavior (Shah et al., 2021). Lack of social interaction with colleagues was found to correlate with the stress levels people are facing. In the research by Shah et al. (2021), 57.4% of participants showed clear signs of high stress levels. Seemingly simple activities, such as a conversation during a coffee break or a quick talk before a face-to-face meeting, make people feel more comfortable and less tense. As these activities are not possible during the global COVID-19 pandemic, stress and the feeling of isolation have certainly increased for the majority of people (Teevan et al., 2021). Furthermore, people who do not feel supported by their managers, for instance through a face-to-face conversation, more often experience the development of negative emotions that impacts their physical and mental state (Teevan et al., 2021). In short, during the ongoing global COVID-19 pandemic people are feeling more stressed than ever. This is caused not only by the increased email load but also by the lack of social interaction with their colleagues and by isolation.
CHAPTER 3: METHODOLOGY

       In this chapter the research process and the methodology used to conduct the study are described, and the reasons why this specific method was used are argued. The chapter starts with an overview of the Qualitative research approach. It continues with a description of how the respondents for the interviews were selected. Next, it describes the selection phase and the environment used in more detail. It also highlights the ethical concerns and the actions taken when the study began. The chapter ends with a detailed description of the interview and transcription process as well as the Thematic Analysis of the gathered empirical data used to answer the research question.

3.1 Qualitative Research Approach

       A qualitative research approach is in general used to study some phenomenon, typically focusing on people's behavior and experience (Basias and Pollalis, 2018). A qualitative approach does not cover numerical, mathematical or statistical studies, in contrast to a quantitative research approach, which looks into the frequency of a specific phenomenon. It can also be described as a series of interpretive techniques that usually try to find an answer to a research question by decoding and translating the theory of a particular phenomenon (Basias and Pollalis, 2018). Moreover, qualitative research questions are formulated as How, What, Where and When types of questions (Hennink, Hutter and Bailey, 2020). Therefore, because the question of this study is “How does the email load and stress affect the susceptibility to phishing and scam emails?”, it was decided that a qualitative approach is the most suitable and should be used for this research by conducting semi-structured interviews.
3.2 Selecting interviewees

       Sampling or participant selection in qualitative research is usually small and focused, hence non-random and purposeful (Merriam, 2009). In order to select participants for the interviews in this research, the Quota Sampling method was used. Inspiration for this part of the research was taken from a suggestion for future research by Tiwari (2020), where the author proposed conducting a real-life simulated phishing attack in a company.

       According to Dudovskiy (2018), the Quota Sampling method can be used to gather data from a specific group of people that represents particular characteristics in the population. In this study the characteristic is susceptibility to phishing attacks.

       The research author selected a company with approximately 130 employees where the study was conducted. For security reasons the name of the company is not disclosed. In this paper the company is called “X” to hide and protect its identity.

       In order to find respondents for the interviews, several simulated phishing and scam attacks, also known as phishing campaigns, were launched in agreement with the company (see section 3.2.2). The attacks were carried out with the Gophish framework, a tool that generates and sends out phishing emails with landing pages, records which users opened the email or clicked on the malicious link, and collects any submitted information. This part of the research took approximately one month. Three different types of phishing attacks were launched within the company “X”. Each of the phishing campaigns was active for one and a half weeks, which was enough time considering that some people might be on vacation. The attacks were launched between the 3rd of February and the 12th of March, 2021.

       As previously stated, the goal of these phishing campaigns was to select people for the interviews. Those who did fall for the simulated attacks were asked to participate in the interview process of this study.

3.2.1 Gophish Environment

       In order to simulate real-life phishing and scam attacks, a platform called Gophish was used. Gophish is a well-known open-source tool used by various companies to test how their employees behave when phishing or scam events occur (Särökaari, 2020). In this particular case Gophish was installed and configured on a Linux Ubuntu 18.04 LTS virtual machine. To make the phishing and scam emails, also known as campaigns, look legitimate, three domains were purchased for the purpose of hiding the IP address of the Gophish host machine.

       In order to cover different scenarios of phishing and scam attacks, three different campaigns were used, in the expectation that this would increase the success rate of the campaigns. The first campaign tried to lure users into registering for a lottery with a new iPhone 12 Pro as the prize. This campaign used the domain register.win-prize.de. The second campaign targeted users' login credentials for the social media portal LinkedIn.com. For this campaign the domain name linkedin.account-verification.de was used. The last campaign aimed to expose users' corporate account login credentials. Therefore, a domain similar to the real one was purchased: instead of “.com”, the phishing domain ended with “.co”. For security reasons, this domain name is not given in this paper, because it might expose the real name of the company.

       To make this experiment safe for all employees of the company “X” and additionally gain their trust, all landing pages where users were expected to submit their credentials were equipped with an SSL/TLS certificate to encrypt traffic upon submission of information. As cybercriminals use more sophisticated phishing techniques, attacks are also becoming more dangerous, since phishing landing pages are more often equipped with SSL/TLS certificates, giving the impression of a legitimate website (Särökaari, 2020). One of the reasons is that “Let's Encrypt” offers a free SSL/TLS certificate valid for 90 days (Särökaari, 2020). In this study the same free SSL/TLS certificate from “Let's Encrypt” was used.

       In addition, a Google Workspace suite was subscribed to so that the senders' email addresses could be hidden behind the registered domains.
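A defender-side check for the two domain tricks described in this section (a brand name placed as a subdomain of an unrelated registrable domain, as in linkedin.account-verification.de, and a registrable domain that differs from the expected one only in its suffix, as in “.co” for “.com”), added here as an example and not code from the thesis or from Gophish. The trusted-domain table, the `corp-example.com` domain standing in for the undisclosed company “X” domain, and the sample email are constructed placeholders; a real deployment would consult the full Public Suffix List rather than the short suffix set used here.

```python
"""
Defender-side lookalike-domain check for links in incoming email.

Added example, not code from the thesis or from Gophish. It flags the two
domain tricks used by the campaigns described above: a brand name placed as
a subdomain of an unrelated registrable domain (linkedin.account-verification.de)
and a registrable domain that differs from the expected one only in its suffix
(".co" instead of ".com"). An https:// link is deliberately NOT treated as a
sign of legitimacy, since certificates are free to obtain.
"""
import re
from urllib.parse import urlsplit

# Public suffixes handled by this simplified example. A production check
# should consult the full Public Suffix List (e.g. the publicsuffix2 package).
KNOWN_SUFFIXES = {"com", "co", "de", "net", "org", "co.uk"}

# Brands the organisation expects to see only on these registrable domains.
# "corp-example" / "corp-example.com" are constructed placeholders standing in
# for the undisclosed company "X" domain.
TRUSTED_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "corp-example": {"corp-example.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def split_host(host):
    """Split a hostname into (subdomain labels, registrable domain, public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest suffix first so that "co.uk" wins over "uk".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            suffix = ".".join(labels[-n:])
            registrable = ".".join(labels[-n - 1:])
            return labels[:-n - 1], registrable, suffix
    # Unknown suffix: treat the whole host as the registrable domain.
    return [], host.lower(), ""


def check_url(url):
    """Return the reasons a link looks like a lookalike; an empty list means no finding."""
    host = urlsplit(url).hostname or ""
    prefix, registrable, suffix = split_host(host)
    # "linkedin" of "linkedin.com": the part of the registrable domain before the suffix
    base = registrable[: -len(suffix) - 1] if suffix else registrable
    findings = []
    for brand, trusted in TRUSTED_DOMAINS.items():
        if registrable in trusted:
            continue  # genuine domain for this brand, nothing to report
        if any(brand in label for label in prefix):
            findings.append(
                f"'{host}': brand '{brand}' appears as a subdomain of unrelated domain "
                f"'{registrable}'"
            )
        elif brand in base:
            findings.append(
                f"'{host}': '{registrable}' resembles brand '{brand}' but is not one of "
                f"{sorted(trusted)} (suffix '.{suffix}')"
            )
    return findings


def scan_email_body(text):
    """Map every link in an email body to its findings, for use in a gateway or SOC rule."""
    return {url: check_url(url) for url in URL_RE.findall(text)}


# Constructed sample email modelled on the LinkedIn and password-reset campaigns
# described above; the URLs are illustrative only.
SAMPLE_EMAIL = """Subject: Security notice - verify your account within 24 hours

We detected suspicious activity on your profile. Verify now:
https://linkedin.account-verification.de/verify?u=1234

After the server upgrade everyone must reset their password here:
https://login.corp-example.co/reset

Genuine links for comparison: https://www.linkedin.com/login and
https://sso.corp-example.com/reset
"""

if __name__ == "__main__":
    for url, reasons in scan_email_body(SAMPLE_EMAIL).items():
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {url}")
        for reason in reasons:
            print(f"           - {reason}")
```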

3.2.2 Ethical consideration

       Before launching phishing attacks against the company “X” employees, some ethical aspects of this research had to be addressed, since it might lead to legal issues (Hennink, Hutter and Bailey, 2020). To perform this research a “Statement of Ethics” (shown in Appendix A) was issued, in which the step-by-step actions were described. This statement of ethics was approved by the CEO and CTO of the company “X”.

       Furthermore, because the actual phishing server was hosted on the company “X” network and had a public IP address owned by the company, in order to allow the phishing server to be reached from outside the corporate network, the Internet Service Provider (ISP) was informed about this educational experiment. This was done in order to prevent IP address blacklisting, because people might report the sender as a spreader of malicious content with the intent of phishing.

           After all simulated phishing attacks were finished and the selection of interviewees was done, all employees of the company “X” were informed about the ongoing study. Anonymity was guaranteed for those who did fall victim.

3.2.3 Phishing campaigns

3.2.3.1 iPhone 12 Pro campaign

           The very first phishing campaign or simulated attack in the company “X” was made with the intention of making users click on a malicious link. In some attack scenarios simply clicking on the link can already be dangerous, because it could launch a malicious script that installs malware without any notice. In this particular case, an email claiming to be from a lottery company was sent. In the email it was mentioned that 1000 units of the new iPhone 12 Pro were the giveaway prize. All a user had to do to enter the lottery was to click on the button and provide their first name, last name, email address and home address.

           This email was sent out to 132 people. Only 1 person clicked on the link that redirected to the landing (submission) page. However, this user did not submit any details.

3.2.3.2 LinkedIn campaign

           The second phishing attack was sent out claiming to be from the social media portal “LinkedIn”. In this campaign it was stated that “LinkedIn” had recognized some suspicious actions from the user's profile, therefore a security notice was pushed and their account was blocked. Users were asked to verify their account within 24 hours before it would be completely suspended from the social media portal. It was believed that the urgency factor in the email would increase the success rate of the phishing, as suggested by Tiwari (2020). Once the “Verify account” button was clicked, the user was redirected to a phishing landing page that looked the same as the regular LinkedIn login web page. Users were asked to provide their email address and password in order to verify their account.

       As in the previous campaign, this phishing email was sent out to 132 people. The click rate on the malicious link, however, was higher than in the iPhone 12 Pro campaign. From all delivered messages, 4 people clicked on the link. Furthermore, 1 person also submitted the credentials of his “LinkedIn” account.

3.2.3.3 Password reset campaign for internal systems

       The last campaign claimed to be from the IT department of the company “X”. This campaign covered a scenario in which someone's emails have been stolen; hence, in the phishing email users were able to see previous messages about a server upgrade. It was thought that this would increase the level of trust, making employees believe that the email was indeed legitimate (Tiwari, 2020). The campaign claimed that, for security reasons, the IT department had decided that everyone has to change their password after the server was upgraded. The email provided a seemingly legitimate link of the kind usually used for resetting internal system passwords in the company “X”; however, once clicked, it redirected users to the phishing landing page, which again looked exactly the same as the original web page.

       From the very beginning this phishing campaign was expected to have the highest success rate, since it was related to the internal systems. Because of previous experience with unplanned “whistleblowers” who announced publicly in the corporate chat channel that they had received a phishing email, it was decided to exclude these people from the recipient list to increase the potential success rate even more. In this case, the final number of sent emails was 110. In total 7 people clicked on the malicious link and 6 users submitted their credentials.

           The results of all phishing campaigns are gathered in Table 1 below.

  Name of the campaign                   People clicked on the link   People submitted data
  iPhone 12 Pro                          1                            0
  LinkedIn                               4                            1
  Password reset for internal systems    7                            6
  Table 1 - Summary of phishing campaign results

  3.3 Primary data collection - Interview Method

          Once the selection of potential interview participants was done, it was time to conduct the actual interviews. Interviews are one of the primary tools used to collect data in Qualitative research (Merriam, 2009). The questions used in the interviews were semi-structured and open-ended in order to collect empirical material. According to Khan (2014), face-to-face interviews are suitable for analyzing sensitive topics like employees' perception and human behavior, in order to extract more detailed, yet sensitive information about a phenomenon. In this study, falling victim to a phishing attack is indeed a sensitive topic, since failing to recognize an attack and giving away user credentials can cause financial and reputational damage to the company (Ekandjo, Jazri and Peters, 2018). Therefore, interviews had to be conducted face-to-face and at the same time remain anonymous in order not to damage employees' reputation.

       Of the 7 people who were identified as victims, one person was removed from the list of potential interviewees because, although he did fall for the phishing, he did so with the intention of investigating the malicious content and not because he had fallen victim to the phishing email itself. All other 6 people who did fall for the simulated phishing attacks were asked to participate in the interview process through an official email. Full anonymity in the company and also in this research document was guaranteed as part of the ethical considerations (Dudovskiy, 2018). Since it is not possible to force people to have an interview, two people decided that they did not wish to participate in this study and declined the invitation for the interview. Due to the restrictive conditions of COVID-19, the interviews with the other four participants were conducted remotely and in out-of-office time over the digital collaboration platform “Zoom”. A suitable time slot for the interview was communicated through email. Interviews lasted from 26 minutes up to 45 minutes, depending on the answers given by the respondents. Interviews were conducted from the 15th till the 20th of April, 2021. Before each interview began, the respondent was informed about the aims of the research and asked for consent to record the interview for further analysis. As stated before, for security reasons the name and job title of the respondents are not presented in this paper. The list of conducted interviews, the respondents' pseudonyms, the gender of the respondents, and the length and date of the interviews are presented in Table 2.

Respondent   Gender   Length of the Interview   Date
A            Male     26 Minutes                15.04.21
B            Male     22 Minutes                15.04.21
C            Female   24 Minutes                16.04.21
D            Male     45 Minutes                20.04.21
Table 2 - List of conducted interviews

3.3.1 Interview process

       Once a suitable time slot was agreed on, each respondent received an invitation link for an online meeting in the digital collaboration platform “Zoom”. Right at the beginning of the meeting, each respondent was asked for consent to record the meeting for the purpose of further analysis, e.g., transcription and coding. All respondents gave their permission to record the interview. This was beneficial, because it allowed the interviewer to focus more on the interview itself, without taking additional notes (Halcomb and Davidson, 2006). Respondents were once again informed about the aims and objectives of the study. Furthermore, it was stated that their identity would not be disclosed in the research report, nor within the company “X”. The questions asked were mainly open-ended, with the intention of creating a discussion to understand the given answers in more depth as well as to avoid leading questions (Dudovskiy, 2018). An interview guide (shown in Appendix B) was prepared beforehand, and the questions were developed based on the theory around susceptibility, email load and stress discussed in Chapter 2. Questions were asked in sequence, following the interview guide; however, if needed, jumping between questions was allowed, since it enabled a smoother flow of the interview as well as a deeper understanding of the answers. At the end of each interview, respondents were asked to do a “self-evaluation” to estimate their own perceived level of stress, in comparison with the answers they gave, to get a fairer picture of the situation. The stress level evaluation scale was from 0 to 5, where 0 is no stress at all and 5 is extremely high stress. Before the interview was finished, respondents were asked if they wanted to give any final comments about their answers.

3.3.2 Transcribing interviews

       Interviews were transcribed verbatim, which allowed the research author to get closer to the gathered data for further analysis (Halcomb and Davidson, 2006). Sounds that were not relevant, such as “mmm”, “uh”, “aam”, were skipped to improve the textual sentence formatting. The transcription was completed right after each conducted interview. This helped to identify any quality issues with the gathered data or the interview questions and correct them before the upcoming interviews (Hennink, Hutter and Bailey, 2020). To transcribe the interviews, an online tool called “oTranscribe” was used, which offers functions such as speed adjustment of the audio recording as well as jumping back and forward to a specific timestamp.

3.3.3 Thematic Analysis

       Thematic Analysis was chosen as the best fit for the gathered empirical data because of its flexibility during the analysis process (Terry et al., 2017). Thematic Analysis was conducted following the six phases suggested by Terry et al. (2017), which include Familiarisation with the data, Coding, Theme Development, Theme Reviewing, Defining Themes and finally Producing the Report. All six phases are described in more detail in this chapter.

    1. Familiarisation

        The Familiarisation phase is the entry point of the whole analysis. It is necessary to engage with and grasp insights from the gathered information to fully understand the meaning of the data (Terry et al., 2017). Whilst going through the whole dataset, the research author noted down comments, interesting ideas and patterns in each interview that helped to develop codes later on. Familiarisation was done in several cycles to make sure important information was not missed.

    2. Coding

        During the next phase of Thematic Analysis, information relevant to the research question was coded using an inductive approach. Based on the comments, noted ideas and patterns from the previous phase, the research author assigned meaningful codes to those segments of data that can help to answer the research question. Codes were developed using the definition of stress (see section 2.3.1) to help interpret the answers received. Furthermore, if the same code was relevant to data segments mentioned in different parts of the interview, it was used to tag and link those data segments in order to gain more insight from the information.

    3. Theme Development

        Once the coding was done, all the codes were written out and it was time to look for similarities between them by clustering several codes into one topic. To avoid overly granular themes and instead make them deeper, one central concept was identified that helped to determine what the theme's idea is about. It also helped to evaluate whether a given code belongs to this central concept. After several codes were clustered, a candidate or provisional theme name was given to each cluster.

    4. Theme Reviewing

        Throughout the Theme Reviewing phase, the provisional themes were checked to verify that the selected data sets belonging to each candidate theme are meaningful to the central concept (Terry et al., 2017). If some of the linked codes or parts of the data set were identified as applicable to more than one theme, the provisional theme was revisited once more and the transcript of the interview was checked to verify validity. Moreover, it was important to check that each of the candidate themes is distinctive, yet linked with the others, in order to help tell the story that answers the research question (Terry et al., 2017).

    5. Defining Themes

        Once the review and refinement of the potential themes was completed, three main themes were decided on for the report phase of the analysis. Each of the themes was once again verified by writing a short abstract that helped to see whether the theme is too thin (Terry et al., 2017). Next, for each theme, a name or title was defined that gives an idea of the content found within the theme. The final theme map is presented in Figure 1.

Figure 1 - Final theme map

    6. Producing the Report

        The final phase of Thematic Analysis was to produce the report. It can be found in the next section of this document, “Chapter 4: Analysis of empirical data”. It is divided into three sub-sections, one for each selected theme. Under each of those sub-sections, the answers given by respondents help to arrive at the resolution of the research question presented.

CHAPTER 4: ANALYSIS OF EMPIRICAL DATA

This chapter presents several themes discovered from the interviews with respondents whilst doing Thematic Analysis. After the interviews were transcribed and coded, several codes were merged and a theme name was given. In total three main themes were identified. They are based on the following topics: email load and stress; workload and meetings; additional factors from private life that increase stress.

4.1 Email load that increases stress directly and indirectly

       All interviewees agreed that email load has increased lately, mainly because of government rules for working from home; however, not all respondents thought that it comes with higher stress. Some respondents admitted that they rather see it as an indirect factor for stress, and one respondent mentioned that email load is not bothering him.

       Respondent “A” admitted that email load has increased because of the current situation with remote work. He estimated that on average there are approximately 50 new emails every day in his inbox, stating that he used to have more at his previous company and is therefore used to a high load of emails. However, he explained that not only do remote meeting requests make up a big part of his inbox, but regular emails have also become much quicker, meaning they are used more like a chat service that requires a fast response, which increases the stress:

       I think there is a trend to write what you think right away and use it kind of like
       a chat service. [...] It would usually be an immediate response. From this point
       of view you really have to keep up the pressure so that you do not lose time on
       communication.

Respondent “A” evaluated his stress level at 4 on a scale from 0 to 5 (where 0 is no stress and 5 is extremely high stress).

        The second respondent, “B”, has also noticed an increase in email load, but he thinks that it is more likely to come from the fact that his professional position changed and now he is required to engage more in new projects. The respondent estimated that he receives approximately 100 new emails per day, stating that it is a lot; however, he felt that it does not affect his stress level much:

        Between my work and private account I receive probably a hundred, hundred
        plus emails per day. It is more than before when I was in my previous position.
        Then I was getting probably like 30-40 emails. Now it has definitely increased
        by factor two or more. [...] It is annoying. Maybe it is stress, but sort of a low
        level stress.

Later on during the interview he elaborated that a big part of his emails are irrelevant messages that come from the scientific and academic community. He felt that the volume of emails plays an indirect role in his stress levels:

        I noticed as I became more integrated in the scientific and academic community
        I started to get a lot of irrelevant emails from conferences and journals. Like
        lots of noise. And I get more and more of this noise. It is annoying. It is for sure
        quite distracting during the day. [...] I would not say that emails themselves
        make me feel under pressure, but I do feel pressure to achieve goals of the
        projects that I am currently working on and, absolutely, dealing with the volume
        of emails that I receive is a huge time sink and a distraction. Therefore it
        indirectly increases the stress.

Respondent “B” evaluated his stress level at 3.5 on a scale from 0 to 5 (where 0 is no stress and 5 is extremely high stress).

        Similarly, respondent “C” also noticed that email load has increased, with lots of irrelevant emails. However, this is not increasing her stress level, because she is not worried about having an empty inbox:

        I have perhaps noticed an increase in the number of emails from large
        businesses, for example, booking.com with offers for special deals, and small
        businesses, like my optician, urging me to make an appointment to have my
        contact lenses checked, hoping to drum up business. [...] I am not one to worry
        too much about having an empty inbox.

The same respondent admitted that the load of emails usually makes her do multiple things at once and therefore she can be easily distracted. For the stress level evaluation question, the respondent said that she does not feel stressed, giving herself a mark of 1 on a scale from 0 to 5 (where 0 is no stress and 5 is extremely high stress).

        Respondent “D” mentioned that email load has increased a lot because of the nature of his work. He used to have several face-to-face meetings per day, and now the majority of these conversations are handled through email because of the global pandemic. Furthermore, he said that the time when emails are delivered has also changed, which puts him under pressure:

        The email load has increased a lot! I receive emails very late in the evening or
        early hours. So a lot has changed during the pandemic with the respect to the
        email. Not only the load has increased but also the time when the rate peaks.
        It might be in the evening instead during the day. [...] I am always stressed
        when I have emails in my inbox, and I do not archive them to my local folders.

Furthermore, he elaborated that due to the switch from face-to-face meetings to email conversations, he has noticed that the style of emails has in some cases changed to have less structure, which makes him feel nervous and anxious:

        Young people are a bit confused between different digital means of
        communication. They write their emails like they are on messaging apps. [...]
        They are ignorant of code of practices. I do not like when I have to look for
        more details. I get nervous and anxious and sometimes angry that I have to
        look for the purpose of the email.

When asked about the stress level evaluation, respondent “D” answered that currently he is experiencing level 5 stress on a scale from 0 to 5 (where 0 is no stress and 5 is extremely high stress).