EXPLORE PUBLICATIONS BY COUNTRIES

Phishing, Data Security, Computer Crime, Internet Security

Phishing is a method that hackers use to fraudulently acquire sensitive or private information from a victim by impersonating a real entity (Turban, Leidner, McLean, & Wetherbe, 2010). Phishing can be defined as the act of soliciting or stealing sensitive information such as usernames, passwords, bank account numbers, credit card numbers, and social security or citizen ID numbers from individuals using the Internet (Ohaya, 2006). Phishing often involves some kind of deception. The results from a study of Jagatic et al. (2007) indicate that Internet users are four times more likely to become phishing victims if they receive a request from someone appearing to be a known friend or colleague. The Anti-Phishing Work Group indicates that at least five percent of users responded to phishing scams and about two million users gave away their information to spoofed websites (APWG, 2009). This results in direct losses of $1.2 billion for banks and credit card companies (Dhamija, 2006). In order to understand how phishing can be conducted, the researcher set up a phishing experiment in one of Thailand’s higher education institutions. The subjects were MBA students. A phishing email was sent to the subjects, and the message led the subject to visit the phishing website. One hundred seventy students became victims. The data collection included a survey, an interview, and a focus group. The results indicated that phishing could be easily conducted, and the result can have a great impact on the security of an organization. Organizations can use and apply the lessons learned from this study to formulate an effective security policy and security awareness training programs.