- by Gersi Mirashi
- December 18, 2024
Phishing: Organizational Awareness for Cybersecurity
By Enxhi Tagani, Erion Curaj, Flavio Koka, Joana Shehaj
Abstract
Phishing continues to be one of the most persistent and dangerous threats in modern cybersecurity. Attackers disguise themselves as legitimate entities to trick individuals into sharing sensitive information, such as login credentials and financial details. In the banking sector, phishing poses particularly significant risks due to the volume of sensitive data handled. While technological solutions like email filtering and multi-factor authentication (MFA) provide some protection, human error remains a critical vulnerability. Custom phishing simulation software was developed to replicate phishing attacks in a controlled environment, allowing researchers to evaluate employee readiness and response at Credins Bank. This mixed-method approach included quantitative data collected from simulated phishing attempts (spear phishing, vishing, and whaling) and qualitative data from employee surveys. These results were used to identify vulnerabilities and provide insights into the effectiveness of current cybersecurity measures. The phishing simulations revealed that 37% of employees clicked on phishing links, while 14% submitted sensitive information. The results highlighted a delay in reporting phishing attempts, with employees taking an average of four hours to notify the IT department. This finding underscores the need for continuous employee training, the integration of AI-based phishing detection tools, and the improvement of reporting mechanisms. The study suggests that a multi-layered approach—incorporating employee training, adaptive phishing simulations, and AI-driven detection systems—can significantly reduce the risks associated with phishing. This research serves as a foundation for future development in both phishing defense technology and employee awareness programs.
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.