Date Published: October 26, 2018
Publisher: Public Library of Science
Author(s): Sabina Kleitman, Marvin K. H. Law, Judy Kay, Kim-Kwang Raymond Choo.
Phishing email is one of the biggest risks to online information security due to its ability to exploit human trust and naivety. Prior research has examined whether some people are more susceptible to phishing than others and what characteristics may predict this susceptibility. Given that there are no standardised measures or methodologies to detect phishing susceptibility, results have conflicted. To address this issue, the current study created a 40-item phishing detection task to measure both cognitive and behavioural indicators of phishing susceptibility and false positives (misjudged genuine email). The task is based on current real-life email stimuli (i.e., phishing and genuine) relevant to the student and general population. Extending the previous literature, we also designed a methodology for assessing phishing susceptibility by allowing participants to indicate their perception of the maliciousness of each email and the action they would take (keep it, trash it or seek further information). This enabled us to: (1) examine the relationships that psychological variables share with phishing susceptibility and false positives (both captured as consistent tendencies); (2) determine the relationships between perceptions of maliciousness and behavioural outcomes and psychological variables; and (3) determine the relationships between these tendencies and email characteristics. In our study, 150 undergraduate psychology students participated in exchange for partial course credit (98 females; mean age = 19.70, SD = 2.27). Participants also completed a comprehensive battery of psychometric tests assessing intelligence, pre- and on-task confidence, Big 6 personality, and familiarity/competence in computing and phishing. Results revealed that people showed distinct and robust tendencies for phishing susceptibility and false positives.
A series of regression analyses of the accuracy of both phishing and false-positive detection revealed that human-centred variables accounted for a good degree of variance in phishing susceptibility (about 54%), with perceptions of maliciousness, intelligence, knowledge of phishing, and on-task confidence contributing significantly, directly and/or indirectly via perception of maliciousness. A regression model of false-positive discrimination also showed that human-centred variables accounted for a reasonable degree of variance (41%), with perceptions of maliciousness, intelligence and on-task confidence contributing significantly, directly and/or indirectly via perception of maliciousness. Furthermore, the characteristics of the most effective phishing items and the most frequently misjudged genuine email items were profiled. Based on our findings, we suggest that future research should investigate these significant variables in more detail. We also recommend that future research capture consistent response tendencies to determine vulnerability to phishing and false positives (rather than a one-off response to a single email), and use a collection of the most current phishing email obtained from sources relevant to the population. It is important to capture perceptions of the maliciousness of email because it is a key predictor of the action taken on the email. It directly predicts detection accuracy for phishing and genuine email, and it mediates the relationships between some other predictors whose role would have been overlooked had the perceptions not been captured. The study provides a framework of human-centred variables which predict phishing and false-positive susceptibility, as well as the characteristics of email which most deceive people.
With improving technology, storing and distributing information has never been easier. As a consequence, new ways of exploiting and obtaining information illegally have also developed. Online phishing is a particularly dangerous means of obtaining confidential information and is defined as “a form of deception in which an attacker attempts to fraudulently acquire sensitive information from a victim by impersonating a trustworthy entity” (, p 1). As opposed to other deceitful information-gathering methods (for example, following someone into a secure location, or talking to someone with the intent of extracting classified information), phishing is conducted only online. Commonly orchestrated through email, phishing relies on exploiting human trust while bypassing email software detection systems. It exploits what is known as ‘social engineering’, where individuals are manipulated into aiding the deceivers, either through actions helpful to the deceiver or by providing confidential information.
The overarching goal of this study was to determine the factors that predict phishing susceptibility, focusing on both personal and stimulus characteristics. While focusing on phishing susceptibility, we also collected information on how people responded to genuine email (false positives). Thus, this study’s aims were three-fold: 1) to determine the relationships between phishing susceptibility and different individual difference variables, 2) to determine the relationships between the frequency of false positives and different individual difference variables, and 3) to determine the email characteristics which induced the greatest likelihood of phishing success and false positives. To achieve these goals and to mitigate the problems associated with previous research, we developed and used a novel 40-item phishing detection task with stimuli taken from current real-life email targeting the general public and higher education students. To deepen our understanding of the cognitive and behavioural processes involved in phishing detection and the frequency of false positives, we also employed a novel decision-making procedure that used perception of maliciousness and the behavioural action taken on each email to characterise responses, instead of a simple phishing/non-phishing taxonomy. Perceptions of maliciousness and behavioural judgements for each email were then used as indicators of phishing susceptibility and false positives.
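To make the scoring logic of such a task concrete, the following Python code is an added illustration, not the authors' own scoring script or data. It assumes a hypothetical item set in which each email is labelled phishing or genuine, and a participant response per item consisting of a maliciousness rating (1 = benign, 5 = malicious) and one of the three actions the task offers (keep, trash, seek further information). From a whole set of responses it derives the two consistent tendencies the study captures, phishing susceptibility (phishing email kept) and false positives (genuine email trashed), together with the mean perceived maliciousness of each email class, so that the perception and the behaviour can be compared. All item ids, labels and responses below are constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed item set: item id -> ground-truth class (hypothetical, not the study's 40 items).
ITEMS = {
    "p1": "phishing", "p2": "phishing", "p3": "phishing", "p4": "phishing",
    "g1": "genuine", "g2": "genuine",
}

ACTIONS = {"keep", "trash", "seek_info"}


@dataclass(frozen=True)
class Response:
    item_id: str
    maliciousness: int   # 1 (benign) .. 5 (malicious), assumed rating scale
    action: str          # "keep", "trash" or "seek_info"


def _validate(items, responses):
    """Reject incomplete or malformed response sets before scoring.

    A tendency measured over a subset of items is not comparable across
    participants, so every item must be answered exactly once.
    """
    seen = {r.item_id for r in responses}
    if seen != set(items):
        raise ValueError(f"expected responses for {sorted(items)}, got {sorted(seen)}")
    if len(responses) != len(items):
        raise ValueError("duplicate responses for the same item")
    for r in responses:
        if r.action not in ACTIONS:
            raise ValueError(f"unknown action {r.action!r} for {r.item_id}")
        if not 1 <= r.maliciousness <= 5:
            raise ValueError(f"maliciousness out of range for {r.item_id}")


def score_participant(items, responses):
    """Return the participant's response tendencies across the whole item set.

    susceptibility      : proportion of phishing items the participant kept
    false_positive_rate : proportion of genuine items the participant trashed
    seek_info_rate      : proportion of all items on which more information was sought
    mean_mal_phishing   : mean maliciousness rating given to phishing items
    mean_mal_genuine    : mean maliciousness rating given to genuine items
    perception_gap      : mean_mal_phishing - mean_mal_genuine (perceptual discrimination)
    """
    _validate(items, responses)
    phishing = [r for r in responses if items[r.item_id] == "phishing"]
    genuine = [r for r in responses if items[r.item_id] == "genuine"]
    if not phishing or not genuine:
        raise ValueError("item set must contain both phishing and genuine email")

    mal_phish = mean(r.maliciousness for r in phishing)
    mal_gen = mean(r.maliciousness for r in genuine)
    return {
        "susceptibility": sum(r.action == "keep" for r in phishing) / len(phishing),
        "false_positive_rate": sum(r.action == "trash" for r in genuine) / len(genuine),
        "seek_info_rate": sum(r.action == "seek_info" for r in responses) / len(responses),
        "mean_mal_phishing": mal_phish,
        "mean_mal_genuine": mal_gen,
        "perception_gap": mal_phish - mal_gen,
    }


# Constructed responses for one hypothetical participant.
SAMPLE_RESPONSES = [
    Response("p1", 2, "keep"),
    Response("p2", 5, "trash"),
    Response("p3", 3, "seek_info"),
    Response("p4", 1, "keep"),
    Response("g1", 4, "trash"),
    Response("g2", 1, "keep"),
]

if __name__ == "__main__":
    for name, value in score_participant(ITEMS, SAMPLE_RESPONSES).items():
        print(f"{name:>20}: {value:.2f}")
```

Because the two rates are computed over every item rather than a single email, they capture the consistent tendency the paper argues for; the perception gap lets a researcher see whether a participant who kept phishing email did so because they rated it benign (a perception failure) or despite rating it malicious (a behaviour that diverges from perception).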