Research Article Phishing Susceptibility: An Investigation Into the Processing of a Targeted Spear Phishing Email

Research problem: Phishing is an email-based scam where a perpetrator camouflages emails to appear as a legitimate request for personal and sensitive information.

Research question: How do individuals process a phishing email and determine whether to respond to it? Specifically, this study examines how users' attention to "visceral triggers" and "phishing deception indicators" influences their decision-making processes and, consequently, their decisions.

Literature review: This paper draws upon the theory of deception and the literature on mediated cognition and learning, including the critical role of attention and elaboration in deception detection. From this literature, we developed a research model to suggest that overall cognitive effort expended in email processing decreases with attention to visceral triggers and phishing deception indicators. The likelihood to respond to phishing emails increases with attention to visceral cues, but decreases with attention to phishing deception indicators and cognitive effort. Knowledge of email-based scams increases attention to phishing deception indicators, and directly decreases response likelihood. It also moderates the impact of attention to visceral triggers and that of phishing deception indicators on likelihood to respond.

Methodology: Using a real phishing email as a stimulus, a survey was conducted of 321 members of a public university community in the Northeast US who were intended victims of a spear phishing attack that took place. The survey used, for the most part, validated measures developed in prior literature, and results were tested using partial least-squares regression.

Results and discussion: Our research model and hypotheses were supported by the data, except that we did not find that cognitive effort significantly affects response likelihood. The implication of the study is that attention to visceral triggers, attention to phishing deception indicators, and phishing knowledge play critical roles in phishing detection. The limitations of the study were that the data were drawn from students, and that the study explored one phishing attack and relied on some single-item measures, a cognitive effort measure, and a one-round survey. Future research would examine the impact of a varying degree of urgency and a varying level of phishing deception indicators, and actual victims of phishing attacks.
