Research Note - Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance

Phishing is a major threat to individuals and organizations. Along with billions of dollars lost annually, phishing attacks have led to significant data breaches, loss of corporate secrets, and espionage. Despite the significant threat, potential phishing targets have little theoretical or practical guidance on which phishing tactics are most dangerous and require heightened caution. The current study extends persuasion and motivation theory to postulate why certain influence techniques are especially dangerous when used in phishing attacks. We evaluated our hypotheses using a large field experiment that involved sending phishing messages to more than 2,600 participants. Results indicated a disparity in levels of danger presented by different influence techniques used in phishing attacks. Specifically, participants were less vulnerable to phishing influence techniques that relied on fictitious prior shared experience and were more vulnerable to techniques offering a high level of self-determination. By extending persuasion and motivation theory to explain the relative efficacy of phishers' influence techniques, this work clarifies significant vulnerabilities and lays the foundation for individuals and organizations to combat phishing through awareness and training efforts.
