Introduction
Phishing is a technology-based, social engineering tactic where attackers attempt to appear as authorized sources to target individuals and obtain personal and/or sensitive information. An increase in web-based communication has increased the risk of phishing such that the availability and popularity of the Internet facilitates cybercriminals’ abilities to mount phishing attacks against numerous entities with a single strike (Furnell, 2008). Accordingly, the Anti-Phishing Working Group reported at least 128,378 unique phishing sites worldwide in the second quarter of 2014 – the second highest recorded number since the first quarter of 2012 (Anti-phishing Working Group, 2014).
Falling victim to a successful phishing attempt produces emotional and monetary consequences alike. Phishing victims generally experience feelings of distrust, paranoia, embarrassment, and distress relating to Internet-based communication, which consequently reduces their Internet usage. Additionally, ramifications of phishing attempts can include extreme monetary loss and sometimes permanent credit damage (Hardee, West, and Mayhorn, 2006).
Previous anti-phishing research has primarily focused on defensive technological approaches, such as generating and implementing anti-phishing browser sidebars (Wu, 2006), adaptive machines, phishing filters (Ceesay, 2008), and blacklists (Purkait, 2012) to minimize these fraudulent techniques. However, there are drawbacks to each of these technological solutions, particularly concerning system reliability. Furthermore, these countermeasures are generally retroactive in nature, typically identifying phishing attempts only after they have become active (Purkait, 2012).
Surprisingly, comparatively little research has explored the human element of the phishing susceptibility equation (Schultz, Proctor, Lien, & Salvendy, 2001). The limited psychological research that has recently become available provides evidence that phishing susceptibility varies across individuals, though the factors related to these variations have not yet been clearly defined.
One study aimed to outline if and how basic demographic characteristics influence individuals’ phishing susceptibility (Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010). Participants from a university provided self-report demographic information and performed a role-play email categorization/decision-making task in which they had to differentiate between phishing attempts and legitimate emails. Results indicated that gender, age, and experience were related to overall performance on this phishing detection task: women, as well as participants between the ages of 18 and 25, were more susceptible to email-based phishing attempts. Furthermore, participants who reported having prior knowledge and/or exposure to anti-phishing education managed phishing emails better than those who did not report previous training.
Yet another study examined the impact of behavioral and dispositional factors on phishing susceptibility (Wright & Marett, 2010). Researchers investigated the role of trust, suspicion of humanity, and computer self-efficacy on phishing detection accuracy in an email-based role-play scenario. Undergraduate university students provided experience-related information, including self-reported computer self-efficacy, web experience, and security knowledge. Participants also provided dispositional information, including trust, perceived risk, and suspicion of humanity measures. Results indicated that higher computer self-efficacy, web experience, security knowledge, and suspicion of humanity were related to increased performance on the phishing detection task. Trust and risk were not significantly related to susceptibility.