Will the “Phisher-Men” Reel You In?: Assessing Individual Differences in a Phishing Detection Task

Allaire K. Welk (Department of Psychology, North Carolina State University, Raleigh, NC, USA), Kyung Wha Hong (Department of Computer Science, North Carolina State University, Raleigh, NC, USA), Olga A. Zielinska (Department of Psychology, North Carolina State University, Raleigh, NC, USA), Rucha Tembe (Department of Psychology, North Carolina State University, Raleigh, NC, USA), Emerson Murphy-Hill (Department of Computer Science, North Carolina State University, Raleigh, NC, USA) and Christopher B. Mayhorn (Department of Psychology, North Carolina State University, Raleigh, NC, USA)
Copyright: © 2015 | Pages: 17
DOI: 10.4018/IJCBPL.2015100101

Abstract

Phishing is an act of technology-based deception that targets individuals to obtain information. To minimize the number of phishing attacks, factors that influence the ability to identify phishing attempts must be examined. The present study aimed to determine how individual differences relate to performance on a phishing task. Undergraduate students completed a questionnaire designed to assess impulsivity, trust, personality characteristics, and Internet/security habits. Participants performed an email task where they had to discriminate between legitimate emails and phishing attempts. Researchers assessed performance in terms of correctly identifying all email types (overall accuracy) as well as accuracy in identifying phishing emails (phishing accuracy). Results indicated that overall and phishing accuracy each possessed unique trust, personality, and impulsivity predictors, but shared one significant behavioral predictor. These results present distinct predictors of phishing susceptibility that should be incorporated in the development of anti-phishing technology and training.

Introduction

Phishing is a technology-based social engineering tactic in which attackers attempt to appear as authorized sources to target individuals and obtain personal and/or sensitive information. The growth of web-based communication has increased the risk of phishing: the availability and popularity of the Internet make it easier for cybercriminals to mount phishing attacks against numerous entities with a single strike (Furnell, 2008). Accordingly, the Anti-Phishing Working Group reported at least 128,378 unique phishing sites worldwide in the second quarter of 2014, the second-highest recorded number since the first quarter of 2012 (Anti-Phishing Working Group, 2014).

Falling victim to a successful phishing attempt produces emotional and monetary consequences alike. Phishing victims generally experience feelings of distrust, paranoia, embarrassment, and distress relating to Internet-based communication that consequently minimizes Internet usage. Additionally, ramifications of phishing attempts can include extreme monetary loss and sometimes-permanent credit damage (Hardee, West, and Mayhorn, 2006).

Previous anti-phishing research has primarily focused on defensive technological approaches, such as generating and implementing anti-phishing browser sidebars (Wu, 2006), adaptive machines, phishing filters (Ceesay, 2008), and blacklists (Purkait, 2012) to minimize these fraudulent techniques. However, there are drawbacks to each of these technological solutions, particularly concerning system reliability. Furthermore, these countermeasures are generally retroactive in nature, typically identifying phishing attempts only after they have become active (Purkait, 2012):

Surprisingly, comparatively little research has explored the human element of the phishing susceptibility equation (Schultz, Proctor, Lien, & Salvendy, 2001). The limited psychological research that has recently become available provides evidence that phishing susceptibility varies across individuals, though the factors related to these variations have not yet been clearly defined.

One study aimed to outline if and how basic demographic characteristics influence individuals’ phishing susceptibility (Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010). Participants from a university provided self-reported demographic information and performed a role-play email categorization/decision-making task in which they had to differentiate between phishing attempts and legitimate emails. Results indicated that gender, age, and experience were related to overall performance on this phishing detection task; women, as well as participants between the ages of 18 and 25, were more susceptible to email-based phishing attempts. Furthermore, participants who reported having prior knowledge of and/or exposure to anti-phishing education managed phishing emails better than those who did not report previous training.

Yet another study examined the impact of behavioral and dispositional factors on phishing susceptibility (Wright & Marett, 2010). Researchers investigated the role of trust, suspicion of humanity, and computer self-efficacy on phishing detection accuracy in an email-based role-play scenario. Undergraduate university students provided experience-related information, including self-reported computer self-efficacy, web experience, and security knowledge. Participants also provided dispositional information, including trust, perceived risk, and suspicion of humanity measures. Results indicated that higher computer self-efficacy, web experience, security knowledge, and suspicion of humanity were related to increased performance on the phishing detection task. Trust and risk were not significantly related to susceptibility.
