Who Gets Phished And Why

Communication researchers at four major universities have found that if you receive a lot of email, habitually respond to a good portion of it, maintain a lot of online relationships and conduct a large number of transactions online, you are more susceptible to email phishing expeditions than those who limit their online activity.

The study, “Why Do People Get Phished?” forthcoming in the journal Decision Support Systems and Electronic Commerce, uses an integrated information processing model to test individual differences in vulnerability to phishing.

The study is particularly pertinent, given the rash of phishing expeditions that have become public of late, the most recent involving the online marketing firm Epsilon, whose database was breached last week by hackers, potentially affecting millions of banking and retail customers.

The authors are Arun “Vish” Vishwanath, PhD, and H. Raghav Rao, PhD, University at Buffalo; Tejaswini Herath, PhD, Brock University (Ont., CA); Rui Chen, PhD, Ball State University, and Jingguo Wang, PhD., University of Texas, Arlington. Herath, Chen and Wang each hold a PhD in management science and systems from UB.

Email “phishing” is a process that employs such techniques as using the names of credible businesses (American Express, eBay), government institutions (Internal Revenue Service, Department of Motor Vehicles), or current events (political donations, Beijing Olympic tickets, aiding Katrina victims) in conjunction with statements invoking fear, threat, excitement, or urgency, to persuade people to respond with personal and sensitive information like usernames, passwords and credit card details.

Phishing exploits what are generally accepted to be the poor current web security technologies, but Vishwanath says, “By way of prevention, we found that spam blockers are imperative to reduce the number of unnecessary emails individuals receive that could potentially clutter their information processing and judgment.”

“At the other end,” he says, “individuals need to be extra careful when utilizing a single email account to respond to all their emails. An effective strategy is to use different email accounts for different purposes. If one email address is used solely for banking and another is used solely for personal communication with family and friends, it will increase your attention to the details of the email and reduce the likelihood of chance-deception because of clutter.”

Vishwanath also advocates setting aside time to focus and respond to personal emails separately from work-related emails. For instance, setting aside a time each day for responding to personal banking emails gives you time to process them more clearly and consider their legitimacy before responding.

The integrated information processing model of phishing susceptibility presented in this study is grounded in prior research in information processing and interpersonal deception.

“We refined and validated our model using a sample of intended victims of an actual phishing attack,” Vishwanath says. Overall, the model explains close to fifty percent of the variance in individual phishing susceptibility.

“Our results indicate that people process most phishing emails peripherally and make decisions based on simple cues embedded in the email. Interestingly, urgency cues, i.e., threats and warnings, in the email stimulated increased information processing, thereby short circuiting the resources available for attending to other cues that could potentially help detect the deception.”

“In addition, our findings suggest that habitual patterns of media use combined with high levels of email load have a strong and significant influence on individuals’ likelihood to be phished.”

The study also showed that a person’s competency with computing did not protect them from phishing scams, but their awareness about phishing in conjunction with healthy email habits, helped them avoid online deception.

Vishhwanath is an associate professor, Department of Communication at UB, where he directs graduate studies, and an adjunct associate professor in the department of Management Science and Systems, UB School of Management. He an expert in the field of consumer behavior, specifically the diffusion and acceptance of information technology.

 

Featured

  • Impact on Digital Transformation

    A 2023 Statista report projects that by 2030 there will be 30 billion Internet of Things (IoT) devices in use. That is three times as many as there were in 2020. The numbers continue to grow because connecting sensors and systems, especially across a business, promises big efficiency gains and new insights. As such, the IoT and IIoT (Industrial Internet of Things) have become a launching pad for digital transformation -- not only for individual organizations but for entire industries. Read Now

  • Optimizing Security and Business Performance with Clarity and Control

    In recent years, the security sector has experienced a significant influx of innovative technologies that have fundamentally transformed how organizations design, implement, and oversee their security programs. The widespread adoption of cloud-based infrastructure, edge processing, and AI or machine learning (ML) driven analytics has brought about revolutionary changes in applications such as access control, video surveillance and emerging areas like threat detection and drone identification. Read Now

  • Father of Georgia School Shooting Suspect Charged in Connection With Attack

    Colin Gray, the father of the 14-year-old Georgia school shooting suspect, has also been charged in connection with the attack. The 54-year-old father was charged with four counts of involuntary manslaughter, two counts of second-degree murder and eight counts of cruelty to children. More charges are expected. Read Now

  • Enhancing Security and Business Intelligence

    From border security to parking lots, ALPR has gained traction across multiple use cases as the technology becomes more accurate and affordable than ever. I spoke with Jason Cook, business development director at Vaxtor, a leader in ALPR AI-based analytics, and Rui Barbosa, category manager, Surveillance Products at i-PRO, a maker of AI-enabled security cameras, to delve into the latest advancements and applications of ALPR technology. Automated License Plate Recognition (ALPR) has transformed significantly over the years, evolving from a niche technology into a powerful tool for a wide range of applications, particularly in border security. Read Now

Featured Cybersecurity

Webinars

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3