Off the hook! Who gets phished and why

Apr 06, 2011

Communication researchers at four major universities have found that if you receive a lot of email, habitually respond to a good portion of it, maintain a lot of online relationships and conduct a large number of transactions online, you are more susceptible to email phishing expeditions than those who limit their online activity.

The study, "Why Do People Get Phished?" forthcoming in the journal Decision Support Systems and Electronic Commerce, uses an integrated model to test individual differences in vulnerability to phishing.

The study is particularly pertinent, given the rash of phishing expeditions that have become public of late, the most recent involving the online marketing firm Epsilon, whose database was breached last week by hackers, potentially affecting millions of banking and retail customers.

The authors are Arun "Vish" Vishwanath, PhD, and H. Raghav Rao, PhD, University at Buffalo; Tejaswini Herath, PhD, Brock University (Ont., CA); Rui Chen, PhD, Ball State University, and Jingguo Wang, PhD., University of Texas, Arlington. Herath, Chen and Wang each hold a PhD in and systems from UB.

"phishing" is a process that employs such techniques as using the names of credible businesses (American Express, eBay), government institutions (Internal Revenue Service, Department of Motor Vehicles), or current events (political donations, Beijing Olympic tickets, aiding Katrina victims) in conjunction with statements invoking fear, threat, excitement, or urgency, to persuade people to respond with personal and sensitive information like usernames, passwords and credit card details.

Phishing exploits what are generally accepted to be the poor current web security technologies, but Vishwanath says, "By way of prevention, we found that spam blockers are imperative to reduce the number of unnecessary emails individuals receive that could potentially clutter their information processing and judgment."

"At the other end," he says, "individuals need to be extra careful when utilizing a single email account to respond to all their emails. An effective strategy is to use different email accounts for different purposes. If one email address is used solely for banking and another is used solely for personal communication with family and friends, it will increase your attention to the details of the email and reduce the likelihood of chance-deception because of clutter."

Vishwanath also advocates setting aside time to focus and respond to personal emails separately from work-related emails. For instance, setting aside a time each day for responding to personal banking emails gives you time to process them more clearly and consider their legitimacy before responding.

The integrated information processing model of phishing susceptibility presented in this study is grounded in prior research in information processing and interpersonal deception.

"We refined and validated our model using a sample of intended victims of an actual phishing attack," Vishwanath says. Overall, the model explains close to fifty percent of the variance in individual phishing susceptibility.

"Our results indicate that people process most phishing emails peripherally and make decisions based on simple cues embedded in the email. Interestingly, urgency cues, i.e., threats and warnings, in the email stimulated increased information processing, thereby short circuiting the resources available for attending to other cues that could potentially help detect the deception."

"In addition, our findings suggest that habitual patterns of media use combined with high levels of email load have a strong and significant influence on individuals' likelihood to be phished."

The study also showed that a person's competency with computing did not protect them from phishing scams, but their awareness about in conjunction with healthy email habits, helped them avoid online deception.

Vishhwanath is an associate professor, Department of Communication at UB, where he directs graduate studies, and an adjunct associate professor in the department of Management Science and Systems, UB School of Management. He an expert in the field of consumer behavior, specifically the diffusion and acceptance of information technology.

Rao, SUNY Distinguished Service Professor in the Department of Management Science and Systems, UB School of Management, conducts research and publishes in the areas of areas of management information systems, decision support systems, e-business, emergency response management systems and information assurance.

Herath, who holds a PhD from UB, is an assistant professor in the Faculty of Business at Brock University. Chen, who holds a bachelor's and master's degree in computer science and a PhD in management science and systems from UB, is an assistant professor of information systems at Ball State. Wang, who holds a master's degree in industrial engineering and a PhD in management science and systems from UB, is an assistant professor o information systems and operations management, University of Texas, Arlington.

Explore further: Study: Social media users shy away from opinions

add to favorites email to friend print save as pdf

Related Stories

Phishing Attacks in May Jumped More Than 200 Percent

Jun 30, 2005

The phishing season is officially open. Phishing – using fraudulent emails to try to dupe recipients into revealing personal or financial information -- reached its highest level in May, according to IBM. The month Global ...

Researchers fight phishing attacks with phishing tactics

Oct 02, 2007

Early findings by Carnegie Mellon University researchers suggest that people who are suckered by a spoof email into visiting a counterfeit Web site are also people who are ready to learn their lesson about “phishing” ...

US banks, companies issue warning after email hack

Apr 04, 2011

Computer hackers gained access to the email addresses of customers of several large US banks and other companies in a potentially huge data breach at US online marketing firm Epsilon. ...

Recommended for you

Study: Social media users shy away from opinions

Aug 26, 2014

People on Facebook and Twitter say they are less likely to share their opinions on hot-button issues, even when they are offline, according to a surprising new survey by the Pew Research Center.

US warns shops to watch for customer data hacking

Aug 23, 2014

The US Department of Homeland Security on Friday warned businesses to watch for hackers targeting customer data with malicious computer code like that used against retail giant Target.

Fitbit to Schumer: We don't sell personal data

Aug 22, 2014

The maker of a popular line of wearable fitness-tracking devices says it has never sold personal data to advertisers, contrary to concerns raised by U.S. Sen. Charles Schumer.

Should you be worried about paid editors on Wikipedia?

Aug 22, 2014

Whether you trust it or ignore it, Wikipedia is one of the most popular websites in the world and accessed by millions of people every day. So would you trust it any more (or even less) if you knew people ...

How much do we really know about privacy on Facebook?

Aug 22, 2014

The recent furore about the Facebook Messenger app has unearthed an interesting question: how far are we willing to allow our privacy to be pushed for our social connections? In the case of the Facebook ...

Philippines makes arrests in online extortion ring

Aug 22, 2014

Philippine police have arrested eight suspected members of an online syndicate accused of blackmailing more than 1,000 Hong Kong and Singapore residents after luring them into exposing themselves in front of webcam, an official ...

User comments : 0