Why People Still Fall for Phishing Emails: An Empirical Investigation into How Users Make Email Response Decisions (2401.13199v1)
Abstract: Despite technical and non-technical countermeasures, humans continue to be tricked by phishing emails. How users make email response decisions is a missing piece of the puzzle in identifying why people still fall for phishing emails. We conducted an empirical study using a think-aloud method to investigate how people make 'response decisions' while reading emails. A grounded theory analysis of the in-depth qualitative data enabled us to identify the different elements of email users' decision-making that influence their email response decisions. Furthermore, we developed a theoretical model that explains how people could be driven to respond to emails, based on the identified elements of users' email decision-making processes and the relationships uncovered from the data. The findings provide deeper insights into phishing email susceptibility arising from people's email response decision-making behavior. We also discuss the implications of our findings for designers and researchers working on anti-phishing training, education, and awareness interventions.