Why people keep falling for phishing scams: The effects of time pressure and deception cues on the detection of phishing emails

Abstract

Lack of personalisation and poor mechanics (e.g., grammar, spelling and punctuation) are commonly cited as cues of deception that people can use to identify phishing emails. However, in an online email classification experiment (N = 472), we found no empirical evidence that the presence of these features was associated with better phishing email discrimination. We also manipulated time pressure and found that it significantly reduced detection accuracy. Participants rarely inspected the URLs associated with links in the phishing emails but, when they did, their detection performance improved. Better performance in distinguishing between genuine and phishing emails was linked to lower levels of an intuitive decision-making style and relatively lower education levels amongst a highly educated sample. Older participants and those with greater computer proficiency and stronger email habit showed a slight increase in tendency to judge emails as suspicious. The results are discussed in terms of intervention strategies such as cyber security training to improve resilience to phishing attacks.