Phishing Susceptibility Research Articles

Phishing and the Human Factor: Insights from a Bibliometric Analysis

Academic research on the human element in phishing attacks is essential for developing effective prevention and detection strategies and guiding policymakers to protect individuals and organizations from cyber threats. This bibliometric study offers a comprehensive overview of international research on phishing and human factors from 2006 to 2024. Analysing 308 articles from the Web of Science database, a significant increase in publications since 2015 was identified, highlighting the growing importance of this field. The study revealed influential authors such as Vishwanath and Rao, leading journals like Computers & Security, and key contributing institutions including Carnegie Mellon University. The analysis uncovered strong collaborations between institutions and countries, with the USA being the most prolific and collaborative. Emerging research themes focus on psychological factors influencing phishing susceptibility, user-centric security measures, and the integration of technological solutions with human behaviour insights. The findings highlight the need for increased collaboration between academia and non-academic organizations and the exploration of industry-specific challenges. These insights offer valuable guidance for researchers, practitioners, and policymakers to advance their understanding of phishing attacks, human factors, and resource allocation in this critical aspect of digitalisation, which continues to have significant impacts across business and society at large.

Phishing vulnerability compounded by older age, apolipoprotein E e4 genotype, and lower cognition.

With technological advancements, financial exploitation tactics have expanded into the online realm. Older adults may be particularly susceptible to online scams due to age- and Alzheimer's disease-related changes in cognition. In this study, 182 adults ranging from 18 to 90 years underwent cognitive assessment, genotyping for apolipoprotein E e4 (APOE4), and completed the lab-based Short Phishing Email Suspicion Test (S-PEST) as well as the real-life PHishing Internet Task (PHIT). Across both paradigms, older age predicted heightened susceptibility to phishing, with this enhanced susceptibility pronounced among older APOE4 allele carriers with lower working memory. Additionally, performance in both phishing tasks was correlated in that reduced ability to discriminate between phishing and safe emails in S-PEST predicted greater phishing susceptibility in PHIT. The current study identifies older age, APOE4, and lower cognition as risk factors for phishing vulnerability and introduces S-PEST as an easy-to-administer, ecologically valid tool for assessing phishing susceptibility.

Theoretical and Experimental Framework for Estimating Cyber Victimization Risk in a Hybrid Physical-Virtual World

This study proposes a framework integrating Routine Activities Theory into a hybrid physical-virtual space. Utilizing a space-time path metaphor, it explores phishing susceptibility in relation to daily activities in the hybrid physical-virtual environments. The mixed-method approach includes surveys and experiments, such as simulated phishing emails, to assess response patterns in both settings and investigate travel behavior’s impact on cyber victimization. This hybrid model seeks to understand how physical and virtual interactions affect cybercrime vulnerability, aiding in developing prevention strategies. Additionally, the research underscores the role of visual analytics in cybersecurity, turning complex data into visual forms for effective threat analysis.

The influence of affective processing on phishing susceptibility

ABSTRACT The heightened sophistication of phishing attacks results in billions of dollars of financial losses, loss of intellectual property, and reputational damage to organisations. Past work examining determinants of phishing susceptibility has been dominated by cognitive theoretical perspectives. However, recent research has also revealed the importance of emotion in phishing susceptibility. This study expands our understanding of phishing susceptibility by adopting an affective lens. Using an integrative perspective of emotion, we build on the Affective Infusion Model (AIM) to predict the effects of valence, certainty, and arousal on phishing susceptibility. We pilot our manipulations (N = 241) and then test our hypotheses using a mock phishing experiment (N = 474) in which phishing messages are sent directly to participant inboxes. We demonstrate that messages inducing positive valence and low certainty result in higher phishing susceptibility. This study contributes to phishing literature by illuminating the critical role that emotion plays in altering recipients’ susceptibility in the processing of phishing messages and has implications for scholars, practitioners, and organisations.

Which factors predict susceptibility to phishing? An empirical study

Phishing is a cybercrime in active growth that victimizes a large number of individuals and organizations.To explore which individual and contextual factors predict phishing susceptibility, an online survey was developed, and participants were invited to participate through institutional email from the University of Porto and social networks. The total sample was constituted of 449 individuals.Results showed that subjects that perceive to have phishing detection self-efficacy and those that have greater use of services in Internet routine activities were more susceptible to phishing. Technology competencies and other individual variables do not predict phishing susceptibility in our sample.Furthermore, the majority of factors (individual and contextual) tested do not predict phishing susceptibility. So, more studies are needed to understand which factors influence this susceptibility, and regarding that how individuals can protect themselves.Finally, potential applications of this research include replication in other countries/contexts, and/or the application of the survey together with other innovative tools.

Enhancing Cybersecurity: The Crucial Role of Self-Regulation, Information Processing, and Financial Knowledge in Combating Phishing Attacks

In today’s technologically advanced world, the escalating prevalence of phishing attacks necessitates an urgent exploration of effective countermeasures. This study delves into the crucial investigation of how self-regulation influences phishing susceptibility, while also examining the mediating role of information processing and the moderating influence of financial knowledge. A comprehensive survey was meticulously crafted, targeting 370 recent university graduates. The collected data underwent rigorous analysis using Hayes’ PROCESS macro, unveiling a mediated moderation model. The findings reveal that self-regulation does not directly predict phishing susceptibility. However, information processing, whether systematic or heuristic, significantly impacts phishing susceptibility. Additionally, information processing serves as a mediator, connecting self-regulation to phishing susceptibility. Notably, the interaction between systematic information processing and financial knowledge emerged as a significant determinant of phishing susceptibility. By establishing a comprehensive mediated moderation model, this study provides invaluable insights for individuals and organizations seeking to bolster their defenses against phishing attacks. Furthermore, it emphasizes the vital role of financial knowledge and employees’ heuristic information processing in mitigating cyber threats. This research serves as a crucial scientific contribution, offering compelling evidence that proactive management of contributing factors can effectively mitigate the escalating threats posed by phishing attacks.

Phishing susceptibility across industries: The differential impact of influence techniques

Organizations face an increasing risk of phishing attacks, leading to potential financial losses, privacy breaches, and damage to reputation. While past research has focused on individual and organizational factors in phishing susceptibility, there is a lack of understanding related to industry differences and their impact on the phenomenon. Drawing on existing literature on persuasion and phishing, we propose that shared industry practices, values, and assumptions influence the effectiveness of phishing techniques. To test our hypotheses, we conducted two studies: a lab experiment (n = 259) and a field quasi-experiment (n = 10,967) using a secondary dataset comprising mock phishing attacks on 30 finance and 15 non-finance organizations.The results revealed varying susceptibility to phishing techniques based on industry. Consistent with our expectations, liking-based techniques were more effective among non-finance organizations, while social proof, reciprocity, and authority techniques were more effective in finance organizations. These findings contribute to resolving past inconsistencies in empirical phishing research and provide insights into the role of industry characteristics in shaping phishing susceptibility.

Phishing Susceptibility in Context: A Multilevel Information Processing Perspective on Deception Detection

Despite widespread awareness of risks, significant investments in cybersecurity protection, and substantial economic incentives to avoid security breaches, organizations remain vulnerable to phishing attacks. Phishing research has informed effective practical interventions to address phishing susceptibility that emphasize the importance of broadly applicable IT security knowledge. Yet employees still frequently fall victim to phishing attempts. To help understand why, we conceptualize phishing susceptibility as the failure to differentiate between deceptive and legitimate information processing requests that occur within the context of an employee’s typical job responsibilities. We apply this contextual lens to identify characteristics of knowledge workers’ organizational task and social context that may enhance or diminish performance in detecting deception in phishing email attempts. To test our hypotheses, we conducted a study in which employees of the finance division of a large university encountered simulated email-based phishing attempts as part of their normal work routine. We found evidence supporting our hypotheses that an individual’s susceptibility to phishing attacks is influenced by their position in the knowledge flows of the organization and by the impact of workgroup responsibilities on their cognitive processing. We contend that phishing susceptibility is not merely a matter of IT security knowledge but is also influenced by contextualized, multilevel influences on information processing. As phishing attacks are increasingly targeted to specific organizational settings, it is even more important to incorporate this contextualized information processing view of phishing susceptibility.

Which phish is captured in the net? Understanding phishing susceptibility and individual differences

AbstractPhishing research presents conflicting findings regarding the psychological predictors of phishing susceptibility. The present work aimed to resolve these discrepancies by utilizing a diverse online sample and email set. Participants completed a survey that included an email classification task and measured several individual differences, including phishing awareness, age, impulsivity, curiosity, and personality (the Big‐5). Phishing susceptibility was measured by participants' ability to distinguish between phishing and legitimate emails. Three regression analyses were performed to predict email discrimination ability; (1) an age model, (2) a deficient self‐regulation model (i.e., impulsivity, response times, and curiosity), and (3) a personality (i.e., the Big‐5) model. Overall, phishing susceptibility was predicted by younger age, higher levels of impulsivity and extraversion, lower levels of openness to experience and agreeableness, and quick responses. The present work identifies several populations that are particularly vulnerable to phishing attacks and may require targeted training interventions.

SoK: Human-centered Phishing Susceptibility

Phishing is recognized as a serious threat to organizations and individuals. While there have been significant technical advances in blocking phishing attacks, end-users remain the last line of defence after phishing emails reach their email inboxes. Most of the existing literature on this subject has focused on the technical aspects related to phishing. The factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature and systematically categorized the phishing susceptibility variables studied. We classify variables based on their temporal scope, which led us to propose a three-stage Phishing Susceptibility Model (PSM) for explaining how humans are vulnerable to phishing attacks. This model reveals several research gaps that need to be addressed to understand and improve protection against phishing susceptibility. Our review also systematizes existing studies by their sample size and generalizability and further suggests a practical impact assessment of the value of studying variables: Some more easily lead to improvements than others. We believe that this article can provide guidelines for future phishing susceptibility research to improve experiment design and the quality of findings.

How do technology use patterns influence phishing susceptibility? A two-wave study of the role of reformulated locus of control

ABSTRACT Phishing attacks continue to be a concern for academia and practice. Practitioners ranked phishing attacks second to data breaches in a recent industry survey. For scholars, interest in understanding the factors that influence phishing susceptibility, defined as user vulnerability to phishing attacks, continues to grow. While prior research has identified either state (situational cues) or trait (technology use) factors that influence users’ response to phishing attacks, little previous research has investigated simultaneously user control of both state and trait factors on susceptibility to phishing. Additionally, the influence of users’ automatic or routine technology use, user traits, on phishing susceptibility has not been examined. We investigate the effects of users’ control of both state and trait factors on phishing susceptibility. Our results offer several interesting insights. Specifically, while routine technology use trait decreases phishing susceptibility, automatic technology use trait increases phishing susceptibility. Furthermore, while situational cues are related to phishing susceptibility, only users’ automatic technology use is related to susceptibility to phishing under message sender situational cues. Our findings provide practical insights for developing countermeasures that incorporate the level of control into training programs that target trainees with customised training aimed at preventing successful phishing attacks.

Contextual drivers of employees' phishing susceptibility: Insights from a field study

Phishing attacks rate as one of the most prevalent security threats to contemporary organizations. Hence, managers strive heavily to apply security measures that keep their employees safe from these risks, thereby relying on insights from security researchers who have predominantly focused on recipient characteristics, message attributes, and interventions to explicate the phishing susceptibility of individuals. A theoretical lens yet to be explored is the discrete context in which individuals encounter phishing attacks. This paper presents a multi-dimensional model – comprising the three contextual components social, task, and physical – that explains why an employee is likely to fall for phishing emails or not. To empirically validate our model, we conducted a field study among 2302 employees of an internationally operating pharmaceutical company in the United States. By combining employees' behavioral responses to a phishing email, training data, and contextual data, like help desk reliance, job status or workspace, we find that context is key to a more thorough understanding of phishing susceptibility. Moreover, our study provides practical insights on how organizations can identify and support employees prone to phishing as well as tailor training programs to prevent their workforce from falling prey to cybercriminals.

Prediction of Phishing Susceptibility Based on a Combination of Static and Dynamic Features

Phishing is a very serious security problem that poses a huge threat to the average user. Research on phishing prevention is attracting increasing attention. The root cause of the threat of phishing is that phishing can still succeed even when anti-phishing tools are utilized, which is due to the inability of users to correctly identify phishing attacks. Current research on phishing focuses on examining the static characteristics of the phishing behavior phenomenon, which cannot truly predict a user’s susceptibility to phishing. In this paper, a user phishing susceptibility prediction model (DSM) that is based on a combination of dynamic and static features is proposed. The model investigates how the user’s static feature factors (experience, demographics, and knowledge) and dynamic feature factors (design changes and eye tracking) affect susceptibility. A hybrid Long Short-Term Memory (LSTM) and LightGBM prediction model is designed to predict user susceptibility. Finally, we evaluate the prediction performance of the DSM by conducting a questionnaire survey of 1150 volunteers and an eye-tracking experiment on 50 volunteers. According to the experimental results, the correct prediction rate of the DSM is higher than that for individual feature prediction, which reached 92.34%. These research experiments demonstrate the effectiveness of the DSM in predicting users’ susceptibility to phishing using a combination of static and dynamic features.

Predicting User Susceptibility to Phishing Based on Multidimensional Features.

While antiphishing techniques have evolved over the years, phishing remains one of the most threatening attacks on current network security. This is because phishing exploits one of the weakest links in a network system—people. The purpose of this research is to predict the possible phishing victims. In this study, we propose the multidimensional phishing susceptibility prediction model (MPSPM) to implement the prediction of user phishing susceptibility. We constructed two types of emails: legitimate emails and phishing emails. We gathered 1105 volunteers to join our experiment by recruiting volunteers. We sent these emails to volunteers and collected their demographic, personality, knowledge experience, security behavior, and cognitive processes by means of a questionnaire. We then applied 7 supervised learning methods to classify these volunteers into two categories using multidimensional features: susceptible and nonsusceptible. The experimental results indicated that some machine learning methods have high accuracy in predicting user phishing susceptibility, with a maximum accuracy rate of 89.04%. We conclude our study with a discussion of our findings and their future implications.

Spear-Phishing Susceptibility Stemming From Personality Traits

This study explores the psychological aspects of social engineering by analyzing personality traits in the context of spear-phishing attacks. Phishing emails were constructed by leveraging multiple vulnerable personality traits to maximize the success of an attack. The emails were then used to test several hypotheses regarding phishing susceptibility by simulating a series of spear-phishing campaigns inside a software development company. The company’s employees underwent a standard Big Five personality test, four different phishing emails over four weeks, and cybersecurity training. The results were aggregated before and after the cybersecurity course, and binary logistic regression analyses were performed at each phase of the phishing attack. The results show that personality traits correlate with phishing susceptibility under certain circumstances and pave the way for new methods of protecting individuals from phishing attacks.

Heads-up! An alert and warning system for phishing emails

PurposeThis study introduces the concept of audiovisual alerts and warnings as a way to reduce phishing susceptibility on mobile devices.Design/methodology/approachThis study has three phases. The first phase included 32 subject matter experts that provided feedback toward a phishing alert and warning system. The second phase included development and a pilot study to validate a phishing alert and warning system prototype. The third phase included delivery of the Phishing Alert and Warning System (PAWSTM mobile app) to 205 participants. This study designed, developed, as well as empirically tested the PAWSTM mobile app that alerted and warned participants to the signs of phishing in emails on mobile devices.FindingsThe results of this study indicated audio alerts and visual warnings potentially lower phishing susceptibility in emails. Audiovisual warnings appeared to assist study participants in noticing phishing emails more easily and in less time than without audiovisual warnings.Practical implicationsThis study's implications to mitigation of phishing emails are key, as it appears that alerts and warnings added to email applications may play a significant role in the reduction of phishing susceptibility.Originality/valueThis study extends the existing information security body of knowledge on phishing prevention and awareness by using audiovisual alerts and warnings to email recipients tested in real-life applications.

How personal characteristics impact phishing susceptibility: The mediating role of mail processing

In the phishing email literature, recent researchers have given much attention to individual differences in phishing susceptibility from the perspective of the Big Five personality traits. Although the effectiveness and advantages of the phishing susceptibility measures in the signal detection theory (SDT) framework have been verified, the cognitive mechanisms that lead to individual differences in these measures remain unknown. The current study proposed and examined a theoretical path model to explore how the Big Five personality traits, related knowledge and experience and the cognitive processing of emails (i.e., mail elaboration) influence users’ susceptibility to phishing emails. A sample of 414 Chinese participants completed the 44-item Big Five Personality Inventory (BFI-44), Mail Elaboration Scale (MES), Web Experience Questionnaire, Experience with Electronic Mail Scale, Knowledge and Technical Background Test and a demographic questionnaire. The phishing susceptibility measures were calculated after the participants finished an email legitimacy task in a role-playing scenario. The results showed that the general profile of the “victim personality” included low conscientiousness, low openness and high neuroticism, and Internet experience and computer and web knowledge played an important role. All of these factors have significant indirect effects on phishing susceptibility by influencing mail elaboration. Moreover, the probabilities of checking for further information or deleting the email reflect the sensitivity of email judgment. These findings reveal the mediating role of cognitive processing between individual factors and phishing susceptibility. The theoretical implications of this study for the phishing susceptibility literature and its applications to phishing risk interventions or training programs are discussed.

Learning not to take the bait: a longitudinal examination of digital training methods and overlearning on phishing susceptibility

ABSTRACT As phishing becomes increasingly sophisticated and costly, interventions that improve and prolong resistance to attacks are needed. Previous research supported digital training as a method to reduce phishing susceptibility. However, the effects of training degrade with time. Therefore, we investigate overlearning as an approach that may increase skill retention through repetition and developing automaticity. We performed a longitudinal experiment crossing overlearning with anti-phishing digital training (rule-based, mindfulness, and control). Participants were tested using email identification tests (immediately following and 10 weeks after training) and mock phishing messages delivered to their inboxes (1 week and 8 weeks following training). Results showed that compared to rule-based training, mindfulness training resulted in significantly greater retention in terms of better email discrimination and less susceptibility to phishing attacks but similar levels of caution towards phishing after 2 months. Overlearning resulted in significantly less susceptibility to phishing attacks and more caution towards phishing compared to no overlearning but did not impact the digital training approaches. Even so, mindfulness was more beneficial compared to overlearning. Altogether, the results demonstrate the stability of the benefits of mindfulness training over time in terms of mitigating phishing susceptibility without influencing the chances of missing legitimate emails.

The Phishing Email Suspicion Test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing detection.

Phishing emails constitute a major problem, linked to fraud and exploitation as well as subsequent negative health outcomes including depression and suicide. Because of their sheer volume, and because phishing emails are designed to deceive, purely technological solutions can only go so far, leaving human judgment as the last line of defense. However, because it is difficult to phish people in the lab, little is known about the cognitive and neural mechanisms underlying phishing susceptibility. There is therefore a critical need to develop an ecologically valid lab-based measure of phishing susceptibility that will allow evaluation of the cognitive mechanisms involved in phishing detection. Here we present such a measure based on a task, the Phishing Email Suspicion Test (PEST), and a cognitive model to quantify behavior. In PEST, participants rate a series of phishing and non-phishing emails according to their level of suspicion. By comparing suspicion scores for each email to its real-world efficacy, we find initial support for the ecological validity of PEST - phishing emails that were more effective in the real world were more effective at deceiving people in the lab. In the proposed computational model, we quantify behavior in terms of participants' overall level of suspicion of emails, their ability to distinguish phishing from non-phishing emails, and the extent to which emails from the recent past bias their current decision. Together, our task and model provide a framework for studying the cognitive neuroscience of phishing detection.

The Role of Health Concerns in Phishing Susceptibility: Survey Design Study.

BackgroundPhishing is a cybercrime in which the attackers usually impersonate a trusted source. The attackers usually send an email that contains a link that allows them to steal the receiver’s personal information. In the United States, phishing is the number one cybercrime by victim count according to the Federal Bureau of Investigation’s 2019 internet crime report. Several studies investigated ways to increase awareness and improve employees’ resistance to phishing attacks. However, in 2019, successful phishing attacks continued to rise at a high rateObjectiveThe objective of this study was to investigate the influence of personality-based antecedents on phishing susceptibility in a health care context.MethodsSurvey data were collected from participants through Amazon Mechanical Turk to test a proposed conceptual model using structural equation modeling.ResultsA total of 200 participants took part. Health concerns, disposition to trust, and risk-taking propensity yielded higher phishing susceptibility. This highlights the important of personality-based factors in phishing attacks. In addition, females had a higher phishing susceptibility than male participantsConclusionsWhile previous studies used health concerns as a motivator for contexts such as sharing personal health records with providers, this study shed light on the danger of higher health concerns in enabling the number one cybercrime.