The author of a paper to be presented at the upcoming 2013
International Human Factors and Ergonomics Society Annual Meeting has described
behavioural, cognitive, and perceptual attributes of e-mail users who are
vulnerable to phishing attacks. Phishing is the use of fraudulent e-mail
correspondence to obtain passwords and credit card information, or to send
In "Keeping Up With the Joneses: Assessing Phishing
Susceptibility in an E-mail Task," Kyung Wha Hong found that people
who were overconfident or introverted, and women, were less able to accurately
distinguish between legitimate and phishing e-mails.
She had participants complete a personality survey and then
asked them to scan through a mix of legitimate and phishing e-mails and either
delete suspicious or spam e-mails, leave legitimate e-mails as they were, or mark
e-mails that required action or a response as "important".
What the study found
"The results showed a disconnect between confidence and
actual skill, as the majority of participants were not only susceptible to
attacks but also overconfident in their ability to protect themselves,"
says Hong. Although 89% of the participants indicated they were confident in
their ability to identify malicious e-mails, 92% of them misclassified phishing
Almost 52% of participants in the study misclassified more than half of the
phishing e-mails, and 54% deleted at least one authentic e-mail.
Gender, trust, and personality were correlated with phishing
vulnerability. Women were less likely than men to correctly label phishing
e-mails, and subjects who self-reported as "less trusting, introverts, or
less open to new experiences" were more likely to delete legitimate e-mails.
Hong will continue to develop a user profile that can
predict when and with whom phishing attacks are likely to be successful.
Information gained in these studies will be used to design effective tools to
prevent and combat phishing attacks.