The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived

Authors

  • Ryan T. Wright
  • Kent Marett
Abstract

Phishing has been a major problem for information systems managers and users for several years now. In 2008, it was estimated that phishing resulted in close to $50 billion in damages to U.S. consumers and businesses. Even so, research has yet to explore many of the reasons why Internet users continue to be exploited. The goal of this paper is to better understand the behavioral factors that may increase one’s susceptibility for complying with a phisher’s request for personal information. Using past research on deception detection, a research model was developed to help explain compliant phishing responses. The model was tested using a field study in which each participant received a phishing e-mail asking for sensitive information. It was found that four behavioral factors were influential as to whether the phishing e-mails were answered with sensitive information. The paper concludes by suggesting that the behavioral aspect of susceptible users be integrated into the current tools and materials used in antiphishing efforts.

Key words and phrases: computer-mediated deception, electronic mail fraud, Internet security, interpersonal deception theory, phishing.

The Internet has opened up a wealth of opportunities for individuals and businesses to expand the reach and range of their personal and commercial transactions, but these openings have also created a venue for a number of computer security issues that must be addressed. Investments in security hardware and software are now fundamental parts of a company’s information technology (IT) budget. Also, security policies are continually developed and refined to reduce technical vulnerabilities. However, the frequent use of Internet technologies by corporations can also introduce new vulnerabilities. One recent phenomenon that exploits end users’ carelessness is phishing.
Phishing uses obfuscation of both e-mails and Web sites to trick Web users into complying with a request for personal information [5, 27]. The deceitful people behind the scam, the “phishers,” are then able to use the personal information for a number of illicit activities, ranging from individual identity theft to the theft of a company’s intellectual property. According to some estimates, phishing results in close to $50 billion of damage to U.S. consumers and businesses a year [49, 71]. In 2007, phishing attacks increased and some 3 million adults lost over $3 billion in the 12 months ending in August 2007 [29]. Although some reports indicate that the annual financial damage is not rising dramatically from year to year, the number of reported victims is increasing at a significant rate [35]. Phishing continues to be a very real problem for Web users in all walks of life. Consistent with the “fishing” homonym, phishing attacks are often described by using a “bait-and-hook” metaphor [70]. The “bait” consists of a mass e-mail submission sent to a large number of random and unsuspecting recipients. The message strongly mimics the look and feel of a legitimate business, including the use of familiar logos and slogans. The e-mail often requests the recipient’s aid in correcting a technical problem with his or her user account, ostensibly by confirming or “resupplying” a user ID, a password, a credit card number, or other personal information. The message typically encourages recipients to visit a bogus Web site (the “hook”) that is similar in appearance to an actual corporate Web site, except that user-supplied information is not sent to the legitimate company’s Web server, but to a server of the phisher’s choosing. The phishing effort is relatively low in terms of cost and risk for the phishers. Further, phishers may reside in international locations that place them out of reach of authorities in the victim’s jurisdiction, making prosecution much more difficult [33].
Phishers are rarely apprehended and prosecuted for the fraud they commit. Developing methods for detecting phishing before any damage is inflicted is a priority, and several approaches for detection have resulted from the effort. Technical countermeasures, such as e-mail filtering and antiphishing toolbars, successfully detect phishing attempts in about 35 percent of cases [84]. Updating fraud definitions, flagging bogus Web sites, and preventing false alarms from occurring continue to challenge individual users and IT departments alike. An automated comparison of the design, layout, and style characteristics between authentic and fraudulent Web sites has been shown to be more promising than a simple visual inspection made by a visitor, but an up-to-date registry of valid and invalid Web sites must be available for such a method to be practical [55]. Because of ineffective technological methods of prevention, much of the responsibility for detecting phishing lies with the end user, and an effective strategy for guarding against phishing should include both technological and human detectors. However, prior research has shown that, like technology, people are also limited in terms of detecting the fraud once they are coerced into visiting a bogus Web site [19]. Once the message recipient chooses to visit a fraudulent Web site, he or she is unlikely to detect the fraudulent nature of the request and the “hook” will have been set. In order to prevent users from sending sensitive information to phishers, educating and training e-mail users about fraud prevention and detection at the “bait” stage must be considered the first line of defense [53].
The goal of this paper is to better understand, given the large number of phishing attempts and the vast amount of attention given to phishing in the popular press, why users of online applications such as e-mail and instant messaging still fall prey to these fraudulent efforts.



Journal title:
  • J. of Management Information Systems

Volume 27  Issue 

Pages  -

Publication date 2010