2018 Symposium Posters

Phishing Susceptibility: An Investigation Into Human Information Processing of Spear-Phishing


Primary Investigator:
Robert Proctor

Project Members
Aiping Xiong, Huangyi Ge, Jeremiah Blocki, Ninghui Li, Robert W. Proctor
Abstract
Universities and their employees and students are highly vulnerable to spear-phishing. Email scanning systems are implemented by universities to detect spoofing and to provide regular digests of emails quarantined by the scanning systems for users to review (e.g., once-a-day Cisco quarantine email at Purdue). Although such scanning systems can reduce the amount of obvious marketing pitches and unwanted emails from known junk email sources, they often fail to quarantine forged emails. Moreover, once a forged email gets in, users typically do not have the opportunity to be warned. We aim to understand how university undergraduate students process and respond to spear-phishing emails, and whether the presence of a quarantine digest email impacts their decisions and actions. We conducted a role-play experiment in which 464 Purdue undergraduate students performed an email management task. Within the task, they were instructed to read 10 emails (2 spear-phishing, 8 legitimate) and to take actions as they normally would. We found that participants were more likely to delete and junk the email, and to not enter information, for the known phishing scam than for the unknown phishing scam. The presence of a Cisco quarantine email increased participants’ awareness of phishing but showed no impact on their actions on spear-phishing emails and webpages. For participants who were aware of phishing, the presence of a Cisco quarantine email increased their likelihood of entering information on phishing webpages. However, a reversed pattern was evident for participants who were not aware of phishing. In summary, the results suggest that undergraduate students show a response bias and lack the knowledge to identify phishing scams. Although a Cisco quarantine email increased users’ awareness of phishing, such an increase may increase their vulnerability to entering information on phishing webpages.