University of Buffalo study examines the psychology of phishing emails

A study by the University of Buffalo has revealed that ‘information rich phishing emails’ may be more effective due to their ability to alter recipients’ cognitive processes, reports Phys.org.

Professor Arun Vishwanath’s research found that information rich emails (including graphics, logos and brand markers, along with personalized text) were able to provoke a response because they ‘provoked in the victim a feeling of social presence, which is the sense that they are corresponding with a real person.’

“‘Presence’ makes a message feel more personal, reduces distrust and also provokes heuristic processing, marked by less care in evaluating and responding to it,” said Vishwanath.

“In addition the text is carefully framed to sound personal, arrest attention and invoke fear. It often will include a deadline for response for which the recipient must use a link to a spoof ‘response’ website. Such sites, set up by the phisher, can install spyware that data mines the victim’s computer for usernames, passwords, address books and credit card information.”

“In these circumstances, we found that if the message asks for personal information, people are more likely to hand it over, often very quickly. In this study such an information-rich phishing message triggered a victimization rate of 68 percent among participants.”

The study was structured in such a way that 125 undergraduate students were sent a test phishing email from a Gmail account used in the study, which included a reply-to address and sender’s address, both including the name of the university. The phishing email used the fear triggers mentioned above, informing students that there was an error in their email account, and they needed to visit an enclosed link to fix their account settings. The message had a deadline, after which time they would not be able to access their email account.

49 participants responded to the phishing email right away, while another 36 responded after a reminder was sent. Respondents then completed a five-point scale measuring their use of critical thinking and ‘heuristic information processing’ to assess their response to the email. In total, after variables were considered, the fake attack had a 68 percent success rate.

The study, entitled “Examining the impact of presence on individual phishing victimization”, was presented at the University of Hawaii as part of the 48th Hawaii International Conference on System Sciences earlier this month.

Vishwanath believes that understanding the psychology of those being phished is all-important in the ongoing fight against cybercrime: “With email becoming the dominant way of communicating worldwide, the phishing trend is expected to increase as technology becomes more advanced and phishers find new ways to appeal to their victims. While these criminals may not be easily stopped, understanding what makes us more susceptible to these attacks is a vital advancement in protecting Internet users worldwide.”

Author , ESET
