Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions

Published: 10 April 2010

Abstract

In this paper we present the results of a roleplay survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility and the effectiveness of several anti-phishing educational materials. Our results suggest that women are more susceptible than men to phishing, and that participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. We explain these demographic factors through a mediation analysis. Educational materials reduced users' tendency to enter information into phishing webpages by 40 percent; however, some of the educational materials we tested also slightly decreased participants' tendency to click on legitimate links.



Published In

CHI '10: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
April 2010, 2690 pages
ISBN: 9781605589299
DOI: 10.1145/1753326

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. mechanical turk
  2. phishing
  3. roleplay
  4. social engineering
  5. survey
  6. user behavior

Qualifiers

  • Research-article

Conference

CHI '10

Acceptance Rates

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

Cited By
  • (2025) What goes wrong during phishing education? A probe into a game-based assessment with unfavorable results. Entertainment Computing 52 (100815). DOI: 10.1016/j.entcom.2024.100815. Online publication date: Jan 2025.
  • (2024) Phishing: Gender Differences in Email Security Perceptions and Behaviors. Cybersecurity Pedagogy and Practice Journal 3:2 (35-47). DOI: 10.62273/PELX2965. Online publication date: 2024.
  • (2024) Vulnerability of Students of Masaryk University to Two Different Types of Phishing. Applied Cybersecurity & Internet Governance. DOI: 10.60097/ACIG/190268. Online publication date: 24 Jun 2024.
  • (2024) Analysis Model at Sentence Level for Phishing Detection. Machine Learning Techniques and Industry Applications, ch. 4 (73-89). DOI: 10.4018/979-8-3693-5271-7.ch004. Online publication date: 3 May 2024.
  • (2024) Mitigating Phishing Threats in Unmanned Aircraft Systems (UAS) Through Multi-Stage Defense Strategies. Analyzing and Mitigating Security Risks in Cloud Computing, ch. 7 (125-162). DOI: 10.4018/979-8-3693-3249-8.ch007. Online publication date: 5 Jan 2024.
  • (2024) Analysis Model at the Sentence Level for Phishing Detection. Deep Learning, Reinforcement Learning, and the Rise of Intelligent Systems, ch. 11 (209-227). DOI: 10.4018/979-8-3693-1738-9.ch011. Online publication date: 23 Feb 2024.
  • (2024) Phishing and the Human Factor: Insights from a Bibliometric Analysis. Information 15:10 (643). DOI: 10.3390/info15100643. Online publication date: 15 Oct 2024.
  • (2024) Investigation of Phishing Susceptibility with Explainable Artificial Intelligence. Future Internet 16:1 (31). DOI: 10.3390/fi16010031. Online publication date: 17 Jan 2024.
  • (2024) Risky online behaviors and cybercrime awareness among undergraduate students at Al Quds University: a cross sectional study. Crime Science 13:1. DOI: 10.1186/s40163-024-00230-w. Online publication date: 10 Oct 2024.
  • (2024) Like Shooting Phish in a Barrel: Cue Utilization and Cognitive Reflection Aid Performance in Controlled, but Not Naturalistic Phishing Tasks. Journal of Cognitive Engineering and Decision Making. DOI: 10.1177/15553434241296170. Online publication date: 27 Oct 2024.