New research published in Applied Cognitive Psychology suggests that the older you are, the less susceptible you are to phishing scams. In addition, highly extroverted and agreeable people are more susceptible to this style of cyber attack. This research holds the potential to provide valuable guidance for future cybersecurity training, considering the specific knowledge and skills required to address age and personality differences.
Phishing is a type of cyber attack involving tricking individuals into revealing sensitive information or downloading malware through fraudulent emails or websites. Despite the growing prevalence of phishing attacks, much is still to be learned about the psychological factors contributing to susceptibility.
Past research has demonstrated conflicting results regarding the predictors of phishing susceptibility, with some studies finding that impulsivity increases susceptibility but others finding the opposite. Additionally, many past studies have relied on limited email sets or retrospective self-report measures, which may not accurately reflect real-world phishing scenarios.
In their new study, Dawn Sarno and colleagues investigated how factors such as users’ experience, age, deficient self-regulation (including impulsivity, response times, and curiosity), and personality impacted their ability to differentiate between legitimate and phishing emails.
The research team hypothesized that less experience, older age, and deficient self-regulation would be associated with poorer discrimination skills for emails. The study aimed to offer further insights into the psychological factors that influence susceptibility to phishing attacks by employing a diverse online sample and a diverse set of emails.
An online survey was conducted with 1,000 participants recruited from Amazon’s Mechanical Turk platform. The survey included an email classification task where participants had to distinguish between phishing and legitimate emails. The researchers also measured the relevant variables using established scales.
The results demonstrated that participants correctly classified 72% of the emails. As expected, participants who scored higher on measures of phishing awareness were better at distinguishing between phishing and legitimate emails.
Older participants were also better at distinguishing between phishing and legitimate emails than younger participants. This may be due to older individuals having greater life experience and knowledge about common scams. It is also possible that older individuals are more cautious when it comes to online security due to concerns about their financial or personal information being compromised.
The results of the current study support the idea that people with poor self-control and impulsive tendencies are more likely to misclassify phishing emails as legitimate. Interestingly, impulsive individuals also tend to be less confident in their classifications, suggesting they are somewhat aware of their vulnerability.
This awareness may explain some inconsistent findings in previous research, the researchers said. It is possible that when impulsive individuals are aware of the true purpose of the study, they can compensate for their lack of self-control and be more cautious.
Contrary to some past research findings, curiosity was not a significant predictor of phishing susceptibility in this study. This is somewhat surprising given that curiosity has been shown to increase engagement with online content in other contexts.
Participants who scored high on conscientiousness and emotional stability measures were less vulnerable to phishing emails. Conversely, those who scored high in extraversion and agreeableness were more vulnerable to phishing. This may be because these traits increase risk taking and decrease behaviors related to criticism or suspicion.
The study is limited by its reliance on self-report measures for some individual differences (such as impulsivity and curiosity), which may not be entirely accurate. Additionally, the sample was recruited from Amazon’s Mechanical Turk platform, which may not be representative of the general population. Finally, the research did not explore other factors contributing to phishing susceptibilities, such as education level or prior cyberattack experience.
Nevertheless, the present study has important implications for cybersecurity training and education. The results suggest that targeted interventions may be necessary to address the specific vulnerabilities of different populations. For example, training programs for older adults may focus on updating their knowledge about new phishing tactics. In contrast, programs for younger individuals may emphasize the importance of caution and skepticism when interacting with online content.
In addition, the findings suggest that personality traits may play an important role in determining susceptibility to phishing attacks. This research highlights the need for personalized cybersecurity training approaches that consider individual personality and behavior differences.
The study, “Which phish is captured in the net? Understanding phishing susceptibility and individual differences“, was authored by Dawn M. Sarno, Maggie W. Harris, and Jeffrey Black.