The Relationship Between Social Persuasion Strategies, Phishing Features and Email Exposure Time on Phishing Susceptibility

Abstract

A ‘phishing email’ aims to persuade an unsuspecting individual to reveal personal credentials and sensitive information. Currently, the global costs to businesses and individuals associated with phishing related attacks are reported in the hundreds of millions of dollars. While technological interventions capture a proportion of these phishing emails, ultimately, the human user is the last line of defence in determining the legitimacy of the email. ‘Phishers’ aim to exploit human weaknesses through the use of various persuasion strategies that create a sense of urgency and time pressure to respond to emails. Typically, individuals must also rely on subtle phishing features in an email to determine if the email is genuine or an attempted phish. Furthermore, phishers take advantage of the assumption that users determine the legitimacy of emails in a short amount of time. The present study aims to examine the impact of these email characteristics of persuasion strategies, the number of phishing features, and exposure time on phishing detection and susceptibility. Using an online survey platform, participants (N= 136) completed an email sorting task where they were required to review and sort 60 incoming emails from the inbox of ‘Professor Alex Jones’. Several significant results were obtained supporting the hypotheses. It demonstrated that individuals are better able to detect a phishing email when it utilises common persuasion strategies (authority and scarcity), and contain a greater number of phishing features. It also revealed that with increased email exposure time, individuals had a better phishing detection rate. However, the effect of identifying phishing emails with common persuasion strategies was not greater during shorter exposure time, providing a non-significant result. A greater understanding of these email factors associated with phishing susceptibility could lead to more tailored awareness campaigns and/or training programs to increase phishing detection and reduce susceptibility.