Individual processing of phishing emails: How attention and elaboration protect against phishing

The purpose of this paper is to explore user susceptibility to phishing by unpacking the mechanisms that may influence individual victimization. The focus is on the characteristics of the e-mail message, users’ knowledge and experience with phishing, and the manner in which these interact and influence how users cognitively process phishing e-mails.

A field experiment was conducted where 194 subjects were exposed to a real phishing attack. The experimenters manipulated the contents of the message and measures of user traits and user processing were obtained after the phishing attack.

Of the original list of targets, 47 percent divulged their private information to a bogus form page. Phishing susceptibility was predicted by a particular combination of both low attention to the e-mail elements and high elaboration of the phishing message. The presence of a threat or reward-based phishing message did not affect these processes, nor did it affect subsequent phishing susceptibility. Finally, individual factors such as knowledge and experience with e-mail increased resilience to the phishing attack.

The findings are generalizable to students who are a particularly vulnerable target of phishing attacks.

The results presented in this study provide pragmatic recommendations for developing user-centered interventions to thwart phishing attacks. Lastly the authors suggest more effective educational efforts to protect individuals from such online fraud.

This study provides novel insight into why phishing is successful, the human factor in susceptibility to online deception as well the role of information processing in effective decision making in this context. Based on the findings, the authors dispel common misconceptions about phishing and discuss more effective educational efforts to protect individuals from such online fraud.