In the world of the Internet, only a small number of things are worse than phishing. It’s a nasty business that sucks in countless hapless users, stealing their information and their money. In the first half of 2012 alone, phishing cost $687 million. In fact, the government of Canada states that each day, 156 million phishing emails are sent, 16 million make it through spam filters, 8 million are opened by unsuspecting users, 800,000 links are clicked, and 80,000 recipients share their personal information. And it might be tempting to make assumptions about those who fall victim to phishing attacks. Maybe you’ve said, ‘not me, I’m too smart for that,’ or ‘my employees won’t fall for these schemes, they’re too well trained.’ In fact, when we discuss phishing, the topic of demographics doesn’t usually find its way into the discussion. Perhaps because we don’t know, perhaps because we assume too quickly, or perhaps because it simply never occurred to us to ask who is most susceptible to the social disease called phishing.
Now, however, thanks to a recent study at the Polytechnic Institute of New York University, we actually get a glimpse at some possible clues: an idea of the character makeup of potential phishing victims, and you might find the results a little surprising. The study, entitled “Phishing, Personality Traits and Facebook” (the paper can be found here), “examines the correlation between the Big Five personality traits and email phishing response.” It also examines “how these factors affect users’ behavior on Facebook, including posting personal information and choosing Facebook privacy settings.”
The ‘Big Five’ personality traits refer to the five-factor model of personality assessment, a widely used measure for identifying personality types. The five traits are Neuroticism, Extroversion, Openness, Agreeableness, and Conscientiousness. Researchers Tzipora Halevi, James Lewis, and Nasir Memon selected a small group of students as test subjects:
“Participants were 100 students drawn from a psychology class at a small Northeastern engineering college. Students participated for extra credit and were told that this was primarily a study on Internet usage and beliefs. There were 83 males and 17 female. Students ranged from 18 to 31 with an average age of 21.17 years with two student choosing to to [sic] disclose their age. Students ranged in a variety of different majors but were primarily in the science and engineering disciplines.” The typo in the second last line suggests that perhaps all but two students disclosed their ages.
Participants completed an online questionnaire to establish their personality traits, and were also asked questions about their Internet usage, their pessimism about their safety online, and their leanings toward Internet addiction. While some of the study did consider Facebook, the phishing portion of the study pertained to email:
The researchers used a prize phishing email – a fake email constructed to lure participants in the study, in the same way a real phishing message would lure strangers. “An email was sent to the users promising an Apple product to the first users to click the link. The email had a few typical characteristics of a phishing email, including the “from” field not matching the actual address…The link also showed a text which did not match the actual link address. In addition, the email contained spelling mistakes and asked for immediate action, which is typical of phishing emails. The users that did click on the link were forwarded to a screen that looked like a typical Polytechnic screen.” The link was actually fake, and users who clicked the login button on the screen were considered to be phished (the researchers point out that they did not save usernames or passwords, just the identity of the person phished).
The results are interesting. All 100 students participated in the survey, and 17% of the participants fell for the phishing scheme. Considering gender, 14% of the males in the study were phished, and 53% of the women took the bait. While similar results were found in prior research, the study’s results “show a significantly higher difference between the percentage of women and men phished.” The researchers point out that women do tend to be more comfortable with digital communication and online shopping, but personality traits were considered, too. While there seemed to be no correlation between any one personality trait and phishing with the male sample, the female sample showed a strong correlation between neuroticism and susceptibility to phishing. The researchers suggest the high correlation may be the result of women being more comfortable than men in disclosing their emotions. Whatever the reason, it’s an interesting study, and an interesting look at the factors that make phishing a profitable criminal enterprise.