
1 Introduction

Phishing refers to the behavior of attacking end-users through computer technology and taking advantage of human psychological factors. Phishing is designed to lead consumers to counterfeit Web sites that trick them into divulging financial data such as usernames and passwords [1]. As individuals and organizations are continuing to increase their reliance on networks and the Internet [2], phishing causes significant economic damage and erodes consumer trust in business communication. Over the past few years, such attacks have increased in frequency and sophistication. The total number of phishing sites detected by the Anti-Phishing Working Group in the third quarter of 2019 was 266,387. This number is almost double the 138,328 detected in Q4 of 2018 and is at a high level not seen since late 2016 [1].

A growing body of research has begun to explore ways to shield individuals from getting phished. The solutions typically fall into one of three categories, which involve (i) educational or training interventions, (ii) new designs that can help ‘nudge’ users to make better decisions and (iii) work that considers individual differences in decision-making [3]. However, many interventions are unproductive because they take time and effort away from the users’ primary task [3], and education and training are effective only in the short term [4]. Additionally, past experience suggests that technology does not provide adequate protection because phishers evolve with the technology and improve their baiting techniques [5]. To better filter phishing emails and alert individuals about the deception, researchers have paid a large amount of attention to the characteristics of phishing emails.

Today, attackers have shifted from sending traditional emails, hoping to deceive anyone [6], to employing more selective, targeted attacks that use relevant elements of context in order to deceive specific victims (also known as spear phishing) [6, 7]. Context can be provided in a phishing email by including information that is both specific and relevant to the victims, which could trigger their willingness to comply with a request posed by an attacker [8]. Previous studies have shown a connection between recipient information and phishing email recognition performance. A study by Holm et al. found that the number of organizational employees falling victim to phishing increased by 22.2% when the name of the employee, name of the organization the employee worked for, and name of the executive sending the email were added in the attack [8]. In addition, Bullee et al. found that those in the spear phishing group had 1.693 times higher odds of compliance than those exposed to a general phishing email [9]. Another study showed that the likelihood increased 2.62-fold when name manipulation was present compared with the control condition [10].

Phishers also use urgency cues to communicate fear, threat, and scarcity, thereby attempting to short-circuit the evaluation process and elicit compliance [11]. The sense of urgency may result in a feeling of stress and create a need to cope [12]. A time-pressured individual tends to rely more on one cue than on multiple cues [13]. Wright et al. sent two phishing emails to participants, one with a request for an urgent response and the other without. The results showed that when urgency cues were used in the email, there was a 3.19-times higher likelihood of the consumer sending his or her super code [10]. The level of attention to urgency cues is positively related to the individual’s likelihood of responding to the phishing email [11], and it has a negative impact on cognitive effort [14]. Wang et al. argued that visceral triggers, including urgency cues, reduce the recipients’ depth of information processing and induce recipients to make decision errors [14].

Although the topic of recipient information and urgency cues has been previously investigated, no studies known to us have specifically examined how recipient information and urgency cues might be associated with phishing email recognition performance in combination. Linking recipient information and urgency cues would help improve our understanding of the impact of phishing emails’ characteristics and potentially pave the way for optimal design solutions for personnel with varying phishing susceptibility. In this article, we focused on the interaction effects of recipient information and urgency cues on phishing detection. This approach will help in the development of an improved knowledge base from which to design systems that would better meet the needs of specific types of users.

2 Methods

2.1 Participants

There were 518 valid participants in our research, ranging in age from 18 to 52 years (mean = 24.69, SD = 4.543). Of these participants, 54% were female, 68.9% reported phone phishing experience, 73.35% reported mail phishing experience, and 75.29% reported web phishing experience. A total of 9.46% of the subjects had lost money or private information as a result, and 13.32% of the subjects had received phishing education.

2.2 Email Stimulus Material

In this study, 16 email screenshots were presented to participants, including 8 phishing emails. The phishing emails constructed by the researchers mimicked the kinds of phishing attacks that had already been attempted on the researchers or shown on antiphishing websites. Each phishing email included an erroneous sender address or an unofficial link (e.g., do-not-reply@amazon.com was modified to do-not-reply@gmail.com, and https://supports.apple.com/ was modified to https://supports.opple.com/ by switching the letters “a” and “o”). To improve the involvement and immersion of the subjects, all of the emails came from authoritative companies, such as Apple, Amazon and Baidu. In addition, the content of the emails covered many topics, including order problems, account risk, system upgrades, bank consumption reminders and so on, each of which required the recipient to carry out an operation, such as clicking the link or replying to the email.
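The two deception cues used in the stimulus emails (a sender address on a domain the brand does not own, and a link whose domain differs from the legitimate one by a letter swap) are exactly what a mail filter can check mechanically. The following is an added example, not code from the paper: it compares the sender and link domains of a message that claims to come from a brand against a constructed allow-list and flags both outright mismatches and near-matches (edit distance of 1 or 2). The allow-list and the two-label domain extraction are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list of legitimate domains per brand (assumption; a real
# deployment would maintain this from verified sender records).
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "amazon": {"amazon.com"},
    "baidu": {"baidu.com"},
}


def edit_distance(a, b):
    """Levenshtein distance; a letter swap such as apple -> opple scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Keep the last two labels (assumption; production code would use the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_domain(dom, legit, brand, kind):
    """Return a finding string for a domain that is not on the brand's allow-list, else None."""
    if dom in legit:
        return None
    near = [d for d in sorted(legit) if 0 < edit_distance(dom, d) <= 2]
    if near:
        return f"{kind} domain {dom} is a look-alike of {near[0]}"
    return f"{kind} domain {dom} does not belong to {brand}"


def check_sender(brand, sender_addr, links):
    """Findings for an email claiming to be from `brand`, given its From address and link URLs."""
    legit = BRAND_DOMAINS[brand.lower()]
    findings = []
    sender_dom = registrable_domain(sender_addr.rsplit("@", 1)[-1])
    finding = classify_domain(sender_dom, legit, brand, "sender")
    if finding:
        findings.append(finding)
    for url in links:
        dom = registrable_domain(urlparse(url).hostname or "")
        finding = classify_domain(dom, legit, brand, "link")
        if finding:
            findings.append(finding)
    return findings
```

The two modified stimuli from the paper produce one finding each: the gmail.com sender is reported as foreign to Amazon, and supports.opple.com as a look-alike of apple.com.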

2.3 Design and Procedure

There were two independent variables, namely, time pressure (with or without time urgency cues) and recipient information (with or without the receiver’s name), with equal numbers of emails between the phishing and legitimate conditions. All independent variables were measured within subjects, and the order of the emails was randomly assigned to the participants.

The participants registered for this experiment online, and informed consent was obtained prior to completing the survey. Their behavior was measured by performance in a roleplay task, which was previously shown to be effective [15]. The participants were told to assume the role of Zhang Wei, who works at HongHai foreign trading company and uses the email address zhangwei2012a@honghai.com. As a marketing manager, Zhang Wei receives dozens of emails every day and checks his mailbox approximately 10 times per day. The participants were asked to indicate how they would handle the 16 emails as Zhang Wei. They answered four questions after reading each email, including ‘How likely are you to reply to this email?’, ‘How likely are you to delete this email?’, ‘How likely are you to search for information related to this email?’ and ‘How likely is this email to be a phishing email?’ The participants evaluated the possibility for each question on a 5-point scale, with 1 for unlikely to 5 for very likely. Only the results of 8 phishing emails were analyzed in this paper.

3 Results

3.1 The Likelihood of Replying to the Phishing Emails

A 2 × 2 ANOVA of the likelihood of replying to the phishing emails revealed significant main effects for time urgency cues (F(1, 517) = 32.325, p < .001) and recipient information (F(1, 517) = 116.763, p < .001) as well as a significant interaction between the two (F(1, 517) = 28.983, p < .001). Overall, the likelihood of replying to the phishing emails was significantly higher in trials in which phishing emails had time urgency cues than in trials without the time urgency cues. Similarly, the likelihood of replying to the phishing emails was significantly lower in trials in which phishing emails had added recipient information than in trials in which they did not have added recipient information. As indicated by the significant interaction and as illustrated in Table 1, the participants replied with approximately the same likelihood for both levels of time urgency cues when the phishing emails had no recipient information. However, when the phishing emails contained recipient information, the participants replied to significantly more phishing emails with time urgency cues than without.

Table 1. Descriptive statistics for each condition in the email task (mean/SD)

3.2 The Likelihood of Deleting the Phishing Emails

In contrast to the pattern for the likelihood of replying to the phishing emails, a 2 × 2 ANOVA of the likelihood of deleting the phishing emails revealed a significant main effect for recipient information (F(1, 517) = 75.830, p < .000) but not for the time urgency cues. The interaction between the time urgency cues and the recipient information was significant (F(1, 517) = 40.356, p < .000). Overall, the likelihood of deleting the phishing emails was significantly lower in trials in which the phishing emails did not have recipient information than in trials in which the emails contained recipient information. However, when phishing emails had recipient information, the participants deleted significantly more phishing emails without time urgency cues than with. No other significant results were found.

3.3 The Likelihood of Searching for Relevant Information

For the likelihood of searching for relevant information, main effects were found for time urgency cues (F(1, 517) = 11.038, p ≤ .001) and recipient information (F(1, 517) = 10.561, p ≤ .001). The interaction between the two was also significant (F(1, 517) = 100.000, p < .001). As indicated by the significant interaction and as illustrated in Table 1, when the phishing emails did not contain recipient information, the likelihood of searching for relevant information was significantly higher when the phishing emails did not have time urgency cues than when they did have time urgency cues. However, when the phishing emails contained recipient information, the likelihood of searching for relevant information was significantly lower for phishing emails without time urgency cues than for those with time urgency cues.

4 Discussion

This study focused on understanding how phishing emails persuade Internet consumers to disclose sensitive information. To accomplish this goal, we conducted an email roleplay task that manipulated recipient information and urgency cues within the email. The analysis suggests that emails with urgency cues are more likely to elicit reply responses than those without. However, this effect was influenced by recipient information. These findings showed that phishing email features are implicated in affecting phishing susceptibility.

Under the condition of time constraints, the participants preferred to make a quick response to the phishing emails and to conduct less searching for information. The urgency cues made the participants feel nervous, which resulted in impulsive behavior. Unfortunately, we did not find the expected effect of recipient information. Based on previous research, recipient information may increase the response rate because it evokes the receivers’ peripheral processing [10]. In contrast, we found that recipient information decreased the likelihood of response and increased the likelihood of deleting the email and searching for relevant information. This outcome could be caused by the participants’ low degree of immersion and involvement, which reduces the influence of the recipient information. With recipient information, urgency cues made the participants more likely to respond to the phishing emails than without the urgency cues. This finding suggests that recipient information makes people more engaged in finding more information and more likely to respond. Urgency cues are known to consume large amounts of information processing resources [16]. Individuals focus disproportionately on urgency cues, often ignoring other elements of the email and increasing the likelihood of being phished [11].

The current study is limited in several aspects. First, most of the participants were university students, which could lead to a misunderstanding of the background of the role they were asked to play and thus decrease their degree of involvement. Second, this study employed a limited number of phishing emails, which may have increased the randomness of the experiment. Future research could draw a representative sample from the general population and improve the experimental materials.

In summary, this paper suggested that phishing emails’ features strongly affect the processing of and response to the emails. Through an exploration of the mechanism underlying phishing processing, this study deepens our understanding of detecting deception and may motivate a more effective strategy or assistance system to protect individuals from online fraud.