
Phishing: Who Takes the Bait?

Cognitive factors affect who falls for a phishing scam.

Key points

  • Research suggests that people are more likely to fall for phishing scams if they tend to make decisions impulsively rather than after reflection.
  • People under time pressure are also more likely to fall for phishing scams, as opposed to those who do not face time pressure.
  • Some scammers explicitly aim to weed out reflective thinkers by making their scam obvious, so only the impulsive thinkers respond.

Are some of us more susceptible to phishing scams than others? Unfortunately, the answer is yes, but there is a simple way to keep the phishers from catching us.

The U.S. government’s Computer Security Resource Center (CSRC) defines phishing as “[t]ricking individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in an electronic communication.” A typical example is an email that tries to trick you into revealing your bank log-in credentials. Criminals who engage in phishing are creative in circumventing the filters and other technology meant to block their messages, so technical defenses alone are not enough; we need other tactics to fight back against this crime. Helen Jones and her colleagues conducted a study to better understand, from a psychological perspective, who is most susceptible to phishing attempts. The researchers’ ultimate goal is to identify at-risk individuals and, ideally, inoculate them against phishing.

Impulsive Versus Reflective Decision-Making

People who slow down and engage in reflection (rather than impulsively make decisions) are less likely to fall for a scam email.
Source: Thirdman/Pexels

In their study, Jones and her team examined decision-making styles: whether people tend to rely on “intuitive, immediate, and emotional responses” when making decisions (impulsive), or manage to suppress that initial intuitive response in order to “gather necessary information,” which “includes consideration of future consequences and allows a more considered decision to be made” (reflective). They asked 221 study participants to rate the legitimacy of 36 emails, half of which were phishing emails and half of which were legitimate. Some of the participants were told to finish the whole task in five minutes. The others were told to work at their own pace, and tended to complete the task in 10-15 minutes. All participants were told that there were cash prizes for the best performances, an incentive to do their best. The researchers also asked participants to complete several psychological measures, including one that assessed personality traits and another that assessed cognitive reflection. The latter measure presents problems that have “an intuitive incorrect response”: a participant who answers without engaging in reflection is likely to get them wrong.

What did the researchers find? First, people are not great at differentiating between phishing and legitimate emails. No one categorized all 36 emails correctly, and only one person identified all 18 phishing emails. On average, participants classified just 68% of the emails correctly. Although personality traits were not statistically significantly linked to performance, cognitive reflection was: participants who scored higher in cognitive reflection tended to perform better on the email task. The researchers also found that participants who could work at their own pace tended to outperform participants with the five-minute time limit.

The lesson? Take your time when reading emails related to money, particularly if you tend to make decisions intuitively and impulsively. Jones and her colleagues note that their data support the likely effectiveness of initiatives such as the United Kingdom’s Take Five program, which aims to educate people to “stop and think before parting with your money or information.” Lessons on avoiding phishing scams might also be incorporated into media literacy education initiatives that have demonstrated promise in training young people to think critically about information.

Why Do Scammers Sometimes Try Not to Trick Us?

Oddly, not all scammers are trying to create the perfect simulation of a legitimate email. In fact, some scammers may actually be using knowledge about cognitive reflection to their advantage. We previously wrote about the ways in which scammers can trick ChatGPT into writing well-written, believable misinformation that they can then spread. ChatGPT can, therefore, reduce the effort to create false narratives. But not all scammers are aiming for eloquent, believable prose.

In a 2012 article titled “Why do Nigerian scammers say they are from Nigeria?,” Microsoft researcher Cormac Herley developed a statistical model to figure out an optimal strategy for scammers to achieve their goal of stealing your money. He concluded that some scammers deliberately select for those who think impulsively, culling those who take the time to reflect. Such scams cost the scammer time and money, because advance-fee scams of this kind usually involve a great deal of back-and-forth before the thief gets a payout. Scammers, therefore, want their attempts to have a higher hit rate: more people who respond and eventually pay, and fewer who respond and then waste the scammer’s time. So even though the mention of Nigeria readily shows up in an internet search related to such scams, over half of such scammers say they are from Nigeria anyway, increasing their chances of being recognized as scammers. Herley argues this is intentional. After all, he wrote, “[i]t would seem odd that after lying about his gender, stolen millions, corrupt officials, wicked in-laws, near-death escapes and secret safety deposit boxes that it would fail to occur to the scammer to lie also about his location.”

Herley concluded that his methodology led to a possible answer to his title question. “Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage.” Why? It helps to reduce false positives, the people who respond but will ultimately not send money. Such an email “repels all but the most gullible” and “gets the most promising marks to self-select.” The scammers are angling for people with an impulsive decision-making style. So, the next time you open your email, don’t be impulsive. Instead, take five, slow down, and think.
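The cost/benefit logic above can be made concrete with a small calculation. The following is an added illustration, not code from Herley’s paper or from this article: it restates his framing of the scammer’s problem as a binary classifier (every respondent costs follow-up effort, only viable victims ever pay) and plugs in assumed, constructed numbers for the population, payout, per-response cost, and each lure’s response rates. The lure names, the `Lure` class, and all parameter values are my assumptions for the example.

```python
"""Scammer's lure selection as a cost/benefit calculation.

Added example (not from Herley's paper or the article). The formula is a
restatement of Herley's classifier framing: send a lure to a population,
pay a follow-up cost for every respondent, collect a gain only from the
viable victims who respond. All numbers below are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lure:
    """One candidate scam message, described by how it filters people.

    tp: fraction of viable victims (people who will eventually pay) who respond.
    fp: fraction of non-viable people (respond, then never pay) who respond.
    """
    name: str
    tp: float
    fp: float


def expected_profit(lure: Lure, population: int, viable: int,
                    gain: float, cost_per_response: float) -> float:
    """Expected profit of sending `lure` to everyone in the population.

    Revenue comes only from viable victims who respond; effort is spent on
    every respondent, viable or not (the false positives Herley describes).
    """
    non_viable = population - viable
    true_positives = viable * lure.tp
    false_positives = non_viable * lure.fp
    revenue = true_positives * gain
    effort = (true_positives + false_positives) * cost_per_response
    return revenue - effort


def hit_rate(lure: Lure, population: int, viable: int) -> float:
    """Fraction of respondents who will actually pay (the scammer's precision)."""
    true_positives = viable * lure.tp
    false_positives = (population - viable) * lure.fp
    return true_positives / (true_positives + false_positives)


def best_lure(lures, population: int, viable: int,
              gain: float, cost_per_response: float) -> Lure:
    """Return the lure with the highest expected profit for this population."""
    return max(lures, key=lambda l: expected_profit(
        l, population, viable, gain, cost_per_response))


# Constructed scenario (assumed values, chosen only to illustrate the shape).
POPULATION = 1_000_000
GAIN = 2_000.0             # payout from one victim who goes through with it
COST_PER_RESPONSE = 50.0   # scammer's time spent on each person who replies

# A polished lure draws in nearly all viable victims, but also many
# respondents who will never pay. The far-fetched lure loses some viable
# victims but repels almost everyone else.
POLISHED = Lure("polished, plausible lure", tp=0.90, fp=0.02)
FAR_FETCHED = Lure("far-fetched 'Nigerian' lure", tp=0.50, fp=0.0005)
LURES = (POLISHED, FAR_FETCHED)


def winner_for(viable: int) -> str:
    """Name of the more profitable lure when `viable` people out of
    POPULATION would actually pay."""
    return best_lure(LURES, POPULATION, viable, GAIN, COST_PER_RESPONSE).name


if __name__ == "__main__":
    for viable in (100, 50_000):
        print(f"\n{viable} viable victims in {POPULATION:,} people:")
        for lure in LURES:
            profit = expected_profit(lure, POPULATION, viable, GAIN, COST_PER_RESPONSE)
            rate = hit_rate(lure, POPULATION, viable)
            print(f"  {lure.name:32s} profit={profit:14,.0f}  hit rate={rate:.4f}")
        print(f"  best choice: {winner_for(viable)}")
```

When viable victims are rare (100 in a million), the polished lure loses money: the effort spent on tens of thousands of non-paying respondents swamps the revenue, while the far-fetched lure stays profitable with a far higher hit rate. Only when viable victims are common does the polished lure win. That is the sense in which an obviously implausible story is an advantage to the attacker: it trades some true positives for a large cut in false positives, which matters most when the base rate of real marks is low.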

References

Herley, C. (2012). Why do Nigerian scammers say they are from Nigeria? Workshop on the Economics of Information Security (WEIS), Berlin. https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/WhyFromNigeria.pdf

Jones, H. S., Towse, J. N., Race, N., & Harrison, T. (2019). Email fraud: The search for psychological predictors of susceptibility. PLoS ONE, 14(1), e0209684. https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0209684
