Who Falls for Phish? A Demographic Analysis of Phishing

Privacy and Security, Networks, the Internet, and Cloud Computing and Internet

Article Snapshot

Author(s)

Lorrie Faith Cranor, Julie Downs, Mandy Holbrook, Ponnurangam Kumaraguru and Steve Sheng

Source

ACM Conference on Human Factors in Computing Systems (CHI 2010), 2010

Summary

This paper presents research on how gender, age, and availability of educational materials affect responses to phishing.

Policy Relevance

Educating users about the potential risk of phishing attacks is one way to lower the risk of users unintentionally disclosing private information on the internet.

Main Points

  • Phishing is an attack in which scammers send emails and other messages that impersonate a trusted party in order to con recipients into disclosing their login credentials and other personal information.
     
  • Research shows that people are vulnerable to phishing for several reasons:

    • People tend to judge a website’s legitimacy by its “look and feel,” which attackers can easily replicate.
       
    • Many users do not understand or trust the security indicators in web browsers.
       
    • Awareness of phishing does not, by itself, reduce a consumer’s vulnerability.
       
    • The perceived consequences of phishing do not predict users’ behavior.
       
  • In this study, subjects were recruited to complete a role-play exercise that measured their susceptibility to phishing, both before and after they received educational training materials.
     
  • The study suggested that some demographics are more vulnerable to phishing than others.

    • Women appear to be more susceptible than men to phishing.
       
    • People between the ages of 18 and 25 are more susceptible than other age groups.
       
  • Following phishing education, participants’ tendency to fall for phishing messages dropped by forty percent. However, some training materials also reduced users’ willingness to click on legitimate links, not only phishing links.
     
  • Proper phishing education is a necessary step in protecting users, but even trained users still fell for twenty-eight percent of phishing messages, indicating that education alone is not enough. Furthermore, educational materials must be carefully structured so that they do not scare users away from clicking on legitimate links.
