For phishing to work, it needs clicks. Victims have to open an email, reply, click on a link, or open up an attachment.
And click they do, in droves. The Anti-Phishing Working Group (APWG) estimates that there were at least 592,335 unique phishing attacks in the first half of 2017, while there are estimates that as many as 85% of organizations have fallen victim to at least one such attack.
Case in point: a study last year found that up to 56% of email recipients and about 40% of Facebook users clicked on a link from an unknown sender that could have been crawling with malware, for all they knew.
So who are these mad clickers? Researchers wanted to know. What they found: people from crotchety cultures that aren’t all that into group harmony are the least likely to click.
That’s according to a paper, Understanding susceptibility to phishing emails: Assessing the impact of individual differences and culture, presented last month at the Eleventh International Symposium on Human Aspects of Information Security & Assurance (HAISA 2017) in Adelaide, Australia.
Researchers from the Defence Science and Technology Group, in Edinburgh, South Australia, and from the University of Adelaide, also in South Australia, found that the strongest predictor of people’s ability to sniff out a malicious email was cultural orientation towards the needs of the individual rather than the needs of society.
For both phishing and spear-phishing, there was also a positive association between self-reported information security awareness and detection ability. Impulsivity in decision making predicted poorer detection of phishing emails, they found, but not so for spear-phishing emails.
The researchers’ review of current literature came up with contradictory results when it came to the Big Five personality traits and how they relate to susceptibility to phishing.
Those are the personality traits – openness, conscientiousness, extraversion, agreeableness, and neuroticism – that psychologists use to describe human personality.
Some researchers have previously found a positive correlation between levels of neuroticism and phishing susceptibility, for example, but only in the women taking part in the experiment. Other researchers have found an association between phishing susceptibility and neuroticism, but the effect was evident for both genders. They also found evidence for an association between phishing email susceptibility and conscientiousness.
As far as phishing susceptibility and national origin go, previous research has shown less gullibility in countries with high levels of individualism – i.e., those whose inhabitants prefer loosely knit social frameworks wherein an individual is more likely to focus on their own needs or the needs of immediate family.
Countries with low levels of individualism have tightly-knit social frameworks wherein individuals are more focused on the needs of the wider group than their own personal needs. The Australian researchers theorized that individualism may predict how a user responds to certain email requests, given that “someone with a focus on the group’s needs may be more inclined to comply with a request in order to maintain interpersonal harmony.”
Phisher’s gold, in other words. One previous study looked at how likely Swedes, Indians and Americans are to fall for phishing and found that Americans are least likely to take the bait, while Indians are more so. The problem with such previous studies, though, is that they relied on self-reporting.
For their recent study, the Australians worked with a small group of participants: 121 students. 68% were female, and most – 62% – were young, between 20 and 29 years of age. They hailed from 23 countries, and only 34% considered Australia to be their home.
The researchers set out to explore the role of a multitude of differences – age, gender, personality traits, cognitive impulsivity, information security awareness (ISA) for emails, and culture (i.e., how they rated on the Individualism scale) – on their success in detecting phishing and spear-phishing attempts.
Then, the researchers hit the participants up with a mix of legitimate emails and phishing emails based on actual, successful email attacks provided by the IT staff from an associated university.
The results: the strongest predictors were national culture and ISA. Those who had training on security concerned with email were better able to detect deceitful emails. Plus, those who came from countries with high levels of Individualism were better at detecting malicious emails. In fact, being from a country associated with higher levels of Individualism was the single strongest predictor of success at detecting malicious email.
It’s the make-the-group-happy impulse – the tendency to maintain group harmony – that prompts people to respond to requests from others, including requests in malicious emails, the researchers suggest.
But when it comes to spear-phishing, what really pays off is being neurotic. From the report:
This may be due to the link between neuroticism and compulsive thinking about possible threats (Nolan et al. 1978). In other words, heightened rumination may improve our ability to detect actual spear-phishing threats. Such rumination may be limited to spear-phishing emails due to the highly personalised nature of such cyber attacks where an individual may feel singled out.
The study had its limitations, the researchers note. Besides the small sample size, it also relied on participants self-reporting their cultural tendencies toward individual self vs. group.