Happy or Fear? An Investigation of Emotion Induced Phishing Susceptibility
Phishing has become the most hazardous vector for data breaches and malware propagation as phishing campaign operations have professionalized. The heightened sophistication and reach of phishing attacks result in billions of dollars of financial losses, divulgence of confidential information, loss of intellectual property and reputational damage to organizations. Drawing on emotion theory, this study examines the effect of emotions embedded in phishing messages, and how differing emotion valence and evoked arousal influence how people respond to phishing messages.
As a critical communication tool, email is often exploited by cyber criminals to disrupt individuals and organizations. These attack emails are called phishing, referring to endeavors to steal private information or spread malware under the guise of legitimate communication. Phishing attacks range from unsolicited requests for credentials sent to massive numbers of recipients, to more hazardous threats such as targeted spear-phishing assaults on organizations and scams carried out by organized crime groups, such as Business Email Compromise (BEC). Unlike ordinary phishing attacks, BEC assaults are typically carried out by organized crime groups who hire attorneys, linguistic experts and hackers and employ conventional deceptive tactics. Their degree of sophistication in initiating effective multifaceted cybercrime is unprecedented. According to the Federal Bureau of Investigation, BEC has targeted and successfully assaulted large and small organizations throughout the 50 U.S. states and 130 countries across the globe (FBI, 2016). The strategies exploited by BEC perpetrators typically incorporate a series of highly effective tactics, such as spear-phishing, message spoofing, social engineering, identity theft, and malware dissemination enabled by sophisticated computer technology. More organizations are falling prey to this frighteningly effective attack scheme. However, it is estimated that only about 20 percent of corporate victims have chosen to report their losses, for fear of reputational damage and regulatory scrutiny. According to the FBI, BEC attacks have surged by 1300 percent since January 2015, with total estimated losses exceeding $3 billion.
Aside from the professionalization of phishing campaigns and spamming operations that followed the emergence of BEC groups, statistics on overall phishing attacks also indicate a clearly rising trend. Data collected through 2016 show that phishing is evolving into a major vector for data breaches and malware propagation, with total instances exceeding 1.2 million in 2016, shattering all previous records (APWG 2016). The uptick in phishing attacks is largely driven by the professionalization of phishing and malware spamming operations, which results in phishing attacks of heightened sophistication and reach (Semantic, 2017). In 2013, a data breach stole the credit card and private information of 110 million Target customers after a contractor employee was tricked into clicking on a phishing message. This event marked the beginning of a series of massive phishing attacks that made business operating environments more tumultuous. More organizations are falling for these phishing schemes, among which the most high-profile was the series of intrusions during the 2016 US presidential election. In May 2017, news emerged that approximately one million Gmail accounts were compromised by phishing attacks posing as Google Docs (NBC News, 2017).
A burgeoning number of studies have started to explore potential mechanisms to shield individuals and organizations from phishing. In general, suggested solutions take two approaches. The first approach focuses on a variety of technical procedures. PhishGuru and BogusBiter are two examples of automated tools that build their surveillance on dynamically updated URL blacklists and identify suspicious emails with the help of artificial intelligence (Kumaraguru, Cranshaw et al. 2009; Yue and Wang 2010). Similarly, Ferguson's study proposed a cloud-based infrastructure to probe phishing websites and scrutinize malicious messages using virtual machines spanning multiple geographic locations (Ferguson, Weber et al. 2012). Finally, studies have emerged suggesting that certain machine learning algorithms (e.g., unsupervised clustering) can automatically categorize and identify phishing messages by incorporating key structural features of deceptive messages (Basnet, Mukkamala et al. 2008). Despite considerable efforts in defending against phishing attacks, automated interventions appear incapable of eradicating the spread of malicious emails (Dhamija, Tygar et al. 2006), and up to 40 percent of phishing messages purportedly end up in people's inboxes, evading technical surveillance (Semantic 2013).
Aside from the automated approach, another stream of research, driven primarily by social psychologists and behavioral scientists, focuses on the cognitive mechanisms through which information is processed (Dhamija, Tygar et al. 2006). For instance, drawing on Interpersonal Deception Theory (IDT), Wright's study revealed that experiential factors (e.g., security knowledge and computer self-efficacy) are more salient antecedents of people's susceptibility to phishing attacks than dispositional factors (e.g., trust, suspicion, and perceived risk) (Wright and Marett 2010). Another study showed that phishing messages employing framing and influence tactics that appeal to recipients' intrinsic motivation are more likely to succeed than those appealing to their extrinsic motivation (Wright, Jensen et al. 2014). In the same line of reasoning, Vishwanath et al. (2011) found that individuals make quick decisions when assessing phishing messages by relying on simple heuristics, and that phishing messages capable of instantaneously prompting mental shortcuts are the most effective in soliciting compliance from recipients. Table 1 offers a literature review of selected research on both the automated and the behavioral approach in chronological order.
Although attention is rising to how cyber criminals amplify recipients' information divulgence by exploiting people's tendency to rely on automatic information processing or peripheral cues (Wright, Jensen et al. 2014), fewer studies have investigated the effect of affective factors in eliciting compliance from message receivers. Notable among the sporadic studies attending to affect and emotion in phishing research is Workman (2008), which associated Cialdini's taxonomy of influence techniques, such as social proof and liking, with a certain level of affective commitment. Another stream of research which touches on the potential impact of affect in phishing. We attempt to bridge this theoretical gap by introducing emotion theory and examining the effect of the two most prevalent discrete emotions, hope and anxiety, on individuals' phishing susceptibility. We test the hypotheses by conducting a pilot test, lab experiments and field work in the form of simulated phishing campaigns.
Table 1 Literature Review on Phishing
| Example studies | Title | Research Method | Theory | Main Findings |
|---|---|---|---|---|
| Kumaraguru et al. 2009 | School of Phish: A Real-World Evaluation of Anti-Phishing Training | Field study | N/A | PhishGuru, an embedded training system, delivers training when users click on mock phishing emails; real-time training is found to improve users' efficacy in detecting phishing messages. |
| Abbasi et al. 2010 | Detecting fake websites | Field experiment | Statistical Learning Theory | Comparing a new automatic fake-website detection system with existing detection systems, the study finds that the new system based on SLT is more accurate and efficient in detecting fake websites. |
| Yue et al. 2010 | BogusBiter: A Transparent Protection against Phishing Attacks | Experiment | N/A | Experiments show that BogusBiter, an automatic client-side phishing protection technique, is effective in protecting users from falling prey to phishing attacks. |
| Ferguson et al. 2012 | Cloud Based Content Fetching: Using Cloud Infrastructure to Obfuscate Phishing Scam Analysis | Field study | N/A | A cloud-based infrastructure can be employed to mask identity, probe phishing websites, and perform sophisticated content analysis using virtual machines spanning multiple geographic locations. |
| Workman 2008 | Wisecrackers: A Theory-grounded Investigation of Phishing and Pretext Social Engineering Threats to Information Security | Field study | Influence Theory | Some factors that explain success in marketing, such as normative commitment, affective commitment, and trust, are also effective in phishing attempts. |
| Vishwanath 2011 | Why do people get phished? | Field experiment | Integrated Information Processing Model (IPM) / Mediated Cognition Theory | Most phishing messages are processed peripherally, and computer efficacy is found to be a predictor of elaboration. |
| Wright et al. 2014 | Influence Techniques in Phishing Attacks | Field experiment | Persuasion and Motivation Theory | Influence techniques associated with a higher degree of self-determination and not requiring fictitious prior experience are more effective in soliciting compliance. |
| Purkait et al. 2014 | An empirical investigation of the factors that influence Internet users' ability to correctly identify a phishing website | Experiment | Interpersonal Deception Theory (IDT) / ELM / O-S-I-R | Phishing emails are peripherally processed, and message receivers are vulnerable because they primarily make decisions on simple heuristic cues. Urgency cues are found to be effective because they prompt mental shortcuts and prevent receivers from scrutinizing messages further. |
| Asanka 2016 | Phishing threat avoidance behavior: An empirical investigation | Experiment | Mobile learning / Game-based learning | A mobile game prototype is used to train participants, and results indicate a significant improvement in users' perception and behavior regarding phishing avoidance. |
While both technical surveillance and cognitive training increase an organization's resistance, there remains an unaddressed "weak link" that surrenders to phishing attacks: emotion-induced susceptibility. Numerous studies in cognitive psychology suggest that human decision making is vulnerable to how the focal information is framed and presented, and that emotions can play critical roles in interrupting rational human decisions (Martino et al. 2006). Despite the prevalence of tactics that increase recipient response by manipulating emotion induction in phishing campaigns, little research has systematically investigated the impact of emotion on phishing susceptibility. To bridge the theoretical gap, this study draws on emotion theory to account for the
Individuals often rely on simple heuristics to process information when they are in a state of emotional arousal (Smith and Petty 1996).
The findings on systematic biases induced by emotions are further corroborated by neuroscience, which uncovers the underlying association between amygdala activity and the emotional system (Martino et al. 2006). However, scant
Theories of Emotion and an Emotion-based Approach
Emotions have received growing academic interest across multiple disciplines, with an assortment of theoretical paradigms. Emotion and affect are used almost interchangeably in academic research; both are perceived as mental states of processing that reflect an individual's internal feeling, or a mental readiness that may arise from appraisals of surrounding occurrences or one's idiosyncratic judgment (Cohen and Minor 2008; Lazarus 1991). Emotion, as a phenomenon, has been theoretically explored and advanced by two primary streams of research, represented by dimension theory and appraisal theory respectively. Dimension theory distinguishes discrete emotions based on a few global, fundamental dimensions. Among the variety of dimensional frameworks, Russell's (1980) circumplex model has received the most attention; it maps the universe of emotions into a two-dimensional space delineated by valence (positive versus negative, or pleasant versus unpleasant) and arousal (activated versus not activated) (Russell and Pratt 1980). For instance, anxiety is described as an emotion with negative valence and a high degree of arousal, whereas excitement is defined as a distinct emotional experience involving both positive valence and a high degree of arousal.
Besides dimension theory, the other well-known academic stream on emotions is appraisal theory, which suggests that emotional reactions are the consequence of an individual's evaluation or interpretation of an occurrence or environmental stimulus (Scherer, Schorr et al. 2001). Under this framework, each distinct emotion results from a set of cognitive appraisal processes based on whether events are perceived to be goal relevant and goal congruent (Scherer, Schorr et al. 2001). The goal evaluation perspective of emotional appraisal was further elaborated by Austin and Vancouver (1996) in their seminal research on the Communicative Theory of Emotions, where goals were defined as internal representations of anticipated states, generally characterized as outcomes, objectives or processes, and people's self-regulation of goals is perceived to be a critical antecedent of emotion induction. For instance, in the context of phishing, sophisticated phishers often coerce recipients into divulging privileged information by associating the request with adverse consequences to induce fear and anxiety (Workman 2008). In the same light, phishers can effectively elevate recipients' response rates by crafting messages that elicit excitement and joy (Wright, Jensen et al. 2014).
Above and beyond the basic valence and arousal dimensions, researchers on attitude and social cognition have identified a number of further appraisal dimensions of emotions, exemplified by certainty, perceived self-control, anticipated effort and so forth. These dimensions capture more nuanced discrete emotions and specify subtler combinations of appraisals of occurrences. For instance, the three different emotions joy, interest, and hope are all associated with positively valenced emotional experience, yet they pertain to distinct certainty conditions: both joy and interest involve a high degree of certainty, whereas hope indicates a strong sense of uncertainty. Similarly, both interest and hope are likely accompanied by a certain degree of anticipated effort, whereas joy is generally perceived to be effortless (Smith and Ellsworth 1985).
Despite the pervasiveness of emotions in communication, there stands a century-long divergence between the affect-based approach and the cognition-based approach in defining the roles of affect and cognition in attitude change and persuasion. The affect-based approach posits that affect and cognition are largely separate processes, and that cognitive appraisal is not necessarily a prerequisite for emotion activation (Zajonc 1984). In contrast, the cognition-based approach argues that the way people interpret an event, the cognitive evaluation, is crucial in eliciting an emotional response, and that the idiosyncratic evaluation at each given moment determines emotional experience (Lazarus 1982). Beyond these contrasting views, we build our theorizing on phishing susceptibility on Solomon's (2008) integrative perspective, which views affect and cognition as synchronized processes that work in an interdependent and interactive fashion.
Emotions and Persuasion
Phishing is a form of semantic attack in which fraudulent messages travel through legitimate telecommunication channels and unsuspecting recipients are illicitly solicited to disclose credentials and sensitive information in compliance with the requests in the emails (Davinson 2010). To make their phishing endeavors more effective, sophisticated phishers employ a multitude of influence techniques. As this study aims to examine how the discrete emotions embedded in attack messages influence how recipients perceive and respond to the message, it is important to understand the relationship between emotions and their potential persuasive outcomes.
Prior studies in social psychology and persuasion suggest that the evocation of discrete emotions can greatly elevate the effectiveness of persuasive arguments (Eagly and Chaiken 1993; Schwarz 1991; Griskevicius, Shiota et al. 2010). Additionally, Griskevicius et al.'s (2010) study found that emotional arousal activated by stimuli such as television commercials can complement and enhance the persuasive efficacy of other peripheral appeals such as scarcity and social proof, two prototypical Cialdini influence tactics (Cialdini 1987). Therefore, the emotion heuristic as a rhetorical strategy is widely used in a variety of persuasive communications such as politics, public health, marketing, social media, e-business and online reviews (DeSteno 2004; Stieglitz 2013; Bagozzi 1999; Dunlop 2010; Thelwall 2010). Despite the prevalence and significance of emotion as a framing device in the context of phishing, it is surprising that there has been little research systematically investigating the potential effect of affect in phishing. To bridge this theoretical gap, this study also examines the effectiveness of emotional appeals (e.g., anxiety, joy and excitement) in concert with other prevalent influence techniques used in phishing attempts. Finally, because phishing messages, as a form of semantic attack, are primarily perpetrated and communicated through telecommunication channels with computers and networks as mediators, it is necessary to examine whether emotion can be transmitted and conveyed through email systems as a form of computer-mediated communication (CMC), and how email recipients perceive and interpret emotions embedded in emails.
Emotion Diffusion in Computer-Mediated Communication (CMC)
With the emergence and development of telecommunication technology, email has become the most frequently used form of business correspondence in the workplace (Fulk and DeSanctis 1995). As a major form of CMC, email can effectively convey emotion-related information alongside cognition-related information (Stieglitz and Dang-Xuan 2013). Furthermore, research on CMC suggests that message recipients are able to detect and recognize emotion through multiple avenues: first, by comprehending the positive or negative emotion through cognitive appraisal of the arguments or content of the messages; second, by capturing the emotion directly through the linguistic markers and emotional expressions in the messages (Harris and Paradice 2007).
Emotion Valence, Negativity Bias, and Certainty
Emotion Arousal (Activation)
Emotion activation, as a manipulative technique, is frequently exploited by sophisticated phishers to prompt recipients' responses, and this phenomenon demands thorough investigation. The emotions most commonly used to solicit responses in online semantic attacks fall into the following categories: positively valenced affect with high arousal (e.g., excitement, happiness) and negatively valenced affect with high arousal (e.g., fear, anxiety) (Fincher 2015). Despite the prevalence of emotional manipulation in phishing attacks, there is virtually no research examining the strategies that individuals and organizations can use to resist phishing vulnerabilities activated by emotional arousal. Prior research has demonstrated wide variability in individuals' patterns of reaction to emotional stimuli (Hamann and Canli 2004). To incorporate these critical factors that potentially affect phishing response, our study will examine how discrete emotions with varying valence and activation affect individuals' phishing susceptibility, using multiple research methods including experimental manipulation, survey, and simulated phishing campaigns.
Sanbonmatsu and Kardes (1988) found that arousal may govern attitude formation in persuasive message settings. Attitudes were based
H1. Individuals are more susceptible to phishing messages with embedded emotions than those without embedded emotions.
H2. The time lag for individuals to respond to phishing messages with embedded emotions (positive or negative) is shorter than for those without embedded emotions.
H3. Individuals are more susceptible to messages embedded with negatively valenced emotions (e.g., anxiety) than to those embedded with positively valenced emotions (e.g., happiness, hope).
H4. Emotion arousal positively moderates the relationship between emotion and phishing susceptibility, in that arousal (activation) strengthens the positive relationship between emotional messages and phishing susceptibility.
H5. Individuals are more susceptible to messages with a combination of anxiety and authority influence techniques than messages with only anxiety or authority.
H6. Individuals are more susceptible to messages with a combination of hope and liking influence techniques than messages with only hope or only liking techniques.
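As an added illustration (not the authors' data or analysis code), the following Python shows how results from a simulated phishing campaign could be scored against H1 to H4: click rate per emotion condition serves as the susceptibility measure, seconds from delivery to click as the response lag, and the uplift over a neutral message is compared across arousal levels for the moderation claim. The condition labels, recipient counts and timings are constructed for illustration and do not come from the paper.

```python
from statistics import median

# Constructed sample results for a simulated phishing campaign (not the authors' data).
# Each tuple: (message label, valence, arousal, recipients, seconds-to-click for each
# recipient who clicked). Labels follow the emotion conditions named in the hypotheses.
SAMPLE_CONDITIONS = [
    ("neutral",   "none",     "low",  20, [510, 880, 1390]),
    ("hope",      "positive", "low",  20, [320, 410, 590, 720, 830, 1010]),
    ("happiness", "positive", "high", 20, [120, 160, 210, 240, 310, 360, 420, 500]),
    ("anxiety",   "negative", "high", 20, [60, 80, 95, 110, 130, 150, 200, 230, 260, 300, 350]),
]


def expand(conditions):
    """Turn per-condition summaries into one record per recipient."""
    events = []
    for label, valence, arousal, recipients, lags in conditions:
        for i in range(recipients):
            clicked = i < len(lags)
            events.append({"label": label, "valence": valence, "arousal": arousal,
                           "clicked": clicked, "lag": lags[i] if clicked else None})
    return events


def subset(events, **where):
    """Records whose fields match every keyword filter (no filter means all records)."""
    return [e for e in events if all(e[key] == value for key, value in where.items())]


def click_rate(events, **where):
    """Share of matching recipients who clicked: the paper's susceptibility measure."""
    rows = subset(events, **where)
    return sum(e["clicked"] for e in rows) / len(rows) if rows else 0.0


def median_lag(events, **where):
    """Median seconds from delivery to click among matching recipients who clicked."""
    lags = [e["lag"] for e in subset(events, **where) if e["clicked"]]
    return median(lags) if lags else None


def evaluate_hypotheses(events):
    """Check H1 to H4 on a campaign log; True where this sample supports the hypothesis."""
    emotional = [e for e in events if e["valence"] != "none"]
    neutral_rate = click_rate(events, valence="none")
    neutral_lag = median_lag(events, valence="none")
    emotional_lag = median_lag(emotional)
    # H4 asks whether arousal strengthens the emotion effect, so compare the uplift over
    # the neutral baseline for low-arousal and high-arousal emotional messages.
    low_uplift = click_rate(emotional, arousal="low") - neutral_rate
    high_uplift = click_rate(emotional, arousal="high") - neutral_rate
    return {
        "H1_emotion_raises_rate": click_rate(emotional) > neutral_rate,
        "H2_emotion_shortens_lag": (emotional_lag is not None and neutral_lag is not None
                                    and emotional_lag < neutral_lag),
        "H3_negative_beats_positive": (click_rate(events, valence="negative")
                                       > click_rate(events, valence="positive")),
        "H4_arousal_moderates": high_uplift > low_uplift,
    }


EVENTS = expand(SAMPLE_CONDITIONS)

if __name__ == "__main__":
    for label in ("neutral", "hope", "happiness", "anxiety"):
        print(f"{label:10s} rate={click_rate(EVENTS, label=label):.2f} "
              f"median_lag={median_lag(EVENTS, label=label)}s")
    print(evaluate_hypotheses(EVENTS))
```

For an awareness program, the per-condition uplift identifies which emotional framings its own users fall for most and where training should concentrate.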
Basnet, R., et al. (2008). Detection of phishing attacks: A machine learning approach. Soft Computing Applications in Industry, Springer: 373-383.
Cohen, A. S. and K. S. Minor (2008). “Emotional experience in patients with schizophrenia revisited: meta-analysis of laboratory studies.” Schizophrenia bulletin 36(1): 143-150.
DeSteno, D., et al. (2004). “Discrete emotions and persuasion: the role of emotion-induced expectancies.” Journal of personality and social psychology 86(1): 43.
Dhamija, R., et al. (2006). Why phishing works. Proceedings of the SIGCHI conference on Human Factors in computing systems, ACM.
Eagly, A. H. and S. Chaiken (1993). The psychology of attitudes, Harcourt Brace Jovanovich College Publishers.
Ferguson, E., et al. (2012). Cloud based content fetching: Using cloud infrastructure to obfuscate phishing scam analysis. Services (SERVICES), 2012 IEEE Eighth World Congress on, IEEE.
Fulk, J. and G. DeSanctis (1995). “Electronic communication and changing organizational forms.” Organization science 6(4): 337-349.
Griskevicius, V., et al. (2010). “Influence of different positive emotions on persuasion processing: a functional evolutionary approach.” Emotion 10(2): 190.
Hamann, S. and T. Canli (2004). “Individual differences in emotion processing.” Current opinion in neurobiology 14(2): 233-238.
Harris, R. B. and D. Paradice (2007). “An investigation of the computer-mediated communication of emotions.” Journal of Applied Sciences Research 3(12): 2081-2090.
Kumaraguru, P., et al. (2009). School of phish: a real-world evaluation of anti-phishing training. Proceedings of the 5th Symposium on Usable Privacy and Security, ACM.
Russell, J. A. and G. Pratt (1980). “A description of the affective quality attributed to environments.” Journal of personality and social psychology 38(2): 311.
Scherer, K. R., et al. (2001). Appraisal processes in emotion: Theory, methods, research, Oxford University Press.
Semantic (2013). “2013 Internet Security Threat Report.”
Smith, C. A. and P. C. Ellsworth (1985). “Patterns of cognitive appraisal in emotion.” Journal of personality and social psychology 48(4): 813.
Stieglitz, S. and L. Dang-Xuan (2013). “Emotions and information diffusion in social media—sentiment of microblogs and sharing behavior.” Journal of Management Information Systems 29(4): 217-248.
Vishwanath, A., et al. (2011). “Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model.” Decision Support Systems 51(3): 576-586.
Workman, M. (2008). “Wisecrackers: A theory‐grounded investigation of phishing and pretext social engineering threats to information security.” Journal of the American Society for Information Science and Technology 59(4): 662-674.
Wright, R. T., et al. (2014). “Research Note—Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance.” Information Systems Research 25(2): 385-400.
Wright, R. T. and K. Marett (2010). “The influence of experiential and dispositional factors in phishing: An empirical investigation of the deceived.” Journal of Management Information Systems 27(1): 273-303.
Yue, C. and H. Wang (2010). “BogusBiter: A transparent protection against phishing attacks.” ACM Transactions on Internet Technology (TOIT) 10(2): 6.