Spear-phishing in the wild: A real-world study of personality, phishing self-efficacy and vulnerability to spear-phishing attacks

Recent research has begun to focus on the factors that cause people to respond to phishing attacks. In this study, a real-world spear-phishing attack was performed on employees in organizational settings in order to examine how users’ personality, attitudinal and perceived-efficacy factors affect their tendency to expose themselves to such an attack. Spear-phishing attacks are more sophisticated than regular phishing attacks: they use personal information about their intended victim and present a stronger challenge for detection by both the potential victims and email phishing filters.

While previous research showed that certain phishing attacks can lure a higher response rate from people with a higher level of the personality trait of Neuroticism, other traits were not explored in this context. The present study included a field experiment which revealed a number of factors that increase the likelihood of users falling for a phishing attack: the factor found to be most correlated with the phishing response was users’ Conscientiousness personality trait. The study also found a gender-based difference in the response, with women more likely to respond to a spear-phishing message than men. In addition, this work detected a negative correlation between the participants’ subjective estimate of their own vulnerability to phishing attacks and the likelihood that they would be phished. Taken together, the findings suggest that vulnerability to phishing is in part a function of users’ personality and that this vulnerability is not due to a lack of awareness of phishing risks. This implies that real-time response to phishing is hard for users themselves to predict in advance, and that a targeted approach to defense may increase security effectiveness.