Phishing attempts and the “Dark Triad”

Spam filters have been developed to effectively detect and deter phishing campaigns. Yet, attackers continuously find new ways to evade these technologies through sophisticated and personalized e-mails that take advantage of human limitations and persuade people to respond.

Machiavellianism, narcissism, and psychopathy are known as the “Dark Triad” of personality traits. Machiavellianism is associated with manipulative behaviour aimed at maximizing personal gain through strategic deception tactics. Narcissism is linked to entitlement and the willingness to exploit others. Psychopathy is associated with the absence of empathy and tendencies toward impulsivity, aggression, and deception, which lead to reckless behaviour.

In this article, Shelby Curtis from the University of Texas at El Paso and her colleagues from Carnegie Mellon University set out to determine how attacker and end-user personalities relate to phishing success.

They hypothesize that attackers who score higher in Machiavellianism will engage in more effort to change and adapt e-mails for phishing. In contrast, both psychopathy and narcissism will be linked to less individualized techniques, such as mass standardized “scamming.” Among end-users, they predict that only narcissism will be linked with higher susceptibility to phishing attacks because of the overconfidence associated with the trait.

A first group of 100 participants was recruited from Amazon Mechanical Turk to act as phishing attackers. A second group of 340 participants was later recruited, also from Amazon Mechanical Turk, as end-users.

The study employed a two-phase design. In Phase 1, participants in the attacker role were provided with instructions and basic training about phishing and phishing attacks via e-mail. After seeing examples of real phishing e-mails, participants were instructed to write phishing e-mails with two primary goals: (1) evade spam filter detection and (2) persuade end-users to respond.

In Phase 2, participants in the end-user role were asked to evaluate a series of 20 e-mails. The first half of the e-mails was benign in nature, while the other half consisted of malicious phishing e-mails created and edited by participants in the attacker role during Phase 1. End-users’ stated task was to examine each e-mail. For each e-mail, they were asked to select one response action: (1) respond immediately; (2) leave the e-mail in the inbox and flag for follow-up; (3) leave the e-mail in the inbox; (4) delete the e-mail; (5) delete the e-mail and block the sender.

After completing their respective e-mail tasks, both attackers and end-users were asked to complete the 27-item Dark Triad Survey, which assesses psychopathy, Machiavellianism, and narcissism.

The results showed that attacker levels of Machiavellianism were linked to how much effort they put into writing their phishing e-mails, measured by the number of changes they made in the body of the e-mail. Narcissism, on the other hand, was associated with fewer changes to the body of the phishing e-mail, and psychopathy was negatively correlated with the number of changes to the subject line of the phishing e-mail, which may be explained by their overconfidence. Specifically, such individuals may believe that their superior skills necessitate few changes to evade detection.

Among end-users, narcissism was associated with greater vulnerability to phishing e-mails. Such individuals are unrealistically optimistic about potential outcomes and their ability to deal with tricky situations, which is driven by their superior sense of self.

Finally, the results revealed a marginal binary relationship between narcissistic individuals. Narcissistic end-users were more susceptible to phishing e-mails that originated from narcissistic attackers.

This research provides an understanding of both the attack patterns and vulnerabilities that may be present in individuals who are high in different Dark Triad traits. This understanding may lead organizations to best tailor specific interventions towards end-users.


Cite: Curtis, R. S., Rajivan, P., Jones, D. N. and Gonzalez, C. (2018). Phishing attempts among the dark triad: Patterns of attack and vulnerability. Computers in Human Behavior, 87, 174-182.