Phishing is a deceptive form that involves attempts to solicit personal or sensitive information through social engineering methods. Phishing is commonly conducted via email. An attacker acts as a reputable or trusted source to influence recipients to click on a link or to open an attachment within an email.
Social influence refers to change in attitude or behaviour caused by external pressure, either real or imagined. The most widely acknowledged framework of social influence is made up of the following six principles:
- Authority: According to this principle, people are more likely to respond to requests made by someone in a position of power or authority.
- Consistency: Under this principle, people seek to honour their commitments and remain consistent in their words and actions.
- Liking: This principle shows that people will be more easily persuaded by someone they like, which can be prompted using compliments or attractiveness.
- Reciprocity: This principle is based on the idea that people will feel obligated to repay for a service or favour they have received.
- Scarcity: This principle stems from the idea that the more difficult it is to acquire an item, the more value it gains. For example, email phishers would pose as a delivery company and send phishing emails describing a package that could not be delivered.
- Social proof: This principle relies on the norm that people want to be seen doing what other people are doing.
According to dual-process models of persuasion, when presented with a persuasive message, individuals use two different techniques to evaluate that message. The first technique involves ‘central’ or ‘systematic’ processing to assess the content and quality of information. The second technique involves ‘peripheral’ or ‘heuristic’ processing, which means that people are more influenced by the likeability or attractiveness of the source of the message. As such, social influence principles tend to be more effective when they are processed in a heuristic manner.
Using a role-play scenario-based methodology, the authors explore why some email phishing attacks are successful and why some people are more susceptible to them. Participants were exposed to both genuine and phishing emails that contained these influence principles.
The results of the study showed that individuals were least susceptible to phishing emails that contained the scarcity principle. Scarcity is commonly used in phishing emails, and this means that people are likely to have been exposed to phishing emails with appeals to urgent action, and may, therefore, have little difficulty recognizing and resisting this persuasion technique. Participants were most susceptible to the consistency and reciprocity principles, which were two of the least common principles in real-world phishing. Apart from the consistency and reciprocity principles, participants who were personally susceptible to a specific principle were significantly more susceptible to emails containing that principle than people who were not susceptible to that principle.
The findings of this study highlight an individual’s susceptibility to social influence and their tendency towards intuitive processing. These findings can be used to inform during training and ultimately reduce the phishing threat for organizations.