Understanding Situational Factors in Human-centred Phishing Susceptibility
Abstract
Phishing is a type of social engineering attack that deceives individuals into disclosing sensitive information or downloading malware. It poses a significant threat to both individuals and organisations, causing substantial financial losses. This thesis aims to enhance the understanding of human-centred phishing susceptibility by investigating the factors influencing users' vulnerability to phishing attacks.
The thesis begins by categorising phishing susceptibility factors into long-term stable variables, situational variables, and in-the-moment variables. This categorisation leads to the development of a Phishing Susceptibility Model (PSM) and highlights the research gap in exploring situational factors that influence users' email processing behaviour and phishing susceptibility.
To address this gap, we conducted a large-scale simulated phishing campaign to explore the impact of device type and link presentation on users' tendency to click on phishing links. Our study reveals that while the device used (mobile vs. computer) does not significantly influence susceptibility, masking the phishing link with hypertext significantly increases the likelihood of user clicks.
Additionally, we introduce a novel research method for phishing susceptibility, the Precision Email Interaction Study (PEIS), which closely observes users' interactions with phishing emails in a controlled yet realistic environment. PEIS allows precise measurement of user interactions with phishing emails under various conditions. To support the PEIS, we developed the Precision Email Simulator, which can be customised for various research needs.
Using PEIS, we conducted two user studies to explore the impact of workload on phishing susceptibility. We found that high workload is associated with shorter email reading times and an increased tendency to interact with task-relevant phishing emails. Additionally, paying attention to the email sender can significantly reduce phishing susceptibility.
This thesis concludes by discussing the implications of these findings for designing anti-phishing interventions and training programmes. By providing actionable insights into the human factors of phishing susceptibility, this work contributes to developing more effective strategies to mitigate the risk of phishing attacks. We also discuss future research directions that could build on our findings and further enhance email security.