1. Introduction
Phishing is an attempt to gain personal and sensitive information from individuals through online deception. Rather than using technical expertise to compromise system security, phishing - defined as a "semantic attack" (Downs et al., 2006) - employs social engineering techniques in an attempt to persuade users to divulge private information like usernames and passwords, account details (including bank account details) and social security numbers. Phishers typically utilize an e-mail with a hyperlink embedded in it and a message with a warning of account closure or suggesting some unclaimed reward to entice the potential victim to click on the link. When clicked, such links open web-forms that mimic legitimate websites asking people to enter login and other credentials, which are then used to compromise individual computers and networks. In this manner, phishers obtain sensitive information from their victims and subsequently attempt to sell the information, open bank accounts, and even steal money.
Such phishing attacks are the vector of choice among cybercriminals. The Anti-Phishing Workgroup consistently discovers upwards of 40,000 unique phishing sites per month, targeting around 500 unique brands (Anti Phishing Work Group, 2014), while the Department of Defense and the Pentagon report receiving as many as 10 million phishing attacks per day. However, not every phishing attack is successful: estimates are that 30-60 percent of all phishing attacks result in victimization (Team, Verizon RISK, 2013). Thus, while many attacks are successful, some are not, perhaps due to certain features in those attacks or within the targeted individuals themselves. As such, it is plausible that variables exist within users or the content of the phishing message that cause some attacks to result in higher levels of victimization than others. To disentangle this, the current research asks the following question:
RQ1. What makes certain phishing attacks more successful and certain users more susceptible than others?
Understanding what makes some attacks successful and why some users might be better at detecting than others holds the key to developing more targeted anti-phishing interventions (Harrison et al., 2015; Vishwanath et al., 2015).
Extant research on phishing has implicated users' cognitive processing as a key reason for individual victimization (Vishwanath et al., 2011). Theoretically, many scholars use Petty and Cacioppo's (1986) Elaboration Likelihood...