Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails
Marcus Butavicius, Kathryn Parsons, Malcolm Pattinson, Agata McCormac

TL;DR
This study investigates how social engineering tactics like authority, scarcity, and social proof influence user judgments of email safety, revealing that authority is most persuasive and users struggle to identify spear-phishing emails.
Contribution
It provides empirical evidence on the effectiveness of social engineering strategies in phishing and spear-phishing emails and highlights user vulnerabilities and decision-making factors.
Findings
The authority strategy is the most effective at convincing users that an email is safe
Users perform poorly at detecting spear-phishing emails
Less impulsive users are less likely to wrongly judge a link in a fraudulent email as safe
Abstract
We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.
Taxonomy
Topics: Spam and Phishing Detection · User Authentication and Security Systems · Personal Information Management and User Behavior
