Why do people get phished? Testing individual differences in phishing vulnerability
within an integrated, information processing model
Arun Vishwanath a,⁎, Tejaswini Herath b, Rui Chen c, Jingguo Wang d, H. Raghav Rao e

a Department of Communication, Management Science and Systems, 333 Lord Christopher Baldy Hall, State University of New York at Buffalo, Buffalo, NY 14260, United States
b Department of Finance, Operations and Information Systems, Brock University, Canada
c Department of Information Systems and Operations Management, Ball State University, United States
d Department of Information Systems and Operations Management, University of Texas at Arlington, United States
e Management Science and Systems, State University of New York at Buffalo, United States
Article info

Article history:
Received 23 July 2010
Received in revised form 28 December 2010
Accepted 6 March 2011
Available online 11 March 2011

Keywords: Social engineering; Phishing; Phishing vulnerability; Information processing; Message cues; Attention; Elaboration

Abstract
This research presents an integrated information processing model of phishing susceptibility grounded in prior research on information processing and interpersonal deception. We refine and validate the model using a sample of intended victims of an actual phishing attack. The data provide strong support for the model's theoretical structure and causal sequence. Overall, the model explains close to 50% of the variance in individual phishing susceptibility. The results indicate that most phishing emails are peripherally processed and that individuals make decisions based on simple cues embedded in the email. Interestingly, urgency cues in the email stimulated increased information processing, thereby short-circuiting the resources available for attending to other cues that could potentially help detect the deception. Additionally, the findings suggest that habitual patterns of media use, combined with high levels of email load, have a strong and significant influence on an individual's likelihood of being phished. Consistent with social cognitive theory, computer self-efficacy was found to significantly influence elaboration, but its influence was diminished by domain-specific knowledge.
© 2011 Elsevier B.V. All rights reserved.
1. Introduction
Phishing is an email-based deception in which a perpetrator (the phisher) camouflages emails to appear as a legitimate request for personal and sensitive information (Bose et al. 2007; Bose et al. 2008a; Bose et al. 2008b) [8–10]. Phishers use social engineering techniques, such as using the names of credible businesses (American Express, eBay), government institutions (Internal Revenue Service, Department of Motor Vehicles), or current events (political donations, Beijing Olympic tickets, aiding Katrina victims), in conjunction with statements invoking fear, threat, excitement, or urgency, to persuade people to respond (Wang et al. 2009) [45]. In the last few years such attacks have increased in frequency and sophistication. The Anti-Phishing Working Group (2008) reports that for the year 2008 there were over 85,630 unique phishing reports and 81,215 new unique phishing sites. A recent Gartner report notes that nearly 11 million online adults – representing about 19% of those attacked – may have clicked on the link in a phishing attack email (Litan 2004) [34]. Because phishing scams are sent to thousands of customers, even a 2–3% success rate can be financially costly. A study by the Gartner Group estimated the losses in 2003 to be $1.2B (Litan 2004) [34]. In addition to the monetary impact, phishing is likely to erode consumer trust in online security and payment systems. This distrust increases consumer resistance towards online communication and increases the cost of doing business online (Belanger et al. 2006; Belanger et al. 2002; Gupta et al. 2004; McNall et al. 2007) [6,7,23,37]. With the growing popularity of electronic commerce, researchers have estimated the losses to exceed US$1 trillion globally (Bose et al. 2008a) [8].
A growing body of research has begun to explore ways to shield individuals from getting phished. The overall body of work takes one of two approaches. One approach, emanating from the computer sciences, focuses on engineering technological fixes that automatically detect phishing emails and either inhibit such emails from entering an individual's inbox (e.g., Kumaraguru et al. 2006 [30]) or alert individuals about the deception (Kumaraguru et al. 2006) [30]. While such research is noteworthy, past experience suggests that technology alone does not provide adequate protection, especially because phishers tend to evolve with the technology and improve their baiting techniques. Some examples of this evolution are the recent scams called spear phishing, which targets specific victims such as CEOs and high-net-worth individuals, and puddle phishing, which targets the customers of smaller regional banks and credit unions. In such cases, the phisher creates sophisticated and personalized emails that overcome technology-based screeners.
The other approach, taken by social scientists, is to study the
individual or the potential victim and understand why they respond
Decision Support Systems 51 (2011) 576–586

⁎ Corresponding author. Tel.: +1 716 6451163; fax: +1 716 6452086.
E-mail addresses: avishy@buffalo.edu (A. Vishwanath), teju.herath@brocku.ca (T. Herath), rchen3@bsu.edu (R. Chen), jwang@uta.edu (J. Wang), mgmtrao@buffalo.edu (H.R. Rao).
0167-9236/$ – see front matter © 2011 Elsevier B.V. All rights reserved.
doi:10.1016/j.dss.2011.03.002