Examining the impact of presence on individual phishing victimization Brynne Harrison University at Buffalo brynneha@buffalo.edu Arun Vishwanath University at Buffalo avishy@buffalo.edu Yu Jie Ng University at Buffalo yujieng@buffalo.edu Raghav Rao University at Buffalo mgmtrao@buffalo.edu Abstract Research on phishing has implicated users’ heuristic processing as the reason why they fail to recognize deception cues and fall prey to phishing attacks. Other research on online behavior has found that the attributes of the medium activate heuristics that contribute to feelings of presence and enhance the persuasiveness of presented information. The deception literature has, however, yet to examine how such medium attributes lead to victimization in a phishing attack. The present research thus fills an important gap in the literature. The study explores how perceptions of presence in a phishing attack influence its victimization rate. This is examined using an experiment in which participants are subjected to a phishing attack where the amount of social presence in the email is manipulated. In contrast to subjects in the lean information conditions, those in the information- rich condition were more likely to heuristically process presence cues, leading to their victimization. [Research supported by NSF grant number 1227353] 1. Introduction It is no secret that deceit has become an increasingly common and often anticipated behavior in the online communication context. Phishing, one such behavior that has been specifically engineered to victimize email users, typically involves the solicitation of personal, organizational, or governmental information for illegal uses. Phishers use fake email accounts to send emails claiming to originate from legitimate businesses or individuals. These emails often include hyperlinks and attachments that lead victims to spoof websites or install spyware that data-mine the victim’s computer for usernames, passwords, and credit card information. Such attacks are growing in number: between 2011 and 2012, there were a reported 19.9 million Internet users who faced phishing attacks worldwide; in the following year, this number rose to 37.3 million, an increase of 87 percent. The most targeted industry sectors include banking, financial and retail services, Internet service providers, auction services, gaming websites and governmental agencies [9]. There is, therefore, a pressing need to address phishing issues on a global level. Research examining online deception has concluded that hackers target and exploit both the technical and social vulnerabilities of individuals [8]. Hence, researchers have recognized the importance of studying cognitive and psychological factors that lead to deception [3]. More recent research has found that victimized individuals often fail to recognize deception cues within phishing emails. Specifically, lower cognitive effort has been found to be associated with phishing victimization. When presented with information online, individuals have the tendency to utilize heuristics, or mental shortcuts and judgment rules, to make quick inferences [19]. This leads individuals to focus on specific elements in the email, such as the warnings of account closure in the phishing email, and quickly respond to the emails whilst ignoring messages elements such as grammatical errors or other content cues that could reveal the deception. Although deception scholars have studied individual variables such as technical ability, knowledge, and information processing, extant scholarship has ignored the effects of the medium’s attributes on phishing-based deception. This is important because early research in information systems (IS) has suggested that media vary in their information carrying capacity or information richness, with some media reducing equivocality and others fostering it [4]. Information richness influences the choice of communication media as well as the persuasive influence of communication carried by the medium [18]. Subsequent research has suggested that although richness is an inherent capacity of a medium, it is necessary for the user to experience it. Scholars advanced the concept of social presence to explain this subjective, psychological experience of media richness. More recent Communication research on interactivity has suggested that social presence is potentially triggered by cues in the medium and the heuristics they activate [17]. Different lines of research have found richness and social presence to have significant effects on individuals’ online behavior, including intention to use a website [1], online purchasing behavior [21], and 2015 48th Hawaii International Conference on System Sciences 1530-1605/15 $31.00 © 2015 IEEE DOI 10.1109/HICSS.2015.419 3483