Reaching Others University at Buffalo - The State University of New York

Study explores who gets phished and why

Published April 11, 2011

Two UB professors were among the authors of a study that explores who tends to be more susceptible to email phishing.

“An effective strategy is to use different email accounts for different purposes.”
Arun Vishwanath, Associate Professor
Department of Communication

Communication researchers at four major universities found that if you receive a lot of email, habitually respond to a good portion of it, maintain a lot of online relationships and conduct a large number of transactions online, you are more susceptible to email “phishing” expeditions than those who limit their online activity.

The study, “Why Do People Get Phished?”, forthcoming in the journal Decision Support Systems and Electronic Commerce, uses an integrated information processing model to test individual differences in vulnerability to phishing.

The study is particularly pertinent given the rash of phishing expeditions that have become public of late, the most recent involving the online marketing firm Epsilon, whose database was breached last week by hackers, potentially affecting millions of banking and retail customers.

The authors are Arun “Vish” Vishwanath, UB associate professor of communication and adjunct associate professor of management science and systems; H. Raghav Rao, UB professor of management science and systems; Tejaswini Herath, Brock University, Ontario; Rui Chen, Ball State University; and Jingguo Wang, University of Texas, Arlington. Herath, Chen and Wang all hold a PhD in management science and systems from UB.

Email phishing is a process that employs such techniques as using the names of credible businesses (American Express, eBay), government institutions (Internal Revenue Service, Department of Motor Vehicles) or current events (political donations, Beijing Olympic tickets, aiding Katrina victims) in conjunction with statements invoking fear, threat, excitement or urgency to persuade people to respond with personal and sensitive information like usernames, passwords and credit card details.