Vulnerability to Phishing Scams May Be Linked to Personality, NYU-Poly Study Shows


Brooklyn, N.Y.—Phishing scams are some of the most effective online swindles, hooking both savvy and naïve computer users. New insights from researchers at the Polytechnic Institute of New York University (NYU-Poly) point to two factors that may boost the likelihood that a computer user will fall prey: being female and having a neurotic personality.

A multidisciplinary team composed of Tzipora Halevi, postdoctoral scholar in computer science and engineering; James Lewis, instructor in the NYU-Poly Department of Science, Technology and Society; and Nasir Memon, professor and head of the Department of Computer Science and Engineering, set out to probe the connections between personality types and phishing to better inform computer security education and training.

In a preliminary study, the researchers sampled 100 students from an undergraduate psychology class, most of whom were science or engineering majors. Participants completed a questionnaire about their online habits and beliefs, including details about the type and volume of information they share on Facebook. They were also asked to rate the likelihood of negative things happening to them personally online, such as having an Internet password stolen. Finally, participants answered the short version of a widely used multidimensional personality assessment survey.

Shortly thereafter, the researchers used the email addresses provided by participants to execute a real-life phishing scam, attempting to lure the students to click a link to enter a prize raffle and to fill out an entry form containing personal information. Like many phishing scams, the “from” field in the email did not match the actual address, and the email contained spelling and grammatical errors.

“We were surprised to see that 17 percent of our targets were successfully phished—and this was a group with considerable computer knowledge,” Lewis said.

The majority of those who fell for the scam were women, and those women who were categorized as “neurotic” according to the personality assessment were likeliest to fall for the phishing scam. Neurotic personalities are characterized by irrational thoughts and a tendency toward negative feelings like guilt, sadness, anger, and fear.

There was no correlation between men’s personality types and their vulnerability to phishing.

“These results tell us that personality characteristics may exert considerable influence when it comes to choices about online behavior, and that they may even override awareness of online threats,” Lewis explained.

The team found no correlation between participants’ level of knowledge of computer security and their likelihood of being phished.

The researchers also examined the connections between the amount of personal information participants admitted to sharing on Facebook and personality traits. Those categorized as having “open” personalities tended to share the most information on Facebook, and to have the least restrictive privacy settings on the social networking site, thus increasing their vulnerability to privacy leaks.

“In the moment, it appears that computer users may be more focused on the possibility of winning a prize or the perceived benefits of sharing information on Facebook, and that these gains distract from potentially damaging outcomes,” Lewis said.

The researchers also uncovered an inverse relationship between those with “openness” and “extroversion” as personality traits and the likelihood of their being phished or sharing copious information on Facebook. Among the cohort studied were 12 people without Facebook accounts. All were men, none fell prey to the phishing scheme, and all were least likely to be characterized as “open” or “extroverted.”

While the researchers emphasized that their study sample was small and further investigation is needed, they believe that insights into how personality traits impact decision-making online may aid in the design of more effective computer interfaces, as well as security training and education. As this experiment tested a single type of scam—prize phishing—future work may explore whether other personality types prove vulnerable to different types of scams.

These findings were first presented at the Second International Workshop on Privacy and Security in Online Social Media. Halevi, Lewis, and Memon conducted the investigation in collaboration with the Center for Interdisciplinary Studies in Security and Privacy (CRISSP), which brings together experts in computer security, psychology, law and public policy to formulate new approaches to privacy in an increasingly interconnected world. Their research was supported by a grant from the National Science Foundation.