In today's digitized societies, phishing attacks are a security threat with damaging consequences. Organizations remain vulnerable to phishing attacks, and it is not clear how the work context influences people's perceptions and behaviors related to phishing attempts. I investigate (1) how contextual factors influence reactions to a spear-phishing attempt, (2) why people report or do not report phishing attempts, (3) which opportunities for security-enhancing interventions people identify. I use an in-situ deception methodology to observe participants (N=14) in their realistic work environment. I triangulate observational and self-reported data to obtain rich qualitative insights into participants' emotions, thoughts, and actions when receiving a targeted phishing email. I find that task, IT, internal and social context play an important role. The email's request being aligned with expectations and perceived time pressure when responding to emails were associated with insecure behavior. The social context positively influenced phishing detection, but "phished" participants did not tell anyone.
CITATION STYLE
Distler, V. (2023). The Influence of Context on Response to Spear-Phishing Attacks: an In-Situ Deception Study. In Conference on Human Factors in Computing Systems - Proceedings. Association for Computing Machinery. https://doi.org/10.1145/3544548.3581170