Are you easily taken in by e-mail “phishing” attempts to get you to reveal sensitive personal information? If not, it may not be due to your computer savvy as much a natural reflection of your personality.

That’s the strong suggestion from a recent WSU study intended to discern what key knowledge, experience and traits determine who may be more or less likely to fall prey to such scams.

As many as 57 million Americans have been targeted by e-mail phishing attempts seeking sensitive personal information, according to data from Microsoft and Phishing.org. Roughly five percent — or nearly 3 million people — are estimated to have fallen victim to such scams, resulting in more than $900 million in estimated financial losses.

Students studied
The WSU research was conducted in the management information system (MIS) department of the College of Business. It involved an effort to trick more than 300 undergraduates in an introductory class into revealing their “super secret” personal departmental passcode. 

The “bait” used by researchers was a phishing e-mail designed to look as if it had been sent by someone from the university’s technology group. The e-mail exhibited many of the fairly sophisticated features of most real-world phishing attempts, including a contrived sense of urgency meant to prompt the recipient into responding without giving the matter much thought.

Assistant professor Kent Marett said 32 percent of students revealed their passcodes, despite the fact that they had been frequently instructed not to give the information to anyone. The other students either detected that the e-mail was a scam, refused to reveal their passcodes or did not respond.

Clues’ ignored
Of particular interest to Marett and Ryan Wright — the graduate student who devised the experiment — was that “clues” that might raise questions about the validity of the e-mail were shown to have little or no bearing on whether the students were deceived.

“One batch was sent from a legitimate WSU e-mail address, another from a mock address designed to give some appearance of a valid WSU e-mail address, and another from a purely generic address (Mail.com) unlike anything typically used by the university,” Wright said.

“What we found was that the use of visible clues — such as a questionable address, intentional typos or oddly phrased language — really didn’t even come into play in our subjects’ perceptions of whether there was a risk associated with revealing their information.”

Suspicions aroused
The primary distinctions between those who revealed their personal information and those who did not were determined through a survey that assessed how students perceive their own personality traits, computer knowledge and proficiency, and internet experience.

Respondents who detected the e-mail as a scam tended to have more online experience than those who revealed their passcodes, Marett said. However, the more common trait among those who identified the scam was their mutual predisposition to be skeptical or suspicious by nature.

WSU’s MIS department will continue to pursue research into Internet security, he said, and may extend it to include e-commerce, social networking, identity theft, and personal security issues and threats, such as cyber-stalking and online sexual predation.