Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails

We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.

• Publication year

  2016

• Venue

  ACIS

• Publication date

  2016-05-28

• Fields of study

  Computer Science

• Identifiers
  arXiv 1606.00887
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Cognitive Reflection and Decision Making

  2016cited by this paper
• Resistance And Persuasion

  2016cited by this paper
• Managing Social Engineering Attacks- Considering Human Factors and Security Investment

  2015influential reference
• Spear-Phishing in the Wild: A Real-World Study of Personality, Phishing Self-Efficacy and Vulnerability to Spear-Phishing Attacks

  2015cited by this paper
• Research Note - Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance

  2014cited by this paper
• Analysing Persuasion Principles in Phishing Emails

  2014cited by this paper
• Phishing for the Truth: A Scenario-Based Experiment of Users' Behavioural Response to Emails

  2013influential reference
• The state of phishing attacks

  2012influential reference
• Why Do Some People Manage Phishing Emails Better Than Others?

  2012cited by this paper
• Philosophy's new challenge: Experiments and intentional action

  2011cited by this paper
• Infrared image enhancement and human detection performance measures

  2010cited by this paper
• Interactions between Exposure to Environmental Polycyclic Aromatic Hydrocarbons and DNA Repair Gene Polymorphisms on Bulky DNA Adducts in Human Sperm

  2010cited by this paper
• Attention to internal face features in unfamiliar face matching.

  2008cited by this paper
• Phishing: can we spot the signs?

  2007cited by this paper
• The neural basis of decision making.

  2007cited by this paper
• The Milgram Paradigm After 35 Years : Some Things We Now Know About Obedience to Authority ' THOMAS

  2006cited by this paper
• Solicitation by E-Mail and Solicitor's Status: A Field Study of Social Influence on the Web

  2002cited by this paper
• The Art of Deception: Controlling the Human Element of Security

  2001cited by this paper
• Principles of Persuasion

  2001cited by this paper
• Calculation of signal detection theory measures

  1999cited by this paper
• Simple Heuristics That Make Us Smart

  1999cited by this paper
• Psychology of Intelligence Analysis

  1999cited by this paper
• The Milgram Paradigm After 35 Years: Some Things We Now Know About Obedience to Authority1

  1999cited by this paper
• Influence: The Psychology of Persuasion

  1993cited by this paper
• Obedience to Authority

  1974cited by this paper
• On "Obedience to authority."

  1974cited by this paper
• Signal detection theory and psychophysics

  1966cited by this paper
• Australasian Conference on Information Systems

  year unknowncited by this paper

• Assessing Spear-Phishing Website Generation in Large Language Model Coding Agents

  2026cites this paper
• Social Engineering as an Intermediate Variable between Methods of Persuasion and Electronic Deception from the Point of View of Victims of Cybercrime

  2025cites this paper
• It's a Match - Enhancing the Fit between Users and Phishing Training through Personalisation

  2025cites this paper
• Stop the Clock - Counteracting Bias Exploited by Attackers through an Interactive Augmented Reality Phishing Training

  2025cites this paper
• Anti-Phishing Training (Still) Does Not Work: A Large-Scale Reproduction of Phishing Training Inefficacy Grounded in the NIST Phish Scale

  2025cites this paper
• Restricting the Link: Effects of Focused Attention and Time Delay on Phishing Warning Effectiveness

  2025cites this paper
• Persuasion under pressure: the influence of persuasion principles and time constraints on phishing email susceptibility

  2025cites this paper
• Forest or trees? Evidence for global processing via an information board study into cues utilised in phishing identification

  2025cites this paper
• Untangling the Web of Deceit: Examining Shared User Susceptibility Across Five Types of Digital Deceptions

  2025cites this paper
• Social Engineering Attack Detection Using Natural Language Processing and Machine Learning Techniques

  2025cites this paper
• The Psychology of Falsehood: A Human-Centric Survey of Misinformation Detection

  2025cites this paper
• Securing the Weakest Link: Exploring Affective States Exploited in Phishing Emails With Large Language Models

  2025cites this paper
• Caught in the Net: An Explorative HCI Study on HumanBehavioral Vulnerabilities Against Phishing

  2025cites this paper
• The Impact of LLM Assistance on User Spam Detection

  2025cites this paper
• SEAR: A Multimodal Dataset for Analyzing AR-LLM-Driven Social Engineering Behaviors

  2025cites this paper
• InstaTrust or InstaTrap: How relationships and developmental tasks affect young adults' phishing susceptibility on Instagram

  2025cites this paper
• The nexus of mindfulness, affect, and information processing in phishing identification: An empirical examination

  2025cites this paper
• Security awareness, decision style, knowledge, and phishing email detection: Moderated mediation analyses

  2024cites this paper
• Filtering Out the User?: Are Users Complacent with Phishing Emails Due to Automated Filters?

  2024cites this paper
• Reducing the risk of social engineering attacks using SOAR measures in a real world environment: A case study

  2024cites this paper
• A Pioneering Study and An Innovative Information Theory-based Approach to Enhance The Transparency in Phishing Detection

  2024cites this paper
• Who will take the bait? Using an embedded, experimental study to chart organization-specific phishing risk profiles and the effect of a voluntary microlearning among employees of a Dutch municipality

  2024cites this paper
• Analysis and prevention of AI-based phishing email attacks

  2024cites this paper
• Perceptions and dilemmas around cyber-security in a Spanish research center after a cyber-attack

  2024cites this paper
• Understanding Human Behavior in Phishing Attacks Across Diverse User Groups: An Ethical Hacking Analysis

  2024cites this paper
• An Innovative Information Theory-based Approach to Tackle and Enhance The Transparency in Phishing Detection

  2024cites this paper
• Prompted Contextual Vectors for Spear-Phishing Detection

  2024cites this paper
• Getting users to click: a content analysis of phishers' tactics and techniques in mobile instant messaging phishing

  2024cites this paper
• Neurophysiological and emotional influences on team communication and metacognitive cyber situational awareness during a cyber engineering exercise

  2023cites this paper
• The Influence of Human Factors on the Intention to Report Phishing Emails

  2023cites this paper
• New Benchmarks for Asian Facial Recognition Tasks: Face Classification with Large Foundation Models

  2023cites this paper
• Tailoring a Persuasive Game to Promote Secure Smartphone Behaviour

  2023cites this paper
• A Survey on the Principles of Persuasion as a Social Engineering Strategy in Phishing

  2023cites this paper
• “It may take ages”: Understanding Human-Centred Lateral Phishing Attack Detection in Organisations

  2023influential citation
• Targeted Attacks: Redefining Spear Phishing and Business Email Compromise

  2023cites this paper
• Phishing susceptibility across industries: The differential impact of influence techniques

  2023cites this paper
• The Peculiar Case of Tailored Phishing against SMEs: Detection and Collective DefenseMechanisms at a Small IT Company

  2023cites this paper
• The role of conscientiousness and cue utilisation in the detection of phishing emails in controlled and naturalistic settings

  2023influential citation
• Maladaptive Behaviour in Phishing Susceptibility: How Email Context Influences the Impact of Persuasion Techniques

  2023cites this paper
• “We Need a Big Revolution in Email Advertising”: Users’ Perception of Persuasion in Permission-based Advertising Emails

  2023cites this paper
• Evaluating organizational phishing awareness training on an enterprise scale

  2023influential citation
• Towards a thematic dimensional framework of online fraud: An exploration of fraudulent email attack tactics and intentions

  2023cites this paper
• Who Gets Caught in the Web of Lies?: Understanding Susceptibility to Phishing Emails, Fake News Headlines, and Scam Text Messages

  2023cites this paper
• Exploring the evidence for email phishing training: A scoping review

  2023cites this paper
• Understanding Cyber Threats Against the Universities, Colleges, and Schools

  2023influential citation
• Analytical reasoning reduces internet fraud susceptibility

  2023cites this paper
• Phishing, Data-Disclosure and The Cognitive Reflection Test

  2022cites this paper
• Education and Training Against Threat of Phishing Emails

  2022cites this paper
• A Replication Study of the Impact of Impulsivity on Risky Cybersecurity Behaviors

  2022cites this paper
• Accidental Insecure Behavior

  2022cites this paper
• Users Really Do Respond To Smishing

  2022cites this paper
• Experiences, Behavioral Tendencies, and Concerns of Non-Native English Speakers in Identifying Phishing Emails

  2022cites this paper
• Phishing awareness and education – When to best remind?

  2022cites this paper
• Errors, Irregularities, and Misdirection: Cue Utilisation and Cognitive Reflection in the Diagnosis of Phishing Emails

  2022influential citation
• Unrealistic Promises and Urgent Wording Differently Affect Suspicion of Phishing and Legitimate Emails

  2021cites this paper
• Social Engineering in Cybersecurity: Effect Mechanisms, Human Vulnerabilities and Attack Methods

  2021cites this paper
• PERMARUN- A Persuasive Game to Improve User Awareness and Self-Efficacy Towards Secure Smartphone Behaviour

  2021cites this paper
• A Method for Assigning Probability Distributions in Attack Simulation Languages

  2021cites this paper
• What Remains Uncaught?: Characterizing Sparsely Detected Malicious URLs on Twitter

  2021cites this paper
• The Design and Development of Mobile Game to Promote Secure Smartphone Behaviour

  2021cites this paper
• Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility

  2021cites this paper
• Spotlight on Phishing: A Longitudinal Study on Phishing Awareness Trainings

  2021influential citation
• Phishing email strategies: Understanding cybercriminals' strategies of crafting phishing emails

  2021influential citation
• Buenas prácticas para el despliegue seguro del servicio de correo electrónico

  2021cites this paper
• Why They Ignore English Emails: The Challenges of Non-Native Speakers in Identifying Phishing Emails

  2021cites this paper
• How Phishers Exploit the Coronavirus Pandemic: A Content Analysis of COVID-19 Themed Phishing Emails

  2021cites this paper
• Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix

  2021cites this paper
• Response to a phishing attack: persuasion and protection motivation in an organizational context

  2021cites this paper
• The Prevalence of Cybersecurity Misinformation on Social Media: Case Studies on Phishing Reports and Zoom's Threats

  2021cites this paper
• Characteristics that Predict Phishing Susceptibility: A Review

  2021cites this paper
• Evaluation der interaktiven NoPhish Präsenzschulung

  2021cites this paper
• An investigation of phishing awareness and education over time: When and how to best remind users

  2020cites this paper
• Predicting Personal Susceptibility to Phishing

  2020cites this paper
• Who is targeted by email-based phishing and malware?: Measuring factors that differentiate risk

  2020cites this paper
• Scam Augmentation and Customization: Identifying Vulnerable Users and Arming Defenders

  2020cites this paper
• Workflow-based anomaly detection using machine learning on electronic health records’ logs: A Comparative Study

  2020cites this paper
• The Role of Cue Utilization and Cognitive Load in the Recognition of Phishing Emails

  2020cites this paper
• A novel hybrid approach of SVM combined with NLP and probabilistic neural network for email phishing

  2020cites this paper
• “HOW GOOD ARE THEY?” A STATE OF THE EFFECTIVENESS OF ANTI-PHISHING TOOLS ON TWITTER by SAYAK SAHA ROY

  2020cites this paper
• Don’t click: towards an effective anti-phishing training. A comparative literature review

  2020influential citation
• Testing the effectiveness of tailored phishing techniques in industry and academia: a field experiment

  2020cites this paper
• Susceptibility to phishing on social network sites: A personality information processing model

  2020cites this paper
• Trends & issues in crime and criminal justice

  2020cites this paper
• Social Engineering and Organisational Dependencies in Phishing Attacks

  2019cites this paper
• Susceptibility to Spear-Phishing Emails

  2019cites this paper
• Contemporary Cyber Security Social Engineering Solutions, Measures, Policies, Tools and Applications: A Critical Appraisal

  2019cites this paper
• Matching training to individual learning styles improves information security awareness

  2019cites this paper
• A Taxonomy for Social Engineering Attacks via Personal Devices

  2019cites this paper
• Mouse Behavior as an Index of Phishing Awareness

  2019cites this paper
• Why do I get phished? The role of persuasion, design authenticity and contextualization

  2019cites this paper
• Factors Affecting Individuals ’ Susceptibility to Cyber Attacks

  2019cites this paper
• The Enduring Mystery of the Repeat Clickers

  2019cites this paper
• 2019 Phishing and Cybercrime Risks in a University Student Community Follow

  2019cites this paper
• Phishing and Cybercrime Risks in a University Student Community

  2019cites this paper
• Cognitive Triaging of Phishing Attacks

  2019cites this paper
• Impulsivity and Information Disclosure: Implications for Privacy Paradox

  2019cites this paper
• Reviewing Cyber Security Social Engineering Training and Awareness Programs - Pitfalls and Ongoing Issues

  2019cites this paper
• Predicting susceptibility to social influence in phishing emails

  2019cites this paper
• You've got mail! Explaining individual differences in becoming a phishing target

  2018cites this paper
• A Game Theoretical Model for Anticipating Email Spear-Phishing Strategies

  2018cites this paper