Deception: Washington State University - Oct. 25, 2010

Ryan Wright - University of San Francisco

Understanding Deceptive Communication in Computer-Mediated Communications: The Case of Phishing Emails
Dr. Ryan T. Wright

Agenda
What is Phishing
Motivation
Theoretical Perspective
Results
Practical Implications
Future Research
Phishing is...
"the practice of directing users to fraudulent websites to obtain sensitive information"

Credit Card Number
Social Security Numbers
Passwords
etc.

(Dhamija et al., 2006)
Motivation
Success rate of each phishing attack = 0.000564%
US losses ~$929,000,000
Average phishing site is alive for 5 days
Source: antiphishing.org / Microsoft research

Past Phishing Research
Jagatic et al., 2005
Liu et al., 2006
Dhamija et al., 2006
Wu et al., 2006
Wright et al., 2008
Marett & Wright, 2009
Wright et al., 2010
Wright et al., 2010
Past Phishing Research
Wu et al., 2006
Impact of anti-phishing toolbars
Only prevented 35% of users from being tricked

Jagatic et al., 2005
Social networking and phishing scams 
72% of users responded when the message came from the address of a known user

Liu et al. 2006
Visual Characteristics
Layout: neighborhood relationship model
Style: page content

Results: even computer algorithms had a hard time telling the difference

Dhamija et al., 2006
HCI Properties
A good spoofed site fooled 90%
No significant difference between:
Sex
Age
Hours using a computer
Previous use of the web site
Education
Knowledge of phishing

Wright et al.: 3 Studies
JMIS, Forthcoming (Wright and Marett)
300 plus subjects

Behavioral Profiles of the Deceived

GDN, 2010 (Wright, Marett, Chakraborty and Basoglu)
400 plus subjects and 30 plus interviews

Behavior Profiles of Detected Deception

Submitted
Wright, Marett & Thatcher
Email Properties
Theory of Deception 
Methods
Code given to students at the beginning of the semester

Students sign an NDA

SSC reiterated at every lab

MIS class has security module (Week 3)

Includes internet threats 

Phishing began (Week 6)

Disclosure / Training (Week 8)

Demographics
N = 224 Subjects in Intro MIS class

Average 21 Years Old

52% Male

Only 10% were MIS Majors
Treatments
DV = Binary (answered with code or not)

Conditions
Mimic = Categorical (Real EDU, spoofed EDU, Mail.com)

Treatments
Low (Baseline)
Personalized
Name Dropping
Call to Action

Logistic Regression
Omnibus Model: χ² = 49.28, p < .000
R-Squared of .263
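As an added worked example (not code from the talk or its authors), the Python below fits a logistic regression of the kind summarized above: a binary DV (answered with the code or not) regressed on dummy-coded mimic and treatment conditions against the Real EDU / Low baselines, followed by the omnibus likelihood-ratio χ² against the intercept-only model and two pseudo-R² measures. The per-cell counts are constructed for illustration, not the study's data, and the function names and the choice of McFadden and Nagelkerke R² are assumptions, since the slide does not say which R² it reports.

```python
import math

# Constructed cell counts, (mimic, treatment) -> (replied with code, total).
# Illustrative numbers only, not the study's data.
CELLS = {
    ("Real EDU", "Low"): (2, 20), ("Real EDU", "Personalized"): (5, 20),
    ("Real EDU", "Name Dropping"): (7, 20), ("Real EDU", "Call to Action"): (10, 20),
    ("Spoofed EDU", "Low"): (2, 20), ("Spoofed EDU", "Personalized"): (5, 20),
    ("Spoofed EDU", "Name Dropping"): (6, 20), ("Spoofed EDU", "Call to Action"): (9, 20),
    ("Mail.com", "Low"): (0, 20), ("Mail.com", "Personalized"): (2, 20),
    ("Mail.com", "Name Dropping"): (3, 20), ("Mail.com", "Call to Action"): (5, 20),
}
MIMIC = ["Real EDU", "Spoofed EDU", "Mail.com"]                      # baseline: Real EDU
TREAT = ["Low", "Personalized", "Name Dropping", "Call to Action"]   # baseline: Low
TERMS = ["intercept"] + MIMIC[1:] + TREAT[1:]                        # coefficient names


def design_row(mimic, treat):
    """Intercept plus dummy codes relative to the baseline levels."""
    return ([1.0] + [1.0 if mimic == m else 0.0 for m in MIMIC[1:]]
            + [1.0 if treat == t else 0.0 for t in TREAT[1:]])


def expand(cells):
    """One row per subject: design vectors X and binary outcomes y."""
    X, y = [], []
    for (m, t), (replied, total) in cells.items():
        for i in range(total):
            X.append(design_row(m, t))
            y.append(1 if i < replied else 0)
    return X, y


def solve(A, b):
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * p for a, p in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]


def fit_logit(X, y, iters=50):
    """Maximum-likelihood logistic regression via Newton-Raphson."""
    p = len(X[0])
    beta = [0.0] * p
    for _ in range(iters):
        grad = [0.0] * p
        hess = [[0.0] * p for _ in range(p)]
        for xi, yi in zip(X, y):
            mu = 1.0 / (1.0 + math.exp(-sum(b * x for b, x in zip(beta, xi))))
            w = mu * (1.0 - mu)
            for j in range(p):
                grad[j] += (yi - mu) * xi[j]
                for k in range(p):
                    hess[j][k] += w * xi[j] * xi[k]
        step = solve(hess, grad)          # Newton step: H^-1 * gradient
        beta = [b + s for b, s in zip(beta, step)]
        if max(abs(s) for s in step) < 1e-10:
            break
    return dict(zip(TERMS, beta))


def log_lik(X, y, beta):
    """Bernoulli log-likelihood of the fitted model."""
    ll = 0.0
    for xi, yi in zip(X, y):
        eta = sum(b * x for b, x in zip(beta, xi))
        ll += yi * eta - math.log1p(math.exp(eta))
    return ll


def chi2_sf(x, df):
    """P(chi2_df > x) = Q(df/2, x/2), via the series for the regularized lower gamma."""
    a, z = df / 2.0, x / 2.0
    term, total = 1.0, 1.0
    for n in range(1, 500):
        term *= z / (a + n)
        total += term
        if term < 1e-16 * total:
            break
    lower = math.exp(a * math.log(z) - z - math.lgamma(a + 1.0)) * total
    return max(0.0, 1.0 - lower)


def omnibus(X, y, beta):
    """Likelihood-ratio chi-square against the intercept-only model, plus pseudo R-squared."""
    n, k = len(y), sum(y)
    ll0 = k * math.log(k / n) + (n - k) * math.log(1 - k / n)   # null (intercept-only) model
    ll1 = log_lik(X, y, [beta[t] for t in TERMS])
    chi2, df = 2.0 * (ll1 - ll0), len(TERMS) - 1
    cox_snell = 1.0 - math.exp(2.0 * (ll0 - ll1) / n)
    return {"chi2": chi2, "df": df, "p": chi2_sf(chi2, df),
            "mcfadden_r2": 1.0 - ll1 / ll0,
            "nagelkerke_r2": cox_snell / (1.0 - math.exp(2.0 * ll0 / n))}


def run(cells=CELLS):
    X, y = expand(cells)
    beta = fit_logit(X, y)
    return beta, omnibus(X, y, beta)


if __name__ == "__main__":
    coef, fit = run()
    for name, b in coef.items():
        print(f"{name:>16}: beta={b:+.3f}  odds ratio={math.exp(b):.2f}")
    print("Omnibus chi2({df}) = {chi2:.2f}, p = {p:.2g}, "
          "McFadden R2 = {mcfadden_r2:.3f}, Nagelkerke R2 = {nagelkerke_r2:.3f}".format(**fit))
```

Each coefficient is a log-odds change relative to the baseline cell (Real EDU sender, Low treatment), so exponentiating it gives the odds ratio for that cue; the omnibus χ² is twice the log-likelihood gain over the intercept-only model on df = number of dummies, which is how the "Omnibus Model" line on the slide is read.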
Limitations
Student Subjects

Phishing event led to priming

We targeted information we knew they had

Lacked generalizability but gained in precision 
(Dennis & Valacich 1999; McGrath 1989)

Implications
Training/Education
Corporate Policies
Consumer Awareness

Heuristic
Personal Decisions
Algorithm(s) for Detection
Future Research
1 - Explore the Factors Individually

2 - Test against other heterogeneous samples

3 - Timing
When to Phish
Response Time

Qualitative Findings
Here is my SSC "XXXXXX". I hope that the database will get fixed very soon. Best of luck to you on fixing the database.

My Network ID is XXXXX, my password is XXXX, my Student Number is XXXXX, my super secure Code is XXXXX, my home number is XXXXX

Hi, this is Andrew XXX (ID#XXX). My super secure password to log onto TAIT is XXX. Again that is XXX.
I'm unsure of my SSC but I think my mom knows it.
Her email address is XXXXX and her cell number is XXX.
