One of the worst and most helpless feelings in the world is to get scammed by a phishing email. Chances are that your inbox has been flooded with many of those sketchy emails, waiting for you to take the bait.
What is a phishing email? According to the Federal Trade Commission, “Phishing is a type of online scam that targets consumers by sending them an e-mail that appears to be from a well-known source – an internet service provider, a bank, or a mortgage company, for example. It asks the consumer to provide personal identifying information. Then a scammer uses the information to open new accounts, or invade the consumer’s existing accounts.”
Phishing has become a major problem, with the FBI reporting it as the most common cybercrime. In 2022 alone, phishing caused losses of more than $10.2 billion, up from $6.9 billion in 2021. Phishing often serves as the first step in more advanced cyberattacks, such as business email compromise and ransomware.
Despite efforts to prevent phishing, people remain highly vulnerable. Even with training and advanced security systems, individuals still fall victim to these attacks. Researchers have found you can do something to lower the risk of falling prey to these cyber-attacks: Check your emotions at the door.
Chuan (Annie) Tian, assistant professor of MIS, and Greg Bott, associate professor of MIS, are co-authors of study published in European Journal of Information Systems that discovered when people feel strong emotions—such as fear or excitement—they are more likely to click on dangerous links or share personal information.
Most past research has focused on the cognitive side of phishing, studying how people process persuasive messages.
“Most of the stuff we’re doing cognitively, right? Cognitively, you are really using your brain to think, although sometimes you think superficially. Sometimes you think deeply and analytically,” Tian said. “That’s the length of the current research. Really nobody has done the work to tease out how emotion play a role, though emotion is so important.”
The study explored the influence of three emotional dimensions: valence, arousal, and certainty on phishing susceptibility.
“One email gets manipulated so that it’s either a high amount or low amount of a positive valence (pleasure) or a negative valence (displeasure) and high certainty (anger, happiness) and low certainty (hope, anxiety, curiosity),” Bott said.
For example, researchers created emails with messages promising financial rewards that made victims feel excited, which makes people rely on quick, heuristic thinking instead of careful analysis.
In another email, researchers sent messages that elicited discomfort and anxiousness, which created an increased desire for a resolution, which can lead to someone feeling impulsive and urged to click a link or open an attachment.
“You’re more likely to fall for it because you’re not thinking calmly and mindfully,” Bott said. “You’re angry and you’re acting out of emotion. So you’re going to do this more likely. You’re more likely to fall for it if you’re emotional.”
One key finding of the study is that training people to recognize phishing attempts can help reduce their chances of becoming victims. The authors suggest that organizations should educate employees on how emotions impact decision-making online. Simple strategies, such as pausing before clicking on links and double-checking sender details, can make a big difference.
While cognitive factors like persuasion are important, emotions play a significant role in phishing attacks. Recognizing the emotional tactics used by cybercriminals can help improve defenses and reduce the risk of falling victim to phishing in the future.