What Type of People Fall for Internet Scams?

Modern companies, educational institutions, and other business enterprises provide ongoing training for employees, students, and other stakeholders to help users recognize the red flags of cyber fraud. What types of people are most likely to fall for Internet scams? Online fraudsters know the answer to this question, and we should too.

Victim Vulnerability

Helen S. Jones and colleagues (2019) tackled the question of online victim vulnerability in a piece aptly entitled “Email Fraud: The Search for Psychological Predictors of Susceptibility.”

They begin by recognizing that individual decision-making about whether to engage with unfamiliar emails poses a potentially significant threat to both organizational and individual security.

Exploring the cognitive and situational influences that could explain why some people are more susceptible to scams than others, they identified cognitive reflection and sensation seeking as predictors of susceptibility that were modest, but significant.

They also found that study participants asked to make quicker responses, also made more errors in judgment.

Jones and colleagues recognized that their research reinforced prior findings by combining three factors explaining phishing email susceptibility: cognitive processing as a consequence of situational factors, user individual differences, and persuasiveness of email content.

Organizational Familiarity

Ryan T. Wright and colleagues (2023) explored employee phishing susceptibility within organizational tasks and social contexts. They began by recognizing that even though phishing research has sparked effective practical interventions designed to decrease susceptibility, employees continue to fall for phishing scams.

Examining finance division employees at a large university who encountered simulated email-based phishing attempts during the course of their normal work routine, they found that individual susceptibility to phishing attacks was impacted by position within organizational knowledge flows, as well as the impact of workgroup responsibilities on cognitive processing.

Specifically, Wright and colleagues found that employees who were central within the organization’s task network were less susceptible to phishing, which they suggest is due to having a higher amount of context-specific knowledge about what legitimate requests would look like.

They also found that employees in workgroups that were subjected to higher amounts of perceived time pressure were more susceptible to phishing—a result they suggest may result from the increased challenge of mindfully processing emails.

Who Is More Susceptible?

They also found that employees who are more reliant on IT support were more susceptible to phishing scams. They explained this was because their IT self-efficacy and centrality within the IT advice network was much lower—consistent with the position that employees who are less integrated into networks of organizational advice have less access to the type of contextualized knowledge necessary to help distinguish between legitimate and deceptive information processing requests within the context of their employment.

Accordingly, Wright and colleagues suggest that generic training will likely be less effective in averting scams than contextualized training incorporating the unique characteristics of employee organizational relationships and information systems involved in their work.

Decreasing victim vulnerability appears to be best achieved through training that incorporates learning what to look for in a legitimate email, as well as a fake—and the importance of taking the time to notice the difference.