An examination of susceptibility to spear phishing cyber attacks in non-English speaking communities

Abstract

PurposeSpear phishing is a fraudulent practice that targets specific and well-researched users in an organization to collect their credentials. Previous studies have addressed the underlying drivers that significantly influence susceptibility to spear phishing. However, findings may not be generalized to other cultures and environments such as the developing Non-English-speaking countries. To fill this knowledge gap, this research investigated the drivers that affect susceptibility to spear phishing in the Middle Eastern culture. We proposed and tested a theoretical model that explains users' behavior toward phishing material in the context of Non-English-speaking countries. Design/Methodology/ApproachWe created the proposed model relying on the perceived risk theory, the theory of planned behavior, and the OSIR decision making model. The proposed model addressed the impact of information privacy risks, information security risks, and information security knowledge on the susceptibility to spear phishing attacks through the moderating trust construct. The study was conducted in Jordan, a developing and Non-English-speaking country in the Middle East. We designed a lab experiment to evaluate the robustness of the proposed model based on a multistage research, where 83 university students used a phishing website then answered a related survey. Collected data were empirically tested and evaluated using Partial Least Square Analysis and Structural Equation Modeling. FindingsThe results demonstrated the influence of the identified factors on the susceptibility to spear phishing. The study may provide an assistance in evaluating and selecting tools, methods and features for handling targeted types of phishing. Originality/ValueThere are several novel aspects in this study. 1) the experimental nature of study, where we used a real-life spear phishing scenario. 2) the nature of the targeted websites. We created spoofed pages of two webpages that provide academic activities, where students’ level of trust in those websites is likely higher than other websites. 3) the investigation of the mediation role of trust construct, particularly within a university environment, is a new direction in susceptibility to spear phishing. Unlike existing models that measure the direct effect of personality characteristics on phishing susceptibility, our model introduces trust attitude as an aggregation of positive and negative security-privacy interpretations. Finally, the study was conducted in a developing country environment where the Arabic Language is used in initiating and executing the attack.