Posted by Trevagh Stankard on Thu, Dec 1st, 2022
Although general phishing attacks send malicious email messages to a mass group of people, spear phishing is much more targeted. Attackers invest time in a spear phishing campaign, choosing the right target to increase their chance of success, and research is the critical first step. Although a target's position within the organization and the permissions they hold on the network are important factors, a recent study shows that some personality traits are more susceptible to phishing than others.
Phishing Research Involving the Five Big Personality Traits
The study focused on the five basic personality traits: openness, conscientiousness, extraversion, agreeableness, and neuroticism. A brief description of each:
- Openness: The inclination towards exploration and inquisitiveness. Low openness is considered a higher security risk.
- Conscientiousness: Following social norms, being goal-oriented, and postponing personal gratification. Conscientious people are inclined to think before they act. High levels of conscientiousness lower security vulnerability.
- Extraversion: Success in interpersonal relationships. Extraverts are at higher risk because they seek acceptance from other people.
- Agreeableness: Avoiding conflict, cooperating, and helping other people. Agreeableness is the trait with the highest risk of security vulnerability.
- Neuroticism: Strong negative feelings in response to stress. People with low neuroticism have a lower risk of security vulnerability and less anxiety when approached with a phishing message or other social engineering.
With these traits in mind, researchers performed several rounds of phishing attacks. Results were divided into three categories: opened email, clicked link, and submitted data. Distinguishing whether a user merely opens an email, clicks a link, or goes on to submit data gives a level of severity for human vulnerability within the organization. For example, a user might open an email and determine that it's phishing without interacting with its content. Another user might open the email and click the link, indicating that the user did not recognize the phishing campaign. Security teams must focus training efforts on users who do not recognize phishing emails, click links, or submit data.
The researchers found that age and neuroticism greatly affected results. High neuroticism was associated with a greater chance of a user opening the email, while higher age reduced the chance of the phishing email being opened. An increase in openness and conscientiousness lowered the risk of the phishing link being clicked, but people with high extraversion, agreeableness and neuroticism were more likely to click the malicious link. The same traits affected the likelihood of a user submitting data: an increase in openness and conscientiousness lowered the risk of data being submitted, while people with high extraversion, agreeableness and neuroticism were more likely to submit data to the phishing page.
Where Can Corporations Go from Here?
Many of the personality traits that increase the risk of a security vulnerability also help with certain job functions, so the answer isn't to hire based on personality but to train users and put the right infrastructure in place. For example, sales and marketing staff are often extraverted, which helps them do their jobs. Corporations can work with people who have these traits so that they recognize a phishing email rather than interacting with it.
Security awareness training should always be a part of corporate onboarding. Training empowers users to recognize spear phishing and understand the implications of falling for a malicious email. It can take the form of materials made available to employees on the internal network, or web-based training videos and content. Periodic phishing tests and exercises tell administrators when an employee needs more training. Phishing tests track user interaction with simulated phishing messages, and any users tricked into interacting with them or submitting sensitive data can be retrained.
Email filters are also necessary for any organization. They reduce reliance on the human factor by stopping messages before they reach the targeted recipient. Many filters use machine learning to identify suspicious messages and quarantine them so that an administrator can review them for spear phishing content. Messages identified as spear phishing can be analyzed to determine whether other attacks are targeting the same employee, so that the employee can be notified. No filter catches everything, so training and filtering work together rather than as substitutes.
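The severity ladder described above (opened, clicked, submitted data) and the retraining decision it drives are straightforward to turn into a small reporting script. The following is an added example, not code from the study or from any TitanHQ product; the CSV export format, the department names and the user rows are constructed for illustration, and the "clicked" threshold for retraining is an assumption based on the article's reasoning that clicking is the first action showing a user did not recognize the lure.

```python
"""Score phishing-simulation results on the opened < clicked < submitted ladder
and pick the users who need retraining.

Added example. The CSV layout below is a hypothetical simulation export; the
rows are constructed sample data, not results from the study."""
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical format): one row per targeted user.
SIMULATION_CSV = """\
user,department,opened,clicked,submitted
alice,sales,1,1,1
bob,engineering,1,0,0
carol,sales,1,1,0
dave,finance,0,0,0
erin,finance,0,0,1
frank,engineering,1,0,0
"""

# Severity ladder from the article: each step is worse than the one before.
SEVERITY = {"none": 0, "opened": 1, "clicked": 2, "submitted": 3}


def classify(row):
    """Return the worst action a user took.

    Submitting data implies the link was clicked and the mail was opened, so the
    checks run from worst to best. This also tolerates inconsistent exports
    (e.g. erin: submitted=1 but clicked=0), which some tools produce when a
    tracking pixel or redirect is blocked; the data submission is what counts.
    """
    if row["submitted"] == "1":
        return "submitted"
    if row["clicked"] == "1":
        return "clicked"
    if row["opened"] == "1":
        return "opened"
    return "none"


def score_results(csv_text):
    """Parse a simulation export and return {user: worst_outcome}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["user"]: classify(row) for row in reader}


def needs_retraining(results, threshold="clicked"):
    """Users whose worst outcome is at or above the threshold (assumed: clicked)."""
    return sorted(
        user for user, outcome in results.items()
        if SEVERITY[outcome] >= SEVERITY[threshold]
    )


def department_summary(csv_text):
    """Per-department counts of users, clickers and submitters, so that training
    effort can be focused where the article says it belongs."""
    reader = csv.DictReader(io.StringIO(csv_text))
    summary = defaultdict(lambda: {"users": 0, "clicked": 0, "submitted": 0})
    for row in reader:
        outcome = classify(row)
        dept = summary[row["department"]]
        dept["users"] += 1
        if SEVERITY[outcome] >= SEVERITY["clicked"]:
            dept["clicked"] += 1
        if outcome == "submitted":
            dept["submitted"] += 1
    return dict(summary)


if __name__ == "__main__":
    results = score_results(SIMULATION_CSV)
    for user, outcome in results.items():
        print(f"{user:8s} {outcome}")
    print("retrain:", ", ".join(needs_retraining(results)))
    for name, counts in department_summary(SIMULATION_CSV).items():
        rate = counts["clicked"] / counts["users"]
        print(f"{name:12s} users={counts['users']} clicked={counts['clicked']} "
              f"submitted={counts['submitted']} click_rate={rate:.0%}")
```

Run it against a real export by replacing `SIMULATION_CSV` with the file contents; the only columns it relies on are `user`, `department`, `opened`, `clicked` and `submitted`, so map your tool's column names onto those before parsing.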
TitanHQ SpamTitan is an easily configured full phishing security solution that blocks general and targeted spear phishing. To get started, check out how SpamTitan can greatly reduce your organization’s risk of being the next victim of a data breach.
Did you know that phishing remained the second most prominent cause of data breaches in 2021? The tactic is quite old, and we’re all probably familiar with it now, yet many employees still fall for it.
More often than not, staff can't tell a phishing email from a legitimate one. However, concerns such as this are addressable through security awareness training. Be safe, not sorry. If you feel the urgent need to empower your team with security awareness, contact TitanHQ. Our cyber security experts will be happy to help you and your team learn how to protect your brand and your assets.
PhishTitan is an advanced phishing protection solution for companies using M365, powered by AI technology. Sign up for our Free Demo to learn more.