DEFENDING AGAINST SPEAR PHISHING: MOTIVATING USERS THROUGH FEAR APPEAL MANIPULATIONS

2016 
Phishing is a pervasive and growing form of online fraud that causes billions in losses annually. Spear-phishing is a highly targeted and successful type of phishing that uses social engineering to craft emails that appear genuine. Multiple studies have consistently reported that more than 70 percent of participants fell for such sophisticated spear-phishing attacks. Unfortunately, anti-phishing training campaigns struggle to effectively educate users on how to detect such spear-phishing emails—partially because security is seen as a secondary task outside their normal work, and partially because users are rarely motivated to undergo lengthy training. An effective training approach thus needs to be non-disruptive and brief so as to avoid being onerous, and yet needs to inspire dramatic behavioral change. This is a tremendous, unsolved challenge that we believe can be solved through a novel application of theory. Namely, we turn to fear appeals and protection-motivation theory (PMT) to explain how brief training—delivered in the form of a fear appeal—can educate users and evoke protection motivation. As training has to be brief and effective, we further integrate construal-level theory (CLT) to explain how fear appeals can quickly and powerfully evoke mental representations (construals) that effectively stimulate threat perceptions. We plan to conduct a field experiment to test our hypotheses and verify the effectiveness of our proposed training measures in an ecologically valid environment. Our contributions encompass: (1) providing effective and brief anti-phishing training based on fear appeals and PMT; (2) expanding PMT with CLT to guide fear appeal design; (3) demonstrating a full application of CLT.