An Investigation into Students Responses to Various Phishing Emails and Other Phishing-Related Behaviours

  • Edwin Donald FrauensteinEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 973)


Reports continue to testify that the problem of phishing remains pertinent in many industries today. This descriptive study investigated 126 university students’ responses to various forms of phishing emails and other security-related behaviours through a self-designed questionnaire. The majority of the participants reported having an average experience in using computers and the Internet. Most participants chose to respond to phishing emails purportedly originating from Facebook and university contexts thus supporting that users are more likely to fall victim to phishing if the message is of interest or has relevance to their context. However, susceptibility was significantly reduced when users were presented with emails that imitate well-known South African banking institutions. This may suggest that users are either aware of phishing schemes that impersonate banking institutions, or they feel uncomfortable giving up personal information when they feel more at risk to be affected financially. The results from this study offer insights on behavioural aspects that can assist the information security community in designing and implementing more efficient controls against phishing attacks. Furthermore, this study suggests that researchers should consider exploring the behaviour of social media users as they can be vulnerable to phishing.


Phishing Social phishing Social engineering Responses to phishing Social network sites Facebook Human factors Behavioural information security 


  1. 1.
    Purkait, S.: Phishing counter measures and their effectiveness - literature review. Inf. Manag. Comput. Secur. 20(5), 382–420 (2015)CrossRefGoogle Scholar
  2. 2.
    Yates, D., Harris, A.L.: Phishing attacks over time: a longitudinal study. In: Twenty-First Americas Conference on Information Systems, Puerto Rico (2015)Google Scholar
  3. 3.
    Symantec, Internet Security Threat Report 2017, vol. 22, April 2017. Accessed 9 Mar 2018
  4. 4.
    APWG, Phishing Activity Trends Report, 4th Quarter 2016. Accessed 10 Mar 2018
  5. 5.
    APWG, Phishing Activity Trends Report, 3rd Quarter 2017. Accessed 10 Mar 2018
  6. 6.
    ProofPoint, Quarterly Threat Summary–Q4 2016 & Year In Review,
  7. 7.
    Roberts, J.J.: Facebook and Google Were Victims of $100M Payment Scam, Fortune, 27 April 2017.
  8. 8.
    Abbasi, A., Lau, R.Y., Brown, D.E.: Predicting behavior. IEEE Intell. Syst. 30(3), 35–43 (2015)CrossRefGoogle Scholar
  9. 9.
    Metzger, M.J., Flanagin, A.J.: Credibility and trust of information in online environments: the use of cognitive heuristics. J. Pragmat. 59, 210–220 (2013)CrossRefGoogle Scholar
  10. 10.
    Mayhorn, C.B., Welka, A.K., Zielinska, O.A., Murphy-Hill, E.: Assessing individual differences in a phishing detection task. In: Proceedings 19th Triennial Congress of the IEA, Melbourne (2015)Google Scholar
  11. 11.
    Wombat Security Technologies, “State of the Phish 2018 Report”. Accessed 10 Apr 2018
  12. 12.
    Statista, Number of monthly active Facebook users worldwide as of 4th quarter 2017 (in millions). Accessed 22 Mar 2018
  13. 13.
    Patricios, O., Goldstuck, A.: SA Social Media Landscape 2018. World Wide Worx (2018). Accessed 12 Apr 2018
  14. 14.
    Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 581–590. ACM, Montreal (2006)Google Scholar
  15. 15.
    Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 601–610. ACM, Montreal (2006)Google Scholar
  16. 16.
    Downs, J.S., Holbrook, M.B., Cranor, L.F.: Decision strategies and susceptibility to phishing. In: Proceedings of the 2nd Symposium on Usable Privacy and Security, pp. 79–90. ACM, Pittsburgh (2006)Google Scholar
  17. 17.
    Egelman, S., Cranor, L.F., Hong, J.: You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In: Proceedings of the 26th Annual SIGCHI Conference on Human Factors in Computing Systems, pp. 1065–1074. ACM, Florence(2008)Google Scholar
  18. 18.
    Jagatic, T.N., Johnson, N.A., Jakobsson, M., Menczer, F.: Social phishing. Commun. ACM 50(10), 94–100 (2007)CrossRefGoogle Scholar
  19. 19.
    Silic, M., Back, A.: The dark side of social networking sites: understanding phishing risks. Comput. Hum. Behav. 60, 35–43 (2016)CrossRefGoogle Scholar
  20. 20.
    Hameed, K., Rehman, N.: Today’s social network sites: an analysis of emerging security risks and their counter measures. In: International Conference on Communication Technologies (ComTech), pp. 143–148. IEEE, Pakistan (2017)Google Scholar
  21. 21.
    Halevi, T., Lewis, J., Memon, N.: A pilot study of cyber security and privacy related behavior and personality traits. In: Proceedings of the 22nd International Conference on World Wide Web Companion, pp. 737–744. ACM, Rio de Janeiro (2013)Google Scholar
  22. 22.
    Vishwanath, A.: Habitual Facebook use and its impact on getting deceived on social media. J. Comput. Mediat. Commun. 20, 83–98 (2015)CrossRefGoogle Scholar
  23. 23.
    Vishwanath, A.: Getting phished on social media. Decis. Support Syst. 103, 70–81 (2017)CrossRefGoogle Scholar
  24. 24.
    Mouton, F., Malan, M.M., Venter, H.S.: Social engineering from a normative ethics perspective. In: Information Security South Africa, Johannesburg, pp. 1–8 (2013)Google Scholar
  25. 25.
    Langheinrich, M., Karjoth, G.: Social networking and the risk to companies and institutions. Inf. Secur. Tech. Rep. 15, 51–56 (2010)CrossRefGoogle Scholar
  26. 26.
    ProofPoint, The Human Factor Report 2016. Accessed 22 Mar 2018
  27. 27.
    Luo, X., Zhang, W., Burd, S., Seazzu, A.: Investigating phishing victimization with the Heuristic-Systematic model: a theoretical framework and an exploration. Comput. Secur. 38, 28–38 (2013)CrossRefGoogle Scholar
  28. 28.
    Harrison, B., Svetieva, E., Vishwanath, A.: Individual processing of phishing emails How attention and elaboration protect against phishing. Online Inf. Rev. 40(2), 265–281 (2016)CrossRefGoogle Scholar
  29. 29.
    Ferreira, A., Coventry, L., Lenzini, G.: Principles of persuasion in social engineering and their use in phishing. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2015. LNCS, vol. 9190, pp. 36–47. Springer, Cham (2015). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Information TechnologyWalter Sisulu UniversityEast LondonSouth Africa

Personalised recommendations