ABSTRACT
The heightened sophistication of phishing attacks results in billions of dollars of financial losses, loss of intellectual property, and reputational damage to organisations. Past work examining determinants of phishing susceptibility has been dominated by cognitive theoretical perspectives. However, recent research has also revealed the importance of emotion in phishing susceptibility. This study expands our understanding of phishing susceptibility by adopting an affective lens. Using an integrative perspective of emotion, we build on the Affective Infusion Model (AIM) to predict the effects of valence, certainty, and arousal on phishing susceptibility. We pilot our manipulations (N = 241) and then test our hypotheses using a mock phishing experiment (N = 474) in which phishing messages are sent directly to participant inboxes. We demonstrate that messages inducing positive valence and low certainty result in higher phishing susceptibility. This study contributes to phishing literature by illuminating the critical role that emotion plays in altering recipients’ susceptibility in the processing of phishing messages and has implications for scholars, practitioners, and organisations.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Supplementary material
Supplemental data for this article can be accessed online at https://doi.org/10.1080/0960085X.2024.2351442.
Notes
1. In addition to the models of emotion noted here, we also acknowledge other models of emotion that have yet to be applied in technology-related contexts. Notable among these is the Basic Emotion Theory first described by Ekman and Friesen (1971). The debate among emotion scholars regarding definitions and theoretical representations of emotion is rigorous and ongoing (e.g., see Journal of Nonverbal Behaviour, Vol. 43, Iss. 2). Therefore, in our investigation of emotions in phishing susceptibility, we have limited our attention to models of emotion that have been applied in MIS research and focus on attributional and appraisal perspectives.
2. Besides the heuristic and substantive processing described in this work, the AIM also includes mechanisms labelled direct access and motivational. The direct access mechanism refers to instances in which individuals retrieve existing judgements, and the motivational mechanism refers to instances in which there is pressure or a strong preference to achieve a certain outcome. However, these mechanisms will likely be less relevant when exploring phishing message processing, since phishing messages are typically unsolicited messages in limited exchanges. In the phishing context, reference to a pre-existing motivation or stored evaluations is unlikely. Furthermore, under direct access and motivational mechanisms, affect infusion is likely to be very low or non-existent (Forgas, 1995).
3. This study was approved by our university Institutional Review Board.
4. The observations in the baseline condition were not included in this analysis but are included in robustness tests.
5. The baseline condition, which contained no mention of refunds or charges, served as the condition for low arousal.