There has been substantial press coverage about how recruiters examine job candidates’ social media profiles to gain a bit more insight about prospective employees. While the merits and ethics of doing so are subject to substantial debate, there is evidence to suggest that social media can provide some interesting clues about how vulnerable some people are to phishing scams.
For example, 100 students from an undergraduate psychology class at the Polytechnic Institute of New York were sampled. These students a) completed a survey focused on their beliefs and habits with regard to online behavior; b) were asked how likely they thought they were to be the victim of online crime, such as password theft; and c) completed a personality assessment survey. After completing these activities, the students were then sent obvious phishing emails.
One out of six of those tested – most of whom were engineering or science majors – fell for the scam emails. Ignoring the gender differences of those who were most likely to fall for the phishing emails in this study (nope, you’re not getting me into that Vietnam War), the researchers found that those with the most “open” personalities – i.e., those who are most extroverted – were more likely to fall for phishing scams. The findings strongly suggest that people who overshare on Facebook or Twitter, for example, are more likely to become victims of phishing scams and other online fraud than those who are more introverted, share less or who don’t even have social media accounts. Another study found that younger students (aged 18-25) were more likely to fall for phishing scams than their older counterparts.
So why the differences?
- Extroverts tend to be more optimistic overall and so may be less inclined to assume that suspicious emails are being sent to them for nefarious reasons. Introverts, on the other hand, are generally less optimistic and so may be more skeptical of the world around them, including of emails that don’t seem quite right.
- Extroverts may have a perception of upside benefit vs. downside risk that is at odds with the needs of the corporate security model. For example, the ability to gain some perceived benefit by responding to an offer in a phishing email or friending a stranger in social media may overwhelm whatever training users might have received about the risks of these kinds of behaviors.
The issue for corporate security managers is obviously good user training and robust security technology. However, the missing element may end up being the critical need to evaluate those personality types that are most vulnerable to being fooled by phishing scams, malicious social media contacts and the like.