Abstract
Phishing attacks have been predominantly delivered through emails but have recently found new paths through social networking services (SNSs). Numerous methods to combat email phishing have been tested, but few have been tested to combat phishing on SNSs. The current study investigated the efficacy of in-app training and priming to combat phishing attacks on an SNS, the Instagram Shop. This study manipulated priming, training type, and advertisement type through a mixed experimental design. Participants were tasked to view Instagram Shop advertisements to rate how likely they would recommend the products to their boss along with their reasoning for their ratings. Results showed that the text-with-image training effectively enhanced the likelihood of recommending legitimate advertisements and not recommending phishing ones. Overall, this study shows that the training implemented aided Instagram users in appropriately recommending phishing and legitimate advertisements, although priming was not seen to have an effect toward this goal.
As technology advances in cyberspace, so do malicious cyberattacks and ways for criminals to steal information (Gupta et al., 2017). Personal information can be stolen through phishing attacks, where an online attacker deceives a user into providing information, such as credit card numbers and passwords, through email, text messages, social media, and so on (Dunham, 2004; Kirda & Kruegel, 2006). Phishing attacks have been primarily delivered through emails but have found new platforms through social networking sites (SNSs) (e.g., Benenson et al., 2017; Shafahi et al., 2016). Numerous methods to combat email phishing efficiency have been tested, such as training or educating the user, using automated aids, and priming the user to think about their security (Baki & Verma, 2022; Chen et al., 2018, 2021; Chong et al., 2018; Kumaraguru et al., 2007; Yang et al., 2015). However, few studies have used training to combat phishing on SNSs (but see Garcia et al., 2023).
The current study investigated the efficacy of in-app training and priming to combat phishing attacks on the Instagram Shop. A total of 158 participants with an active Instagram account (age: M = 19.62, SD = 1.43; 58 male, 96 female, 4 non-binary) were recruited for this study. This study used a 2 priming (with, without; between-subjects) × 3 training type (none, text-only, text-with-image; between-subjects) × 2 advertisement type (phishing, legitimate; within-subjects) mixed design. Participants were recruited under the pretense that the study was about shopping preferences. Participants were tasked to view Instagram Shop advertisements to rate how likely they would recommend the corresponding products to their boss, which was the dependent variable. They were randomly assigned to a with- or without-priming group. Those in the with-priming group started with eight questions about online personal privacy to prime them to think about their privacy, while the without-priming group did not receive any questions. All participants were then instructed to rate Instagram Shop advertisements containing office supplies to recommend to their boss with their provided reasoning. Afterward, they were randomly assigned to a training condition. Those in the text-with-image training were given written advice about what to be aware of with a labeled example image, while those in the text-only training were only given the written advice, and those in the no-training group were not provided any extra information. Participants then viewed and rated 16 advertisements (8 legitimate, 8 phishing). Lastly, they answered demographic questions before being debriefed about the true nature of the study.
Results showed that participants recommended the phishing advertisements significantly less than the legitimate ones, regardless of their assigned training. This indicates that participants may already have some knowledge of what to look for in advertisements. Compared to participants’ recommendations in the text-with-image training, the no-training group recommended products with phishing advertisements more often and legitimate advertisements less often, and the text-only-training group recommended phishing advertisements more often. Similarly, the text-only-training group recommended legitimate advertisements more than the no-training group. This indicates that both trainings enhanced participants’ likelihood to recommend legitimate advertisements, while only the text-with-image training reduced their likelihood to recommend phishing advertisements. There was no significant effect of priming, which indicates that priming may not be applicable in the current context of Instagram. Instagram users may already think about their privacy when using the application, regardless of the priming manipulation.
Overall, this study shows that the training implemented aided Instagram users in appropriately recommending phishing and legitimate advertisements, although priming was not seen to have an effect toward this goal. Instagram users seem to already have some preexisting knowledge about phishing. Future studies can explore other training methods, such as including feedback or priming participants through videos.
Footnotes
Acknowledgements
The authors thank Melody Jing, Kevin Hernandez, Teon Golden, and Sharazad Ali for their assistance in the data collection.
Declaration of Conflicting Interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This material is based upon work supported by a seed grant from the Rice University Social Sciences Research Institute.
