Research identifies social media phishing vulnerabilities


Many people catch up on social media right before turning off the light to go to bed. They may want to wait to check their feeds until after their morning coffee to decrease their vulnerability to deceptive content shared by cybercriminals, suggests research from the CSU College of Business’ computer information systems department.

Social platforms abound with phishing, cybercriminals’ practice of sending misleading content in order to trick users into sharing personal information or downloading malware. Hamed Qahri-Saremi and his coauthor deployed an ostensible social media platform to investigate users’ responses to phishing messages and found that situational factors, such as lack of sleep, make users more likely to fall for these deceptions. The article, “Situational Contingencies in Susceptibility of Social Media to Phishing: A Temptation and Restraint Model,” was published by the Journal of Management Information Systems.

Qahri-Saremi and his coauthor’s research comes when social media phishing schemes have reached crisis proportions in the cybersecurity world. Due to the algorithms designed to exploit user psychology, social media platforms have become an astonishingly rich target for criminals: In some cases, up to 70% of social media users presented with a phishing link click on it.

Hamed Qahri-Saremi

“Situational Contingencies in Susceptibility of Social Media to Phishing: A Temptation and Restraint Model”
Hamed Qahri-Saremi, Ofir Turel¹
Journal of Management Information Systems

¹ School of Computing and Information Systems, The University of Melbourne

“Social platforms are ad-selling machines,” Qahri-Saremi said. “The strategy they use to sell ads is to take your attention for a longer period of time. They put content in the right circumstances to interest users. That’s a major power of social media.”

Temptation, restraint and social platform cues

The research builds on psychology’s dual system theory, which splits actions between two systems of the brain. One, a more primal and reactive system, operates on instincts and is easily tempted. The other offers higher-level functions and provides cognitive and behavioral restraints to those impulses.

As previous researchers discovered, a variety of features such as notification messages and personalized content feeds leverage the temptation impulse to keep users on the platform. The more ingrained the habit of responding to social media cues, the more immediate and instinctive that temptation becomes for a user.

“If someone is on social media a lot and strengthening the temptation system, they become more susceptible to these phishing attacks than someone who’s hardly ever on there,” Qahri-Saremi said. “You would think as you get more experienced with something, you get smarter about it. But on social media, they are more exposed to these cues, meaning that now they crave the enjoyment of responding to temptations that social media cues like notifications of new messages create.

“That’s why social media is addictive.”

Tamping down those impulses to click links and engage with content requires the higher-level restraint system to kick in. The power of those temptations varies among users, but Qahri-Saremi found that when users’ sleep quality dipped, so did their ability to rein in impulses to interact with phishing content. Social media users were also found to be more susceptible to phishing attacks when they were ostracized from an online community by receiving less attention than others, such as fewer likes, comments and feedback from other users. Similarly, when phishing links were shared by other accounts that users identified as highly likeable, the likelihood of engagement with them, and subsequently the susceptibility to phishing, increased.

An experimental social media platform to test engagement

Qahri-Saremi began the research with a Delphi study that solicited opinions from academics and cybersecurity experts. They identified factors that might influence social media users’ restraint. The crowdsourced list named sleep quality, ostracism, fear appeals and messenger likability as likely factors.

From there, researchers implemented an ostensible social media platform resembling the main platforms, such as Facebook, and invited regular social media users to interact with it. On that platform, they created profiles for themselves and engaged with other profiles by, for example, providing “likes” and exchanging direct messages for about three minutes. Unbeknownst to test subjects, they were the only users of the platform, with researchers manipulating their experience using simulated profiles to watch their reactions. In a series of randomized controlled experiments, subjects earned little engagement from their virtual peers, simulating ostracism, or received phishing links from a user they identified as a likeable person on the network. Those users demonstrated less restraint and engaged more with the phishing messages than a control group.

Researchers also examined results of a survey on the amount and quality of sleep users had the night before. These users also showed less restraint than well-rested peers when faced with phishing links.

“These three-minute sessions provide us with a very conservative estimate of users’ susceptibility to social media phishing,” Qahri-Saremi said. “On Facebook, you’re not interacting with an account for only minutes; you can be there for hours, for days. However, seeing the effects after just three minutes of interactions shows how strong these effects are.”

If these findings make users nervous to browse their social media feeds, that’s actually a good thing. The research found that fear appeals – reminders of the prevalence of phishing on social platforms and the effective coping mechanisms for them – helped inspire users to keep scrolling past phishing content.

Knowledge of the types of threats, as well as strategies users can use to mitigate them, can help everyone avoid cybercriminals’ attempts to access their data via social media. Stay off social media when you’re tired. Don’t browse Instagram when you’re lonely. And always, always, think twice before clicking an off-platform link.

“You should have an understanding of the situations that reduce your restraint,” Qahri-Saremi said. “You have these things at your discretion.”
