Is This Phishing? Older Age Is Associated With Greater Difficulty Discriminating Between Safe and Malicious Emails.

OBJECTIVES: As our social worlds become increasingly digitally connected, so too has concern about older adults falling victim to "phishing" emails, which attempt to deceive a person into identity theft and fraud. In the present study, we investigated whether older age is associated with differences in perceived suspiciousness of phishing emails. METHODS: Sixty-five cognitively normal middle-aged to older adults rated a series of genuine and phishing emails on a scale from definitely safe to definitely suspicious. RESULTS: Although older age was not related to a shift in overall perception of email safety, older age was related to worse discrimination between genuine and phishing emails, according to perceived suspiciousness. DISCUSSION: These findings suggest that cognitively normal older adults may be at particular risk for online fraud because of an age-associated reduction in their sensitivity to the credibility of emails.

The Phishing Email Suspicion Test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing detection.

Phishing emails constitute a major problem, linked to fraud and exploitation as well as subsequent negative health outcomes including depression and suicide. Because of their sheer volume, and because phishing emails are designed to deceive, purely technological solutions can only go so far, leaving human judgment as the last line of defense. However, because it is difficult to phish people in the lab, little is known about the cognitive and neural mechanisms underlying phishing susceptibility. There is therefore a critical need to develop an ecologically valid lab-based measure of phishing susceptibility that will allow evaluation of the cognitive mechanisms involved in phishing detection. Here we present such a measure based on a task, the Phishing Email Suspicion Test (PEST), and a cognitive model to quantify behavior. In PEST, participants rate a series of phishing and non-phishing emails according to their level of suspicion. By comparing suspicion scores for each email to its real-world efficacy, we find initial support for the ecological validity of PEST - phishing emails that were more effective in the real world were more effective at deceiving people in the lab. In the proposed computational model, we quantify behavior in terms of participants' overall level of suspicion of emails, their ability to distinguish phishing from non-phishing emails, and the extent to which emails from the recent past bias their current decision. Together, our task and model provide a framework for studying the cognitive neuroscience of phishing detection.