The role of conscientiousness and cue utilisation in the detection of phishing emails in controlled and naturalistic settings

Email phishing is a serious and potentially catastrophic threat to organisations and individuals. Understanding what factors may influence individual susceptibility to phishing attacks is essential to protecting against cybercrime. We investigated the potential interplay between conscientiousness and cue utilisation in individuals' ability to accurately differentiate between phishing and legitimate emails. University students (N = 255) completed a phishing detection task, the Mini International Personality Item Pool, and the phishing edition of the Expert Intensive Skill Evaluation (2.0) battery. After, they were sent simulated phishing emails to their student email address. A Signal Detection Theory approach revealed that higher cue utilisation was associated with a greater ability to tell whether an e-mail was phishing or not in the detection task. For the simulated phishing emails, participants with lower conscientiousness were more likely to click an embedded link in an unsophisticated phishing email, however cue utilisation had no association with email engagement in a naturalistic setting. The findings provide insight into why some people are more susceptible to phishing scams and reveal important differences in phishing sensitivity as a function of context, which has implications to interventions.