Phishing attempts among the dark triad: Patterns of attack and vulnerability

Bibliographic details
Published in: Computers in human behavior 2018-10, Vol.87, p.174-182
Main authors: Curtis, Shelby R.; Rajivan, Prashanth; Jones, Daniel N.; Gonzalez, Cleotilde
Format: Article
Language: eng
Description
Summary: Phishing attacks are more common and more sophisticated than other forms of social engineering attacks. This study presents an investigation of the relationships between three personality traits—Machiavellianism, narcissism, and psychopathy (i.e., the Dark Triad)—and phishing effort, attack success, and end-user susceptibility to phishing emails. Participants were recruited in two stages. The first set of participants acted as attackers, creating phishing emails. The second set of participants acted as end-users, reading both benevolent and phishing emails and indicating their likely behavioral response to each email. Our findings suggest that attackers' Dark Triad scores relate to the effort that they put in writing a phishing email, but do not predict phishing success. Instead, it is the end-users' Dark Triad scores that predict the success of phishing emails. We found that higher levels of attacker Machiavellianism were linked to increased phishing effort, while end-user narcissism was associated with greater vulnerability when receiving phishing emails. Furthermore, our findings suggest that narcissistic end-users were marginally more susceptible to phishing emails that originated from narcissistic attackers. These results have important practical implications for training, anti-phishing tool development, and policy in organizations.
• We investigate the relationship between personality, phishing effort, and success.
• Three traits are: Machiavellianism, narcissism, and psychopathy (dark triad).
• Attackers high in Machiavellianism were more likely to put in more phishing effort.
• High end-user narcissism was related to greater susceptibility to phishing emails.
• End-user narcissists were susceptible to emails from narcissist attackers.
ISSN: 0747-5632, 1873-7692
DOI: 10.1016/j.chb.2018.05.037