Abstract
Mobile phishing has emerged as one of the most severe cybercrime threats; thus, research must examine the factors affecting people’s likelihood of becoming instant messaging phishing targets. In this study, we draw on the cyber-routine activity theory (Cyber-RAT) and heuristic-systematic model (HSM) to predict Gen-Zers’ phishing susceptibility. Based on online survey data (n = 361), the proposed research model was validated via structural equation modeling conducted with SmartPLS 4. Findings indicate that engaging in online risky behavior (social media: instant messaging, vocational, and leisure activities) increases Gen-Zers’ exposure to phishers, increasing their likelihood of becoming instant messaging phishing targets. Phishing messages with a desirable or relevant topic (high message involvement) significantly impact Gen-Zers’ phishing susceptibility. Gen-Zers’ phishing susceptibility is also influenced by phishing messages with persuasive cues. While knowledge of the phishing domain does not directly influence Gen-Zers’ susceptibility to phishing attacks, it significantly motivated them to adopt effective online security management practices on social instant messaging platforms. This paper discusses how these findings implicate online users and inform agencies to promote knowledge for understanding and detecting phishing attacks to avoid victimization.
Introduction
Cybercrimes such as phishing, identity theft, and spoofing are rising in Malaysia (MyCERT, 2021); among these, phishing is the most frequently occurring form of cyberattack victimization (Statista, 2019). Popular mobile instant messaging apps like WhatsApp and Facebook Messenger enable real-time and convenient communication within virtual communities (Leon, 2018; Suganya, 2016). Alas, this characteristic makes these platforms a hunting ground for scammers (Suganya, 2016). A primary reason why cybercriminals, such as phishers, favor mobile instant messaging for targeting vulnerable and unsuspecting victims (Central Bank of Malaysia, 2017) is that, unlike emails, instant messaging applications have limited to no spam filters (Verkijika, 2019). When trusting victims disclose confidential information to scammers via messaging apps, they risk losing money (Aiman, 2020). Indeed, mobile phishing victimization is more common than traditional phishing, with mobile phishing success rates three times higher than general phishing attacks (Goel and Jain, 2018). In light of this, it is hardly surprising that security researchers and practitioners place utmost importance on phishing (Verkijika, 2019; Arachchilage and Love, 2014; Chen et al. 2020; Musuva et al. 2019), given that it significantly threatens personal and organizational information security (Verkijika, 2019).
Traditionally, phishing entails fake emails to trick users into disclosing personal information (Sarker et al. 2024), often through the impersonation of an authorized person from a legitimate institution (Frauenstein and Flowerday, 2020). However, modern phishing has evolved to include channels such as mobile devices and instant messaging apps. Social media (i.e., instant messaging platforms) include both synchronous (i.e., embedded chat features) and asynchronous (i.e., private/personal message sent) communication modes (Frauenstein and Flowerday, 2020; Kuss and Griffiths, 2011). Consequently, instant messaging serves as a phishing message transmission channel, exposing users to the motivated offender for phishing attacks (Verkijika, 2019; Frauenstein and Flowerday, 2020; Ahmad et al. 2023). From a scholarly standpoint, while a significant amount of research effort has gone into determining the predictors of being a victim of phishing email attacks (Musuva et al. 2019; De Kimpe et al. 2018; Ge et al. 2021; Jansen and Leukfeldt, 2016; Ngo et al. 2020; Zhang et al. 2012), research on phishing via instant messaging is relatively limited (Frauenstein and Flowerday, 2020), particularly in Malaysia.
A lack of cybersecurity knowledge and awareness among Internet users is a primary factor contributing to their vulnerability to cybercrime (Zolkiffli et al. 2023). The recent surge in phishing cases in Malaysia highlights the prevalence of this issue, indicating a lack of phishing awareness and knowledge among Malaysian Internet users (Kaur, 2024; Mohd and Mohd, 2021; Olivia Tan et al. 2020). Instant messaging applications, such as WhatsApp and Facebook Messenger, are commonly used for both personal and professional communication (Wei, 2014). This multi-tasking nature makes them attractive to phishers, who can anonymously disseminate false information and clickbait to target Malaysian users (Saudi et al. 2007; Singh, 2013; Tan, 2023). Recent reports indicated that young Malaysians are particularly vulnerable to phishing attacks via instant messaging platforms, facing a heightened risk of financial loss due to investment and loan scams (Adamu et al. 2020; Bernama, 2019; Bernama, 2022; Goh, 2022; Singh, 2021; Wong, 2021; Yeoh, 2023; Zainal et al. 2022).
Given the extensive usage of instant messaging, increasing knowledge and awareness of fraud prevention is critical. This involves providing information on useful online security measures, such as how to use instant messaging apps safely and avoid typical risks (Pascal, 2024). Despite the increasing prevalence of cybercrime, the understanding of how individuals’ awareness (i.e., knowledge) and cybersecurity protection behavior vary in response to diverse cyber threats remains limited (Moti et al. 2020). To the best of our knowledge, there is a lack of empirical evidence exploring the relationship between threat knowledge and cyber protection behavior. To investigate the relationship between cybersecurity knowledge and online security management on instant messaging platforms, this study therefore aims to examine whether knowledge of the phishing domain is a significant predictor of effective security practices.
While numerous studies have been conducted on the governance and implications of cyber fraud, few studies have examined the risk of phishing victimization in Malaysia (Mohd and Mohd, 2021). This research gap is unfortunate because phishing threats have significantly increased in Malaysia compared to other cybercrime (Singh et al. 2021), resulting in significant financial losses (Mohd and Mohd, 2021; Singh et al. 2021). Although phishing cannot be completely eliminated, it can be mitigated and prevented to some extent (Mohd and Mohd, 2021). This study provides the first crucial step in this direction by obtaining insights into the factors driving Malaysia’s risk of instant messaging phishing victimization, which informs potential risk factors and recommends effective preventive interventions. Increasing phishing knowledge could give users increased vigilance and savviness, reducing the likelihood of phishing victimization. To achieve this, we propose a research model for predicting instant messaging phishing victimization risk (phishing susceptibility). The following section outlines the research background, theoretical framework and the development of the hypotheses.
Literature review and theoretical foundation
Phishing susceptibility
Phishing susceptibility represents the risk rate that a phishing attack will dupe Internet users (Chen et al. 2020). It denotes the likelihood that a person will respond to phishing attacks, including interacting with or being lured by clickbaits (Wang et al. 2012). The relevant literature treats susceptibility to phishing as a dependent variable (Chen et al. 2020; Frank-Chou et al. 2021; Musuva et al. 2019; Parsons et al. 2019), as phishing victims are expected to update their susceptibility to phishing by combining previous victimization experience with a new phishing encounter (Chen et al. 2020).
Previous research on phishing susceptibility and victimization has primarily employed two types of dependent variables: (1) phishing susceptibility, assessed using a five-point Likert scale to measure respondents’ likelihood of being deceived by a phishing attack (Musuva et al. 2019); and (2) phishing victimization experience, measured using dichotomous scales to determine whether respondents have been victims of phishing attacks (Ngo et al. 2020).
Chen et al. (2020) highlight the frequent use of the term “phishing susceptibility” in studies examining phishing victimization. Numerous studies have explored the relationship between deception detection processes and phishing susceptibility (Alseadoon et al. 2014; Chen et al. 2020; Frank-Chou et al. 2021; Frauenstein and Flowerday, 2020; Musuva et al. 2019; Vishwanath et al. 2011). This is because, from a temporal perspective, individuals must engage in deception detection before determining their susceptibility to phishing attacks (Chen et al. 2020).
Given the current study’s primary objective of identifying significant predictors of phishing susceptibility, a dichotomous dependent variable (yes or no) measuring whether respondents responded to the phisher is not applicable. Instead, the endogenous variable in this study is phishing susceptibility, measured using a five-point Likert scale. This approach aligns with previous research that has employed phishing susceptibility to examine respondents’ perceptions of their vulnerability to phishing attacks (Algarni, 2019; Alseadoon et al. 2014; Chen et al. 2020; Frauenstein and Flowerday, 2020; Frauenstein et al. 2023).
Systematic review of phishing empirical studies
This paper adhered to the guidelines for conducting systematic literature reviews proposed by Watson and Webster (2002). To develop a comprehensive theory of phishing susceptibility, this study employs a concept-centric literature review approach, synthesizing existing empirical research on phishing susceptibility. A comprehensive literature review conducted via Scopus, Web of Science, Springer, and Google Scholar, focusing exclusively on studies that employed survey methodologies, identified several theoretical frameworks commonly employed in phishing victimization research (Table 1). These include the Theory of Deception (TOD), Routine Activities Theory (RAT), Lifestyle-Routine Activities Theory (LRAT), Elaboration Likelihood Model (ELM), Heuristic-Systematic Model (HSM) of information processing, Social Judgment Theory (SJT), Big Five Personality Traits, Protection Motivation Theory (PMT), Social Cognitive Theory (SCT), and Stimulus Interpretation Response (SIR).
The TOD, which emphasizes the significance of assessing targeted victims’ domain-specific knowledge of deception detection factors, was a foundational theory in explaining phishing susceptibility (Chen et al. 2020). According to Musuva et al. (2019), this theory suggests that individuals’ ability to make informed decisions when confronted with phishing attacks is influenced by their understanding of deception tactics. Previous empirical studies have primarily focused on three categories of phishing susceptibility: (1) phishing target characteristics, utilizing the RAT (Leukfeldt 2014) and LRAT (Ngo et al. 2020; Ribeiro et al. 2024) to explore how individual lifestyles and habits may increase vulnerability to phishing attacks; (2) phishing message characteristics, employing ELM (Algarni, 2019; Musuva et al. 2019), HSM (Farkhondeh et al. 2020; Frauenstein and Flowerday, 2020; Frauenstein et al. 2023; Ribeiro et al. 2024) and SIR (Frank-Chou et al. 2021) to investigate how individuals process and evaluate phishing messages; and (3) individual intentions to engage in protective behaviors, applying PMT (Manoharan et al. 2022) and SCT (Kwak et al. 2020) to understand factors influencing individuals’ willingness to adopt protective measures against phishing.
While RAT and LRAT have been frequently employed as theoretical frameworks for predicting cybercrime phishing, their applicability in the online context has been debated. Yar (2005) and Hsieh and Wang (2018) argued that RAT’s emphasis on physical proximity may be less relevant in the virtual world. RAT emphasizes the principle of physical co-presence between offender and victim (Choi and Lee, 2017). However, technological advancements have rendered physical proximity less relevant in the online context (Pratt et al. 2010; Reyns and Henson, 2015). The virtual environment challenges RAT’s applicability in cybercrime investigations due to the lack of physical interaction between offender and victim (Choi, 2015; Choi and Lee, 2017; Hsieh and Wang, 2018).
Previous research suggests that RAT may not be sufficient for explaining criminal victimization, particularly phishing (Hutchings and Hayes, 2009; Leukfeldt, 2014; Ngo and Paternoster, 2011). While RAT and lifestyle exposure theory can provide insights into victimization, future research may benefit from developing an integrated theory to predict cybercrime victimization (Choi, 2008; Choi and Lee, 2017; Choi et al. 2019; Lee and Choi, 2021). Cyber-RAT, a modified version of RAT, has been applied to cyber-interpersonal offending and violence victimization. Despite its potential, the application of Cyber-RAT to phishing remains unexplored. This study aims to address this theoretical gap by investigating the relevance of Cyber-RAT in predicting the risk of instant messaging phishing victimization.
Theory of deception
The Theory of Deception explains how Internet users recognize deception (Musuva et al. 2019), and researchers adopt this theory to investigate online deceptions (i.e., phishing susceptibility) occurring in the virtual network (Chen et al. 2020; Grazioli, 2004; Vishwanath et al. 2011; Wang et al. 2012). Four stages characterize the model: “activation,” “postulate generation,” “postulate evaluation,” and “global assessment” (Johnson et al. 2001). The first process (activation) manifests when targeted victims receiving deceptive information recognize inconsistent cues that differ from the expectation of an authentic message (Vishwanath et al. 2011). The targeted users generate interpretative data based on their knowledge of the threat domain (Musuva et al. 2019; Wang et al. 2012). The second process, postulate generation, entails them detecting anomalies and then developing deception hypotheses based on prior knowledge to explain the inconsistencies (Wang et al. 2012). The third stage, postulate evaluation, is when they use their competencies and knowledge of the threat domain to compare or evaluate the deception cues against some criteria (Musuva et al. 2019; Wang et al. 2012; Wright et al. 2009). The final process is the global evaluation, where messages or information are combined to form a synthetic judgment of (Musuva et al. 2019; Wang et al. 2012). The targeted victims combine the anticipated outcomes and then use the results to assess a phishing postulate (Chen et al. 2020). The phishing attempt is confirmed once the phishing evaluation is completed (Chen et al. 2020).
Vishwanath et al. (2011) used the Theory of Deception to explain how and what deception techniques (i.e., cues) can detect deception. This model is appropriate for comprehending phishing-based deception (Vishwanath et al. 2011). Similarly, Musuva et al. (2019) postulate that the Theory of Deception fits very well in examining social engineering cases because it systematically guides the assessment of mental processes undertaken by representatives to recognize the gap that leads to successful attacks. This theory contends that it is critical to assess targeted victims’ domain-specific knowledge (i.e., the targeted victims’ understanding of deception detection cues) to assist them in making final decisions when confronted with phishing attacks (Musuva et al. 2019).
Cyber routine activities theory
Choi (2008) modeled the Cyber-Routine Activities Theory (Cyber-RAT) based on the Routine Activity Theory (RAT) (Cohen and Felson, 1979) and the Lifestyle Routine Activities Theory (LRAT) (Hindelang et al. 1978). According to the conceptual model, risky online behaviors and digitally capable guardianship (e.g., online security management) are significant predictors of computer crime victimization (Choi, 2008; Choi and Lee, 2017; Choi et al. 2019). The three main elements of RAT are “motivated offender,” “suitable targets,” and “absence of capable guardianship” (Choi, 2008; Cohen and Felson, 1979). The “motivated offender” refers to “proximity to the motivated offender” and “exposure to risk situations” associated with Internet users’ online frequency (Ngo et al. 2020; Leanna, 2020; Milani et al. 2020). A suitable target signifies the visibility of victims based on their activities, contributing to the extent to which they appear susceptible to potential offenders (Leukfeldt and Yar, 2016). Choi and Lee (2017) denote capable guardianship as the proficient and proactive management of online security measures, encompassing various practices and strategies to safeguard digital assets, minimize vulnerabilities, and ensure a robust defense against cyber threats, ultimately maintaining a secure digital environment. The Routine Activity Theory (RAT) posits that a crime will likely occur when three elements converge: a motivated offender, a suitable target, and the absence of a capable guardian, leading to victimization (Leukfeldt and Yar, 2016; Leukfeldt, 2014; Holt and Bossler, 2009; Lastdrager, 2014). However, if one of the components is missing, cybercrime victimization might not occur.
The LRAT was developed by measuring Internet users’ daily social interactions (Hindelang et al. 1978). When Internet users engage in risky cyber activities, they are particularly vulnerable to offenders and thus victimized (Choi and Lee, 2017; Choi et al. 2019). Online risky activities include professional and recreational pursuits (Hindelang et al. 1978). Both the RAT and the LRAT posit that poor security management increases the likelihood of Internet users being victimized online and vice versa (Choi and Lee, 2017). Effective online security management (i.e., online privacy) reduces the risk of being a victim of cybercrime, particularly phishing (Leanna, 2020; Kabiri et al. 2020; Naci and Christopher, 2020).
The Cyber-Routine Activity Theory (Cyber-RAT) has garnered significant attention in cybercrime victimization research and offers an apt predictive model for comprehending cybercrime victimization (Choi, 2008; Choi and Lee, 2017; Choi et al. 2019). This research focuses on the roles of online digital guardianship (online security management) and risky online activities (vocational, leisure, and instant messaging activities) in affecting instant messaging phishing victimization.
Heuristic-systematic information processing model
The Heuristic-Systematic Model (HSM) proposed by Chen and Chaiken (1999) has been widely used in social psychology, particularly in persuasion studies (Luo et al. 2013) on how a message or information received can change people’s attitudes (Luo et al. 2013; Rahman, 2018). The HSM model posits that when people are persuaded, they will first determine the validity of the acquired information by combining systematic and heuristic processing in a composition determined by different predictors (Luo et al. 2013). The HSM is pervasive in the field of information security (Frauenstein and Flowerday, 2020) and is recognized as an appropriate framework for understanding phishing victimization (Harrison et al. 2016; Farkhondeh et al. 2020; Luo et al. 2013; Valecha et al. 2015; Vishwanath et al. 2018; Zhang et al. 2012).
HSM entails two types of information processing modes: systematic and heuristic (Frauenstein and Flowerday, 2020; Luo et al. 2013). The heuristic mode is a limited form of information processing that demands reduced cognitive effort and fewer cognitive resources, typically resorted to by people lacking cognitive or motivational resources (Frauenstein and Flowerday, 2020). The heuristic processing mode enables message receivers to decide based on specific indicators. Heuristic cues have been subject to extensive research, given that phishing attackers frequently use persuasive cues to deceive targeted victims (Musuva et al. 2019; Wright et al. 2020).
On the other hand, systematic processing occurs when Internet users thoroughly evaluate the message’s content while investigating and validating the authenticity of the phishing messages (Luo et al. 2013). However, phishing or suspicious messages are typically intended to slow down systematic processing (Workman, 2008). Message involvement is a systematic cue that has been studied (Chen et al. 2020; Farkhondeh et al. 2020; Musuva et al. 2019; Wang et al. 2012).
Justification of integration of theories
The Theory of Deception (TOD) delves into the cognitive processes of individuals encountering deceptive communication, accentuating the importance of understanding their cognitive functioning and reasoning capacity to navigate deception effectively. The theory investigates deception strategies and indicators for recognizing fraud (Musuva et al. 2019; Vishwanath et al. 2011), rendering it relevant in the social engineering domain by analyzing the cognitive processes of message recipients to identify vulnerabilities contributing to successful attacks. In sum, the TOD underlines the significance of evaluating the message recipient’s subject knowledge and comprehension of recognition indicators (Wang et al. 2012; Shang, et al. 2023; Vishwanath et al. 2011).
A constraint of the TOD is that it does not discern between the various indicators deemed essential for recognizing fraud (Musuva et al. 2019). Deception works when a scammer preys on the target’s information processing deficiency and actively undermines the target’s mental efforts (Johnson et al. 2001). Thus, victimization is attributed to an error in knowledge processing, an absence of the cognitive ability to recognize false information, or both. By implication, recipients are more likely to fall prey to fraud if they emphasize persuasive cues instead of threat detection signs and the level of argument inherent in the phishing messages (Luo et al. 2013; Vishwanath et al. 2011).
The Heuristic Systematic Model potentially addresses the preceding concern (Musuva et al. 2019) by discerning the types of cognitive processing modes (heuristic and systematic) in the evaluation of persuasive communication (Chaiken, 1980). The HSM may offer a more integrative view when applied in conjunction with the Theory of Deception’s one-process approach within social engineering studies (Workman, 2008). Wang et al. (2012) converged TOD and HSM and confirmed significant robustness in predicting individual phishing email susceptibility. In light of this, this research integrates TOD and HSM to predict the risk of instant messaging phishing victimization in the Malaysian context.
Nonetheless, while phishing message processing and knowledge relevant to phishing detection are claimed to play an essential role in predicting phishing susceptibility (Frauenstein and Flowerday, 2020; Luo et al. 2013), many Internet users have developed, most likely as a result of their daily experience, an ability to recognize conventional mass phishing (Rizzoni et al. 2022). However, this notion may be less valid for more intensely crafted targeted phishing messages (Rizzoni et al. 2022). Phishing still dupes many people, although it is a cybercrime regularly encountered publicly (De Kimpe et al. 2018). Because receiving phishing messages is a precursor to victimization (De Kimpe et al. 2018), we consider phishing target characteristics a crucial factor in this study. Sommestad and Karlzén’s (2019) meta-analysis indicates that message attributes and phishing recipient characteristics affect susceptibility. Unstructured online activities like “hanging out on the street” are conducive to crime, particularly phishing victimization (De Kimpe et al. 2018; Ngo et al. 2020; Leukfeldt, 2014; Hutchings and Hayes, 2009). Therefore, this study delves into the relationship between various unstructured online activities (e.g., online risky activities) and the susceptibility to phishing in instant messaging. In sum, our research model straddles the TOD, HSM, and Cyber-RAT to predict instant messaging phishing victimization.
Echoing the notes of Musuva et al. (2019), there is a lack of theoretical frameworks in existing phishing studies, particularly those focusing on Malaysia (Asfoor et al. 2018). This study was undertaken to fill this research gap. The current study presents a theoretically grounded empirical analysis of phishing target characteristics, phishing message characteristics, and individual phishing knowledge to understand why individuals fall victim to phishing attacks. To the best of our knowledge, in contrast to the majority of available literature, which has instead relied on pre-existing theories, this study aims to integrate all of these theories to explore the causal relationships between various predictors to better understand phishing susceptibility among Malaysian youth. Figure 1 depicts the current study’s overall research framework.
Individual prior knowledge
Knowledge of the threat domain
Knowledge of the threat domain characterizes an individual’s acquired skills and information for detecting a threat, such as a phishing attack (Musuva et al. 2019). Knowledge about threat techniques and terminologies is one crucial aspect of knowledge (Musuva et al. 2019; Grazioli, 2004). Empirical studies have been conducted to determine whether knowledge plays a significant role in phishing detection (Musuva et al. 2019; Wang et al. 2012). Educating Internet users about the strategies could reduce their susceptibility to the phishing threat (Verkijika, 2019). Internet users with more knowledge about phishing attacks can discern phishing threats (Wang et al. 2012) and confidently mitigate the risks of phishing victimization (Musuva et al. 2019).
Interestingly, a counterintuitive finding discovered a positive relationship between phishing knowledge and susceptibility to phishing (Diaz et al. 2019) — that is, the greater an individual’s knowledge of phishing, the greater his or her susceptibility to phishing. The authors speculated that Internet users who have experienced phishing attacks may be likelier to overestimate their phishing knowledge, resulting in a higher victimization rate. Although phishing-related knowledge reduces the likelihood of susceptibility to phishing scams, this awareness of suspicious messages may not reduce the likelihood of clicking on phishing messages (Downs et al. 2006; Sturman et al. 2023). This study aims to clarify this conundrum by examining the link between threat domain knowledge and phishing susceptibility. The current study, guided by the Theory of Deception (Johnson et al. 1992), seeks to determine whether knowledge of phishing or scams can reduce the risk of phishing victimization (Wang et al. 2012). Thus,
H1: Having knowledge of the threat domain is negatively related to instant messaging phishing susceptibility.
Phishing target’s characteristics
Cyber risky behaviors
The central tenets of risky cyber activities are cyber-vocational activities, cyber leisure activities, and cyber social media activities (Choi, 2008; Choi and Lee, 2017; Choi et al. 2019). One’s online daily activities influence exposure to the risk of cybercrime victimization (Choi, 2008), including phishing victimization (Hutchings and Hayes, 2009; Holt and Bossler, 2009; Leanna, 2020; Leukfeldt, 2014; Ribeiro et al. 2024), cyber-interpersonal violence, cyber-interpersonal violence victimization (Choi and Lee, 2017), and cyber-bullying victimization (Choi et al. 2019). Internet users’ visibility from various online activities contributes to the extent to which the victim is a suitable target from the perspective of a would-be offender (Leukfeldt and Yar, 2016; Ngo et al. 2020). Empirical evidence indicates that cyber-risky activities predict cybercrime (Choi and Lee, 2017; Choi et al. 2019; Goede et al. 2023), cyber interpersonal violence (Choi and Lee, 2017), and cyberbullying (Choi and Lee, 2017) victimization. Therefore, this study predicts that:
H2: Engaging in cyber-risky social media (instant messaging) activity is positively related to instant messaging phishing susceptibility.
H3: Engaging in cyber-risky leisure activity is positively related to instant messaging phishing susceptibility.
H4: Engaging in cyber-risky vocational activity is positively related to instant messaging phishing susceptibility.
Online security management
Capable guardianship can be classified into two categories: physical guardianship and digital (i.e., cybersecurity) guardianship, emphasizing effective online security management (Kabiri et al. 2020). This encompasses cybersecurity and security applications/software guardians (i.e., cybersecurity management). Regarding cybercrime victim behavior, cybersecurity management has been identified as the most critical factor in predicting cybercrime victimization among Internet users (Choi and Lee, 2017; Back, 2016). Internet users frequently employ information security management techniques to protect themselves from cybercrime attacks (Abu-Ulbeh, et al. 2021), as affirmed by The Routine Activities Theory documenting guardianship as the most influential and critical factor in reducing victimization (Leukfeldt and Yar, 2016). Online security management has garnered significant empirical support as a critical factor impacting cybercrime victimization. Insufficient online security management, including neglecting to use privacy protection on social media, enables motivated offenders to gather the potential victim’s information (Choi and Lee, 2017; Choi et al. 2019). Whitty (2019) found that Internet users engage in online guardianship behaviors to reduce their risk of online victimization. Recent findings confirmed that digitally capable guardianship significantly predicts cybercrime victimization (Smith and Stamatakis, 2021; Guedes et al. 2022).
Studies have demonstrated the pivotal role of knowledge in effective guardianship, shaping decision-making processes. The concept of guardianship functions along a range of capacities, including accessibility, observation, and involvement (Reynald, 2010). A fundamental requirement for effective guardianship, as outlined by Felson (2006), is a comprehensive knowledge of the immediate environment and its associated risks. In line with Felson’s (2006) perspective, capable guardianship in the online realm involves a deep understanding of online security practices and their application within social media platforms in preventing crime (Choi and Lee, 2017; Choi et al. 2019). In this way, online security management complements the concept of capable guardianship from routine activity theory.
Capable guardianship is an attitude that reflects an individual’s willingness to actively engage in crime prevention efforts (Marzbali et al. 2020). Possessing a capable guardianship attitude indicates that one is willing to take an active role in efforts to prevent crime. Research showed that the association between knowledge and attitude has been established, supported by the Knowledge, Attitude, and Behavior (KAB) (Schafeitel-Tähtinen et al. 2024). It is anticipated that the knowledge will transform a person’s mindsets (i.e., attitudes) and cause changes in behavior. An individual’s attitude towards information security is impacted by their level of expertise (i.e., knowledge) in the subject of cybersecurity awareness (McCormac, et al. 2017).
Inadequate online security management, such as neglecting to engage in privacy protection on social media, can leave individuals vulnerable to online exploitation (Choi and Lee, 2017). Therefore, possessing knowledge of cyber threats is crucial for developing the capability to effectively prevent such attacks (Moti et al. 2020). A strong understanding of cyber threats can empower individuals to adopt effective protective behaviors from phishing attacks and clickbaits, and ultimately achieve optimal levels of cybersecurity (Martens et al. 2019). In addition, Internet user with a higher level of cyber knowledge are more likely to recognize potential cyber threats and, consequently, engage in more effective cyber protection behaviors (Moti et al. 2020). This study hypothesizes that respondents with a higher level of cybersecurity knowledge (i.e., knowledge on threat domain) are more likely to engage in preventive measures (i.e., practicing online security management) against phishing attacks. Therefore, this study assumes that:
H5: Effective online security management is negatively related to instant messaging phishing susceptibility.
H6: Knowledge on threat domain is correlated positively with good online security management on instant messaging platforms.
Phishing messages characteristics
Message involvement
Message involvement represents how individuals perceive the information’s relevance within the context of their interests (Chen et al. 2020). It concerns the level of engagement and interest individuals feel toward the message, reflecting their subjective evaluation of how meaningful the content is to their specific concerns, preferences, or areas of interest. Messages depicted as highly-involved are those deemed more pertinent to individuals’ interests, while lower-involved messages are perceived as holding little personal relevance, evoking relatively lesser personal connections (Wang et al. 2012). Individuals are less likely to engage in information processing when they perceive information as less relevant to their needs, whereas highly-involved messages or information prompt deeper cognitive efforts (Wang et al. 2012).
Message involvement, as a systematic information cue (Franz and Croitor, 2021; Xiao et al. 2018), significantly impacts phishing susceptibility. Highly-involved messages incentivize individuals to devote higher cognitive effort to be confident in the thoroughness of their judgment and decision-making (Chaiken, 1980). Framed differently, a person will expend as much cognitive effort as is required to achieve adequate levels of confidence for messages with high involvement (Wang et al. 2012). Different levels of message involvement have varying effects on an Internet user’s susceptibility to phishing (Franz and Croitor, 2021). A higher level of message involvement, in particular, increases susceptibility to phishing victimization (Wang et al. 2012; Franz and Croitor, 2021), given that a higher level of message involvement is more likely to elicit a favorable response. Therefore,
H7: Phishing messages with a higher level of message involvement are positively related to instant messaging phishing susceptibility.
Persuasive cues
Persuasive cues are cues in a message that can influence one’s perception (Musuva et al. 2019), which encompasses layout, grammar, spelling, genre conformity, and message source (Luo et al. 2013; Vishwanath et al. 2011). Unlike argument quality, persuasive cues render instant communication without scrutinizing the message content (Musuva et al. 2019). Despite not triggering a solid inspection of the message content, these cues significantly affect recipients’ trust in the message (Musuva et al. 2019).
There is a significant relationship between persuasive cues and phishing susceptibility (Wright et al. 2020). Scholars have investigated the impact of various persuasive cues on phishing susceptibility (Grazioli, 2004; Workman, 2008; Vishwanath et al. 2011; Wang et al. 2012). Musuva et al. (2019) discovered that persuasive cues impact susceptibility to phishing victimization. People relying on cognitive shortcuts (i.e., heuristic cues) to evaluate phishing messages are likelier to fall victim to phishing attacks (Hanus et al. 2022). This is because specific cues embedded in deceptive messages can disrupt the systematic processing of their content, which could otherwise potentially reveal the deception in phishing messages. Hence,
H8: Phishing messages with persuasive cues are positively related to instant messaging phishing susceptibility.
Methodology
Participants and data collection
The target demographic for this study was Generation Z instant messaging users. According to recent reports, young Malaysians aged 18 to 29 have lower awareness and perceptions of cybercrime, making them easy targets for cybercrime attackers (Ghani and Ghazali, 2019; Hasan et al. 2020). Similarly, studies have found that young adults are more likely than elderly adults to fall victim to fraud (MCMC, 2023; Digi, 2023; Maxis, 2023). In 2023, more than 95% of Malaysian instant messaging users were between the ages of 18 and 34, with over 50% belonging to Generation Z (ages 18 to 24) (Start.io, 2024). In addition, phishing cyberthreats in Malaysia were carried out on instant messaging platforms, with WhatsApp being the most commonly used method for delivering phishing attacks (MCMC, 2023; Maxis, 2023; Digi, 2023).
People born in 1996 and later are categorized as Gen-Zers (Cilliers, 2017). According to Nagy (2017), Gen-Zers are people born between 1995 and 2012. Noble et al. (2009) define Gen-Zers as those born between 1995 and 2009. Considering the suggested age range for Gen-Zers, this study defined Gen-Zers as individuals born in 1995 or later.
The present study applied a non-probability purposive sampling technique for data collection. Purposive sampling allows for more reflective and situation-specific data (Lew et al. 2020). Participants were chosen based on their knowledge of cybercrime phishing victimization (Ghazi-Tehrani and Pontell, 2021), specifically having received phishing messages through instant messaging. As a result, purposive sampling in conjunction with pre-set screening criteria was deemed appropriate for the current study. Screening questions ensured that study participants met the following criteria:
(a) Malaysians born between 1995 and 2004;
(b) Have used mobile instant messaging for online communication;
(c) Have ever received phishing messages.
This study followed ethical guidelines and was approved by the university’s Research Ethics Committee. Respondents had to be at least 18 years old and fill out an informed consent form before participating in the survey. All participants were fully informed about the study’s purpose, and the survey ensured anonymity by not collecting respondents’ personal information. The respondents have been adequately informed of their other rights, including confidentiality, privacy, voluntary participation, and the right to withdraw from this study without explanation. Because Malaysian young adults actively use social media (MCMC, 2020), data was collected via an online survey using Google Forms and posted on social media, such as Facebook and WhatsApp.
Measures
The online survey was developed using various sub-scales (Table 2). Items from the knowledge of the threat domain scale developed by Musuva et al. (2019) were used to measure individual prior knowledge. Items from the risky cyber activities scale (social media: instant messaging, vocational, leisure activities) developed by Choi and Lee (2017) were used to measure risky cyber behavior. This study operationalized cyber-risky social media activity as cyber-risky instant messaging activities. Cybersecurity management was measured using the scales developed by Kabiri et al. (2020). The message involvement and persuasive cues scales were used to measure the phishing message characteristics. The message involvement and phishing susceptibility scales were from Chen et al.’s (2020) study. The message involvement scale was scored on a seven-point differential scale ranging from strongly disagree (1) to strongly agree (7). The persuasive cue scale was adopted from Musuva et al. (2019), ranging from not at all influence (1) to a very great extent influence (5).
An expert review assured the content validity of the survey. A pilot test (n = 54) performed before the main data collection affirmed that the reliability of all research constructs was above 0.70 (Hair et al. 2014).
Results
Descriptive analysis
Of the 386 responses collected, twenty-five were removed due to straight-lining (Hair et al. 2014). The results indicated that the skewness for all research construct indicators ranged between −0.912 and 1.031. The kurtosis for all indicators ranged from −1.024 to 0.293. Both skewness and kurtosis values fall within the normality criteria, that is, between −2 and +2 (skewness) and between −7 and +7 (kurtosis) (Hair et al. 2010). In addition, Harman’s single-factor test was performed to examine common method bias (CMB). The unrotated principal component factor analysis showed that a single factor accounted for 29.91% of the variance (less than 50%). Thus, CMB is not a concern in the current research framework (Podsakoff et al. 2003).
This study follows Kock’s (2015) recommendation to test the full collinearity. Variance inflation factor (VIF) values greater than 3.3 indicate potential collinearity problems (Kock, 2015). All the research constructs were regressed on a common variable. The VIF values for cyber-risky instant messaging activities (1.535), cyber-risky leisure activities (2.234), cyber-risky vocational activities (2.372), knowledge on threat domain (1.357), message involvement (1.833), online security management (1.442), persuasive cues (1.591), and phishing susceptibility (1.466) were all less than 3.3. Thus, although single-source bias may lead to common method variance, the results indicated that common method bias is not an issue for the current data set.
Demographic Profile
A total of 361 valid responses were used for the final analyses. Of those who responded, 29.6% were males (n = 107) and 70.4% were females (n = 254). The majority of participants (80.1%) were students. 96.1% of those surveyed have a tertiary education (diploma, bachelor’s degree, master’s degree, or doctorate). WhatsApp (n = 321), Facebook Messenger (n = 241), and Telegram (n = 159) were the top three instant messaging platforms chosen by respondents for online communication. 30.2% of respondents said they rarely received phishing messages. 5.8% of those surveyed said they received phishing messages more than once a week. One hundred sixty-eight people said they get phishing emails or messages once or twice a month. Sixty-three people said they had received phishing messages once or twice every two weeks.
Measurement model assessment
To determine convergent validity, the factor loading, composite reliability (CR), and average variance extracted (AVE) were all evaluated. The outer loading of PC1 (0.405) for measuring persuasive cues was found to be less than 0.50 (Chin, 1998); thus, it was removed. As shown in Table 3, the CR and AVE values of each research variable all meet the 0.7 and 0.5 thresholds (Hair et al. 2011).
The Fornell-Larcker criterion and the heterotrait-monotrait ratio of correlations (HTMT) are used to determine discriminant validity. Table 4 shows that the square roots of the AVEs (bold diagonal values) are greater than the correlations with other constructs, demonstrating discriminant validity (Fornell and Larcker, 1981). Furthermore, as shown in Table 5, the HTMT was used to assess the correlations between the research constructs. No pair of research constructs has an HTMT value greater than 0.85 (Henseler et al. 2015). As such, the Fornell-Larcker criterion and HTMT results provided sufficient evidence of discriminant validity for all variables and proved that the measurement items are reliable and valid.
Figure 2 indicates that six path relations have a t value ≥ 1.645, thus significant at a 0.05 significance level. The data analysis results affirmed hypotheses 2, 3, 4, 6, 7, and 8, as summarized in Table 5. The findings indicated that knowledge of the threat domain (β = −0.041; p = 0.225) does not significantly predict instant messaging phishing susceptibility. Thus, H1 was refuted. The findings indicated that engaging in cyber-risky instant messaging activities (β = 0.104; p = 0.034), cyber-risky leisure activities (β = 0.122; p = 0.020), and cyber-risky vocational activities (β = 0.115; p = 0.037) were positively related to the instant messaging phishing susceptibility. Thus, H2, H3, and H4 were supported. Effective online security management (β = −0.004; p = 0.470) does not significantly influence instant messaging phishing susceptibility. Thus, H5 was rejected. Knowledge of threat domain (β = 0.502; p = 0.042) significantly influenced online security management. Thus, H6 was supported. Phishing messages with a high level of message involvement (β = 0.248; p < 0.001) and persuasive cues (β = 0.130; p = 0.025) were positively related to the instant messaging phishing susceptibility. Thus, H7 and H8 were supported.
The research variables’ variance inflation factor (VIF) ranges from 1.000 to 2.353. All of the VIF values are less than 5 (Kock, 2015). The VIF result indicates that there is no multicollinearity between the exogenous variables (see Table 6). In sum, the model explains 31.8% of the variance in instant messaging phishing susceptibility and 25.2% of the variance in online security management. Figure 2 shows this study’s structural model.
PLS-predict
This study uses PLS-predict (Q²), with a ten-fold procedure and ten repetitions, to examine the predictive relevance of the current research framework. The Q² value of the latent variable (phishing susceptibility) is 0.285, greater than zero (Shmueli et al. 2019). Next, this study follows Shmueli et al.’s (2019) recommendation by assessing all item differences (PLS-LM). All of the PLS-LM items have lower RMSE values, indicating that this study’s framework has a strong predictive power (Shmueli et al. 2019). Table 7 presents the PLS-predict result.
Discussions
Phishers prowl the Internet, crafting fake messages that prey on people’s desires to entice them to reveal personal information (De Kimpe et al. 2018). To keep people from falling into phishing traps, it is critical to learn more about the types of Internet users who are more likely to become phishing targets or victims (De Kimpe et al. 2018). According to this study, engaging in risky cyber activities (instant messaging and vocational activities) increases the risk of instant messaging phishing victimization. This is consistent with previous research indicating that engaging in risky online activities may increase the likelihood of becoming a phishing target (Paek and Nalla, 2015; Reyns, 2015). As a result, sharing or posting personal information on instant messaging platforms is a significant predictor of becoming a phishing victim.
There is a statistically significant link between online leisure activity and phishing victimization. It is possible to conclude that downloading items such as music and movies from any website significantly affects instant messaging phishing susceptibility. This finding is consistent with the previous link between online leisure activities and cybercrime victimization (Choi and Lee, 2017; Kai et al. 2023). On the other hand, this observation contradicts other studies indicating a lack of association between online activities and phishing susceptibility (Akdemir and Lawless, 2020; Leukfeldt, 2014). A recent study discovered that engaging in risky leisure activities online significantly predicts offender behavior rather than victim behavior (Llinares and Moneva, 2019). As individuals devote more time to online leisure activities, their likelihood of criminal activity victimization decreases (Llinares and Moneva, 2019).
Users’ security and online safety platforms (online security management) were found to have no significant relationship with phishing susceptibility. This finding corroborates previous research that found guardianship measures do not predict cybercrime victimization (Choi et al. 2019), particularly phishing victimization risk (Leukfeldt, 2014). When “a motivated offender,” “a suitable target,” and “the absence of a capable guardian” all come together, crime occurs (Leukfeldt and Yar, 2016). According to Choi et al. (2019), “cybercrime victimization is a relatively new form of victimization that presents unique and different situations than offline crime victimization” (Aizenkot, 2021; Choi et al. 2019). Cybercrime can occur when the above criteria are present asynchronously through the online network; in other words, cybercrime can occur when one of the criteria is met (Choi et al. 2019). The findings of this study imply that criminals (offenders) are always consistent and that anyone (targeted victim) may be a victim of cybercrime without the protection of a digitally capable guardian (Choi et al. 2019).
The current finding suggests that knowledge of the phishing domain is a significant predictor of effective online security management behavior among individuals using instant messaging platforms. Counterintuitively, this knowledge did not appear to correlate with a reduced susceptibility to phishing attacks. Individuals’ prior knowledge, such as threat domain knowledge, does not predict phishing susceptibility significantly. This finding contravenes previous research indicating that threat domain knowledge (Butler and Butler, 2018) significantly affects phishing victimization risk. Internet users may be unable to detect phishing attacks due to a lack of awareness and phishing knowledge (Butler and Butler, 2018) and a lack of ability to gain phishing-related knowledge (Sun et al. 2016). This study demonstrates that having relevant phishing knowledge does not affect instant messaging phishing susceptibility. One plausible explanation can be attributed to the advent of more advanced and sophisticated phishing techniques. Phishing methods are constantly evolving, particularly those that use psychological techniques to assess the honesty of individuals on instant messaging platforms, making these phishing forms challenging to detect (Prasad and Rohokale, 2020). Scholars observed that people’s judgments about phishing attacks are not always entirely rational (Metzger and Suh, 2017; Lei et al. 2022). Even if individuals possess pertinent information, it will not directly impact their final decision-making (Ge et al. 2021).
This study’s finding underscores the significance of phishing domain awareness in enabling individuals to effectively manage their online security on instant messaging platforms. This includes the ability to swiftly block or restrict unwanted contacts, report harmful content, and adjust privacy settings to mitigate the risks associated with phishing attacks. Our findings align with previous research by Kennison and Chan-Tin (2020), which demonstrated that possessing cybersecurity knowledge can influence Internet users’ behavior and enhance their grasp of fundamental cybersecurity principles. Similarly, existing studies have shown that knowledge of threat domains can empower Internet users to adopt proactive protection measures, such as controlling privacy settings (Ahamed et al. 2024).
It was discovered that message involvement (systematic processing cues) and persuasive cues (heuristic processing cues) influence phishing victimization risk. Previous research has shown that message involvement (Franz and Croitor, 2021) and persuasive cues (Vishwanath et al. 2011; Wang et al. 2012) play essential roles in predicting phishing susceptibility. This could imply that a variety of persuasive cues, such as resemblance to other official websites or emails, as well as urgency, can effectively persuade and convince people to believe the phishing message (Luo et al. 2013; Musuva et al. 2019; Vishwanath et al. 2011). As a result, the risk of being a victim of instant messaging phishing increases. Furthermore, a phishing message with a high message involvement increases the risk of instant messaging phishing victimization. An inference could be drawn: when Internet users are drawn to the contents of the messages, they are more likely to pay attention to the phishing message or information (Chen et al. 2020), making them more vulnerable to phishing traps.
Theoretical and practical implications
This study offers an integrative, holistic, and comprehensive understanding of instant messaging phishing victimization vulnerability. Our findings clarify how people deal with phishing messages while identifying potential risk factors influencing Gen-Zers’ susceptibility to phishing. Despite the importance of phishing awareness and prevention, many Internet users lack knowledge of processing information concerning phishing threats (Alseadoon et al. 2014; Kritzinger and von Solms, 2010). This study investigates whether the role of information processing in phishing detection influences phishing susceptibility to instant messaging phishing victimization, thereby empowering Internet users to detect and avoid phishing attacks.
One implication, derived from our data and synthesized with the Heuristic-Systematic Model (HSM) (Wall and Warkentin, 2019), is that users frequently rely on and only focus on heuristics when evaluating and handling messages. Users may not carefully and methodically evaluate the message contents, warranting more research be conducted to investigate the theoretical foundation in order to systematically clarify how individuals process phishing communication (Musuva et al. 2019; Wang et al. 2012). Using the HSM, this empirical study investigates how people process phishing information or communication, which leads to them falling into phishing traps. This study focuses on Gen-Zers’ information/message processing, which includes the message involvement factors of systematic information processing (Luo et al. 2013). Furthermore, our study posits that persuasive cues are a heuristic information processing factor (Chen et al. 2020; Musuva et al. 2019).
According to researchers, when people are deeply involved with a suspicious message, they are more likely to devote more resources to the message and take the necessary actions (Chen et al. 2020). In this case, the deception is more difficult to detect because the cues are more difficult to identify, exposing Internet users to a higher risk of phishing victimization (Chen et al. 2020). Phishing susceptibility is increased by highly involved phishing messages with persuasive cues such as account suspension notifications, financial reward prospects, and the resemblance of legitimate emails or websites. As a result, this study advocates for more education and training for Internet users to assess messages’ authenticity more effectively. Relevant agencies responsible for combating cybercrime may regularly review the cues of phishing and genuine messages and then expose these tactics through phishing awareness campaigns to improve users’ responses to suspicious messages.
In contrast to physical (offline) activities, cyber activities, regardless of usage capacity, have the potential to influence Internet users (Choi and Lee, 2017). In the United States, the Cyber-Routine Activities Theory (Cyber-RAT) has been used to predict cybercrime (cyberbullying) behavior, whether motivated offender or victimization behavior (Choi, 2008; Choi and Lee, 2017; Choi et al. 2019). The current study validates the use of Cyber-RAT as a theoretical model for examining instant messaging phishing susceptibility. In line with empirical studies that show that exposure to motivated offenders increases the likelihood of cybercrime phishing victimization (Graham and Triplett, 2016; Leukfeldt, 2014; Ngo et al. 2020), the findings of this study imply that users’ daily online social activities (participating in leisure activities, vocational activities and instant messaging activities) predict the instant messaging phishing susceptibility. This work demonstrates that risk-taking behavior, such as clicking on phishing links or infected files (vocational activities), is a root cause of successful phishing attacks (Abdelhamid, 2020; Williams and Polage, 2018), contributing to higher phishing victimization risks (Abroshan et al. 2021).
Furthermore, this study discovered that Gen Z Internet users will indulge in illicit downloads of movies, music, and other material if they are unaware of negative consequences from the unlawfully downloaded product, making them more susceptible to instant message phishing. This is because users’ personal information may be captured when they download free movies, games, music, or other stuff from any website. As a consequence, one’s probability of being a phishing victim increases because the phishers have obtained their personal information. These observations inform policymakers and regulatory bodies in Malaysia, such as the Malaysian Communications and Multimedia Commission (MCMC) and Cybersecurity Malaysia, which are in charge of combating cybercrime (MCMC, 2024; Mohd and Mohd, 2021). Agencies may use the findings of this study to develop anti-phishing programs and awareness campaigns to help Internet users avoid being victimized by phishers.
This study focuses on Malaysian Gen-Zers because they are more vulnerable to cybercrime attacks (Mohd et al. 2016; Lalitha et al. 2017). According to the official report of the Federation of Malaysian Consumers Associations (FOMCA), the young Malaysian generation is becoming more involved in the digital economy by engaging in online activities and digital financial services (Raj, 2021). Consumers exposed to these online activities will face numerous risks, including spamming and phishing (Raj, 2021). As a result, it is critical to investigate youth behaviors within this research domain, including their daily online social activities (i.e., online posting, online vocational activities, and online leisure activities). Gen-Zers are Malaysia’s future workforce (Lalitha et al. 2017); therefore, they must be equipped with cybersecurity knowledge (Verkijika, 2019) to protect them from financial losses due to phishing. Research on the risk of instant messaging phishing victimization can help organizations guide employees to avoid phishing traps that cause financial losses.
Finally, the current study found that knowledge of the threat domain from the Theory of Deception (TOD) did not statistically predict the instant messaging phishing susceptibility. Despite insignificant findings, phishing-related knowledge and the ability to gain anti-phishing knowledge were undeniably essential factors in predicting phishing susceptibility. This is due to the extensive use of TOD in phishing victimization risk research (Chen et al. 2020; Musuva et al. 2019; Wright et al. 2009; Vishwanath et al. 2011). Furthermore, knowledge is vital in avoiding phishing victimization (Butler and Butler, 2018; Sun et al. 2016; Vishwanath et al. 2011). TOD emphasizes that people will use their prior knowledge to interpret the suspicious message and decide whether to respond (Chen et al. 2020). Prior experiences (i.e., knowledge) significantly impact how people react to phishing attacks (Chen et al. 2020; House and Raja, 2019). On the other hand, evidence suggests that less experienced Internet users cannot interpret and deal with unfamiliar or novel phishing attacks (Ebot, 2018). Without denying that TOD was the grounded theory capable of explaining phishing victimization risk, the findings of this study add to the body of knowledge in this field by indicating that this study’s respondents may have had less prior phishing victimization experience. As a result, the antecedents of TOD (knowledge of phishing domain) did not significantly predict Gen-Zers’ susceptibility to phishing.
This study discovered that respondents who have knowledge of cybersecurity (i.e., phishing domain knowledge) engage in more sophisticated protection activities (practicing a digital capable guardianship attitude, that is, online security management that includes profile controls and user controls, which allow users to control the accessibility of their online profile to only a specific individual or party). Although knowledge of the phishing domain has no direct effect on phishing susceptibility, we suggest that respondent cyber knowledge may explain this gap by allowing Gen-Zers to strengthen their protection mechanisms. This study suggests that tertiary education could empower Gen-Zers by encouraging critical thinking. Younger social media users should be encouraged to use critical thinking skills to assess the reliability of content and identify potential phishing attempts. Furthermore, universities might promote a security culture by encouraging students to be vigilant about online security and to share best practices with their social networks. Government organizations may conduct education and awareness efforts to help instant messaging users comprehend and apply security settings to their instant messaging accounts, such as two-factor authentication and privacy controls.
Limitations and suggestions for future research
Some limitations and avenues for further studies are discussed in this section. This study focuses on individuals susceptible to phishing victimization, that is, instant messaging phishing victimization. However, this study’s findings may not generalize to other domains, such as phishing conducted on other online platforms. Future studies can conduct a longitudinal study, such as in-depth interviews, to add additional insights into understanding how individuals react to phishing content and how to minimize the phishing victimization risk. Additionally, further work can include other potential predictors of phishing susceptibility, including behavioral comprehensiveness (Hong and Furnell, 2021). For instance, studies can assess whether precautionary measures taken by Internet users, such as refraining from downloading unknown files, can avert phishing victimization risks. This study is scoped to Gen-Zers; hence, comparative studies may extend this model for examining Internet users’ risk of phishing victimization to other generational cohorts.
Future research could extend this framework by examining whether the characteristics of phishing messages moderate the susceptibility of different target groups to phishing attacks. For example, existing empirical studies (Luo et al. 2013) have identified the psychological mechanism of need for cognition as a potential moderator in the relationship between phishing message cues and susceptibility. Additionally, recent research (Franz and Croitor, 2021) has demonstrated that social networking site use can influence users’ processing of heuristic and systematic cues, exacerbating their susceptibility to decision-making errors and making them more vulnerable to phishing attacks.
Data availability
The datasets are not publicly available due to obligations under the Malaysia Personal Data Protection Act 2010, and are available on reasonable request.
References
Abdelhamid M (2020) The role of health concerns in phishing susceptibility: survey design study. J Med Internet Res 22(5):1–10
Abroshan H, Devos J, Poels G, Laermans E (2021) Phishing happens beyond technology: the effects of human behaviors and demographics on each step of a phishing process. IEEE: Multidiscip Open Access J 9:44928–44949
Abu-Ulbeh W, Altalhi M, Abualigah L, Almazroi AA, Sumari P, Gandomi AH (2021) Cyberstalking victimization model using criminological theory: a systematic literature review, taxonomies, applications, tools, and validations. Electronics 10(1670):1–45
Adamu AG, Maheyzah S, Siti H, Ibrahim BD (2020) Cyber security awareness among university students: a case study. Int J Sci Adv Res Technol 29(10S):767–776
Ahamed B, Polas MR, Kabir AI, Sohel-Uz-Zaman AS, Fahad AA, Chowdhury S, Dey MR (2024) Empowering Students for Cybersecurity Awareness Management in the Emerging Digital Era: The Role of Cybersecurity Attitude in the 4.0 Industrial Revolution Era. SAGE Open 14(1):1–14
Ahmad R, Terzis S, Renaud K (2023) Investigating Mobile Instant Messaging Phishing: A Study into User Awareness and Preventive Measures. 14045, pp. International Conference on Human-Computer Interaction. Springer, Cham
Aiman A (2020) Scammers even more active during this MCO period. Retrieved from Free Malaysia Today: https://www.freemalaysiatoday.com/category/nation/2020/04/07/scammers-even-more-active-during-this-mco-period/
Aizenkot D (2021) The predictability of routine activity theory for cyberbullying victimization among children and youth: risk and protective factors. J Interpers Violence 37(13-14):1–26
Akdemir N, Lawless CL (2020) Exploring the human factor in cyber-enabled and cyber-dependent crime victimisation: a lifestyle routine activities approach. Internet Res 30(6):1665–1687
Algarni A (2019) What message characteristics make social engineering successful on Facebook: The role of central route, peripheral route, and perceived risk. Information 10(6):1–31
Alseadoon I, Othman MF, Chan T (2014) What is the influence of users’ characteristics on their ability to detect phishing emails? Adv Comput Commun Eng Technol 315:949–962
Arachchilage NA, Love S (2014) Security awareness of computer users: A phishing threat avoidance perspective. Comput Hum Behav 38:304–312
Asfoor A, Rahim FA, Yussof S (2018) Factors Influencing Information Security Awareness of Phishing Attacks from Bank Customers’ Perspective: A Preliminary Investigation. Recent Trends in Data Science and Soft Computing, 641–654
Back S (2016) Empirical Assessment of Cyber Harassment Victimization via Cyber-Routine Activities Theory. Master’s Theses and Projects
Bernama (2019) Student loses RM19,000 to investment scam via WhatsApp. Malaysia: Free Malaysia Today. Retrieved July 18, 2021, from https://www.freemalaysiatoday.com/category/nation/2019/06/17/student-loses-rm19000-after-investment-scam-via-whatsapp/
Bernama B (2022) Painter, student fall prey to online job scam. Retrieved from New Straits Times: https://www.nst.com.my/news/crime-courts/2022/05/795871/painter-student-fall-prey-online-job-scam
Butler R, Butler M (2018) Assessing the information quality of phishing-related content on financial institutions’ websites. InfoSec 26(5):514–532
Central Bank of Malaysia (2017) Fraud and Scam Notice. Retrieved from Central Bank of Negara Malaysia: https://www.bnm.gov.my/fraud-and-scam-notices
Chaiken S (1980) Heuristic versus systematic information processing and the use of source versus message cues in persuasion. J Pers Soc Psychol 39(5):752–766
Chen R, Gaia J, Rao HR (2020) An examination of the effect of recent phishing encounters on phishing susceptibility. Decis Support Syst 133:1–14
Chen S, Chaiken S (1999) The heuristic-systematic model in its broader context. Guilford Press
Chin WW (1998) The partial least squares approach to structural equation modeling. Erlbaum, Mahwah, NJ, USA
Choi K (2015) Cybercriminology and digital investigation. LFB Scholarly, El Paso
Choi KS (2008) Computer crime victimization and integrated theory: an empirical assessment. Int J Cyber Criminol 2(1):308–333
Choi KS, Lee JR (2017) Theoretical analysis of cyber-interpersonal violence victimization and offending using cyber-routine activities theory. Comput Hum Behav 73:394–402
Choi KS, Cho SJ, Lee JR (2019) Impacts of online risky behaviors and cybersecurity management on cyberbullying and traditional bullying victimization among Korean youth: Application of cyber-routine activities theory with latent class analysis. Comput Hum Behav 100:1–10
Cilliers EJ (2017) The challenge of teaching Generation Z. PEOPLE. Int J Soc Sci 3:188–198
Cohen LE, Felson M (1979) Social change and crime rate trends: A routine activities approach. Am Socio Rev 44(4):588–608
Diaz A, Sherman AT, Joshi A (2019) Phishing in an academic community: a study of user susceptibility and behavior. Cryptologia 44(1):1–15
Digi (2023) Fake 6-Digit Verification Codes Scam on WhatsApp. Retrieved from Digi: https://help.digi.com.my/en/support/solutions/articles/70000592043-fake-6-digit-verification-codes-scam-on-whatsapp
Downs JS, Holbrook MB, Cranor LF (2006) Decision strategies and susceptibility to phishing. Symposium on Usable privacy and security (pp. 79-90). Carnegie Mellon University in Pittsburgh, PA: Association for Computing Machinery
Ebot AT (2018) How stage theorizing can improve recommendations against phishing attacks. Inf Technol People 32(4):828–857
Farkhondeh H, Harminder S, Jocelyn W (2020) The role of contextualization in users’ vulnerability to phishing attempts. Australas J Inf Syst 24:1–32
Felson M (2006) Crime and Nature. Sage, Thousand Oaks, CA
Fornell C, Larcker DF (1981) Evaluating structural equation models with unobservable variables and measurement error. J Mark Res 18(1):39–50
Frank-Chou Y, Abbott Chen PS, Vincent Cheng LL (2021) Mindless response or mindful interpretation: examining the effect of message influence on phishing susceptibility. Sust 13(1651):1–25
Franz A, Croitor E (2021) Who bites the hook? Investigating employees’ susceptibility to phishing: a randomized field experiment. European Conference of Information System
Frauenstein ED, Flowerday S (2020) Susceptibility to phishing on social network sites: A personality information processing model. Comput Secur 94:101862
Frauenstein ED, Flowerday S, Mishi S, Warkentin M (2023) Unraveling the behavioral influence of social media on phishing susceptibility: A Personality-Habit-Information Processing model. Inf Manag 60(7):1–28
Ge Y, Lu L, Cui CY, Chen Z, Qu WN (2021) How personal characteristics impact phishing susceptibility: The mediating role of mail processing. Appl Erg 97:1–14
Ghani NM, Ghazali S (2019) The vulnerability of young women to cybercrime: a case study in Penang. ICH 2019 International Conference on Humanities. 89, pp. 443-455. European Publisher
Ghazi-Tehrani AK, Pontell HN (2021) Phishing evolves: analyzing the enduring cybercrime. Vict Offender 16(3):316–342
Goede MS, Weijer VD, Leukfeldt R (2023) Explaining cybercrime victimization using a longitudinal population-based survey experiment. Are personal characteristics, online routine activities, and actual self-protective online behavior related to future cybercrime victimization? J Crime Justice 47(4):472–491
Goel D, Jain AK (2018) Mobile phishing attacks and defence mechanisms: State of art and open research challenges. Comput Secur 73:519–544
Goh E (2022) M’sian student loses RM5.5k to scammers disguised as digital marketing agency offering her a job. Retrieved from World of Buzz: https://worldofbuzz.com/msian-student-loses-rm5-5k-to-scammers-disguised-as-digital-marketing-agency-offering-her-a-job/
Graham R, Triplett R (2016) Capable guardians in the digital environment: the role of digital. Deviant Behav 38(12):1371–1382
Grazioli S (2004) Where did they go wrong? An analysis of the failure of knowledgeable internet consumers to detect deception over the internet. Group Decis Negot 13(2):107–210
Guedes I, Martins M, Cardoso CS (2022) Exploring the determinants of victimization and fear of online identity theft: an empirical study. Secur J 21:1–26
Hair JF, Ringle CM, Sarstedt M (2011) PLS-SEM: Indeed a silver bullet. J Mark Theory Pr 19(2):139–152
Hair JJ, Black W, Babin B, Anderson R (2010) Multivariate data analysis: a global perspective (7 ed.). NJ: Prentice Hall
Hair JJ, Hufit GM, Ringle CM, Sarstedt M (2014) A Primer on Partial Least Squares Structural Equation Modelling (PLS-SEM). United Kingdom: SAGE Publications, Inc
Hanus B, Wu YA, Parrish J (2022) Phish me, phish me not. J Comput Inf Syst 62(3):516–526
Harrison B, Vishwanath A, Rao R (2016) A user-centered approach to phishing susceptibility: The role of a suspicious personality in protecting against phishing. 49th Hawaii International Conference on System Sciences (HICSS), (pp. 5628–5634). Hawaii
Hasan MS, Rahman RA, Abdillah SF, Omar N (2020) Perception and awareness of young internet users towards cybercrime: evidence from Malaysia. J Soc Sci 11(4):395–404
Henseler J, Ringle CM, Sarstedt M (2015) A new criterion for assessing discriminant validity in variance-based structural equation modeling. J Acad Mark Sci 43:115–135
Hindelang MJ, Gottfredson MR, Garofalo J (1978) Victims of personal crime: An empirical foundation for a theory of personal victimization. Cambridge, MA
Holt TJ, Bossler AM (2009) Examining the applicability of lifestyle-routine activities theory for cybercrime victimization. Deviant Behav 30(1):1–25
Hong Y, Furnell S (2021) Understanding cybersecurity behavioral habits: Insights from situational support. J Inf Secur Appl 57:1–9
House D, Raja MK (2019) Phishing: message appraisal and the exploration of fear and self-confidence. Behav Inf Technol 39(11):1–21
Hsieh ML, Wang KSY (2018) Routine activities in a virtual space: A Taiwanese case of an ATM hacking spree. Int J Cyber Criminol 12(1):333–352
Hutchings A, Hayes H (2009) Routine activity theory and phishing victimisation: who gets caught in the “Net”? Curr Issues Crim Justice 20(3):433–452
Jansen J, Leukfeldt R (2016) Phishing and malware attacks on online banking customers in the Netherlands: A qualitative analysis of factors leading to victimization. Int J Cyber Criminol 10(1):79–91
Johnson PE, Grazioli S, Jamal K, Zualkernan IA (1992) Success and failure in expert reasoning. Organ Behav Hum Decis Process 53(2):173–203
Johnson PE, Grazioli S, Jamal K, Berryman RG (2001) Detecting deception: Adversarial problem solving in a low base-rate world. Cogn Sci 25(3):355–392
Kabiri S, Choi JY, Shadmanfaat SM, Lee J (2020) Cyberstalking victimization: an empirical assessment of RAT among female Iranian College Students. J Interpers Violence 37(9-10):1–27
Kai L, Wu Y, Sun IY (2023) Telecommunication and cyber fraud victimization among Chinese college students: An application of routine activity theory. Criminol Crim Justice 1–19
Kaur D (2024) Malaysia faces cyberthreat surge: phishing dominates, ransomware doubles. Retrieved from Tech Wire Asia: https://techwireasia.com/2023/12/what-is-behind-the-worsening-state-of-cybersecurity-in-malaysia/
Kennison SM, Chan-Tin E (2020) Taking risks with cybersecurity: Using knowledge and personal characteristics to predict self-reported cybersecurity behaviors. Front Psychol 11:1–9
De Kimpe L, Walrave M, Hardyns W, Pauwels L, Ponnet K (2018) You’ve got Mail! Explaining individual differences in becoming a phishing target. Telemat Inf 35(5):1277–1287
Kock N (2015) Common method bias in PLS-SEM: A full collinearity assessment approach. Int J E-Collab 11(4):1–10
Kritzinger E, von Solms SH (2010) Cyber security for home users: a new way of protection through awareness enforcement. Comput Secur 29(8):840–847
Kuss DJ, Griffiths MD (2011) Online social networking and addiction: a review of the psychological literature. Int J Environ Res Public Health 8(9):3528–3552
Kwak YS, Lee SY, Damiano A, Vishwanath A (2020) Why do users not report spear phishing emails? Telemat Inf 48:1–11
Lalitha M, Balakrishnan M, Zarina S (2017) Cyber security behaviour among higher education students in Malaysia. J Inf Assur Cyber secu, 1–13
Lastdrager EE (2014) Achieving a consensual definition of phishing based on a systematic review of the literature. Crime Sci 3(1):1–10
Leanna I (2020) Predicting online target hardening behaviors: an extension of routine activity theory for privacy-enhancing technologies and techniques. Deviant Behav 42(12):1–18
Lee H, Choi K (2021) Interrelationship between Bitcoin, ransomware, and terrorist activities: criminal opportunity assessment via cyber-routine activities theoretical framework. Vict Offenders 16(3):363–384
Lei W, Hu S, Hsu C (2022) Unveiling The process of phishing precautions taking: the moderating role of optimism bias. Comput Secur 29:1–25
Leon S (2018) Service mobile apps: a millennial generation perspective. Ind Manag Data Syst 118(9):1837–1860
Leukfeldt ER (2014) Phishing for suitable targets in The Netherlands: Routine activity theory and phishing victimization. Cyberpsychol Behav Soc Netw 17(8):551–555
Leukfeldt ER, Yar M (2016) Applying routine activity theory to cybercrime: a theoretical and empirical analysis. Deviant Behav 37(3):263–280
Lew S, Tan GW, Loh XM, Hew JJ, Ooi KB (2020) The disruptive mobile wallet in the hospitality industry: An extended mobile technology acceptance model. Technol Soc 63:1–10
Llinares FM, Moneva A (2019) What about cyberspace (and cybercrime alongside it)? A reply to Farrell and Birks "Did cybercrime cause the crime drop?". Crime Sci 8(12):1–5
Luo C, Luo X, Chatzberg L, Sia C (2013) Impact of informational factors on online recommendation credibility: The moderating role of source credibility. Decis Support Syst 56:92–102
Manoharan S, Katuk N, Hassan S, Ahmad R (2022) To click or not to click the link: the factors influencing internet banking users’ intention in responding to phishing emails. Inf Comput Secur 30(1):37–62
Martens M, De Wolf R, De Marez L (2019) Investigating and comparing the predictors of the intention towards taking security measures against malware, scams and cybercrime in general. Comput Hum Behav 92:139–150
Marzbali MH, Abdullah A, Javad M (2020) Surveillance and guardianship attitudes: Role of multiple mediators. J Malays Inst Plan 18(2):82–103
Maxis (2023) Browsing Maxis Safely. Retrieved from Maxis: https://www.maxis.com.my/en/bewareofscams/
McCormac A, Zwaans T, Parsons K, Calic D, Butavicius M, Pattinson M (2017) Individual differences and information security awareness. Comput Hum Behav 69:151–156
MCMC (2020) Internet Users Survey 2020. Retrieved from Malaysian Communications and Multimedia Commission: https://www.mcmc.gov.my/skmmgovmy/media/General/pdf/IUS-2020-Report.pdf
MCMC (2023) Malaysian Communications and Multimedia Commission. Retrieved from Internet Users Survey 2022: https://mcmc.gov.my/skmmgovmy/media/General/IUS-2022.pdf
MCMC (2024) Phishing Attack. Retrieved from Malaysian Communications and Multimedia Commission: https://www.mcmc.gov.my/en/faqs/phishing-attack/1-what-is-phishing
Metzger MJ, Suh JJ (2017) Comparative optimism about privacy risks on Facebook. J Commun 67(2):203–232
Milani R, Caneppele S, Burkhardt C (2020) Exposure to cyber victimization: results from a Swiss Survey. Deviant Behav 43(2):1–14
Mohd NF, Mohd MA (2021) Phishing as cyber fraud: the implications and governance. Hong Kong J Soc Sci 57:120–133
Mohd S, Senadjki A, Rahim SR, Nathan TM, Lee CY, Wahab MA (2016) Cybercrime Among Malaysian Youth. Behind the Scenes: The Ugly and Bad Side of Modern Technology on Youth. Retrieved from https://www.researchgate.net/publication/334824052_Cybercrime_among_Malaysian_Youth
Moti Z, Galit K, Dušan Lesjak ŁW, Fatih C, Hamdullah NB (2020) Cyber security awareness, knowledge and behavior: a comparative study. J Comput Inf Syst 62(1):82–97
Musuva PM, Getao KW, Chepken CK (2019) A new approach to modelling the effects of cognitive processing and threat detection on phishing susceptibility. Comput Hum Behav 94:154–175
MyCERT (2021) Incident Statistics. Retrieved from MyCERT, Malaysia Computer Emergency Response Team: https://www.mycert.org.my/portal/statistics-content?menu=b75e037d-6ee3-4d11-8169-66677d694932&id=477c37dd-ba64-4dd2-87ad-ff0bfc1d8bf2
Naci A, Christopher JL (2020) Exploring the human factor in cyber-enabled and cyber-dependent crime victimisation: a lifestyle routine activities approach. Internet Res 30(6):1665–1687
Nagy S (2017) The impact of country of origin in mobile phone choice of Generation Y and Z. J Manag Train Ind 4(2):17–29
Ngo FT, Paternoster R (2011) Cybercrime victimization: an examination of individual and situational level factors. Int J Cyber Criminol 5(1):773–793
Ngo FT, Piquero AR, LaPrade J, Duong B (2020) Victimization in cyberspace: is it how long we spend online, what we do online, or what we post online? Crim Justice Rev 45(4):1–22
Noble SM, Haytko DL, Phillips J (2009) What drives college-age Generation Y consumers? J Bus Res 62:617–628
Olivia Tan SL, Rossanne GV, Nasreen K, Shereen K (2020) Cybersecurity and privacy impact on older persons amid COVID-19: A socio-legal study in Malaysia. J Res Soc Educ 2(2):72–76
Paek SY, Nalla MK (2015) The relationship between receiving phishing attempt and identity theft victimization in South Korea. Int J Law Crime Just 43(4):626–642
Parsons K, Butavicius M, Delfabbro P, Lillie M (2019) Predicting susceptibility to social influence in phishing emails. Int J Hum Comput Stud 128:17–26
Pascal (2024) Spimming Cyber Security. Retrieved from https://eggheads.ai/spimming-cyber-security/
Podsakoff PM, MacKenzie SB, Lee JY (2003) Common method biases in behavioral research: a critical review of the literature and recommended remedies. J Appl Psychol 88(5):879–903
Prasad R, Rohokale V (2020) Cyber Security: The Lifeline of Information and Communication Technology. Switzerland: Springer International Publishing
Pratt TC, Holtfreter K, Reisig MD (2010) Routine online activities and internet fraud targeting: extending the generality of routine activity theory. J Res Crime Delinq 47(3):267–297
Rahman HI (2018) Political messages processing of presidential candidate through heuristic and systematic model in the 2014 Presidential election in Indonesia. Int J Sci Res 7(7):1167–1175
Raj PS (2021) Critical Need for Digital Financial Literacy. Retrieved from Federation of Malaysian Consumers Associations: https://www.fomca.org.my/v1/index.php/fomca-di-pentas-media/fomca-di-pentas-media-2021-21/1460-critical-need-for-digital-financial-literacy
Reynald D (2010) Guardians on Guardianship: Factors affecting the willingness to supervise, the ability to detect potential offenders, and the willingness to intervene. J Res Crime 47(3):358–390
Reyns BW (2015) A routine activity perspective on online victimisation: Results from the Canadian General Social Survey. J Financ Crime 22:396–411
Reyns BW, Henson B (2015) The thief with a thousand faces and the victim with none: identifying determinants for online identity theft victimization with routine activity theory. Int J Offender Ther Comp Criminol 60(10):1–20
Ribeiro LL, Guedes IS, Cardoso CS (2024) Which factors predict susceptibility to phishing? An empirical study. Comput Secur 136:1–12
Rizzoni F, Magalini S, Casaroli A, Mari P, Dixon M, Coventry L (2022) Phishing simulation exercise in a large hospital: A case study. Digit Health 8:1–13
Sarker O, Jayatilaka A, Haggag S, Liu C, Babar MA (2024) A Multi-vocal Literature Review on challenges and critical success factors of phishing education, training and awareness. J Syst Softw 208:1–25
Saudi MM, Ismail S, Tamil EM, Mohd YI (2007) Phishing: Challenges and issues in Malaysia. Int J Learn 14(8):79–88
Schafeitel-Tähtinen T, Koskinen J, Helenius M (2024) Measuring cybersecurity teaching: case University students in Finland. Int J Learn Teach 10(4):481–490
Shang Y, Wang K, Tian Y, Zhou Y, Ma B, Liu S (2023) Theoretical basis and occurrence of internet fraud victimisation: Based on two systems in decision-making and reasoning. Front Psychol 14:1–14
Shmueli G, Sarstedt M, Hair JF, Cheah J-H, Ting H, Vaithilingam S, Ringle CM (2019) Predictive model assessment in PLS-SEM: guidelines for using PLSpredict. Eur J Mark 53(11):2322–2347
Singh MM, Frank R, Zainon WM (2021) Cyber-criminology defense in pervasive environment: A study of cybercrimes in Malaysia. Bull Electr Eng Inf 10(3):1658–1668
Singh K (2013) Big dip in phishing attacks in Malaysia, but …. Retrieved from Digital News Asia: https://www.digitalnewsasia.com/security/big-dip-in-phishing-attacks-in-malaysia-but
Singh S (2021) Fresh graduate conned of almost RM139,000 in online scam. Retrieved from The Star: https://www.thestar.com.my/news/nation/2021/07/30/fresh-graduate-conned-of-almost-rm139000-in-online-scam
Smith T, Stamatakis N (2021) Cyber-victimization trends in Trinidad & Tobago: The results of an empirical research. Int J Cybersecur Intell Cybercrime 4(1):46–63
Sommestad T, Karlzén H (2019) A meta-analysis of field experiments on phishing susceptibility. APWG Symposium on Electronic Crime Research (eCrime). Pittsburgh, PA, USA
Start.io (2024) Messaging App Users in Malaysia. Retrieved from Start.io: https://www.start.io/audience/messaging-app-users-in-malaysia
Statista (2019) Statista. Retrieved from Number of cyber threat incidents reported to CyberSecurity Malaysia 2018 by type: https://www.statista.com/statistics/1043272/malaysia-cyber-crime-incidents/
Sturman D, Valenzuela C, Plate O, Tanvir T, Auton JC, Bayl-Smith P, Wiggins MW (2023) The role of cue utilization in the detection of phishing emails. Appl Erg 106:1–13
Suganya V (2016) A review on phishing attacks and various anti phishing techniques. Int J Comput Appl 139(1):20–23
Sun JC, Yu SJ, Lin SS, Tseng SS (2016) The mediating effect of anti-phishing self-efficacy between college students’ internet self-efficacy and anti-phishing behavior and gender difference. Comput Hum Behav 59:249–257
Tan B (2023) Scams on the rise in Malaysia: Survey finds phone calls most popular route, followed by WhatsApp. Retrieved from MalayMail: https://www.malaymail.com/news/malaysia/2023/12/19/scams-on-the-rise-in-malaysia-survey-finds-phone-calls-most-popular-route-followed-by-whatsapp/108274
Valecha R, Chen R, Herath T, Vishwanath A, Wang J, Rao HR (2015) An exploration of phishing information sharing: A heuristic-systematic approach. 2015 IEEE 9th International Symposium on Intelligent Signal Processing (WISP). Fort Worth
Verkijika SF (2019) “If you know what to do, will you take action to avoid mobile phishing attacks”: Self-efficacy, anticipated regret, and gender. Comput Hum Behav 101:286–296
Vishwanath A, Harrison B, Ng YJ (2018) Suspicion, cognition, and automaticity model of phishing susceptibility. Commun Res 45(8):1146–1166
Vishwanath A, Herath T, Chen R, Wang J, Rao R (2011) Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decis Support Syst 51(3):576–586
Wall JD, Warkentin M (2019) Perceived argument quality’s effect on threat and coping appraisals in fear appeals: An experiment and exploration of realism check heuristics. Inf Manag 56(8):1–13
Wang JG, Herath T, Chen R, Vishwanath A, Rao HR (2012) Phishing susceptibility: an investigation into the processing of a targeted spear phishing email. IEEE Trans Professio Commun 55(4):345–362
Watson J, Webster RT (2002) Analyzing the past to prepare for the future: writing a literature review. MIS Q 26(2):xiii–xxiii
Wei YH (2014) Investigating the use of mobile instant messaging and its impacts. 1-9. School of Computer Science, University of Birmingham, Birmingham, United Kingdom
Whitty MT (2019) Predicting susceptibility to cyber-fraud victimhood. J Financ Crime 26(1):277–292
Williams EJ, Polage D (2018) How persuasive is phishing email? The role of authentic design, influence and current events in email judgements. Behav Inf Technol 38(2):1–15
Wong A (2021) A female Malaysian student got scammed and lost RM84,600 for investing in Bitcoin. Melaka, Malaysia: Tech Nave. Retrieved from https://technave.com/gadget/A-female-Malaysian-student-got-scammed-and-lost-RM84-600-for-investing-in-Bitcoin-22745.html
Workman M (2008) A test of interventions for security threats from social engineering. Inf Manag Comput Secur 16(5):463–483
Wright R, Chakraborty S, Basoglu AM (2009) Where did they go right? Understanding the deception in phishing communications. Group Decis Negot 19(4):391–416
Wright R, Johnson SL, Kitchens B (2020) A multi-level contextualized view of phishing susceptibility. Soc Sci Res Netw 1–0
Xiao M, Wang R, Chan-Olmsted S (2018) Factors affecting YouTube influencer marketing credibility: a heuristic-systematic model. J Media Bus Stud 15(3):188–213
Yar M (2005) The novelty of cyber crime: An assessment in light of routine activity theory. Eur J Criminol 2(4):407–427
Yeoh A (2023) New scam sees groups on WhatsApp and Telegram claiming to ‘collect funds’ on behalf of Bank Negara. Retrieved from The Star: https://www.thestar.com.my/tech/tech-news/2023/02/03/new-scam-sees-groups-on-whatsapp-and-telegram-claiming
Zainal NC, Puad MH, Sani NF (2022) Moderating effect of self-efficacy in the relationship between knowledge, attitude and environment behavior of cybersecurity awareness. Asian Soc Sci 18(1):55–64
Zhang W, Luo X, Burd SD, Seazzu AF (2012) How could i fall for that? Exploring phishing victimization with the Heuristic-Systematic Model. 45th Hawaii International Conference on System Sciences, (pp. 2374–2380)
Zolkiffli J, Bakar NA, Ya’acob S, Salehuddin H (2023) The Assessment of Online Games’ Cyber Security Awareness Level Based on Knowledge, Attitudes, and Behaviour Model (Vol. 1825). Springer, Cham
Acknowledgements
This work was supported by Multimedia University Malaysia under the MMU Postdoctoral Research Fellow Grant (Grant No. MMUI/240043).
Author information
Contributions
Chin Lay Gan: Conceptualization, Project administration, Funding acquisition, Literature Review, Methodology, Survey development, Data collection and analysis, Writing – original draft; Yi Yong Lee: Literature Review, Methodology, Survey development, Data collection and analysis, Writing – original draft; Tze Wei Liew: Survey development, Data collection, Writing – review and editing.
Ethics declarations
Competing interests
The authors declare no competing interests.
Ethical approval
The questionnaire and methodology for this study were approved by the Research Ethics Committee of Multimedia University Malaysia (Ethical Approval Number = EA0302022). The data collection was done in accordance with the research protocol and guidelines approved by the university.
Informed consent
Informed consent was obtained from all individual participants included in the study. All the respondents were informed that the data collected would be treated with the strictest confidentiality, and they were anonymized. Respondents were also informed that they had the option to withdraw at any time.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
About this article
Cite this article
Gan, C.L., Lee, Y.Y. & Liew, T.W. Fishing for phishy messages: predicting phishing susceptibility through the lens of cyber-routine activities theory and heuristic-systematic model. Humanit Soc Sci Commun 11, 1552 (2024). https://doi.org/10.1057/s41599-024-04083-1
DOI: https://doi.org/10.1057/s41599-024-04083-1