Graduation Year

2024

Document Type

Dissertation

Degree

Ph.D.

Degree Name

Doctor of Philosophy (Ph.D.)

Degree Granting Department

Criminology

Major Professor

George Burruss, Ph.D.

Committee Member

C. Jordan Howell, Ph.D.

Committee Member

John Cochran, Ph.D.

Committee Member

David Maimon, Ph.D.

Abstract

Methods of obtaining sensitive information from Internet users have evolved consistently as technology has advanced and millions of mobile device users communicate through text (SMS) messaging daily, making them a target for smishing attacks. Smishing (short for SMS phishing) is a form of cybercrime where an offender will send fraudulent text messages attempting to gather sensitive information or convince the user to click on a malicious link. These messages often appear legitimate and rely on tactics like convincing users that immediate action needs to be taken. Smishing has become so widespread that in 2020, the Texas Attorney General issued a statement warning citizens of a large smishing scam claiming to be a package delivery notice from various delivery companies, including a malicious link which redirected users to a fake website. Additionally, many common services providers use text messages to communicate legitimately with clients. Mobile device users must differentiate between legitimate and fraudulent messages, remain vigilant about potential threats, and decide whether to interact with text messages providing links. The current study combined survey data with simulated smishing messages. Its goal was to determine whether an integrated theoretical model could explain variation in protection motivation, specifically, users’ intention to click on links from unknown sources. Simulated attacks did not elicit any clicks, indicating a potential issue with the data collection process. While an optimist would hope that the entire sample were savvy enough to not click on a simulated attack, the combination of a non-urgent narrative and a practical research challenge makes the likelihood greater that some unforeseen barrier to delivery occurred. Many messages were undelivered due to a spam filter by the carrier, suggesting that protective measures are helping reduce the rate of successful delivery of attacks, simulated or otherwise. Theoretical findings suggest that protection motivation can be influenced, through a combination of fear and efficacy. In addition, the severity of the threat had a positive influence on fear. The data suggest that many individuals report the intention to engage in protective behaviors, however, without behavioral data, it is unclear whether the decision to engage in protective behavior is sufficient to prompt action. Additionally, the data exposes a validity concern with the measurements of key variables. While the operationalization of key measures was adapted from previous studies (Boss et al., 2015; Johnston & Warkentin, 2010; Myryy et al., 2009), there is room for improvement. The study highlights important theoretical findings and informs future efforts to collect simulated attack data. Understanding mobile phone users’ decisions to engage in protective behaviors to protect against identity theft is an important component to preventing victimization. The findings suggest that educating individuals on the threat, while reinforcing both response and self-efficacy, can improve individual decisions to engage in protective behaviors.

Download

Share

COinS