Although phishing has become a serious threat to information security, there has been little theory-grounded research on this burgeoning phenomenon. In this paper, we develop a theoretical model of victimization by phishing based on the Heuristic–Systematic Model of information processing. We argue that the Heuristic–Systematic Model offers an ideal theoretical framework for investigating the psychological mechanism that underlies the effectiveness of phishing attacks. An exploratory experiment is presented to validate the research model derived from the theory.