Asked in a survey to distinguish malicious emails from legitimate ones, nearly everyone in a group of 53 undergraduates failed.
The results from a new study by researchers at North Carolina State University found most people are overconfident in their ability to spot phishing attacks directed at them.
“Everyone’s susceptible,” said psychology professor Christopher Mayhorn, one of the study’s authors. “But there’s relationships that make some people more susceptible.”
Before taking the test, 89% of the group had said they were “confident" in their ability to tell the difference between an authentic email and one sent by a scammer. But when put to the test, just 7.5% of the participants were able to spot all the fake emails. And more than half of the group missed half of the fake emails and deleted at least one authentic email.
Females, people who were overconfident before the test, and people described as introverted were more likely to struggle with distinguishing the emails.
The findings are alarming given the growing personalization of phishing attacks, in which scammers try to lure personal and proprietary information out of victims by posing as entities such as banks, airlines, stores and government agencies.
In some cases, scammers draw people to open websites or attachments that unleash viruses, keystroke-tracking software or other malware onto a victim’s computer. As described in today’s paper, the phishing attacks are becoming more damaging.
Mayhorn and the research team are completing several studies to help them produce a tutorial that will teach people about phishing. The project is being funded by the National Security Agency, and Mayhorn said he hopes to release the app late next year.
He noted that training could be more effective than the widening array of software being developed to stem phishing.
“If people get frustrated with those tools, they tend to turn it off,” Mayhorn said. “That’s why a lot of research in the past has discussed that it’s a human problem. As long as there’s a human in the loop, something’s always going to be exploited.”
Existing tutorials also are ineffective because they aren’t based on science, Mayhorn said.
“Just like the phishing, it has to target people who are explicitly interested in clicking," he said. "It has to be quick—under 20 minutes, and it has to focus on the the things that really need to be learned by that particular individual."
The latest study also found that nearly one in three asked someone else for help when confronted with a potential phishing attack. One in 10 actually contacted law enforcement or the entity supposedly sending the email. About 15% of the undergraduates said they've clicked on a link in a phishing email, with 8% of them saying they ended up with malware on the computer.
Those numbers fall in line with data from the email security provider Proofpoint Inc., whose application analyzes emails for phishing attacks. Proofpoint said about 10% of people clicked on a phishing link in a recent email pretending to be from the retailer Wal-Mart. What’s worrisome is that clickrate is 10 times more than the one for links in legitimate emails from stores.
In a prior study, North Carolina State's research team found that Americans are less susceptible than people in India. The Americans were more likely to notice visual clues such as the padlock icon when browsing secure websites. They also looked for misspellings, hovered over links to see what site it would take them to or sought additional information to verify the legitimacy of an online retailer. One caveat in the study was the Indian sample was considerably younger, who tend to be more likely to click on links.
The team's first study found that Americans do pretty well at recognizing how phishing works. But one in five respondents said they fell victim to an attack, with many feeling embarassed or less trusting as a result.
Future studies will assess the susceptibility of other cultures including people in China, and people who work for government agencies.