Regardless of the amount of training and technology applied to phishing prevention, people are going to click on links, trust messages from supposedly known sources and get into trouble online.
A recent academic paper collates the results of an experiment conducted with more than 1,200 German university students on the factors contributing to their willingness to click on a link in a message sent to them, either an email or a Facebook message.
The experiment described in the paper, “Unpacking Spear Phishing Susceptibility,” written by Zinaida Benenson, Freya Gassmann, and Robert Landwirth of the Friedrich-Alexander-Universitat Erlangen-Nurnberg and the Universitat des Saarlandes of Germany, concludes that curiosity is the No. 1 reason users are likely to interact with the contents of a message. This flies in the face of a decade’s-worth of awareness training and dire stories of nation-states infiltrating the highest levels of government with a well-crafted email or social media message.
“These results show that people’s decisional heuristics are relatively easy to misuse in a targeted attack, making defense especially challenging,” the researchers wrote.
The experiment was first described last summer during a talk at the Black Hat conference in Las Vegas.
Phishing remains the most reliable means of gaining a foothold on an internal network. Attackers are adept at spoofing the sender’s email address, know to whom messages should be crafted and how, and understand that a personalized message and a logo familiar to the target are often enough to get inside the firewall of an organization.
The results presented in this paper, however, may indicate that phishers may be working too hard.
The 1,255 students were, in January 2014, sent either email or Facebook messages in the academic experiment. The message promised a link from a phony person about pictures from a phony party. Those who clicked were shown an “Access Denied” message and their clicks rates were recorded in the background. The researchers used 280 Facebook users and 975 email users with a comparable genders and ages. The researchers’ hypothesis that message reception via Facebook would correlate to a higher success rate was corroborated, more so than four other hypotheses described in the paper.
In this experiment, 42.5 percent of Facebook users clicked on the link messaged to them while 20 percent of email users clicked. The researchers then asked the participants open-ended questions giving them the opportunity to explain why they clicked.
“By far the most frequent reason was ‘Curiosity,'” the researchers wrote. “These participants explained that they knew that the pictures cannot be for them, but were interested in the supposedly funny or private content.”
The next most popular reason was that some sort of context around the message applied to the user, such as the possibility of knowing someone who attended the fictional party. Other users posited they may have known the sender, or were confident that existing security such as antivirus would protect them.
For every reason users clicked, there were similar reasons why they did not. Those who didn’t most frequently opted not to because the sender was unknown to them or there was a strong assumption the message was phishing or some other type of fraud. Others were skeptical of the context of the message that it did not fit their personal experience, for example, while others are more privacy or security conscious and don’t click on links by rule.
Regardless, the susceptibility of Facebook users to click on links certainly stood out to the researchers.
“The special characteristics of the Facebook platform, such as informal communication and easy ways to find the profile of a recent acquaintance, might have made our message especially plausible there,” they wrote. They also said that users handle messages on Facebook differently than they would email, and that could be a contributing factor. For example, users scan notifications quickly and may not pay attention to certain details as they would in an email.
The academics also point out that vigilance against phishing may have unintended consequences. For examples, a number of current spam and phishing campaigns are using invoices as lures. But extra care with such attachments might mean that a user misses one, and this could begin to negatively affect job performance.
“Under these circumstances, the employees are likely to disregard this kind of user education attempts, because the only way for them to get their job done in time is to process their emails as quickly as possible, without ‘wasting’ time with extra security checks,” they wrote.