So much for counter-phishing training: Half of people click anything sent to them
Even people who claimed to be aware of risks clicked out of curiosity.
SEAN GALLAGHER 8/31/2016
Sean is Ars Technica’s IT Editor. A former Navy officer, systems administrator, and network systems integrator
Security experts often talk about the importance of educating people about the risks of “phishing” e-mails containing links to malicious websites. But sometimes, even awareness isn’t enough. A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages—even though most of them claimed to be aware of the risks.
The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1,700 test subjects—university students—from fake accounts.
The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data—some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year’s Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message “access denied,” but the site logged the clicks by each student.
The messages that addressed the targets by name scored clicks from 56 percent of e-mail targets and 37 percent of Facebook message recipients. But while the less-targeted messages in the second test only yielded 20 percent results for the e-mails, they scored 42 percent via Facebook messages.
“The overall results surprised us, as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links,” Dr Benenson said in a FAU posting on the research. “And only 20 percent from the first study and 16 percent from the second study said that they had clicked on the link.” But in fact, of those claiming they were security savvy, “we found that 45 and 25 percent respectively had clicked on the links,” Dr Benenson said.
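The two measurements the study contrasts, the click rate the landing page logged per channel and message variant, and the gap between what "risk-aware" participants admitted in the questionnaire and what the log shows, are the same numbers a security-awareness team needs from its own simulations. The following is an added example, not code from the article or from the FAU study; the roster, click log and questionnaire answers are constructed, and the hypothetical log format is one line per hit of `timestamp recipient_id`, with a recipient counted once however many times they click.

```python
"""Score a phishing-awareness simulation from a click log and a post-test questionnaire.
Added example; all data below is constructed, not taken from the FAU study."""
from collections import defaultdict

# Constructed roster: recipient id -> (channel, variant).
# "named" messages address the recipient by first name; "generic" give event details instead.
RECIPIENTS = {
    "e1": ("email", "named"), "e2": ("email", "named"), "e3": ("email", "named"),
    "e4": ("email", "named"), "e5": ("email", "named"),
    "e6": ("email", "generic"), "e7": ("email", "generic"), "e8": ("email", "generic"),
    "e9": ("email", "generic"), "e10": ("email", "generic"),
    "f1": ("facebook", "named"), "f2": ("facebook", "named"), "f3": ("facebook", "named"),
    "f4": ("facebook", "named"), "f5": ("facebook", "named"),
    "f6": ("facebook", "generic"), "f7": ("facebook", "generic"), "f8": ("facebook", "generic"),
    "f9": ("facebook", "generic"), "f10": ("facebook", "generic"),
}

# Constructed click log in the hypothetical "timestamp recipient_id" format the
# "access denied" landing page would write. Note e1 appears twice.
CLICK_LOG = """
2016-01-08T10:12:03 e1
2016-01-08T10:12:41 e1
2016-01-08T10:15:22 e2
2016-01-08T11:02:09 e3
2016-01-08T11:30:55 e6
2016-01-08T12:01:17 f1
2016-01-08T12:04:48 f2
2016-01-08T13:20:30 f6
2016-01-08T13:21:02 f7
"""

# Constructed questionnaire: recipient id -> (claims awareness of link risks, admits clicking).
SURVEY = {
    "e1": (True, True), "e2": (True, False), "e3": (True, False), "e4": (True, False),
    "e5": (False, False), "e6": (True, False), "e7": (True, False), "e8": (False, False),
    "e9": (False, False), "e10": (False, False),
    "f1": (True, False), "f2": (False, True), "f3": (True, False), "f4": (False, False),
    "f5": (False, False), "f6": (True, True), "f7": (False, False), "f8": (True, False),
    "f9": (False, False), "f10": (False, False),
}


def parse_clicks(log):
    """Return the set of recipient ids with at least one logged hit (repeat clicks collapse)."""
    clicked = set()
    for line in log.strip().splitlines():
        _timestamp, recipient_id = line.split()
        clicked.add(recipient_id)
    return clicked


def click_rates(recipients, clicked):
    """Click rate per (channel, variant) cell, as a fraction of recipients in that cell."""
    sent = defaultdict(int)
    hit = defaultdict(int)
    for recipient_id, cell in recipients.items():
        sent[cell] += 1
        if recipient_id in clicked:
            hit[cell] += 1
    return {cell: hit[cell] / sent[cell] for cell in sent}


def self_report_gap(survey, clicked):
    """Among respondents who claim to be risk-aware, compare the share who admit clicking
    with the share the log shows actually clicked."""
    aware = [rid for rid, (is_aware, _) in survey.items() if is_aware]
    admitted = sum(1 for rid in aware if survey[rid][1])
    logged = sum(1 for rid in aware if rid in clicked)
    return {
        "aware": len(aware),
        "admitted_rate": admitted / len(aware),
        "logged_rate": logged / len(aware),
    }


if __name__ == "__main__":
    hits = parse_clicks(CLICK_LOG)
    for cell, rate in sorted(click_rates(RECIPIENTS, hits).items()):
        print(f"{cell[0]:>8} / {cell[1]:<7} clicked: {rate:.0%}")
    print("risk-aware respondents:", self_report_gap(SURVEY, hits))
```

The deduplication in `parse_clicks` matters for the headline number: the study reports recipients who clicked, not hits, and one curious participant reloading the page would otherwise inflate the rate. Comparing `admitted_rate` with `logged_rate` is the check that turns a self-assessment survey into something measurable.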
For those who admitted to clicking on the link, the majority said they did so out of curiosity. Half of those who didn’t were warned off because they didn’t recognize the sender’s name, and a small minority avoided clicking because they were concerned about the privacy of the person who may have accidentally sent them the link. “I think that with careful planning and execution, anyone can be made to click on this type of link, even if it’s just out of curiosity,” Benenson said.
Given the vast amount of personal data that’s available to attackers—especially thanks to breaches like the one at the Office of Personnel Management, for example—crafting that sort of message for targets of interest has gotten a lot easier. The bottom line is that telling people not to click strange links is not going to be enough.