Cyber security threats are increasingly becoming a problem for companies and consumers. Every day, scammers send out fake emails in the hopes of taking advantage of some poor, unsuspecting person, and a new study from Carnegie Mellon’s Security and Privacy Institute shows why the ploys are so effective.
Simply put, our overconfidence in being able to detect these harmful messages may be contributing to our downfall. Cylab researcher Dr. Casey Canfield says that the study showed consumers were most in danger when they felt most comfortable.
"When making decisions about phishing emails, people were more cautious when they were unconfident and perceived very negative consequences of opening a phishing email. Unfortunately, they were often overconfident so they would still fall for phishing attacks,” she said.
Separating out the scams
The study involved participants who were tasked with reading 38 separate emails; half of them were legitimate messages, but the other half were phishing emails. For each email, participants were asked if they believed it was a phishing email, what action they should perform if they were right, how confident they were in their choice, and what they thought the consequences would be if they fell for the phishing attempt.
While the researchers said that participants were generally more cautious of each email due to the nature of the study, they still weren’t very able to perceive the phishing emails from the legitimate ones. The average rate of success for identifying the phishing messages was only just over 50%, though the researchers note that around 75% of the phishing links were not clicked.
While some participants had a high rate of identifying the scam emails, Canfield notes that participation bias definitely played a part. "Some users were able to identify a vast majority of the phishing emails, but only because they were biased to think everything was a phishing attack. So they didn't necessarily have a high ability to tell the difference between phishing and legitimate emails,” she said.
Still, the researchers say that some of the decisions that participants made would have jeopardized whole computer systems if they had been made in real life. They believe that more should be done to educate consumers about their ability to spot a phishing attack and what the consequences might be. One suggested method, called “embedded training,” would involve sending out fake phishing emails that teach a user about these scam messages if they’re clicked.
The full study has been published in Human Factors.