Why people still fall for phishing emails

Photo (c) AdobeStock

Security expert says overconfidence plays a huge role

Emails that pop into your inbox, appearing to be from a bank, utility, or shipping company, are favorite vehicles for scammers.

These phishing emails are intended to hook you, persuading you to click on a link or provide logins, passwords, and other sensitive data. Many of these scams are seemingly easy to spot, but millions of people still fall for them.

H.R. Rao, a security expert at the University of Texas at San Antonio (UTSA), did a study to find out why. He concludes that too many consumers are overconfident in their ability to determine which email is for real and which one is a scam.

Rao thinks most people believe they're smarter than the criminals behind these schemes, and that is one reason so many fall easily into the trap. Other recent research on the subject has reached similar conclusions.

"A big advantage for phishers is self efficacy," Rao, a UTSA College of Business faculty member, said. "Many times, people think they know more than they actually do, and are smarter than someone trying to pull of a scam via an e-mail."

Remember the Nigerian prince?

Long-time internet users have seen all sorts of phishing emails. A decade or so ago, it was very common to hear from a deposed Nigerian prince who was desperate to get his fortune out of the country and just needed access to your bank account to accomplish that.

But if that is still your view of what a phishing email is, Rao says you could be vulnerable to today's updated, refreshed phishing schemes. Today, he says phishing emails come disguised as messages from companies, and even people, that the recipient knows and trusts.

"They're getting very good at mimicking the logos of popular companies," Rao said.

Speaks from experience

Rao speaks from experience. Last year he says he got an email that appeared to come from UPS, informing him there was a problem with a package he had sent. Since he had just sent out a package via UPS, Rao said his initial reaction was that the message was legitimate.

Remember that the scammer is playing a numbers game. If he sends out 20 million messages that there is a problem with a UPS shipment, the majority of recipients would disregard the message because they had not sent anything recently using UPS.

But suppose 40,000 of the recipients had just sent a package with the carrier. If half fell for the scheme, the scammer would have ensnared 20,000 victims.

Overconfidence is a killer

"In any of these situations, overconfidence is always a killer," Rao said.

In a recent study, participants were asked to judge a large number of emails, identifying the ones that were real and the ones that were fakes. Participants also gave the reasons for their conclusions.

Rao and his colleagues found overconfidence played a major role when participants misidentified a scam email as real.

The defense against these schemes, says Rao, is a healthy dose of skepticism about any email that lands in your inbox.

In the event of a message from UPS that there is a problem with your shipment, don't click on a link. Instead, contact UPS customer service directly.

Take a Home Warranty Quiz. Get matched with an Authorized Partner.