The study by German researchers found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages. What is worse is that they had previously indicated that they were aware of phishing risks.
The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1,700 test subjects—university students—from fake accounts.
The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data—some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year’s Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message “access denied,” but the site logged the clicks by each student.
The messages that addressed the targets by name scored clicks from 56 percent of e-mail targets and 37 percent of Facebook message recipients. But while the less-targeted messages in the second test only yielded 20 percent results for the e-mails, they scored 42 percent via Facebook messages.
FAU Computer Science Department Chair Dr Zinaida Benenson was stunned by the results as more than 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links. But 45 percent had clicked on the links.
For those who admitted to clicking on the link, the majority said they did so out of curiosity. Half of those who didn’t were warned off because they didn’t recognise the sender’s name, and a small minority avoided clicking because they were concerned about the privacy of the person who may have accidentally sent them the link.
“I think that with careful planning and execution, anyone can be made to click on this type of link, even if it’s just out of curiosity,” Benenson said.