You might not fall for that faux Nigerian prince who urgently needs you to fork over $5,000 so you can rake in a cool million, but you might fall for well-disguised phishing scams, according to a study from Carnegie Mellon University.
The study, conducted by Carnegie Mellon’s CyLab Security and Privacy Institute, showed a set of participants information about phishing before asking them to evaluate 38 different emails. Half of the emails were legitimate. The other half were phishing scams.
Participants answered questions about which emails were phishing scams, what action they would perform, their confidence level in their choices, and the perceived consequences of falling for the phishing email.
On average, participants correctly identified just over half of the phishing emails presented to them. In terms of behavior, three-quarters of the phishing links were left unclicked.
Additionally, the participants’ confidence levels were not always calibrated with their ability. People were more cautious when they were unconfident and perceived very negative consequences for opening a phishing email. Overconfident people typically fell for phishing emails.
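The study's three measurements described above (detection accuracy, click behavior, and whether confidence tracks accuracy) can be scored with standard signal-detection and calibration arithmetic. The following is an added example, not code or data from the CyLab study: it scores one hypothetical participant's answers against a constructed answer key, computing hit and false-alarm rates, a d-prime sensitivity score, the click rate on phishing links, and an overconfidence measure (mean confidence minus accuracy). All email ids, responses and confidence values are constructed for illustration.

```python
from statistics import NormalDist, mean

# Constructed answer key (hypothetical): email id -> True if the email is phishing.
ANSWER_KEY = {
    "e1": True, "e2": False, "e3": True, "e4": False,
    "e5": True, "e6": False, "e7": True, "e8": False,
}

# Constructed responses for one hypothetical participant:
# (email id, flagged as phishing?, clicked the link?, stated confidence 0.0-1.0)
RESPONSES = [
    ("e1", True,  False, 0.9),
    ("e2", False, False, 0.8),
    ("e3", False, True,  0.9),   # missed phish, clicked, highly confident
    ("e4", False, False, 0.6),
    ("e5", True,  False, 0.7),
    ("e6", True,  False, 0.5),   # false alarm on a legitimate email
    ("e7", False, False, 0.9),   # missed phish but did not click (cautious)
    ("e8", False, False, 0.7),
]


def detection_rates(responses, key):
    """Hit rate (phish flagged as phish) and false-alarm rate (legit flagged as phish)."""
    phish = [r for r in responses if key[r[0]]]
    legit = [r for r in responses if not key[r[0]]]
    hit_rate = mean(1.0 if flagged else 0.0 for _, flagged, _, _ in phish)
    false_alarm_rate = mean(1.0 if flagged else 0.0 for _, flagged, _, _ in legit)
    return hit_rate, false_alarm_rate


def d_prime(hit_rate, false_alarm_rate, n_phish, n_legit):
    """Signal-detection sensitivity z(H) - z(FA).

    Rates of exactly 0 or 1 are nudged inside (0, 1) so the z-score stays finite.
    """
    def clip(p, n):
        return min(max(p, 0.5 / n), 1.0 - 0.5 / n)
    z = NormalDist().inv_cdf
    return z(clip(hit_rate, n_phish)) - z(clip(false_alarm_rate, n_legit))


def phish_click_rate(responses, key):
    """Fraction of phishing emails whose link the participant clicked (the behavioral outcome)."""
    phish = [r for r in responses if key[r[0]]]
    return mean(1.0 if clicked else 0.0 for _, _, clicked, _ in phish)


def calibration(responses, key):
    """Mean confidence, overall accuracy, and overconfidence (confidence minus accuracy).

    A positive overconfidence value means the participant is more sure than their
    classification accuracy justifies.
    """
    scored = [(conf, 1.0 if flagged == key[eid] else 0.0)
              for eid, flagged, _, conf in responses]
    mean_conf = mean(c for c, _ in scored)
    accuracy = mean(a for _, a in scored)
    return mean_conf, accuracy, mean_conf - accuracy


def accuracy_by_confidence(responses, key, threshold=0.8):
    """Accuracy on high-confidence answers vs low-confidence ones.

    Well-calibrated participants are more accurate when they are more confident;
    if the high-confidence group is no better (or worse), confidence is not
    tracking ability.
    """
    high = [r for r in responses if r[3] >= threshold]
    low = [r for r in responses if r[3] < threshold]
    acc = lambda group: mean(1.0 if flagged == key[eid] else 0.0
                             for eid, flagged, _, _ in group)
    return acc(high), acc(low)


def summarize(responses=RESPONSES, key=ANSWER_KEY):
    """Bundle all scores for one participant into a dict."""
    hit, fa = detection_rates(responses, key)
    n_phish = sum(1 for v in key.values() if v)
    n_legit = len(key) - n_phish
    mean_conf, acc, overconf = calibration(responses, key)
    high_acc, low_acc = accuracy_by_confidence(responses, key)
    return {
        "hit_rate": hit,
        "false_alarm_rate": fa,
        "d_prime": d_prime(hit, fa, n_phish, n_legit),
        "phish_click_rate": phish_click_rate(responses, key),
        "mean_confidence": mean_conf,
        "accuracy": acc,
        "overconfidence": overconf,
        "accuracy_high_confidence": high_acc,
        "accuracy_low_confidence": low_acc,
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:>26}: {value:.3f}")
```

The constructed participant illustrates the pattern the article describes: detection is mediocre (half the phish flagged), yet only one phishing link is clicked because a missed phish was still left alone, and the high-confidence answers are actually less accurate than the low-confidence ones. Running the same scoring over every participant and averaging gives the population-level figures a study like this reports.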
“Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems,” said Casey Canfield, a CyLab researcher with the university’s Department of Engineering and Public Policy.
The researchers involved in the study said they believe training people to identify phishing emails may not necessarily make them better at telling the difference, but it might make them think twice about opening them.
“It seems like those trainings may not always be making people better at telling the difference, but it’s probably making them more cautious,” said Canfield. “Helping people tell the difference may not be as useful as encouraging them to be more cautious.”