We have all probably seen one before. An e-mail from a relative of a late Nigerian prince who seeks international financial support. If you’d be kind enough to help promptly, surely you can expect an insurmountable reward. It is what most people recognise as a phishing e-mail – and most of you will probably ignore it right away, unless you might be in for an entertaining digital interaction. But what if I tell you that the following e-mail is also a phishing scam?
Cybercriminals have moved on, too. They use more sophisticated tactics that make you believe their message is plausible. Think of the countless COVID-19 related scams during the recent pandemic, up to grand romance scammers like the ‘Tinder swindler’. It should neither come as a surprise that nearly half of today’s security breaches involve phishing. The risks of online deceptions need to be taken seriously. However silly a digital message may seem, criminals only need one individual to fall for them.
In my publication at the international Symposium on Usable Privacy and Security last month in Boston, we were interested in what factors make people particularly susceptible to phishing e-mails. We designed a study that allowed us to compare how good (or bad) people are at detecting phishing e-mails when they could only see e-mail header details versus when they saw full e-mails. The intuition behind it was that 1. phishing e-mails attempt to impersonate someone legitimate, and 2. when you pay close attention to the sender details in the e-mail header information, you should often be able to tell if the given e-mail is suspicious or not. For instance, by checking a sender’s e-mail address, their e-mail domain and whether certain parts match with their displayed name. Simultaneously, it is much easier for anyone to write a convincing e-mail message and adjust layouts. We therefore expected people to be much better at detecting phishing e-mails with clearly suspicious details in the sender information when they were only presented with the e-mail headers, instead of the full e-mails. To our surprise, this was not the case.
People were much worse at detecting phishing e-mails based on only e-mail header information compared to full e-mails. This means that most people did not recognise the suspicious signals in the e-mail headers, which implies that we need better methods to educate the public about how to interpret online information.
Next, we looked at whether certain personal traits were related to being better or worse at detecting phishing. Previous studies have for instance found that older people and females were worse at detecting such online scams. However, many of these works relied on university student participants and were not representative of the general population. Our study included 252 people representative of the British population and found no such relations. We therefore cannot say that people from a certain demographic are necessarily worse at detecting phishing. This is important, because it shows that we need to look at different factors that explain why people fall for them in order to provide more effective solutions. Our earlier results suggest that we should focus on augmenting people’s general knowledge of how to interpret online information, rather than targeting our efforts to specific groups only.
Given these findings, I have been developing and testing prototypes of various e-mail security features to augment users’ e-mail processing tasks. This has been an extremely insightful exercise and we plan to publish our findings in the next big security conference. For now, remember to double check the sender details before taking any further action on messages you receive online or on your phone. When in doubt, ask around or search for what others say about the sender's details on the world wide web.
Follow me on LinkedIn and/or subscribe below to stay in the loop.