LAS VEGAS — An information technology expert gave a talk last Wednesday on the most effective ways hackers use scam emails, and the most surprising insight gleaned was that even a person who knows all the tricks can still fall for them.
At the Black Hat security conference, Dr. Zinaida Benenson presented her findings from two studies on phishing attacks — where hackers send emails to their targets enticing them to click on a “poison” link or run malicious software — which found that people often click, even if they don’t know the sender.
That holds even for people who have computer knowledge, who know that unfamiliar links can be dangerous to click on, or who know that an email’s sender address can be faked to make the message appear to come from someone else. The studies found all of these factors to be “not significant.”
“We know that humans can be exploited and they fall for the same thing all the time,” she said.
Benenson, a professor at The University of Erlangen-Nuremberg who leads the “Human Factors in Security and Privacy” research group, conducted two separate studies on university students with her fellow researchers that simulated phishing attacks over email and Facebook. The first study’s email looked like this:
In the first study, 45% of people clicked on the link, while in the second, only 20% did so. Benenson attributed the big difference to the second round of emails not addressing the recipient by name.
Most people said curiosity was the reason behind their click, though a surprising number trusted their computer or university to protect them. “My computer blocks access if there is a virus problem,” one student told the researchers.
“I use Firefox and MacOS, so I’m not afraid of viruses,” said another.
Even Benenson’s own curiosity got the best of her in some examples she presented to the audience. In one case, she received an email from someone (whose identity she anonymized) claiming to be a reporter from CNN and providing a link to his work. She was excited that she might speak with a reporter.
“What do you think I did?” she asked the audience. “I clicked.”
She also fell for others, like this one:
Benenson’s research highlights one of the biggest problems people and companies encounter when trying to stay safe online. More than 90% of targeted attacks begin with a spear-phishing email, and those emails keep succeeding despite security awareness training and a decade of high-profile hacks.
She suggested companies could add a “reporting” feature so employees can flag suspicious emails, or use digital signatures on email (which help only if recipients notice when a message is unsigned, and which a determined attacker can still get around, for example by sending from a compromised account). Others, however, suggest there has to be a technical solution to overcome the curiosity gap Benenson’s research identifies.
“The user is not the problem,” Malcolm Harkins, Chief Security and Trust Officer at Cylance, told Tech Insider in May. “It was a failure in the technology to protect them and to protect the compute device.”
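Two points above are directly actionable: sender addresses can be faked, and a reporting feature lets users hand suspicious mail to someone who can check it. What follows is an added example, not code from the talk, the studies, or any product mentioned in the article. It is a small Python triage script, using only the standard library, that a mail-reporting workflow could run over a reported message: it flags a display name that shows a different address than the real one, Reply-To and Return-Path domains that differ from the visible From domain, non-passing SPF, DKIM or DMARC results recorded by the receiving mail server in the Authentication-Results header, and links whose visible URL points somewhere other than the real target. The two sample messages, their headers, domains and addresses are all constructed for illustration.

```python
"""Header and link triage for a reported phishing email (added example)."""
import re
from email import message_from_bytes
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a reported message; not a real capture. The display
# name shows a trusted-looking address while the real sender, bounce address
# and reply address all live elsewhere, and the link text hides its target.
SAMPLE_REPORTED_EMAIL = b"""\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=cnn.com.example.net
From: "Jane Reporter jane.reporter@cnn.com" <jane.reporter@cnn.com.example.net>
Reply-To: <press-desk@example-news.org>
To: <student@example.edu>
Subject: Interview request: your research
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi, I wrote about your work here:
<a href="http://login.example-news.org/verify">https://www.cnn.com/tech/story</a></p>
</body></html>
"""

# Constructed sample of a legitimate internal message, for comparison.
SAMPLE_LEGITIMATE_EMAIL = b"""\
Return-Path: <alice@example.edu>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu; dmarc=pass header.from=example.edu
From: Alice Example <alice@example.edu>
To: <student@example.edu>
Subject: Seminar slides
Content-Type: text/html; charset=utf-8

<html><body><p>Slides: <a href="https://www.example.edu/seminar">https://www.example.edu/seminar</a></p></body></html>
"""


def auth_results(msg):
    """Extract {method: result} for spf/dkim/dmarc from Authentication-Results."""
    header = msg.get("Authentication-Results", "") or ""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.I)}


def domain_of(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display-name spoofing: an address written into the name that is not
    #    the address mail clients actually use.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", from_name):
        if shown.lower() != from_addr.lower():
            findings.append(f"display name shows {shown}, real address is {from_addr}")

    # 2. Replies or bounces routed to a domain other than the visible sender's.
    for header in ("Reply-To", "Return-Path"):
        domain = domain_of(msg.get(header))
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain} differs from From domain {from_domain}")

    # 3. Results the receiving MTA recorded; anything but 'pass' is worth a look.
    results = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            findings.append(f"{method} {results.get(method, 'missing')}")

    # 4. Links whose visible text is a URL on a different host than the target.
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    for href, shown in re.findall(r'href="([^"]+)"[^>]*>\s*(https?://[^<\s]+)', body, re.I):
        if urlparse(href).hostname != urlparse(shown).hostname:
            findings.append(f"link text {shown} but target is {href}")

    return findings


if __name__ == "__main__":
    for label, raw in (("reported", SAMPLE_REPORTED_EMAIL), ("legitimate", SAMPLE_LEGITIMATE_EMAIL)):
        print(f"{label}: {triage(raw) or ['no findings']}")
```

The Authentication-Results check only means something if the header was written by your own inbound mail server, since a sender can add a forged one; production code should accept only the authserv-id of the trusted gateway and strip any copies arriving from outside. The script deliberately does no URL fetching, so it can run offline on a message a user has just reported.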