Why Do People Fall for Phishing Scams?
Phishing scams are those fake emails that try to get you to click on them and either share sensitive information (such as your bank account number or password) or install malware.
We (the founders of Wombat Security) began looking at how to protect people from phishing scams back in 2005, and started by examining why people fall for these scams in the first place. A common problem here is that computer experts tend to have a blind spot: they have been using computers for so long that they no longer remember what it is like to be a novice, so it can be hard for them to understand how novices make their decisions. Unfortunately, the conventional wisdom among computer experts is that “users are stupid” or “users should pay attention more”, but this kind of sentiment isn’t helpful in building solutions that actually work.
We conducted a number of interviews, lab studies, and remote user tests to get a better sense as to what factors people took into account when gauging the trustworthiness of different kinds of email and web sites. Here, we will discuss the results of just the interviews and lab studies.
We found a number of surprises. Only about half of the participants we interviewed knew what web browser URLs were, and even those who did never thought to treat a URL as a sign that something might be suspicious. Other work has shown that people focus on the visual appearance of web sites in determining trust, not realizing how easy it is for criminals to copy-and-paste entire web sites.
When asked about suspicious emails, only about half reported being cautious about requests for financial information, and very few people realized how important it was to keep passwords secret.
Perhaps most surprising for us was how fragile people’s knowledge was. In some lab studies, we asked people to respond to a series of emails, some of them legitimate and some phish. While people were very suspicious of an email that took them to a bank site, many of these same people went on to log in to an ecommerce site that was fake. This suggested to us that people were good at identifying specific kinds of scams (in particular, financial ones), but didn’t have the skills to transfer their knowledge to other domains because they were focused only on surface characteristics. That is, they focused on the specific kind of scam, rather than being suspicious of emails asking for personal information or looking at the URL.
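What “looking at the URL” actually involves, as an added example that is not from the original post or from Wombat Security: a small Python helper that takes a link target and the domain the email claims to come from, and reports which part of the address identifies the site and why a familiar name elsewhere in the URL does not. A second helper checks whether the visible link text (a surface characteristic) names a different site than the real target. The sample links, the “examplebank.com” domain and the two-label rule for the registrable domain are assumptions for illustration; real code should use the Public Suffix List.

```python
from urllib.parse import urlsplit, unquote
import ipaddress


def registrable_domain(host):
    """Return the part of a hostname a reader should actually judge.

    Simplification (assumption for this example): the last two labels.
    Production code should consult the Public Suffix List, since a domain
    such as 'example.co.uk' needs three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url, expected_domain):
    """Parse a link target and explain, as plain findings, where it really goes.

    expected_domain is the registrable domain the email claims to be from
    (for example 'examplebank.com').
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    findings = []

    if parts.scheme.lower() not in ("http", "https"):
        findings.append("unusual scheme %r" % parts.scheme)
    if not host:
        findings.append("no host in URL")
        return {"host": host, "registrable": "", "matches": False, "findings": findings}

    # Anything before '@' is user info, not the site name.
    if parts.username is not None:
        findings.append("text before '@' is user info and hides the real host")

    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("host is a raw IP address, not a named site")
    except ValueError:
        is_ip = False

    registrable = host if is_ip else registrable_domain(host)
    matches = registrable == expected

    if not matches:
        # The brand name may appear as a subdomain or in the path; only the
        # registrable domain says who controls the site.
        path = unquote(parts.path).lower()
        if brand in host or brand in path:
            findings.append("'%s' appears in the URL, but the site is under %s" % (brand, registrable))
        else:
            findings.append("site is under %s, not %s" % (registrable, expected))

    return {"host": host, "registrable": registrable, "matches": matches, "findings": findings}


def link_text_mismatch(visible_text, href):
    """True when the visible link text names a site other than the real target."""
    text = visible_text.strip()
    if " " in text or "." not in text:
        return False  # plain words such as 'click here' name no site
    if "://" not in text:
        text = "http://" + text  # treat bare 'www.example.com' as a URL
    shown = (urlsplit(text).hostname or "").lower()
    actual = (urlsplit(href.strip()).hostname or "").lower()
    if not shown or not actual:
        return False
    return registrable_domain(shown) != registrable_domain(actual)


if __name__ == "__main__":
    # Constructed sample links for demonstration; none of these are real sites.
    samples = [
        ("https://www.examplebank.com/login", "examplebank.com"),
        ("https://www.examplebank.com.login-verify.example/secure", "examplebank.com"),
        ("https://examplebank.com@203.0.113.5/", "examplebank.com"),
        ("https://secure-login.example/examplebank.com/signin", "examplebank.com"),
    ]
    for url, expected in samples:
        result = inspect_url(url, expected)
        print(url, "->", result["registrable"], "OK" if result["matches"] else result["findings"])
    print(link_text_mismatch("www.examplebank.com", "https://login-verify.example/"))
```

The point of the findings is pedagogical: each one states in one sentence which cue a novice is likely to misread (a familiar name before an “@”, a brand name used as a subdomain or in the path, a bare IP address), which is the kind of transferable rule the lab studies above found people lacked.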
People also had poor strategies when it came to identifying suspicious emails. The most frequent strategies people used to identify legitimate emails were: (a) this email appears to be for me, (b) it’s normal to hear from companies you do business with, and (c) reputable companies will send emails. Unfortunately, none of these actually help in identifying phishing scams.
You can read more about our work here:
J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.