Did you know that if you have some awareness or knowledge about phishing attacks, you may be far more likely to fall for a phishing scam?
It's true. A 2018 study by researchers at the University of Maryland, Baltimore County (UMBC) found an unexpected correlation between subjects who claimed to be knowledgeable about phishing and their susceptibility to it: self-reported knowledge went along with a higher, not lower, likelihood of being duped. Before exploring those findings in depth, however, we need to understand what a phishing attack is and what it looks like.
What is a Phishing Attack?
Phishing is an attack in which someone sends you an email designed to trick you into doing something they want, such as sending money or handing over your credentials (passwords). Usually the email carries a link to a page that prompts you to enter personal or otherwise protected information. The email and the page look as if they come from a reputable company, but both are fakes built by the attacker.
What makes the attack work is that the email is usually framed as an alert, or as a reward you must claim within the next 24 hours, such as a $100 Amazon gift card. Attackers use this framing to create urgency and push you to act before you think. Most mail systems catch a good share of these messages and route them to your junk folder, but some are bound to slip into your inbox.
How Do You Prevent A Phishing Attack?
One protection is an anti-phishing solution. Another is to check manually that the link in the email really points to the company's site. Do not click the link; instead, open the company's site from a bookmark, or search for the company by name and follow the result to the correct site. Then compare that site's domain with the domain in the email's link (hover over the link, or inspect the message source, to see where it actually goes). Only a matching domain tells you the link is genuine, and "matching" means the same registered domain, not a lookalike: a host such as paypal.com.example.net belongs to example.net, not PayPal, however familiar its first label looks. Sometimes the email gives other clues, such as grammatical errors or a greeting of "Dear Customer" rather than your real name. Unfortunately, a careful scammer can easily avoid those mistakes and still present the email as legitimate.
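The domain check described above, written out as an added example (this is not code from the original article or from any vendor it mentions). It audits the anchors in a constructed sample email, modelled on the PayPal lure from the study, against a list of sites the reader trusts. The trusted-site list, the sample email body, and the hostnames in it (including the reserved `.example` domains) are all assumptions made up for the demonstration.

```python
import re
from urllib.parse import urlparse

# Sites the reader has bookmarked and trusts (constructed example list;
# the point is that this list comes from the reader, never from the email).
TRUSTED_SITES = {"paypal.com", "amazon.com"}

# Minimal anchor matcher for an HTML email body, sufficient for the demo;
# a real mail client exposes parsed links directly.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_belongs_to(host: str, site: str) -> bool:
    """True only if host is `site` itself or a subdomain of it.

    A plain substring test ("paypal.com" in host) is the classic mistake:
    it accepts paypal.com.evil.example, which belongs to evil.example.
    """
    host = host.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def classify_link(href: str, shown_text: str = "") -> tuple[str, str]:
    """Return ("trusted" | "suspicious", reason) for one link in an email."""
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parsed.scheme!r}"
    if "@" in parsed.netloc:
        # https://paypal.com@evil.example/ : the browser goes to evil.example
        return "suspicious", f"credentials in URL hide real host {host}"
    for site in TRUSTED_SITES:
        if host_belongs_to(host, site):
            return "trusted", f"host {host} belongs to {site}"
    # Not a trusted host. Does the visible link text pretend otherwise?
    claimed = [s for s in TRUSTED_SITES if s in shown_text.lower()]
    if claimed:
        return "suspicious", f"text shows {claimed[0]} but link goes to {host}"
    return "suspicious", f"host {host} is not a site you trust"


def audit_email(html_body: str) -> list[tuple[str, str, str]]:
    """Classify every anchor in an HTML email body as trusted or suspicious."""
    results = []
    for href, text in ANCHOR_RE.findall(html_body):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop any inner tags
        verdict, reason = classify_link(href, text)
        results.append((href, verdict, reason))
    return results


# Constructed sample email body (not a real message), with one genuine link
# and three common disguises: subdomain lookalike, userinfo trick, digit swap.
SAMPLE_EMAIL = """
<p>Your recent order needs attention.</p>
<a href="https://www.paypal.com/myaccount/">View your account</a>
<a href="http://paypal.com.account-verify.example/login">www.paypal.com</a>
<a href="https://paypal.com@evil.example/">PayPal Resolution Center</a>
<a href="https://secure-paypa1.com/">paypal.com</a>
"""

if __name__ == "__main__":
    for href, verdict, reason in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {href}\n           {reason}")
```

Only the first link passes. The second fails because `host_belongs_to` compares whole labels rather than substrings, the third because the part before `@` is discarded by the browser, and the fourth because the visible text claims a trusted site the link does not reach.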
Phishing Email Research Findings
Now, back to the UMBC study. The researchers sent three separate groups of students (1,350 in total) a series of phishing emails:
- A PayPal bill from a third-party merchant requesting information on a recently placed order.
- An email from a UMBC weekend festival, called Quadmania, asking recipients to click a link indicating they had won a $100 Amazon gift card.
- An email from the school's Division of Information Technology asking the user to verify their account information within 48 hours. To make the request look authorized by the school, the email even referenced the Quadmania email to add credibility.
The findings offered some of the expected results:
- STEM majors, especially those in engineering and IT, had lower click rates (65-70%).
- Students majoring in the Arts, Humanities, and Social Sciences had higher click rates, around 80%.
Of the 1,350 subjects, 1,246 (92%) opened a phishing email, and 59% clicked the link. What really caught the researchers off guard, though, was the number of students who clicked the links and then expressed knowledge of phishing in a post-attack survey. "Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing," according to the research group.
The researchers concluded that survey respondents may have overestimated their understanding of phishing, or that overconfidence among the technically inclined may cause them to fall for scams. There are other explanations, of course: the researchers acknowledge that the survey was taken after the experiment, when phishing was naturally top of mind for the subjects. Whatever the cause, the high open and click rates show, unsurprisingly, how vulnerable users are to being phished. It's worth noting that this has been documented before; at the 2018 Node Summit, security firm Snyk recounted an internal Salesforce phishing test in which developers were the second most likely employee group, after marketers, to fall for phishing.
To Know or Not to Know, That is the Question
This raises the question: how effective is awareness training against phishing? There are strong opinions for and against training users to spot these attacks. Our take is that awareness is certainly a good thing, but that it is far more effective when delivered organically, integrated into a user's normal activity at teachable moments. And it is best to complement training with an anti-phishing solution that actually protects end users while they are being educated.