Research looks at why phishing attacks are so hard to avoid

Share

Written by
Zinaida_Benenson
Zinaida Benenson presenting her research at the Black Hat security conference in Las Vegas (Black Hat USA 2016)

LAS VEGAS — Zinaida Benenson, a computer researcher at Germany’s Friedrich-Alexander University, has found the ideal employee to avoid a phishing attack.

This employee is highly trained, knows that any person in their life could turn on them at any second and can operate impeccably while understanding the looming deception that could creep into their inbox at any time.

There is one hang up with this employee. They don’t exist.

Benenson created this straw man position — what she called ‘James Bond mode’ — to drive home the point that all the in-house training and personal vigilance related to phishing attacks is never going to surpass humans’ inherent curiosity.

During a Wednesday session at the 2016 Black Hat USA security conference, she highlighted two studies she and a team of researchers conducted to find out what drove people to click on links from phishing emails.

The first study, conducted in September 2013, sent university students an email or Facebook message instructing them to look at pictures from a previous week’s party via a hyperlink to a cloud-based photo application. The email was designed to be from someone respondents never had contact with and the Facebook message was attached to dummy accounts that presented very little of the sender’s identifying information.

Researchers found that 56 percent of the email recipients and 38 percent of the Facebook recipients clicked on the link. However, when the research team followed up, only 20 percent of the entire respondent pool remembered clicking the link, despite the fact the research showed 45 percent actually clicked the link.

A second study conducted in January 2014 tweaked the malicious message: It again included a link to a photo site, but this time it was geared toward an album of photos from a New Year’s Eve party. Clicks from Facebook were higher than the email (42.5 percent to 20 percent), despite a lower overall percentage (25 percent) of people clicking through.

When respondents were asked why they clicked on the link, more than a third said they did so out of curiosity, despite knowing they weren’t in any pictures. Additionally, 27 percent of clickers explained that they could identify with the situational context given in the message, such as actually having been at a New Year’s Eve party with unknown people. Moreover, 16 percent thought that they knew the sender.

Benenson said the lesson learned from the studies is that with the right design or timing, even highly aware people are going to click on links if they fit into the context of their everyday life.

“People are people. They are curious. They don’t think in the moment,” she said. “When they see a message that interests them, they just think.”

Benenson said even she has fell victim to clicking links in emails before realizing they could have contained malicious payloads. She pointed to an email from a supposed CNN journalist who wanted an interview, one from an academic journal she wasn’t familiar with filled with jumbled links and a bank notice that she haphazardly passed along to the security team before realizing that if it was loaded with suspicious malware, it could have disrupted the bank’s system if they opened it on their networks.

So while organizations do all they can to prevent people from opening suspicious emails, she stressed that trying to move humans away from their own innate decision-making process could result in diminished use of email altogether.

“We should think about the price people will have to pay for this. They will have to be in ‘James Bond mode,’ which is not natural for people,” she said.  “We don’t know what kind of defense is efficient for humans, but we should not make people abstain from their usual decisional heuristics. They will freak out. Don’t push them into ‘James Bond mode.’“

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found hereSubscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.

-In this Story-

Cybersecurity, phishing, spearphishing, Tech
TwitterFacebookLinkedInRedditGoogle Gmail