A little phishing knowledge may be a dangerous thing
Boffins find those who know about phishing more likely to be duped than the less informed
Phishing works more frequently on those who understand what social engineering is than on those who live in blissful ignorance, or so a study of students at University of Maryland, Baltimore County suggests.
Citing IBM data suggesting human error is a factor in 95 per cent of security incidents, researchers from the school's department of computer science and electrical engineering conducted a phishing test to assess the relationship between demographic factors and susceptibility to phishing.
(The Register is having trouble imagining how humans wouldn't be involved in most security incidents since even automated systems get set up by someone at some point.)
UMBC's boffins – Alejandra Diaz, Alan Sherman, and Anupam Joshi – conducted three types of phishing attacks earlier this year on separate groups of 450 students, covering a total of 1,350 individuals. Of these, 1,246 (92 per cent) opened a phishing email for least one of the experiments. About 59 per cent of these students clicked on a phishing link. And among the subset of students who responded to the post-attack survey (482), 70 per cent had clicked on a phishing link.
As a point of comparison, when Michigan's Department of Information Technology conducted a security audit last year, it found among 5,000 randomly selected employees that 32 per cent opened the phishing message, 25 per cent clicked on the link in the message, and 19 per cent submitted their credentials through the phishing website loaded by the link.
The first of these phishing messages was designed to look like a PayPal bill from a third-party merchant. The email attempted to trick the user into clicking on a link purporting to provide details for a supposedly placed order.
The second presented itself as a message about Quadmania, a UMBC weekend festival. It said the recipient had won a $100 Amazon prize and asked the recipient to click the provided link.
The third claimed to be a message from the school's Division of Information Technology. It asked the user to verify his or her UMBC account credentials within 48 hours and made reference to the Quadmania phishing message to sound more credible.
Some of their findings fit with what you might expect. STEM majors – especially engineering and IT majors – had lower click rates (65 per cent in the College of Engineering and Information Technology, and 70 per cent in College of Natural and Mathematical Sciences) than those in the College of Arts, Humanities, and Social Sciences (80 per cent).
While gender was not statistically significant, older students were more inclined to avoid clicking than their juniors. Similarly, time spent on the computer influenced susceptibility, with those spending 0-4 hours much more likely to click than those spending 4-8 hours or 8-12 hours connected. And, unsurprisingly, increased cyber training correlated with lower click rates.
But awareness of phishing was found to increase vulnerability to it.
If Shadow Home Sec Diane Abbott can be reeled in by phishers, truly no one is safeREAD MORE
"Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness," the study says. "Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing."
The researchers say they're at a loss to explain this, allowing it's possible that survey responses about phishing experience may have been skewed by the experience of being phished. They also speculate that users who fell for the phishing scheme might overestimate their knowledge of phishing.
Overconfidence among the technically inclined has been detected elsewhere. At the Node Summit earlier this year, Guy Podjarny, CEO and cofounder of security biz Snyk, recounted an internal Salesforce phishing test that found developers were the second most likely employee group, after marketers, to fall for phishing tricks.
According to the Anti-Phishing Working Group (APWG), there were 233,040 phishing sites detected in Q2 2018, down from 263,538 in Q1 2018. The number of phishing reports submitted to the APWG was 264,483, about the same as the 262,704 reported in 1Q 2018. ®
Sponsored: Becoming a Pragmatic Security Leader