A study in which researchers sent phishing emails to 1,350 students has yielded a startling find: those who believe they know how to tell a phishing scam from a genuine email are actually more susceptible to the attack.
The study by the University of Maryland, Baltimore County (UMBC) involved various phishing tests to assess whether any demographic segments were more susceptible to phishing attacks.
Responses were gathered from students in disparate , from engineering and mathematics to arts and social sciences. Researchers demonstrated that phishing awareness, hours spent on the computer, cyber training, cyber club or cyber scholarship affiliation, age, academic year, and college affiliation significantly affected student susceptibility.
Some interesting findings emerged, including that older students were more able than their younger peers to spot a phishing email and avoid clicking on the links inside. Less surprising results were those by gender, described by the researchers as not statistically relevant, while engineering and IT majors had some of the lowest click rates.
What was not so anticipated, though, was that students who boasted about their knowledge of phishing and how to avoid it were actually more susceptible than those who were less confident in their ability to sniff out phishing.
As many as 59% of subjects who opened the phishing email also clicked on its phishing link, and approximately 70% of those subjects who participated in an additional demographic survey clicked on the bait links inside.
“Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness,” paper authors Alejandra Diaz, Alan T. Sherman, and Anupam Joshi said. “Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing.”
UMBC researchers are the first to admit they have no convincing explanation for this surprising find, but they ventured a couple of guesses nevertheless:
For one, they theorize that falling victim to a phishing scheme in the past might increase a user’s awareness about phishing. In other words, those clumsy enough to fall for a phishing scheme may become proportionally more skeptical of the contents of their inbox overnight. The logic behind this assumption is sound from a psychological perspective, so it’s reasonable that previous experience indeed played an important factor in the results.
“In hindsight, it might have been wiser to have asked in the post-event survey what was the level of phishing awareness the user had when they opened the phishing email,” the researchers were careful to point out.
Their second hypothesis – likely also a correct scenario and a contributing factor to the finding – is that respondents who fell for the phish were simply over-confident in their knowledge about phishing.
“Typically, the most important and devastating vulnerability a company can have is its very own people,” the authors said, citing an IBM study. “The human factor, or error, is responsible for 95% of security incidents. Malicious actors aim to use social engineering to exploit users into giving up valuable and confidential information […] We hope our results will help businesses and colleges improve their cybersecurity practices,” they noted.