A new study aims to identify the sort of people who are most likely to fall for phishing scams – and has found that women, introverts and the overconfident are more likely to confuse “real” email with phishing scams.
Introverts are more likely to delete legitimate email thinking it is a scam, women are more likely to open phishing emails – and almost everybody is overconfident about their ability to spot fraudulent emails.
Kyung Wha Hong of North Carolina State University is studying the relationship between personality traits and susceptibility to phishing, in an effort to profile those most likely to fall victim. The project – part-funded by the NSA – aims to build new anti-phishing tools.
In “Keeping Up With the Joneses: Assessing Phishing Susceptibility in an E-mail Task,” Kyung Wha Hong’s participants completed a personality survey and were then asked to read legitimate and spam emails, deleting any they found suspicious.
Overall, people performed badly. Although 89% of the participants said they were confident in their ability to identify malicious e-mails, 92% of them misclassified phishing e-mails.
52% of participants misclassified more than half the phishing e-mails, and 54% deleted at least one authentic e-mail.
Women were less likely to identify phishing emails than men, the study found. People who self-reported as “less trusting, introverts, or less open to new experiences” were more likely to delete legitimate e-mails.
The paper will be presented at the upcoming 2013 International Human Factors and Ergonomics Society Annual Meeting.
ESET Senior Research Fellow David Harley warns in a detailed blog post that phishing emails are evolving rapidly to become more convincing. Crucially, such emails are often getting through to the inboxes of well-defended mail services, meaning that they may find a fresh audience. Harley says, “Right now malware and phishing forms apparently from reputable companies seem to be particularly successful at getting through mail services with exceptionally good filtering.”
Author Rob Waugh, We Live Security