Study: Half of people click on unknown sender links
Phishing is one of the biggest threats on the Internet. Attackers use it to gain access to login credentials or financial information, or to scam users outright.
Phishing has been around for more than a decade, so one could assume that users are aware of the risks of clicking on links or attachments in emails, chats or on websites, but that is apparently not the case.
A recent study at the German Friedrich-Alexander University concluded that 56% of email recipients and 40% of Facebook users clicked on links from unknown senders.
The research team conducted two studies in which they sent email messages and Facebook messages to about 1700 students of the University.
The messages were adapted to the target group. Messages in both studies claimed that the link pointed to images of a party of the previous weekend. They were signed with a common name for the age group.
A click on the link would open a web page that would simply show an access denied message. All clicks were logged this way, and that's how the researchers managed to get the stats for both studies.
The two studies differed slightly. In the first study, test subjects were addressed by first name. In the second study they were not addressed by first name, but additional details about the party were listed instead.
For the Facebook study, profiles were also created that offered varying degrees of public information: some had photos and timeline information, others had no photos and minimal content.
The results were astonishing: 56% of email recipients and 38% of Facebook users clicked on the link in the first study. In the second study -- the one without the test subject's first name -- email clicks dropped to 20% but Facebook clicks increased to 42%.
78% of all study participants stated in a questionnaire that "they were aware of the risks of unknown links". Interestingly, only 20% of participants in the first study and 16% in the second study confirmed that they had clicked on the link.
The researchers believe that the discrepancy between actual clicks and claimed clicks comes down to users simply forgetting the message they clicked on, since nothing happened after the click.
The large majority of test participants who remembered clicking on the link stated that curiosity got the better of them. Others stated that they knew someone with the name, or that they had been to the party.
Participants who did not click on the link stated that they did not click because they did not recognize the sender's name, and some even stated that they wanted to protect the sender's privacy by not looking at the photos.
Closing Words
A large number of test subjects, 78%, claimed they knew about the dangers of clicking on links. Still, about 50% did click anyway when presented with a chance to do so.
The attack in the study was targeted and used information that the students could relate to, but that is not an excuse for falling for it. It is plausible however that targeted attacks have a higher success rate than generic phishing attacks.
It would be interesting to know if some of the students opened the link in a secure environment, but it seems unlikely that many would have.
A very simple option to check out a link without loading it in your own browser or on your own system is to use a web service for it.
GTMetrix is designed to test the speed of a website, but it will display the content of the page that it checks as well.
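Part of that check can be done without loading the page at all, by reading the link itself. The following is an added example, not code from the article: it parses the HTML of a message, compares each link's visible text with its real target host, and flags links that carry the recipient's address in the query string (following such a link confirms the address to the sender). The sample message, names and addresses are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample in the style of the study's "party photos" lure (not from the article).
SAMPLE_HTML = """
<p>Hi Anna, here are the photos from Saturday:</p>
<a href="http://photo-share.example.net/album?u=anna@uni.example">
  https://photos.uni.example/party</a>
<a href="https://www.uni.example/about">university site</a>
"""


class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in the message.
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def inspect_links(html, recipient):
    # Returns one dict per link with the warning signs found for it.
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, shown = urlsplit(href), urlsplit(text)
        issues = []
        # Visible text that looks like a URL but names a host other than the real target.
        if shown.netloc and shown.netloc.lower() != target.netloc.lower():
            issues.append("text host %s != target host %s" % (shown.netloc, target.netloc))
        # The recipient's address in the query string: following the link confirms it.
        values = [unquote(v).lower() for vs in parse_qs(target.query).values() for v in vs]
        if recipient.lower() in values:
            issues.append("recipient address in query string")
        findings.append({"href": href, "text": text, "issues": issues})
    return findings
```

Running `inspect_links(SAMPLE_HTML, "anna@uni.example")` reports two issues for the first link and none for the second.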
1700 participants is not a large sample on which to base a conclusion, and it would be interesting to see the study repeated in other regions of the world.
Now You: Will users ever learn?
I very rarely get phishing emails, but upon reflection, that’s part of the problem. I remember I got a phishing email 2 months ago to connect me to my credit card site, and I almost clicked it, because I made an online purchase a week before. You have to keep on your toes, but it’s hard to do as you age…
I have no empathy for people who get burned because they refuse to heed good advice. If you know better and you click click click, then you deserve to suffer the consequences. Sometimes it has to hurt for a lesson to be learned.
I am not surprised by the results of this survey, however dismissing it as ‘people are just curious’ is rubbish. It is people being irresponsible or foolish. If you know better, get a grip. I get even more infuriated when these very same ingrates exhibit outrage and go looking for someone other than themselves to blame.
Maybe the “idiot” part arises from people who click links from senders like MagicJack claiming that a 38 minute phone call was made–in the heading. Enraged, because they don’t have a MagicJack device/account, they click the link; end of story.
Or the people who receive emails from seemingly legitimate sources from any number of name brand sources who claim this or that which prompts an indignant knee-jerk response to send the company a scathing complaint. One came to my Inbox from UPS the other day claiming someone had changed my password.
Think first . . . do I have a UPS account? Go to site and request new password with email on file. I don’t have a UPS account. Maybe call just to make sure. No account. Delete, delete.
This means that more than half of the email users in the world have “perceptual handicaps.” Like Ryan Lochte.
Opening links isn’t a security issue. It’s just an issue when after opening it you fill out the form with your data. Just because someone opens a link doesn’t mean the person would blindly follow the instructions and give away personal data.
@Herbert, If only that were true, sadly nefarious links can and have infected many people in the past.
Firstly, you have the obvious exploits with Adobe Flash, Microsoft Silverlight and Java that can infect a machine without the need for user interaction. Even without those extras installed, or with them blocked, it's still possible to get infected through JavaScript, something (afaik) most browsers have enabled by default. Then there are simple browser exploits that take advantage of yet-to-be-patched bugs in the browser.
Opening a link provided in an email is also confirming you've received the mail and, depending on the link, if it includes the email address, confirming your address. Even if the destination is healthy, many companies provide links transiting through trackers before arriving at the site, be it healthy. I more than once could not acknowledge email sent by a company I know simply because they provided such links and because those links had been blocked by my HOSTS file (category: trackers). So it may be a privacy issue even if security is not involved.
Concerning links in the wild, having a look at them, where do they lead to, is a minimum. And of course, guess we all know that or perhaps not, never download and run an exe file: never. And beware of other formats as well, pdf for instance. Download if you wish and analyze first (with e.g. VirusTotal) should be systematic. I'm afraid many users don't know that, doesn't mean they're stupid, only ignorant. But if they've been told and haven't registered the info in their little brains then they certainly do have a problem.
I saw that headline, but the correct headline is “half of the participating students at a particular university”, and given that the same twits also gave their support for withdrawing the First Amendment, I’m not surprised at all that they did something else stupid. They agree to whatever you ask them to do. They never learned to say no.
“Curiosity killed the cat”. Human beings are a curious lot and even when they know the risks, will still explore whatever is presented to them.
Personally I never click on anything. So far so good.
I’m trying to find a positive side… Let’s say “As long as people will click on things so easily the criminals won’t bother developing better threats, so most of us are safe”?
Not in the iPad era where users are wrongfully taught that they will get no malware from the AppStore (which is true, for the most part) while forced to only use it, but applying this notion to the entire internet and/or every other device they own.. that is not an iToy.
Personally I don’t even open an e-mail if I have not requested it in the first place. I mark it as read and move it away from the inbox. IF I have doubts I’ll use Tor for opening any link within such an e-mail, with scripting blocked in uB0.
@ Yuliya
“every other device they own that is not an iToy”
Discrimination against Apple users ! Is this an offence ? Nah :-)
Of course not :) I have nothing against the users. I used iPhones. Until I realised better alternatives exist. But I think some people seem just too devoted to certain brands. Ah well..
I took a jab at aPple because they’re the ones who invented the one button phone/device. Apparently someone thought that more than one button would be too confusing.
IQ of 100 is considered the statistical median not an average…. This means that more than half of our society are fucking idiots
A lawyer would state that 50% + 1 of the users, hence statistically speaking of this audience as well, are smart!
Not sure being “aware” has anything to do with intelligence, I’ve read not later than this morning that being excessively aware (to the point of building a bubble wall around oneself, trusting no one) was relevant of idiots. We also know that if being naive can correlate to an “insufficiently deployed” intelligence, on the other hand being “innocent” (natural trend to emphasize on the best) is not incompatible with being aware (perceiving nevertheless the worst). What I mean to say is that you can be perfectly stupid (for whatever that means) and never get caught with tricks as well as the opposite. It’s not obvious. Behaving in such a way to avoid the bad can also lead to missing the best, testing is a risk, life is a risk, the point is to evaluate the risk and we may sometimes mistake in that evaluation. That’s how I see it.
@ beerpatzer
Are you talking about me ! (drool) :-)
I almost never click on links from KNOWN senders. (I trust no one.)
Hi, same here. I have ten thousand plus unread emails and unless I know the sender etc. there is zero chance of getting anywhere near a link.
I never click on links :)
Then you’ve never forgotten a password, never activated a new account, and don’t have a favorite site where you buy stuff. One does still, of course, hover ALL links to read the link target before following them. :)
P.S. Copy-pasting is the same as clicking.
Martin, do you think it safe for me to click on the GTMetrix link you kindly provided above?
[From a fan of recursive conundrums.]
It seems like there would be a strong bias for those results being lower than reality. If someone did not check their email or did not notice the message in their inbox, there would be no click. Did the study authors account for this?
The study has not been published yet.