Phishing is one of the biggest threats on the Internet. Attackers use it to gain access to login or financial information, or to scam users right away.
Phishing has been around for longer than a decade, so one could assume that users are aware of the risks that clicking on links or attachments in emails, chats or on websites poses, but that is apparently not the case.
A recent study at the German Friedrich-Alexander University concluded that 56% of email recipients and 40% of Facebook users clicked on links from unknown senders.
The research team conducted two studies in which they sent email messages and Facebook messages to about 1700 students of the University.
The messages were adapted to the target group. Messages in both studies claimed that the link pointed to images of a party of the previous weekend. They were signed with a common name for the age group.
A click on the link would open a web page that would simply show an access denied message. All clicks were logged this way, and that's how the researchers managed to get the stats for both studies.
Studies were slightly different in topic. In the first study, test subjects were addressed by first name. Test subjects were not addressed by first name in the second study, but additional details about the party were listed instead.
Also, for the Facebook study, profiles were created that offered varying degrees of public information. Some had photos and timeline information; others had no photos and minimal content.
The results were astonishing: 56% of email recipients and 38% of Facebook users clicked on the link in the first study. In the second study -- the one without the test subject's first name -- email clicks dropped down to 20% but Facebook clicks increased to 42%.
78% of all study participants stated in a questionnaire that "they were aware of the risks of unknown links". Interestingly enough, only 20% of users in the first study and 16% of users in the second study confirmed that they clicked on that link.
The researchers believe that the discrepancy between actual clicks and claimed clicks comes down to users simply forgetting the message that they clicked on, as nothing happened.
The large majority of test participants who remembered clicking on the link stated that curiosity got the better of them. Others stated that they knew someone with the name, or that they had been to the party.
Participants who did not click on the link stated that they did not click because they did not recognize the sender's name, and some even stated that they wanted to protect the sender's privacy by not looking at the photos.
A large number of test subjects, 78%, claimed they knew about the dangers of clicking on links. Still, about 50% did click anyway when presented with a chance to do so.
The attack in the study was targeted and used information that the students could relate to, but that is not an excuse for falling for it. It is plausible, however, that targeted attacks have a higher success rate than generic phishing attacks.
It would be interesting to know if some of the students opened the link in a secure environment, but it seems unlikely that many would have.
A very simple option to check out a link without loading it in your own browser or on your own system is to use a web service for it.
GTMetrix is designed to test the speed of a website, but it will display the content of the page that it checks as well.
1700 participants is not an awful lot to come to a conclusion, and it would be interesting if the study were repeated in other regions of the world.
Now You: Will users ever learn?