Our brains work hard to spot phishing scams, but still often fail

Filed Under: Featured, Phishing

Image of brain courtesy of Shutterstock.

Scientists have found a significant increase in brain activity related to problem-solving and decision-making when we're trying to tell if a webpage is legitimate or not, and when we're processing browser warnings about potential malware-infected sites.

Despite the extra brain-power called on by these tasks, it seems we're still pretty bad at spotting fake sites, averaging just a 60% accuracy rate.

Unsurprisingly, more impulsive personalities tend to apply less thinking to such tasks.

These are the findings of a study by a mixed group of computer scientists and psychologists at the University of Alabama at Birmingham, who had their test subjects look at real and fake versions of web pages, and malware alerts and other less serious messages, while scanning their brains with a functional Magnetic Resonance Imaging (fMRI) machine.


The phishing test consisted of real login pages and faked versions from a range of websites often targeted by phishing, including online services such as Facebook, Gmail, Hotmail, LinkedIn, Twitter and Yahoo!, shopping sites like Amazon and eBay, and financial sites including PayPal and Wells Fargo Bank.

The fakes were split into easy and hard varieties, with the standard clues such as lookalike URLs, wonky fonts, iffy grammar and outdated graphics.
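Of the clues just listed, the lookalike URL is the one a machine can check mechanically before a user ever has to. The Python below is an added example written for this page, not code from the study, its authors or Sophos. It assumes a small constructed allow-list built from the brands named above, a hand-picked table of character substitutions, and a chosen similarity threshold; it also approximates the registrable domain as the last two labels instead of consulting the Public Suffix List.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allow-list: registrable domains of the brands the study used.
KNOWN_GOOD = {
    "facebook.com", "gmail.com", "hotmail.com", "linkedin.com", "twitter.com",
    "yahoo.com", "amazon.com", "ebay.com", "paypal.com", "wellsfargo.com",
}
BRAND_LABELS = {d.split(".")[0] for d in KNOWN_GOOD}

# Assumed substitution table: characters or pairs that visually imitate Latin letters.
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
NEAR_MISS_RATIO = 0.8  # assumed threshold; tune against your own false-positive budget


def hostname_of(url):
    """Lower-cased hostname of a URL; a bare host without a scheme is accepted too."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def unfold(label):
    """Map common lookalike substitutions back to the letters they imitate."""
    for fake, real in LOOKALIKES.items():
        label = label.replace(fake, real)
    return label


def assess(url):
    """Return (verdict, reasons) for a URL judged only against the allow-list above.

    verdict is "legitimate" (registrable domain is on the list), "suspicious"
    (at least one lookalike signal fired) or "unknown" (off-list, no signal).
    The registrable domain is approximated as the last two labels; a real
    deployment would consult the Public Suffix List instead.
    """
    host = hostname_of(url)
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    if registrable in KNOWN_GOOD:
        return "legitimate", []

    reasons = []
    # 1. Brand name used as a subdomain of an unrelated registrable domain,
    #    e.g. paypal.com.account-verify.example
    if any(label in BRAND_LABELS for label in labels[:-2]):
        reasons.append("brand-in-subdomain")

    # 2. Internationalised labels: the punycode wire form reveals non-ASCII
    #    characters that the displayed spelling hides.
    try:
        if "xn--" in host.encode("idna").decode("ascii"):
            reasons.append("idn-label")
    except UnicodeError:
        reasons.append("idn-label")

    # 3. Spelling of the second-level label compared with each brand label.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if sld in BRAND_LABELS:
        reasons.append(f"brand-with-other-tld:{sld}")
    elif unfold(sld) in BRAND_LABELS:
        reasons.append(f"character-substitution:{unfold(sld)}")
    else:
        for brand in sorted(BRAND_LABELS):
            if SequenceMatcher(None, sld, brand).ratio() >= NEAR_MISS_RATIO:
                reasons.append(f"near-miss:{brand}")
                break

    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed sample URLs: one per signal plus a legitimate and an off-list case.
    for sample in [
        "https://www.paypal.com/signin",
        "https://paypa1.com/signin",
        "http://paypal.com.account-verify.example/login",
        "https://paypall.com/",
        "https://paypal.net/",
        "https://example.org/",
    ]:
        print(sample, "->", assess(sample))
```

The "unknown" verdict matters as much as "suspicious": an allow-list this small says nothing about the vast majority of legitimate sites, so the check is a prompt for closer inspection, not a verdict on its own. The substitution table is deliberately crude (it will also "unfold" the letters rn inside ordinary words), which is why the near-miss branch only runs when the table has not already matched.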

Participants correctly identified roughly 77% of the real sites, 57% of the "easy" fake sites and just 34% of the "difficult" ones, making for an overall accuracy of just over 60%.

As the study's writers point out, this isn't much better than what we would expect if the sites were labelled based on random guesswork.

Brain scans taken during the tests showed increased activity in brain regions associated with paying attention, strategic and controlled approaches to tasks, memory accessing, and decision-making, as compared to similar scans taken when simply viewing webpages with no task assigned.


In the malware warning test, participants read snippets of news items. While reading these, they were shown a popup featuring either a warning about malware, with a request for confirmation before proceeding, or a general, nonthreatening comment or question with a similar yes/no response.

Click-through rates showed an accuracy of around 67% for the non-warning popups, and almost 89% for the warning ones, for an overall average accuracy of 81%.

Scan data from this test showed more brain activity when the warnings appeared than when simply reading news, and a statistically significant further increase from the non-warning popups to the warning ones. Participants also spent slightly longer (~4.2 seconds) processing the non-warning messages than the warning ones (~3.7 seconds).

So it may seem like our brains are kicking in when required to protect us from wandering into danger online, but our lack of knowledge or caution is holding us back.

For the impulsiveness component, participants were rated on the Barratt Impulsiveness Scale, using a survey to classify them, and in both parts of the test the more impulsive individuals showed a smaller increase in brain activity when faced with tricky problems.

Sadly, figures are not provided on how this hastiness affected the overall accuracy scores.

The caveats

Of course this is just a single study, and as the scientists themselves point out, suffers from a lot of factors which may well influence the results.

To start with, thanks to the costliness of MRI time, the sample size is fairly small with just 25 participants, although other fMRI-related studies have suggested a fairly accurate representative sample can be picked up from just 20-24 test subjects.

Those 25 were all university students aged 19-32, so not necessarily a good reflection of society in general despite selecting from a diverse range of backgrounds and study subjects.

Also, thanks to the MRI scanner, none of the participants had any metal implanted in their body, and pregnant women and breastfeeding mothers were excluded, as were diabetics, anaemics and psychotropic drug users. Just one of the sample was left-handed.

Crucially, the nature of the test meant the participants were not in a normal web-browsing setting, instead lying flat and as still as possible in a large and noisy machine, viewing the customised test pages on a low-resolution (640 x 480) screen.

They were also instructed to try to tell fake pages from real ones, something which in real life most people are unlikely to think about of their own accord, despite all efforts to persuade them to do so.

Nevertheless, the study presents some interesting initial findings, and could lead the way to much more scientific understanding of how our brains respond to different kinds of warnings, and how we identify spoofing and faking.

This could help design much more effective warning mechanisms, and also guide future educational programmes to keep the next generation much more on its toes when venturing online.

Of course, it won't be long before the bad guys are getting their own MRI scanners so they can work on improving their social engineering techniques...


5 Responses to Our brains work hard to spot phishing scams, but still often fail

  1. Stomper42 · 584 days ago

    I would very much like it if this paper was used to create a web based training aid, to help internet users spot phishing sites.

  2. ODA155 · 583 days ago

    I must be getting all of the phishing email from the dumb "phishermen" because I have a clipboard outside of my cubicle dedicated to phishing email that I encourage folks to look at... part of my ongoing security awareness program.

    • There's a theory that all the "dumb" phishing is actually part of a cunning ploy - we're bombarded by obvious fakes, so we start thinking it's easy to spot this kind of stuff, then when a more carefully-crafted one shows up, we see it doesn't have any of the usual "tells" and assume it must be legit.

      Much more likely that the dumb ones are just from dumb people though. Keep up the awareness project :)

      • Paul Ducklin · 582 days ago

        It doesn't have to be a deliberate ploy - but assuming you are bound to spot the bad email every time because you can do so most of the time is indeed a risky approach.

        It's like not bothering with your seat belt because getting into a collision is much rarer than completing your journey safely. Or not taking rain gear on a mountain hike "because last time I was up here it was hot and sunny all day long."

  3. Sue Horwood · 568 days ago

    The last few days I have been receiving the most ridiculously bad phishing scam emails. They come from supposedly me @hotmail.com to me @hotmail.com (obviously someone is spoofing my email address) and in the text say Apple has sent them and refer to my Apple ID being used to download World War Z from the Apple store. Yesterday's version made mention of my credit card being used for this purpose. Hovering over the links supplied, they lead to 3 different websites, none of them Apple. And no, I didn't click on any links.

    As I do not have an Apple ID, nor have I ever used a credit card online, nor do I ever send myself emails it is obvious the sender has no idea of how to phish properly. They have however learned how to spoof my email account.

    What concerns me is that some people will fall for nonsense like this and I am unsure how to report these emails. If I click them as phishing I'm worried it would block me from, or suspend, my very busy hotmail account. Please tell me how to proceed.


About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.