40% of Facebook users click on phishy links. Do you?

A new study has found that up to 56% of email recipients and about 40% of Facebook users clicked on a link from an unknown sender that could have been crawling with malware, for all they knew.

Because curiosity.

Because, specifically and click-baitishly, “photos from a New Year’s Eve party?! Bring it on!!”

The initial results of the study, which comes from the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, and which was led by FAU Computer Science Department Chair Dr. Zinaida Benenson, were released at the Black Hat conference last month.

The experiment entailed two studies in which the researchers sent fake messages, under false names, to about 1,700 FAU students, either via email or Facebook.

They signed the messages with one of 10 of the most common names for the target group’s generation.

Both the email and the Facebook messages included a link and text that claimed it was for a page with images of a party the previous weekend.

Those test subjects who clicked on the link were taken to a page that displayed the message “access denied” and enabled the researchers to measure the rates at which the targets clicked through.

Then, they sent a questionnaire to the test subjects. It did three things:

  1. Asked them to rate their own awareness of security.
  2. Explained the experiment.
  3. Asked them why they did or didn’t click on the link.

In that first study, the researchers had addressed the test subjects by their first names.

In their next study, the researchers didn’t address the targets by their first names, but they did feed them more specific information about the party where the photos were supposedly taken: a New Year’s Eve party the week before, the fake messages claimed.

As far as their bogus senders’ accounts went, the researchers filled in the Facebook profiles with public timelines and photos. They also created less public profiles without photos and only a minimum of information.

The results of the two studies:

  • In the first study, which addressed the targets by their first names, 56% of the email recipients and 38% of the Facebook message recipients clicked on the links.
  • In the second study, where the first names were dropped but the specificity of the phishing message upped the curiosity factor, only 20% of email recipients clicked through, while the percentage of Facebook users who clicked went up to 42%.

The researchers were surprised, Dr. Benenson said. Judging by the subjects’ self-reporting, one would assume that most were too savvy to click on risky links.

The reality was that a good number of click-happy subjects denied, or were oblivious to, their unwise ways:

The overall results surprised us, as 78% of participants stated in the questionnaire that they were aware of the risks of unknown links. And only 20% from the first study and 16% from the second study said that they had clicked on the link.

However, when we evaluated the real clicks, we found that 45 and 25% respectively had clicked on the links.
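The measurement the study describes, as an added example that is not the FAU researchers' code: each recipient gets a link carrying their own token, the "access denied" landing page logs every hit, and the questionnaire answers are joined back to the click log so that self-reported clicks can be compared with measured ones. The log format, the tokens and the roster below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed landing-page access log (hypothetical format: time, method, path, status).
# Every recipient's link carries its own token in the query string, so a hit
# identifies who clicked; the page itself only ever returns 403 "access denied".
LANDING_LOG = """\
2016-01-04T10:02:11Z GET /party-photos?t=a1 403
2016-01-04T10:02:15Z GET /party-photos?t=a1 403
2016-01-04T10:05:40Z GET /party-photos?t=b2 403
2016-01-04T11:00:01Z GET /party-photos?t=f6 403
2016-01-04T11:30:09Z GET /favicon.ico 404
"""

# Constructed roster: token -> channel plus the recipient's questionnaire answers
# ("aware": rated themselves aware of the risk; "says_clicked": self-reported a click).
RECIPIENTS = {
    "a1": {"channel": "email",    "aware": True,  "says_clicked": True},
    "b2": {"channel": "email",    "aware": True,  "says_clicked": False},
    "c3": {"channel": "email",    "aware": False, "says_clicked": False},
    "d4": {"channel": "facebook", "aware": True,  "says_clicked": False},
    "e5": {"channel": "facebook", "aware": True,  "says_clicked": False},
    "f6": {"channel": "facebook", "aware": True,  "says_clicked": False},
}

TOKEN_RE = re.compile(r"GET /party-photos\?t=([A-Za-z0-9]+) ")


def clicked_tokens(log):
    """Set of tokens that reached the landing page; repeat hits by one person count once."""
    tokens = set()
    for line in log.splitlines():
        match = TOKEN_RE.search(line)
        if match:
            tokens.add(match.group(1))
    return tokens


def summarise(log, roster):
    """Per-channel counts: messages sent, measured clicks, self-reported clicks,
    self-rated awareness, and clicks the recipient did not report."""
    clicked = clicked_tokens(log)
    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "says_clicked": 0,
                                 "aware": 0, "unreported_clicks": 0})
    for token, rec in roster.items():
        s = stats[rec["channel"]]
        did_click = token in clicked
        s["sent"] += 1
        s["clicked"] += int(did_click)
        s["says_clicked"] += int(rec["says_clicked"])
        s["aware"] += int(rec["aware"])
        # The gap the study found: a measured click that the questionnaire denies.
        s["unreported_clicks"] += int(did_click and not rec["says_clicked"])
    # Turn counts into the rates the study reports.
    for s in stats.values():
        s["click_rate"] = s["clicked"] / s["sent"]
        s["self_reported_rate"] = s["says_clicked"] / s["sent"]
        s["aware_rate"] = s["aware"] / s["sent"]
    return dict(stats)


if __name__ == "__main__":
    for channel, s in summarise(LANDING_LOG, RECIPIENTS).items():
        print(f"{channel}: {s['clicked']}/{s['sent']} clicked, "
              f"{s['says_clicked']} admitted it, {s['aware']} rated themselves aware")
```

Deduplicating on the token rather than counting raw hits matters: one curious recipient reloading the page twice (token a1 above) is still one click, and the landing page never serves anything, so the log records behaviour without exposing anyone to content.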

Were the test subjects embarrassed? Did they deny having clicked through because they were chagrined when they realized how much damage it could have done to their computer security?

No, the researchers don’t think so. Rather, they think the discrepancy can be traced to the fact that the participants simply forgot that they’d clicked on the link after they did it.

A large majority of those who clicked on the link said that they did it out of curiosity: they wanted to see the photos, or they were curious to know who the sender was.

Some said they knew somebody by the same name as the sender or that they’d been to a party the previous week, attended by people they didn’t know.

Half of those who resisted clicking said that what kept them away was not recognizing the sender’s name.

Out of the non-clickers, 5% said they wanted to protect the sender’s privacy by not looking at photos that weren’t meant for them, Dr. Benenson said.

These are the conclusions she said could be drawn from the studies:

I think that, with careful planning and execution, anyone can be made to click on this type of link, even if it’s just out of curiosity. I don’t think 100% security is possible. Nevertheless, further research is required to develop ways of making users, such as employees in companies, more aware of such attacks.

She’s not alone in that belief: researchers recently determined that up to 87% of people ignore security warning popups.

Ignore, as in, scarcely any brain activity showed up when test subjects were measured via fMRI (functional magnetic resonance imaging) as security warnings interrupted them while they were trying to do other things, such as input their login or enter a validation code.

It’s not just security awareness that matters, obviously. There are other things, such as our own brains’ inability to do two things at once, that get in the way of security.

As the FAU experiment showed, plenty of subjects clicked on suspicious links even though they were aware of the risks.

You can tell people how risky it is to click on suspicious links until you’re blue in the face, but how do you get over the hurdle that nature has erected by making humans naturally curious?

That curiosity has put humans on the moon and brought about the eradication of smallpox.

Readers, how would you go about designing security training to take curiosity into account – the type of curiosity that leads to the far less noble ends of malware infection or identity theft?

Please share your thoughts in the comments section below.