Learning to Spot Phishing Emails
Wednesday, October 5, 2016 @ 12:10 PM gHale
Millions of phishing emails make it to your inbox, uncaught by your email client’s spam filter. Unfortunately, too many slide past our own judgment and end up clicked on and opened.
When that happens, game over.
“Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems,” said Casey Canfield, a researcher from Carnegie Mellon’s Department of Engineering and Public Policy regarding a study out of the CyLab Security and Privacy Institute.
In the study, Canfield and colleagues showed a set of participants information about phishing before asking them to evaluate 38 different emails, half of which were legitimate and half were phishing. For each email, participants answered questions about whether the email was phishing, what action they would perform, their confidence in their choices, and the perceived consequences of falling for the email if it was phishing.
On average, participants were only able to correctly identify just over half of the phishing emails presented to them. Participants displayed more caution when it came to their behavior: Roughly three-quarters of the phishing links were left un-clicked.
“Some users were able to identify a vast majority of the phishing emails, but only because they were biased to think everything was a phishing attack,” Canfield said. “So they didn’t necessarily have a high ability to tell the difference between phishing and legitimate emails.”
What’s more, participants’ confidence levels were not always calibrated with their ability.
“When making decisions about phishing emails, people were more cautious when they were unconfident and perceived very negative consequences of opening a phishing email,” Canfield said. “Unfortunately, they were often overconfident so they would still fall for phishing attacks.”
Based on the results, the authors of the study suggest interventions such as providing users with feedback on their abilities and emphasizing the consequences of phishing attacks. One effective training method that companies commonly use is sending out fake phishing emails and teaching a user about phishing emails if they open the email, Canfield said. This training method, called “embedded training,” was originally developed by the CyLab Usable Privacy and Security Lab.
“It seems like those trainings may not always be making people better at telling the difference, but it’s probably making them more cautious,” Canfield said. “Helping people tell the difference may not be as useful as just encouraging them to be more cautious.”
Click here to take the phishing email detection skill quiz.