A 15-month study of 14,773 people found that many could be tricked into clicking phishing emails but that crowdsourced reporting of phishing was one of the most effective ways of tackling the problem. The study was conducted by Daniele Lain, Kari Kostiainen and Srdjan Capkun of the Department of Computer Science at ETH Zurich, and they claim it is the largest study of its type with respect to both the duration of the experiment and the number of people involved. The researchers sent a series of eight different phishing messages to a subset of the 56,000 employees of a single company to see how they would respond and whether their actions would show any correlations to their personal details, their work situation, and any training or warnings they had received.
It is often said that anyone can fall for a phishing message, but that is not what was shown by this study. Just over two-thirds of the 14,773 subjects ignored all eight of the phishing messages sent by the researchers. That almost one-third clicked on at least one phishing message during the 15 months of research led the academics to conclude that many will eventually fall for a phishing message if they receive sufficiently many. No one can completely relax, because there is always the risk that a phishing message uses names and language that coincide with the real-life expectations of the recipient, causing them to drop their guard. However, the study showed that some people are significantly more likely to click on phishing messages than others. About 10 percent of the experimental subjects clicked on more than one phishing message, and one person clicked on six of them!
When we take the number of clicks into account, it is apparent that some people are significantly more likely to click on a phishing message. The risk factors to look for are as follows.
- Age. People under 20 years old are most likely to treat a phishing message like a real one.
- Computer skills. Lower skill means increased vulnerability.
- Computer use. Employees who routinely perform repetitive specialist tasks on computers are more likely to be fooled by a phishing message.
This study found no difference between response rates for men and women, which contradicts the findings of previous studies. Another interesting observation was that training did not improve choices made by those people who received it. However, applying simple warning messages to the top of email messages is effective, and they are as effective as more complicated warning messages.
Training may not have worked, but I would be tempted to conduct a similar study of staff and to use it to identify the 10 percent who repeatedly click on phishing messages so they can be given advice about how to behave when receiving an unfamiliar email. It might feel kinder to treat everyone the same, but if half of all the clicks on malware come from just 10 percent of the user base then it makes little sense to devote only 10 percent of resources to mitigating the risk those employees pose to the rest of the organization. If subsequent monitoring shows their choices do not improve then serious consideration should be given to limiting their access to communications systems and other systems so any mistakes they make will cause less harm.
Instead of focusing on the ‘repeated clickers’, the good news is that a large population of users can also be very effective at identifying phishing messages. This is what the researchers wrote about the reporting of phishing messages:
Our experiment shows that crowdsourced phishing detection enables organizations to detect a large number of previously unseen real phishing campaigns with a short delay from the start of the campaign. The processing pipeline that we developed as part of our experiment also shows that the operational load of phishing report processing can be kept small, even in large organizations. Our study also demonstrates that a sufficiently high number of employees report suspicious emails actively over long periods of time.
The reporting mechanism introduced by the study involved a simple button which was added to the Outlook client used by company employees. The new reporting button was advertised to all employees by a company newsletter which was circulated before the experiment began. A subset of the population was especially active in reporting phishing emails, and the reports from this group tended to be very accurate, with few false positive reports. Overall, two-thirds of all phishing reports identified genuine phishing messages or the messages created by the researchers. Many of the researchers' messages were reported within 5 minutes of their having been sent.
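As an added illustration of the report-processing idea described above (this is example code, not the study's or the company's own pipeline), the Python below takes a constructed set of reports from such a button, clusters them into campaigns by sender domain and normalized subject (an assumed heuristic), escalates a cluster only once two distinct employees have reported it, and records the delay from first delivery to escalation. Duplicate and single-reporter reports stay in a low-priority queue, which is what keeps the operational load small.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample reports from a "Report phishing" button. Each record carries
# the reporter, the reported message's sender and subject, the time the message
# was received (from the mail header) and the time of the report (all ISO 8601).
REPORTS = [
    ("u1", "it-support@mail-secure.example", "Password expires today", "2021-03-01T09:00:00", "2021-03-01T09:03:00"),
    ("u2", "it-support@mail-secure.example", "PASSWORD EXPIRES TODAY!", "2021-03-01T09:00:30", "2021-03-01T09:04:00"),
    ("u3", "newsletter@example.org", "March newsletter", "2021-03-01T09:10:00", "2021-03-01T09:12:00"),
    ("u1", "hr@payroll-update.example", "Updated payslip", "2021-03-02T14:00:00", "2021-03-02T14:02:00"),
    ("u4", "hr@payroll-update.example", "Re: Updated payslip", "2021-03-02T14:01:00", "2021-03-02T14:05:00"),
    ("u1", "hr@payroll-update.example", "Updated payslip", "2021-03-02T14:00:00", "2021-03-02T14:06:00"),  # duplicate
    ("u2", "hr@payroll-update.example", "Updated payslip", "2021-03-02T14:01:00", "2021-03-02T14:09:00"),
]

def campaign_key(sender, subject):
    """Assumed clustering heuristic: sender domain plus a normalized subject,
    so variants that differ only in case, punctuation or reply prefixes merge."""
    domain = sender.rsplit("@", 1)[-1].lower()
    words = [w for w in subject.lower().replace("!", "").split()
             if w not in ("re:", "fw:", "fwd:")]
    return (domain, " ".join(words))

def escalate(reports, min_reporters=2):
    """Replay reports in the order they arrived. A campaign is escalated to the
    security team the moment min_reporters distinct users have reported it.
    Returns {campaign_key: (distinct reporters at escalation, minutes from the
    earliest delivery seen so far to the escalating report)}."""
    seen = defaultdict(set)   # campaign -> distinct reporters
    first_seen = {}           # campaign -> earliest known delivery time
    out = {}
    for user, sender, subject, received, reported in sorted(reports, key=lambda r: r[4]):
        key = campaign_key(sender, subject)
        delivered = datetime.fromisoformat(received)
        first_seen[key] = min(first_seen.get(key, delivered), delivered)
        seen[key].add(user)   # a set, so repeat reports by one user do not count twice
        if key not in out and len(seen[key]) >= min_reporters:
            delay = datetime.fromisoformat(reported) - first_seen[key]
            out[key] = (len(seen[key]), delay.total_seconds() / 60)
    return out

if __name__ == "__main__":
    for (domain, subject), (n, minutes) in escalate(REPORTS).items():
        print(f"{domain}: '{subject}' reported by {n} users, "
              f"escalated {minutes:.0f} min after first delivery")
```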
The study was about phishing emails, but these findings suggest different ways of thinking about how to tackle the misuse of other communications channels too. Many people will fall for phishing messages but many other people are good at identifying them, and will do so diligently and rapidly. Giving users the tools to easily report phishing campaigns should prove to be at least as efficient as trying to create algorithms that identify dangerous messages. Using the two approaches in concert will lead to far better results overall.
You can read the full text of “Phishing in Organizations: Findings from a Large-Scale and Long-Term Study” by Daniele Lain, Kari Kostiainen and Srdjan Capkun if you click here.