Researchers have found that approximately half of all users will click on links sent to them from unknown senders despite knowing the risks of phishing and a malware infection.
Dr. Zinaida Benenson of the Computer Science department at the Friedrich-Alexander-Universität (FAU) Erlangen-Nürnberg led the experiment, for which she and her team sent scam email and Facebook messages to 1700 FAU students under a false name. The clickbait messages enticed each recipient to click on a URL that purportedly linked to a page hosting images of them at a party.
Whenever someone clicked on the link, they landed on a page displaying the message, "Access Denied." This allowed the research team to track the participants' click rate.
The experiment consisted of two separate studies. In the first study, the researchers addressed each student by their first name. They excluded the recipient's name in the second study, but they provided more detailed information about the fake party.
Overall, Dr. Benenson's team found that about half (56 percent of e-mail recipients and 38 percent of Facebook users) clicked on the link in the first study. Fewer e-mail recipients clicked on the link in the second study (only 20 percent), but an even greater percentage of those who received the link via Facebook (42 percent) fell for the scam.
Those results surprised Dr. Benenson. After the experiment concluded, she reached out to the 1700 students to explore their reasoning for their actions. Her questionnaire found that a majority of those who interacted with the clickbait knew the risks of doing so but went ahead and clicked anyway.
As she explains in a press release issued by FAU:
"The overall results surprised us as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links. And only 20 percent from the first study and 16 percent from the second study said that they had clicked on the link. However, when we evaluated the real clicks, we found that 45 and 25 percent respectively had clicked on the links."
Okay...accepting that some students didn't remember they clicked on the message, why did so many participants fall for the scam?
Most answered they were curious about the pictures. Others said the scam's scenario (a party) fit their recent activities.
And there you have it. Those responses illustrate why social engineering works. It's not about exploiting security vulnerabilities. It's about exploiting the human psyche, which includes playing to a user's curiosity and common habits, such as college students going to a party.
With that being said, Dr. Benenson thinks users will continue to fall for clickbait and other common types of scams. But she doesn't think we should give up there:
"I think that, with careful planning and execution, anyone can be made to click on this type of link, even if it's just out of curiosity. I don't think one hundred percent security is possible. Nevertheless, further research is required to develop ways of making users, such as employees in companies, more aware of such attacks."
Let's hope Dr. Benenson or some other team of researchers reaches a breakthrough soon.