Valimail Survey Finds Older Americans Better at Identifying Fake Emails - But Average Success Rates Very Low Among All Groups
SAN FRANCISCO, Nov. 2, 2018 - Valimail, the only FedRAMP-authorized provider of email authentication, released a new report indicating that the majority of Americans are unable to consistently differentiate fake email messages from legitimate ones.
Based on a survey of 1,079 U.S. adults conducted by Valimail, the report suggests that aside from a general inability to properly identify fraudulent emails, consumers tend to give the benefit of the doubt to emails that match their own political preferences. For example, only 36 percent of Democrats correctly identified a fake email from Senate candidate Beto O’Rourke, while only 20 percent of Republicans could spot a fraudulent campaign email from incumbent Texas Senator Ted Cruz. In both of these instances, the opposite party had more success at correctly identifying the fakes.
“The results of this survey confirm what nation-states and bad actors have known for years: that email is incredibly vulnerable to impersonation, and is therefore a prime channel for spreading misinformation, malware, and fraud,” said Alexander García-Tobar, CEO and co-founder of Valimail. “More concerning is the fact that consumers’ trust in their public leaders and political candidates can be so easily abused for financial or political gain, when the tools to combat these types of attacks are readily available.”
The survey provided participants with screenshots of 11 emails. Five were authentic messages that had been distributed during the previous weeks and six were fakes — either actual fake messages found in the wild, or images that were based on real emails, but which Valimail had doctored using common techniques utilized by email fraudsters. Eight of the 11 were political in nature, with two authentic and two fake emails each from both major political parties.
Other key findings of the report include:
- On average, respondents correctly identified 4.98 messages (out of 11), or a little less than half.
- Only 31 percent of respondents had received anti-phishing training at any point. There is virtually no difference between the scores of those who received training vs. those who didn’t (4.98 vs. 4.97).
- Older age groups tended to score better, with those 75 or older registering the highest scores overall. However, the 18-24 age group scored better than the 45-54 age group. No age group correctly identified more than half of the emails.
- Only one person answered every question correctly. No person scored fewer than four correct.
Respondents were also asked to share the methods they typically use to identify phishing emails. The vast majority of people (910) responding to the survey wrote that they look for suspicious requests in the email text, followed by poor spelling or grammar (798) and checking the “From” field (724). These methods cannot be considered reliable indicators, as they are all susceptible to deception.
The report also includes quotes from some of the survey takers about their experiences with actual phishing scams, indicating that the problem is real — and is ongoing. “I've seen plenty of them [phishing emails],” wrote one respondent. “The worst are the ones that purport to be from your bank. They have to really be studied.” Another respondent said simply: “My grandma lost hundreds to a phishing scam. It's heartbreaking.”
The full results of the survey can be found here.