Today Valimail released the results of a survey we conducted to test Americans’ ability to distinguish fake campaign emails from authentic ones.
Out of 1,079 respondents, the average number of correct responses was 4.98 out of 11, or slightly under 50 percent. In other words: When it comes to distinguishing real emails from fake ones, we’re not doing so hot.
How We Did The Test
Using SurveyMonkey, we provided participants with screenshots of 11 emails. For each one, we asked respondents to tell us whether they thought it was real, fake, or they couldn’t tell.
Five were authentic messages that political campaigns had actually sent during the preceding weeks. Six were fakes — either actual fake messages found in the wild, or messages based on real emails that we had doctored using techniques commonly employed by email fraudsters.
Eight of the 11 were political in nature, with two authentic and two fake emails each from both major political parties.
What We Found
Overall, people are not very good at identifying fake emails: the average success rate was under 50 percent (4.98 correct answers out of 11, roughly 45 percent).
That’s not surprising, though, and it’s not necessarily cause for making people feel bad. It’s difficult to ascertain the legitimacy of an email just by looking at a screenshot. (Though we did include some obvious “tells” in the manufactured fakes, which anyone taking the survey could have spotted if they looked carefully.)
In a “live” situation, recipients would also be able to inspect the message headers, mouse over links to see whether they point to suspicious-looking URLs, or start composing a reply to see whether the reply recipient (the Reply-To address) differs from the apparent From address.
However, it’s worth noting that these tests aren’t reliable, either. All of these checks can be defeated by garden-variety deceptions used in real phishing attacks: spoofing of the From field, lookalike domains that use Unicode characters to appear identical to the real domain, and so on.
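The two manual checks described above, a Reply-To domain that differs from the From domain and a link whose host is a Unicode lookalike, can be automated. This is an added Python example, not code from the Valimail post; the two messages and the small confusable-character table are constructed, and the trusted domain is assumed to be example.org.

```python
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Constructed samples, not messages from the survey. SUSPECT mimics a doctored
# campaign mail: Reply-To points elsewhere and the link host uses Cyrillic U+0430.
SUSPECT = ('From: "Campaign HQ" <info@example.org>\n'
           "Reply-To: donations@example-secure.net\n"
           "Subject: Urgent: confirm your contribution\n\n"
           "Confirm at https://ex\u0430mple.org/donate before midnight.\n")
LEGIT = ('From: "Campaign HQ" <info@example.org>\n'
         "Subject: This week's update\n\n"
         "Read more at https://example.org/news\n")

# A few Cyrillic letters that render like Latin ones (assumed, partial table;
# Unicode's confusables.txt is the authoritative list).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def domain_of(header_value):
    """Lowercased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def skeleton(host):
    """Fold a hostname to the Latin string a reader would perceive on screen."""
    folded = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def punycode(host):
    """What a client that refuses to display Unicode hostnames would show."""
    return host.encode("idna").decode("ascii")

def lookalike_hosts(body, trusted):
    """Link hosts that look exactly like `trusted` but are different strings."""
    hosts = re.findall(r"https?://([^/\s]+)", body)
    return [h for h in hosts if h != trusted and skeleton(h) == trusted]

def analyze(raw, trusted):
    """Run the From/Reply-To and link-hover checks against one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"]) or from_domain
    return {"from_domain": from_domain,
            "reply_to_mismatch": reply_domain != from_domain,
            "lookalike_hosts": lookalike_hosts(msg.get_payload(), trusted)}
```

The skeleton comparison is what makes the lookalike detectable at all: by eye the two hostnames are identical, which is exactly the weakness the paragraph describes.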
One surprise: In general, the older people are, the better they are at distinguishing fake vs. real emails. Maybe experience does count for something!
Danger to Democracy?
More troubling, we found a strong suggestion that people are easier to fool if messages appear to come from political parties they’re sympathetic to.
For example, we simulated fake messages from two candidates for U.S. Senate in Texas: Beto O’Rourke, a Democrat, and Ted Cruz, a Republican. Our test also included real examples of emails from each campaign.
- On the fake O’Rourke screenshot, Democrats (0.36) were worse than the average of 0.43 at identifying it as a fake, while Republicans (0.50) were better than average.
- On the authentic O’Rourke email, Democrats (0.43) scored above the average of 0.40, while Republicans scored slightly below (0.38).
Meanwhile, for Cruz emails, the situation was reversed.
- On the authentic Cruz email screenshot, Democrats’ success rates aligned with the overall average (0.38), but Republicans were much better at correctly identifying it as a legitimate email (0.49).
- On the fraudulent Cruz screenshot, Democrats performed better than average (0.27 vs. the 0.25 average), but Republicans did worse (0.20).
The survey also showed that on average, Republicans were slightly better at identifying emails correctly (5.18 out of 11 correct) than Democrats (5.02 out of 11), and that unaffiliated people (4.93) and independents (4.79) did even worse. These are slight differences, however, and this is not a formal, scientific survey. More research would be needed to determine if these differences are statistically significant.
Summary and Solutions
Most Americans are unable to reliably tell the difference between fake and real emails. Fraudsters and hackers target email because it is particularly vulnerable to fraud: Fraudulent emails can be made to look and feel exactly like real email.
A key component of the problem is that email programs were built without requiring sender authentication. As a result, cybercriminals have been able to exploit email for monetary extortion, blackmail, and breaking into networks to compromise systems. In recent years, email fraud has been used to subvert political discourse and even to attempt to hack the electoral system.
Indeed, it is quite easy to send messages that look like they’re from elected officials or political campaigns, as several samples used in this report demonstrate.
Solving this problem will require a concerted effort by political campaigns — and others — to deploy email authentication, so legitimate messages from a campaign get delivered and all unauthorized spoofs never even reach citizens’ inboxes.
Also, for full protection, email authentication should be used with other, complementary forms of email security such as spam filters and secure email gateways. Together, these technologies provide a layered defense for domain owners, enabling them to protect their domains, their brands, and their political integrity.
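The post does not name a specific authentication mechanism. The added example below (not the post's or Valimail's code) assumes DMARC, which ties SPF and DKIM results to the visible From domain, and shows why the policy a domain owner publishes decides whether an unauthenticated spoof is blocked or merely reported. The DNS record, From header and Authentication-Results headers are constructed.

```python
import re
from email.utils import parseaddr

# Constructed inputs, not from the post: DMARC TXT records as they would be
# published at _dmarc.example.org, and Authentication-Results headers that a
# receiving server stamps on a message after checking SPF and DKIM.
DMARC_REJECT = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-rua@example.org"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.org"
AUTH_LEGIT = ("mx.example.net; spf=pass smtp.mailfrom=bounce.example.org; "
              "dkim=pass header.d=example.org")
AUTH_SPOOF = "mx.example.net; spf=pass smtp.mailfrom=newsletter-example.net; dkim=none"
FROM_HEADER = "Campaign HQ <info@example.org>"

def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict of lowercased tags."""
    return {k.strip().lower(): v.strip()
            for k, v in (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}

def org_domain(domain):
    """Simplified organizational domain (last two labels); real DMARC
    implementations consult the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed only
    the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_header, auth_results, record):
    """Return (dmarc_pass, disposition) for one message under one policy."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    tags = parse_dmarc(record)
    spf = re.search(r"spf=(\w+) smtp\.mailfrom=([^;\s]+)", auth_results)
    dkim = re.search(r"dkim=(\w+)(?: header\.d=([^;\s]+))?", auth_results)
    spf_ok = bool(spf and spf.group(1) == "pass" and aligned(
        spf.group(2).rpartition("@")[2], from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim and dkim.group(1) == "pass" and dkim.group(2) and aligned(
        dkim.group(2), from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return True, "deliver"
    # An unauthenticated spoof is only blocked when the published policy asks for it.
    return False, {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p"), "deliver")
```

Note that the spoof passes SPF for its own sending domain; it fails only because that domain is not aligned with the From domain the recipient sees, and under p=none it is still delivered.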
Download the full report to learn how easy it is to fool people with fake campaign emails.
And if you want to see whether your own domain can be spoofed, use our free, instant domain checker.