All too often, companies respond to the threat of phishing attacks by punishing the employees who fell for them and by promising to educate their staff better. That’s missing the point, as recent research out of Germany proves. It turns out that even sophisticated users are remarkably easy to trick into clicking on URLs in email and Facebook messages.
In the study, researchers sent simulated spear phishing messages from fake accounts to 1,700 university students. What they found is that if email messages addressed the recipients by name, there was a 56% chance that the recipient would click on the link. It helped that there was an enticing promise behind the link: The phishing emails promised to show pictures from a New Year’s Eve party that had happened just the week before.
Researchers were surprised at that high rate of click-through, especially since 78% of the students had told them in a survey that they were aware of the dangers of clicking on unknown links.
The study is a mini-illustration of how to design an effective spear-phishing email: use a common name for the fake account it comes from, address the recipient by name, and promise something timely that appeals to the recipient’s curiosity or voyeurism.
But it also illustrates that training alone is ineffective in stopping phishing emails. The students were aware of the risks, and they still clicked on the links.
The problem is that many email messages don’t carry enough intrinsic information to allow even sophisticated users to distinguish legitimate from illegitimate emails.
Email authentication can help, by indicating whether the sender really does have the right to use the email address shown in the “From” field. That’s why it’s such a good step forward that Gmail recently started flagging messages that fail authentication with a question mark in place of the usual avatar.
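As an added illustration of the check a receiving mail system makes before flagging a message (example code written for this post, not Gmail’s implementation), the function below reads the Authentication-Results header a mail server stamps on an incoming message and asks whether SPF or DKIM passed for the same domain that appears in the visible “From” address. The two sample messages, the domain names, and the party-photo subject are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the post): same visible From, two different
# Authentication-Results headers as a receiving mail server would stamp them.
FROM_AND_BODY = (b'From: "Alex Schmidt" <alex.schmidt@uni-example.test>\n'
                 b"Subject: Pictures from the New Year's Eve party\n\n"
                 b"Photos here: http://photos.example.invalid/nye\n")
# SPF and DKIM pass, but for a domain that is not the one shown in From.
RAW_SPOOFED = (b"Authentication-Results: mx.example.net;\n"
               b" spf=pass smtp.mailfrom=bounce@mailer-example.test;\n"
               b" dkim=pass header.d=mailer-example.test\n" + FROM_AND_BODY)
# SPF and DKIM pass for the From domain itself: sender may use that address.
RAW_AUTHENTIC = (b"Authentication-Results: mx.example.net;\n"
                 b" spf=pass smtp.mailfrom=uni-example.test;\n"
                 b" dkim=pass header.d=uni-example.test\n" + FROM_AND_BODY)

def parse_auth_results(value):
    """Map method -> (result, authenticated domain) from Authentication-Results."""
    results = {}
    for clause in str(value).split(";")[1:]:  # clause 0 is the authserv-id
        parts = clause.split()
        if not parts or "=" not in parts[0]:
            continue
        method, result = parts[0].split("=", 1)
        domain = None
        for prop in parts[1:]:
            key, _, val = prop.partition("=")
            if key in ("smtp.mailfrom", "header.d"):
                domain = val.lower().rsplit("@", 1)[-1]  # keep the domain part only
        results[method.lower()] = (result.lower(), domain)
    return results

def is_authenticated(raw_message):
    """True when SPF or DKIM passed for exactly the domain in the visible From.

    Exact-match ("strict") alignment; DMARC's relaxed mode also accepts
    subdomains of the same organizational domain, which needs a public-suffix list.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    return any(res == "pass" and dom == from_domain
               for res, dom in (auth.get(m, ("none", None)) for m in ("spf", "dkim")))
```

A message that returns False here is the kind Gmail marks with the question mark: nothing verified that the sender may use the address the user sees.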
If you combine signals like Gmail’s with user education, you’ll be much more effective at keeping users from clicking on bad links. But education alone is not going to cut it. Especially when New Year’s Eve party photos are involved.