More than 50 percent of people will click on an unknown link out of curiosity in a trend that could be exposing millions to hackers.
The initial results are from a study by the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr. Zinaida Benenson. The results were released at the Black Hat conference last month.
The experiment entailed two studies in which the researchers sent fake messages, under false names, to about 1,700 FAU students, either via email or Facebook.
They signed the messages with one of 10 of the most common names for the target group’s generation.
Both the email and the Facebook messages included a link and text that claimed it was for a page with images of a party the previous weekend.
Those test subjects who clicked on the link were taken to a page that displayed the message “access denied” and enabled the researchers to measure the rates at which the targets clicked through.
Then, they sent a questionnaire to the test subjects. It did three things:
- Asked them to rate their own awareness of security.
- Explained the experiment.
- Asked them why they did or didn’t click on the link.
In that first study, the researchers had addressed the test subjects by their first names.
In their next study, the researchers didn’t address the targets by their first names, but they did feed them more specific information about the party where the photos were supposedly taken: a New Year’s Eve party the week before, the fake messages claimed.
The researchers filled in the Facebook profiles with public timelines and photos. They also created less public profiles without photos and only a minimum of information.
The results of the two studies:
- In the first study, which addressed the targets by their first names, 56% of the email recipients and 38% of the Facebook message recipients clicked on the links.
- In the second study, where the first names were dropped but the specificity of the phishing message upped the curiosity factor, only 20% of email recipients clicked through, while the percentage of Facebook users who clicked went up to 42%.
When asked why they clicked on the link, the large majority of participants said that it was due to curiosity about the content of the photos or the identity of the sender. Other users said that they knew someone with the sender's name or had been to a party the previous week where there were people they did not know.
"Conversely, one in two of the people who did not click on the link said that the reason for this was that they did not recognise the sender's name. Five percent stated that they wanted to protect the sender's privacy by not looking at photos that were not meant for them," Dr. Benenson said. "I think that, with careful planning and execution, anyone can be made to click on this type of link, even if it's just out of curiosity. I don't think one hundred percent security is possible. Nevertheless, further research is required to develop ways of making users, such as employees in companies, more aware of such attacks."