Our ability to spot phishing e-mails is far from perfect

Published 7 October 2016

Each year, tens of millions of phishing e-mails make it to your inbox, uncaught by your e-mail client’s spam filter. Of those, millions more slide past our own judgment and are clicked and opened. A recent study out of Carnegie Mellon’s CyLab Security and Privacy Institute has revealed just how likely we are to take the bait.

“Despite the fact that people were generally cautious, their ability to detect phishing e-mails was poor enough to jeopardize computer systems,” says Casey Canfield, a CyLab researcher from Carnegie Mellon’s Department of Engineering and Public Policy.

Canfield’s study was recently published in the journal Human Factors. Those interested can test their own phishing e-mail detection skills in our brief online quiz.

CyLab reports that in the study, Canfield and her colleagues showed a set of participants information about phishing before asking them to evaluate thirty-eight different e-mails, half of which were legitimate and half were phishing. For each e-mail, participants answered questions about whether the e-mail was phishing, what action they would perform, their confidence in their choices, and the perceived consequences of falling for the e-mail if it was phishing.

On average, participants correctly identified just over half of the phishing e-mails presented to them. Their behavior was somewhat more cautious than their judgments: roughly three-quarters of the phishing links were left unclicked.

“Some users were able to identify a vast majority of the phishing e-mails, but only because they were biased to think everything was a phishing attack,” Canfield says. “So they didn’t necessarily have a high ability to tell the difference between phishing and legitimate e-mails.”

What is more, participants' confidence was not always calibrated to their actual ability.

“When making decisions about phishing e-mails, people were more cautious when they were unconfident and perceived very negative consequences of opening a phishing e-mail,” Canfield says. “Unfortunately, they were often overconfident so they would still fall for phishing attacks.”
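The two findings above (a participant who flags almost everything scores well on detection rate without being better at telling phishing from legitimate mail, and confidence that runs ahead of accuracy) are easiest to see with numbers. The added example below, which is not the study's data or code, applies the standard signal-detection quantities, sensitivity d' (discrimination ability) and criterion c (bias toward calling an e-mail phishing), to two hypothetical participants judging a 38-e-mail set split evenly between phishing and legitimate mail like the study's, and then measures overconfidence as mean stated confidence minus accuracy. All responses and confidence ratings are constructed for illustration; the log-linear rate correction is the usual way to keep hit and false-alarm rates of exactly 0 or 1 from producing infinite quantiles.

```python
"""Added example (not from the study): separating detection ability from
response bias with signal detection theory, plus a confidence-calibration
check, on constructed phishing-quiz responses."""
from statistics import NormalDist, mean

_Z = NormalDist().inv_cdf  # standard normal quantile function


def _corrected_rate(count, total):
    """Log-linear correction keeps rates strictly inside (0, 1) so the quantile is finite."""
    return (count + 0.5) / (total + 1)


def sdt_metrics(responses):
    """responses: iterable of (is_phish, flagged_as_phish) booleans.

    Returns hit rate, false-alarm rate, sensitivity d' (how well phishing is
    told apart from legitimate mail) and criterion c (bias; negative means the
    participant leans toward calling everything phishing).
    """
    phish = [flagged for is_phish, flagged in responses if is_phish]
    legit = [flagged for is_phish, flagged in responses if not is_phish]
    hit_rate = _corrected_rate(sum(phish), len(phish))
    fa_rate = _corrected_rate(sum(legit), len(legit))
    z_hit, z_fa = _Z(hit_rate), _Z(fa_rate)
    return {
        "hit_rate": hit_rate,
        "false_alarm_rate": fa_rate,
        "d_prime": z_hit - z_fa,
        "criterion": -(z_hit + z_fa) / 2,
    }


def calibration(confidence_and_correct):
    """(confidence in [0, 1], was_correct) pairs -> accuracy, mean confidence,
    and overconfidence (mean confidence minus accuracy; positive = overconfident)."""
    accuracy = mean(1.0 if ok else 0.0 for _, ok in confidence_and_correct)
    confidence = mean(c for c, _ in confidence_and_correct)
    return {"accuracy": accuracy, "mean_confidence": confidence,
            "overconfidence": confidence - accuracy}


def constructed_responses(n_phish, n_legit, phish_flagged, legit_flagged):
    """Constructed quiz outcome (hypothetical, not study data): the first
    `phish_flagged` phishing e-mails and the first `legit_flagged` legitimate
    e-mails are judged to be phishing."""
    return ([(True, i < phish_flagged) for i in range(n_phish)]
            + [(False, i < legit_flagged) for i in range(n_legit)])


# Two hypothetical participants on a 38-e-mail set (19 phishing, 19 legitimate).
SUSPICIOUS = constructed_responses(19, 19, phish_flagged=19, legit_flagged=17)  # flags nearly all
DISCRIMINATING = constructed_responses(19, 19, phish_flagged=13, legit_flagged=3)

# Hypothetical confidence ratings: 0.9 on every item, but only 6 of 10 judgments correct.
OVERCONFIDENT = [(0.9, ok) for ok in [True] * 6 + [False] * 4]


def compare():
    """SDT metrics for both constructed participants, keyed by name."""
    return {"suspicious": sdt_metrics(SUSPICIOUS),
            "discriminating": sdt_metrics(DISCRIMINATING)}


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name:14s} hit={m['hit_rate']:.2f} fa={m['false_alarm_rate']:.2f} "
              f"d'={m['d_prime']:.2f} c={m['criterion']:.2f}")
    print(calibration(OVERCONFIDENT))
```

The "suspicious" participant catches every phishing e-mail (hit rate near 1.0) yet has the lower d', because the false-alarm rate is almost as high; the strongly negative criterion is what the article describes as being biased to think everything is a phishing attack. The "discriminating" participant misses some phish but separates the two classes better. For the calibration check, a stated confidence of 0.9 against an accuracy of 0.6 gives an overconfidence of 0.3, the pattern the article warns still leads to clicks.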

Based on the results, the study's authors suggest interventions such as giving users feedback on their abilities and emphasizing the consequences of phishing attacks. One effective training method that companies commonly use, Canfield explains, is sending employees simulated phishing e-mails and presenting a short lesson about phishing to anyone who opens one. This method, called "embedded training," was originally developed by CyLab's Usable Privacy and Security Lab.

“It seems like those trainings may not always be making people better at telling the difference, but it’s probably making them more cautious,” Canfield says. “Helping people tell the difference may not be as useful as just encouraging them to be more cautious.”

— Read more in Casey Inez Canfield et al., "Quantifying Phishing Susceptibility for Detection and Behavior Decisions," Human Factors (25 August 2016) (doi: 10.1177/0018720816665025)