Stressed for a Bit? Then Don’t Click It, Cybersecurity Experts Advise

As far as phishes go, this was a fancy phish. There was no mention of a large sum of money from an African prince, for example, and there were no outright spelling mistakes or gross grammatical errors.

“These were well-crafted emails deliberately designed to trick people and tailored to the organization,” said Jessica Baweja, a psychologist and an author of the study. “It was much harder to detect than the average phish.”

Each participant received one of four different versions of a message about an alleged new dress code to be implemented at their organization. The team tested three common phishing tactics separately and together. Here’s what they found:

·  Urgency. 49 percent of recipients clicked on the links. Sample text: “This policy will go into effect 3 days from the receipt of this notice…acknowledge the changes immediately.”

·  Threat. 47 percent clicked. Sample text: “…comply with this change in dress code or you may be subject to disciplinary action.”

·  Authority. 38 percent clicked. Sample text: “Per the Office of General Counsel…”

·  All three tactics together: 31 percent clicked.

While the team had expected that more tactics used together would result in more people clicking on the message, that wasn’t the case.

“It’s possible that the more tactics that were used, the more obvious it was a phishing message,” said author Dustin Arendt, a data scientist. “The tactics must be compelling, but there’s a middle ground. If too many tactics are used, it may be obvious that you’re being manipulated.”

In day-to-day operations, PNNL periodically tests its staff with simulated phishing emails. Typically only around 1 percent of recipients click. Far more employees spot the phish early and report it, providing crowd-sourced alerting to the Laboratory’s cybersecurity experts, said Joseph Higbee, PNNL’s chief information security officer. When a real phishing email is detected, the Laboratory immediately purges every copy of it from its mail system, and the details are frequently shared with other DOE laboratories.
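The three cue types from the study (urgency, threat, authority) can be turned into a small triage heuristic for a user-reported phishing queue like the one just described. The block below is an added example, not code from the PNNL study or the Laboratory; the cue phrase lists are assumptions chosen to illustrate the idea, and the sample messages are constructed here, modeled on the snippets quoted above. It flags which tactics a message uses rather than predicting click rate, since the study found that piling on tactics did not raise clicks.

```python
import re

# Hypothetical cue lexicons for the three tactics the study tested. These
# patterns are an added illustration, not the wording or method used by the
# PNNL researchers; a production list would be tuned to the organization.
TACTIC_CUES = {
    "urgency": [
        r"\bimmediately\b",
        r"\bright away\b",
        r"\burgent(?:ly)?\b",
        r"\bwithin \d+ (?:hours?|days?)\b",
        r"\b\d+ (?:hours?|days?) from\b",
        r"\bas soon as possible\b",
    ],
    "threat": [
        r"\bdisciplinary action\b",
        r"\bor you may be subject to\b",
        r"\bfailure to comply\b",
        r"\bsuspend(?:ed|sion)\b",
        r"\bterminat(?:ed|ion)\b",
        r"\baccount will be (?:locked|closed)\b",
    ],
    "authority": [
        r"\bper the\b",
        r"\boffice of general counsel\b",
        r"\bhuman resources\b",
        r"\bon behalf of the (?:ceo|director|board)\b",
        r"\bmandated by\b",
    ],
}

COMPILED = {
    tactic: [re.compile(p, re.IGNORECASE) for p in patterns]
    for tactic, patterns in TACTIC_CUES.items()
}


def find_cues(body: str) -> dict[str, list[str]]:
    """Return, for each tactic, the cue phrases matched in the message body.

    Tactics with no matches are omitted, so the keys double as a presence set.
    Line breaks and runs of whitespace are collapsed first so that a phrase
    split across lines in the raw email still matches.
    """
    text = " ".join(body.split())
    hits: dict[str, list[str]] = {}
    for tactic, patterns in COMPILED.items():
        found = [m.group(0) for p in patterns for m in p.finditer(text)]
        if found:
            hits[tactic] = found
    return hits


def tactics_present(body: str) -> set[str]:
    return set(find_cues(body))


def triage(body: str) -> str:
    """Map cue hits to a bucket for the user-reported phish queue.

    Any manipulation tactic is enough to escalate. The count is deliberately
    not used as a severity score: the study saw fewer clicks on the combined
    variant (31%) than on urgency alone (49%), so more cues do not mean a
    more dangerous message, only a more recognizable one.
    """
    tactics = tactics_present(body)
    if not tactics:
        return "no-tactic-cues"
    if len(tactics) == 1:
        return "escalate-single-tactic"
    return "escalate-multi-tactic"


# Constructed sample messages, modeled on the study's quoted snippets.
SAMPLE_MESSAGES = {
    "urgency": (
        "Subject: Updated dress code policy\n\n"
        "This policy will go into effect 3 days from the receipt of this notice. "
        "Please review the attached document and acknowledge the changes immediately."
    ),
    "threat": (
        "Subject: Updated dress code policy\n\n"
        "All staff are expected to comply with this change in dress code "
        "or you may be subject to disciplinary action."
    ),
    "authority": (
        "Subject: Updated dress code policy\n\n"
        "Per the Office of General Counsel, the attached dress code applies to all employees."
    ),
    "combined": (
        "Subject: Updated dress code policy\n\n"
        "Per the Office of General Counsel, this policy will go into effect 3 days "
        "from the receipt of this notice. Acknowledge the changes immediately, "
        "or you may be subject to disciplinary action."
    ),
    "benign": (
        "Subject: Thursday lunch\n\n"
        "The cafeteria will serve tacos on Thursday. Stop by if you are free."
    ),
}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:>9}: {triage(body):<24} {find_cues(body)}")
```

Run as a script it prints one line per sample with its bucket and the matched phrases. In a real queue the body would come from the reported message (after stripping HTML), and the bucket would feed the same purge-all-copies workflow the article describes; the heuristic only helps order the analyst's work, it does not replace the human report.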

Human-Machine Teaming to Reduce Cybersecurity Risk
How can companies and employees use this data to reduce the risk?

“One option is to help people recognize when they are feeling distressed,” said Fallon, “so they can be extra aware and cautious when they’re especially vulnerable.”

In the future, one option might be human-machine teaming. If an algorithm noted a change in a work pattern that might indicate fatigue or inattention, a smart machine assistant could suggest a break from email. Automated alerts of this kind are already common elsewhere: when a driver drifts unexpectedly, the car issues a fatigue warning. The researchers noted that the potential benefits of input from a machine assistant would need to be weighed against employee privacy concerns.

“It can be hard to see email as a threat,” said Baweja. “Our ancient brains aren’t wired to equate email with scary things. You’re working through emails all day and it’s routine; there’s little reason to think they could harm you or our organization.

“Organizations need to be thinking about how to encourage people to make good choices. People overestimate their ability to detect phishing emails,” she added.

PNNL researchers are continuing the work, but with a twist. Instead of asking what makes people more vulnerable to phishing, they will conduct a small study of people who resisted the bait, to learn more about their traits and state of mind as they monitor their email.

Tom Rickey is Senior Science Writer at PNNL. The article was originally posted to the website of the Pacific Northwest National Laboratory (PNNL).