Recently, Zinaida Benenson, Freya Gassmann, and Robert Landwirth of Friedrich-Alexander-Universität Erlangen-Nürnberg, Germany and Universität des Saarlandes, Germany, respectively, conducted research on why individuals click on a spear phishing message. Their findings were both surprising and interesting.

They conducted an experiment testing whether a person will click on a link in an email or in a Facebook message. The experiment was set up as follows: “In a nutshell, we conducted a field experiment where we sent to the participants an email or a personal Facebook message with a link from a non-existing person, claiming that the link leads to the pictures from a party. When clicked, the corresponding webpage showed the “access denied” message. We registered the click rates, and later sent to the participants a questionnaire that asked about the reasons for their clicking behavior.” These were very interesting groups to target, as the message was vague enough to still draw enough interest to get people to click and see.

The group recruited for the experiment was as follows: “We recruited 280 Facebook users (80 male, 200 female) and 975 email users (265 male, 710 female). Groups have a comparable gender structure with 27% and 29% of male participants, respectively. Other demographic characteristics of participants were not collected at the time of recruitment, but later during the survey. Therefore, these characteristics are only known for the survey participants.” “The participants for the email-based study were recruited using the internal student mailing list of our university, whereas the participants for the Facebook based study were recruited via the Facebook student groups of several German universities.” The study seemed to focus on people around the ages of 18-23.

The results for clicking on the link were as follows: “The most frequent reason was Curiosity. The second place was taken by the explanations that the message fits the Context. Some participants clicked in the course of an Investigation. Participants also expressed trust into some technical measures. Eight participants said that they were anxious that a stranger might actually have pictures of them.” This shows that curiosity, the feeling of not knowing, is a strong driving force that leads people to click on links in emails and messages despite possibly feeling that the link could be malicious in nature.

The results for not clicking on the link were as follows: “The most prominent reason for not clicking was the Unknown sender name. Many participants indicated that they suspected the link to contain malware or be fraudulent. Some people reasoned that the context of the message reception did not fit. Almost 10% of users said that they acted according to a specific rule of conduct. Respecting Privacy of other people.” This shows that most people who do not know the sender will simply not click the link, regardless of the context of the message.

In the end, this study shows that people are still the greatest weakness when it comes to malicious actors gaining access to your organization’s network and systems. There are many reasons why a person will or will not click on a link in a message, but one thing is certain: it will eventually happen. The key for any organization is to make sure it happens less frequently, and to make sure the impact is minimized and quickly discovered. There are many measures that can be put in place to mitigate your organization’s exposure, such as:

  • Having a multi-factor authentication system in place
  • Having an IAM system in place
  • Education and training for employees

To read the full Unpacking Spear Phishing Susceptibility report, click here.

