Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3 Signs You're Phishing Bait

Beware, introverts and overconfident people. Phishers love to fool you, email security researchers say.

10 Top Password Managers
10 Top Password Managers
(click image for slideshow)
Are you overconfident, introverted or female? Then you might be more susceptible to phishing attacks, in which emails with malicious links or attachments are disguised to make them appear to be legitimate.

Those findings come from "Keeping Up With the Joneses: Assessing Phishing Susceptibility in an E-mail Task," a research paper that's due to be presented at the International Human Factors and Ergonomics Society Annual Meeting next month. The study, which was authored by five researchers at North Carolina State University (NC State), is part of a phishing-defense research project funded by the National Security Agency.

For the study, the NC State researchers combined personality assessments with tests of students' ability to correctly classify emails as being legitimate or suspicious in targeting for deletion. They also assessed people's ability to mark as "important" emails that required responses or follow-on actions.

[ Are you scam savvy? Protect yourself: How To Spot A Facebook Scam. ]

"The results showed a disconnect between confidence and actual skill, as the majority of participants were not only susceptible to attacks but also overconfident in their ability to protect themselves," said Kyung Wha Hong, the lead author of the paper, in a statement. Notably, 89% of the study participants said they were skilled at recognizing malicious emails, but researchers saw 92% of participants misclassify at least some phishing emails. Furthermore, 52% of participants misclassified over half of the phishing emails, and half of participants deleted at least one legitimate email, believing it to be malicious. All told, only 2% of participants managed to not mishandle either phishing or legitimate communications.

Thus the "Joneses" research paper's conclusion: "gender, dispositional trust, and personality appear to be associated with the ability to correctly categorize emails as either legitimate or phishing."

Paper co-author Christopher B. Mayhorn, an NC State psychology professor, said the dispositional trust finding -- which refers to people's self-assessment of their own expertise -- wasn't a surprise, but that the personality results were. He said the verdict's still out on whether women are more likely phishing victims than men, owing to the groups of students involved having hailed only from the university's psychology and computer science (CS) departments.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/14/2013 | 8:10:54 PM
re: 3 Signs You're Phishing Bait
I know an older woman who fell for a phishing scheme and got money taken from a bank account. I had wondered who fell for such things...

A nice lady and more, I think, naive than overconfident. This was several years ago, and I'd say the phishing attempts I've received have gotten MUCH more sophisticated since then. (Her identity also was stolen for a Twitter account recently, but that's another story.)

Jim Donahue
Managing Editor
InformationWeek
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
8/14/2013 | 9:12:18 PM
re: 3 Signs You're Phishing Bait
I wonder how many man hours we all put in advising family members about phishes. I know some of them look quite convincing to my parents, who are not introverted or overconfident. Age surely factored into this study as well.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
8/16/2013 | 1:31:56 PM
re: 3 Signs You're Phishing Bait
Do the researchers plan to do a follow up study with a broader pool of people?
D. Henschen
50%
50%
D. Henschen,
User Rank: Apprentice
8/16/2013 | 2:59:20 PM
re: 3 Signs You're Phishing Bait
I have developed special methodologies for automatically detecting pfishing attempts and am launching a company that is sure to make millions of dollars as a cloud service. I have several investors lined up, but we need a bit more venture capital to complete development. An investment of just $10,000 will secure you a 51% stake in the company and a guaranteed profit stream of hundreds of thousands of dollars per year. If you would just respond with your name and social security number...
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/21/2013 | 3:17:42 PM
re: 3 Signs You're Phishing Bait
David, the answer is yes. So far, they're planning follow-on studies with professionals, and have preliminary (though as yet unanalyzed) data from a government agency.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVE-2020-26159
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
CVE-2020-6654
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.