Security awareness training or no, users will keep clicking on dodgy links
There is no way to make humans never click on potentially dangerous links they receive, as the right combination of curiosity, context, and emotions will always beat security awareness training, says Zinaida Benenson, researcher and associate professor at the University of Erlangen-Nuremberg.
In fact, security awareness training that includes the sending of fake spear phishing emails can negatively influence user effectiveness, as well as social relationships within the organization (if the emails are sent from an address that’s made to look like it came from a colleague).
Employees become more suspicious and mistrustful, and that’s not conducive to good work. Normal people cannot function well in a “James Bond mode,” notes Benenson.
At Black Hat USA 2016, she presented the results of two tests that she and her colleagues performed on 1600 university students, which involved sending them an email or a Facebook message with a link from a non-existing person, claiming that the link leads to the pictures from a party last week:
In the first study, the message addressed to the recipient by a (random) name, and the photos were from last week’s party. In the second, the name was omitted, and the photos were from New Year’s party.
Later, they were asked why they clicked or didn’t click on the link, and they gave different combinations of reasons.
34% followed the link because they were curious, 27% because the content of the message fit their New Year party (the context was right). 17% were unsure, but still curious and decided to investigate, and 16% thought they recognized the sender. 7% through “Really, pictures of me?” (again, curiosity), 3% clicked on the link automatically. And 11% decided to click on it even if they thought it was possible for it to be malicious, as they believed that their system is secure.
Those who didn’t click on it were mostly stopped by a combination of the following: they didn’t know the sender (51%), believed it was scam, fake, or phishing (44%), the message didn’t fit their New Year’s Eve celebration or way of life (the context was wrong), and some didn’t want to see the pictures because they suspected that they were not the intended receiver of the message.
Also, if the message names a recipient, links in emails are more likely to be opened that those in Facebook messages. The opposite was true when the message didn’t contain the name of an intended recipient. But Berenson says there were other differences in the two studies, which might have influenced that result.
But even if the two studies can’t offer absolute results – as the thoughts in people’s heads at the moment of clicking are, after all, self-reported – it seems obvious that, sooner or later, everyone will click on a suspicious link. It’s only a matter of time and of the right message, moment, and emotional state.
After all, even she, as knowledgeable as she has become about the threat of clicking on potentially malicious links, has occasionally clicked on one before making sure it was not dangerous.
“Trust and social relationships, decisional heuristics that make our life easier, and also natural and creative human traits such as curiosity, will remain exploitable forever, as humans (hopefully) cannot be patched against these exploits,” Benenson and her colleagues noted, and added that everything points to the conclusion that the protection of the users and organizations against phishing threats should rely on technical and in-depth, rather than perimeter defense.
But even with security awareness training and technical defenses, some attacks are bound to come through, and people will still occasionally make mistakes, she says. We should expect that, and realise that a perfect result is simply not possible.