Most people believe they’re smarter than the criminals behind phishing schemes, which is why so many fall easily into a trap, a new study found.
“A big advantage for phishers is self-efficacy,” said H.R. Rao, AT&T Distinguished Chair in Infrastructure Assurance and Security at The University of Texas at San Antonio (UTSA). “Many times, people think they know more than they actually do, and are smarter than someone trying to pull off a scam via an email.”
However, phishing has continued to evolve with the Internet. It’s no longer strangers posing as troubled Nigerian princes looking to cheat the average person out of their credit card information. Instead, phishing emails often look like messages from companies anyone would recognize and trust.
“They’re getting very good at mimicking the logos of popular companies,” Rao said.
Rao said he was actually nearly caught up in a phishing scam last year, when an email that appeared to be from UPS informed him that there was a problem with a package he had sent. Even Rao, a highly experienced cybersecurity researcher, nearly fell for the scam, as he happened to have recently mailed a package via UPS.
“In any of these situations, overconfidence is always a killer,” he said.
Rao’s study, conducted with colleagues from The University of Texas at Arlington and Columbia College, used an experimental survey in which subjects chose between the genuine and the sinister emails that he and his colleagues had created for the project. Afterward, the subjects explained why they made their choices, which allowed Rao to classify which type of overconfidence was playing a role in their decision-making processes.
“Our study’s focus on different types of overconfidence is unique, and allows us to understand why certain tactics appeal to different people,” Rao said. “It helps us to figure out ways to teach people to guard against these kinds of methods.”
At the end of the day, people will continue to be victimized by phishing scams until the public becomes better educated and, subsequently, less overconfident, Rao said. He suggested citizen workshops or even an online game that would inform people of the newer everyday dangers of the Internet.
“Thousands of emails are sent out every day with the aim of harming someone or gaining access to their financial information,” Rao said. “Avoiding that kind of damage is entirely in our own hands.”