Phishing still fools people, but at least more are cautious

Carnegie Mellon CyLab challenges you to phishing detection test; NIST worries about security fatigue


While people still have a really hard time telling the difference between legit and phishing emails, at least there is enough awareness of the phishing threat that many people will err on the side of caution when it comes to clicking on links.

This was one finding from Carnegie Mellon University's CyLab in a study titled "Quantifying Phishing Susceptibility for Detection and Behavior Decisions" that was published recently in the journal Human Factors.


If at this point you are shaking your head at those silly fools who would fall for phishing messages, try CyLab's phishing detection quiz and see if you're still feeling so smug afterwards.

"Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems," says Casey Canfield, a CyLab researcher from Carnegie Mellon's Department of Engineering and Public Policy, in a statement.

In the study, participants were asked to evaluate more than three dozen emails. On average they correctly identified only about half of the phishing messages, yet they declined to click on 75% of the phishing links. As the paper's title suggests, detection and behavior are separate decisions: a user who cannot tell that a message is fake may still refuse to follow an unfamiliar link, and people do, it turns out, tend to assume the worst about links they don't recognize.

IT departments can help improve end users' network safety by providing them with feedback about their online habits and emphasizing what can happen if bad links are clicked, the researchers say. One method of the latter is embedded training, a CyLab-developed method of teaching end users about phishing if they do click on a bogus link sent by the organization.
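The embedded-training approach described above, as an added illustration rather than CyLab's own tooling: the organization mails each recipient a simulated phish whose link carries a per-recipient token, and clicking the link yields a training message instead of a credential form. The token is HMAC-signed so that a recipient cannot forge a "click" for a colleague and the campaign owner can trust the per-user feedback data. The campaign key, campaign ID, landing URL and training text are all hypothetical values chosen for this example.

```python
"""Minimal embedded-training click handler (hypothetical example, not CyLab's code).

Flow: phishing_link(user) is embedded in the simulated phish sent to that user;
handle_click(url) is what the landing page does when the link is followed.
"""
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed campaign secret; in a real deployment it would come from a secret store.
CAMPAIGN_KEY = b"campaign-2016-q3-secret"
CAMPAIGN_ID = "q3-invoice-lure"            # hypothetical campaign name
LANDING = "https://training.example.com/landing"  # hypothetical landing page

TRAINING_MESSAGE = (
    "This was a simulated phishing email sent by your IT department. "
    "Warning signs: the sender domain did not match the company, the link text "
    "pointed somewhere else, and the message pressured you to act quickly. "
    "Next time, hover over links and report suspicious mail instead of clicking."
)

# campaign id -> user ids who clicked (in-memory stand-in for a database)
clicks: dict[str, list[str]] = {}


def _sign(campaign_id: str, user_id: str) -> str:
    """HMAC-SHA256 over campaign|user so the (campaign, user) pair cannot be forged."""
    msg = f"{campaign_id}|{user_id}".encode()
    return hmac.new(CAMPAIGN_KEY, msg, hashlib.sha256).hexdigest()


def phishing_link(user_id: str) -> str:
    """URL placed in the simulated phish for one recipient."""
    params = {"c": CAMPAIGN_ID, "u": user_id, "t": _sign(CAMPAIGN_ID, user_id)}
    return f"{LANDING}?{urlencode(params)}"


def handle_click(url: str) -> tuple[int, str]:
    """Validate the token in a clicked URL, record the click, return (status, body).

    Malformed or forged links get 400 and are not recorded, so nobody can inject
    fake click records for another user.
    """
    qs = parse_qs(urlparse(url).query)
    try:
        campaign, user, token = qs["c"][0], qs["u"][0], qs["t"][0]
    except (KeyError, IndexError):
        return 400, "bad request"
    if campaign != CAMPAIGN_ID:
        return 404, "unknown campaign"
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(token, _sign(campaign, user)):
        return 400, "invalid token"
    clicks.setdefault(campaign, []).append(user)
    return 200, TRAINING_MESSAGE


def click_rate(campaign: str, recipients: list[str]) -> float:
    """Share of recipients who clicked at least once: the figure to track over time."""
    clicked = set(clicks.get(campaign, []))
    return len(clicked & set(recipients)) / len(recipients)


if __name__ == "__main__":
    link = phishing_link("alice")
    print(link)
    print(handle_click(link))
    print(handle_click(link.replace("u=alice", "u=bob")))   # forged: rejected
    print(click_rate(CAMPAIGN_ID, ["alice", "bob", "carol", "dave"]))
```

The training page is the feedback the researchers recommend: it is delivered at the moment of the mistake, and the recorded click rate gives the IT department a per-campaign measure to compare across rounds.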


Of course, more security training, on top of the frequent password changes and other online-hygiene rules organizations preach these days, can also take a toll on end users.

A new study from the National Institute of Standards and Technology (NIST) that was published in IEEE's IT Professional journal found that most regular computer users get "security fatigue" that can lead to unintentionally risky online behavior. 

"The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people's everyday life," cognitive psychologist and co-author Brian Stanton said in a statement. "It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet. If people can't use security, they are not going to, and then we and our nation won't be secure." 

Based on study findings, the researchers shared three ways to ease security fatigue:

  1. Limit the number of security decisions users need to make; 
  2. Make it simple for users to choose the right security action; and
  3. Design for consistent decision making whenever possible.

All easier said than done, but worth a shot. 

