Users fail to identify phishing attacks, study says

Computer users are good at detecting malware, but not phishing, research has found. So scientists want to completely revolutionize how phishing is detected. They have a unique idea.


Computer users don't spend enough time looking for phishing indicators, says a new study based on tracking eye movement and brain activity.

Users fail "at detecting phishing attacks even when they are mentally engaged in the task and subconsciously processing real sites differently from fake sites," Nitesh Saxena, one of the University of Alabama at Birmingham scientists involved in the study, said in an article on the university's website.

The scientists want to find a way to track subconscious detection of phishing and get users to recognize attacks consciously.


The researchers found the opposite to be true when it came to malware—the gaze patterns studied showed that computer users are reading warnings.

"Users were found to be frequently reading, possibly comprehending, and eventually heeding the message embedded in the malware warning, such as the one provided by common browsers," the article reads.

And they "heed the warnings a large majority of the time," graduate student Ajaya Neupane, who contributed to the study, said in the article.

Malware, for the purposes of this study, is classed as web-based attacks which "deploy software to infect computers with viruses while users browse the web," the website says.


But it was in the phishing study that users failed to observe the signs of attack, at least consciously.

Phishing usually involves sending legitimate-looking emails that trick users into providing personal information or downloading malware.

In the phishing attacks, the users' susceptibility tended to be based on their personalities, the researchers found.

"The more attentive they are by nature, the more likely they are to detect the phishing attacks," Saxena says on the website.


The researchers were studying non-technical responses to detecting attacks—in other words, how a human would detect an attack—rather than technology like anti-malware software.

Non-technical detection of such masqueraded communications involves noticing the nuances that distinguish the email from legitimate ones.

But it's in the technical aspect that the results of the study could be important.

Future technical anti-phishing and anti-malware solutions might involve mechanisms that use "real-time neural and eye-gaze features" in order to infer a user's "alertness state," the website says.

From that information, it could be possible to find out whether the computer user could be relied on at that particular time.

Users failing

An important discovery that the scientists made was that, in many cases, users' brains detected the scam subconsciously, but not consciously.

Users failed to detect the scam even though their eye movements and brain activity indicated that they had seen it. That was an attentiveness issue, specific to phishing and malware.

Determining whether a user is attentive or inattentive could be used in the development of tools to combat attacks.

"We can begin thinking about developing ways to automatically detect whether users are attentive or inattentive, and whether they subconsciously detected a phishing attack," Neupane says on the website.


Copyright © 2015 IDG Communications, Inc.
