Homo sapiens click on links in clunky, non-personalized phish mails. They just do. We’ve seen research suggesting a small percentage are simply wired to click during their online interactions. Until recently, the “why” behind most people’s clicking behaviors remained something of a mystery. We now have more of an answer to this question based on findings from German academics. Warning: IT security people will not find their conclusions very comforting.
Attention Marketers: High Click-Through Rates!
According to research by Zinaida Benenson and her colleagues, the reasons for clicking on phish bait are based on an overall curiosity factor, and then secondarily, on content that connects in some way to the victim.
The research group used the following email template in the experiment, and sent it to over 1200 students at two different universities:
The New Year’s Eve party was awesome! Here are the pictures:
http://<IP address>/photocloud/page.php?h=<participant ID>
But please don’t share them with people who have not been there!
See you next time!
<sender’s first name>
The message, by the way, was blasted out during the first week of January.
Anybody want to guess what was the overall click-through rate for this spammy message?
A blazing 25%.
Marketers everywhere are officially jealous of this awesome metric.
Anyway, the German researchers followed up with survey questions to find the motivations behind these click-aholics.
Of those who responded to the survey, 34% said they were curious about the party pictures linked to in the mail, another 27% said the message fits the time of year, and another 16% said they thought they knew the sender based on just the first name.
To paraphrase one of those cat memes, “Humans is EZ to fool!”
The clever German researchers conducted a classic cover-story design in their experiment. They enlisted students to ostensibly participate in a study on Internet habits and offered online shopping vouchers as an incentive. Nothing was mentioned about phish mails being sent to them.
And yes, after the real study on phishing was completed, the student subjects were told the reason for the research, the results, and given a good stern warning about not clicking on silly phish mail links.
Benenson also gave a talk on her research at last year’s Black Hat. It’s well-worth your time.
Phishing: The Ugly Truth
At the IOS blog, we’ve also been writing about phishing and have been following the relevant research. In short: we can’t say we’re surprised by the findings of the German team, especially as it relates to clicking on links to pictures.
The German study seems to confirm our own intuitions: people at corporate jobs are bored and are finding cheap thrills by gazing into the private lives of strangers.
Ok, you can’t change human nature, etc.
But there’s another, more disturbing conclusion related to the general context of the message. The study strongly suggests that the more you know and can say about the target in the phish mail, the more likely it is that they will click. In fact, in an earlier study by Benenson, a 56% click rate was achieved when the phish mail recipient was addressed by name.
Here’s what they had to say about their latest research:
… fitting the content and the context of the message to the current life situation of a person plays an important role. Many people did not click because they learned to avoid messages from unknown senders, or with an unexpected content … For some participants, however, the same heuristic (‘does this message fit my current situation?’) led to the clicks, as they thought that the message might be from a person from their New Year’s Eve party, or that they might know the sender.
Implications for Data Security
At Varonis, we’ve been preaching the message that you can’t expect perimeter security to be your last line of defense. Phishing, of course, is one of the major reasons why hackers find it so easy to get inside the corporate intranet.
But hackers are getting smarter all the time, collecting more details about their phishing targets to make the lure more attractive. The German research shows that even poorly personalized content is very effective.
So imagine what happens if they gain actual personal preference and other informational details from observing victims on social media sites or, perhaps, through a previous hack of another web site you engage with.
Maybe a smart hacker who’s been stalking me might send this fiendish email to my Varonis account:
Sorry I didn’t see you at Black Hat this year! I ran into your colleague Cindy Ng, and she said you’d really be interested in research I’m doing on phishing and user behavior analytics. Click on this link and let me know what you think. Hope things are going well at Varonis!
Bob Simpson, CEO of Phishing Analytics
Hmmm, you know I could fall for something like this the next time I’m in a vulnerable state.
The takeaway lesson for IT is that they need a secondary security defense, one that monitors hackers when they’re behind the firewall and can detect unusual behaviors by analyzing file system activity.
Want to find out more? Click here!
Did you click? Good, that link doesn’t point to a Varonis domain!
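That “does the link actually point where it claims?” check is one a mail gateway can do before a bored human gets the chance. The following is an added example, not code from the original post or from Varonis: it flags links whose host is a bare IP address or outside an expected domain list, and links carrying a per-recipient token like the h=<participant ID> in the study’s template. The allow-list, the sample IP address and the token are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allow-list of domains a recipient would expect mail links to use.
EXPECTED_DOMAINS = {"varonis.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def host_is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_matches(host, domains):
    """Exact match or subdomain of one of the expected registrable domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_link(url, expected=EXPECTED_DOMAINS):
    """Return the reasons a defender would flag this link (empty list = clean)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if host_is_ip(host):
        reasons.append("bare IP address as host")
    elif not host_matches(host, expected):
        reasons.append("host not in expected domains")
    if parsed.scheme != "https":
        reasons.append("not https")
    # A short query key carrying an opaque token is typical of per-recipient
    # tracking, like the h=<participant ID> parameter in the study's mail.
    for key, vals in parse_qs(parsed.query).items():
        if len(key) <= 2 and any(re.fullmatch(r"[A-Za-z0-9_-]{6,}", v) for v in vals):
            reasons.append(f"per-recipient token in query parameter '{key}'")
    return reasons


def assess_mail(body, expected=EXPECTED_DOMAINS):
    """Map every URL found in a mail body to its list of flags."""
    return {u: assess_link(u, expected) for u in URL_RE.findall(body)}


# Constructed sample modelled on the study's template; IP and token are placeholders.
SAMPLE_MAIL = """The New Year's Eve party was awesome! Here are the pictures:
http://203.0.113.7/photocloud/page.php?h=a1b2c3d4e5
But please don't share them with people who have not been there!"""
```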
Another conclusion of the study is that your organization should also undertake security training, especially for non-tech savvy staff.
We approve as well: it’s a worthwhile investment!