Published: November 2007
Study Finds Skeptical Nature is a Good Defense to Fraud
A study at Washington State University finds that if you are not easily taken in by e-mail "phishing" attempts and other fraudulent Internet scams designed to get you to reveal sensitive personal information, it may be less a result of your online experience and computer savvy than a natural reflection of your own personality.
PULLMAN, Wash. – A recent study at Washington State University (WSU) attempts to discover what key knowledge, experience and traits come into play in determining who may fall prey to "phishing." Phishing is defined as online scams aimed at getting people to reveal credit card and social security information, bank account numbers and personal passwords.
The research involved an elaborate effort to trick more than 300 WSU undergraduates into revealing what they had been told was their “super secret” personal departmental passcode.
The “bait” used by researchers conducting the study was a phishing e-mail designed to look as if it had been sent by someone from the university’s technology group. The e-mail exhibited many of the fairly sophisticated features of most real-world phishing attempts, including a contrived sense of urgency meant to prompt the recipient into responding without giving the matter much thought.
Kent Marett, who oversaw the research, said 32 percent of the student respondents revealed their passcodes, despite the fact that they had been frequently instructed not to reveal the information to anyone, required at the time the codes were issued to sign non-disclosure agreements, and previously attended class modules on Internet safety and security. The balance of the subjects either detected that the e-mail was a scam, refused to reveal their passcodes as instructed, or simply did not respond.
Of particular interest to Marett and Ryan Wright – the graduate student who devised the phishing experiment – was the fact that even though it was conducted using three separate e-mailings with varying degrees of authenticity, the inclusion of “clues” which might raise questions about the validity of the e-mail was shown to have little or no bearing on whether the students took the bait.
“One batch was sent from a legitimate WSU e-mail address, another from a mock address designed to give some appearance of a valid WSU e-mail address, and another from a purely generic address (Mail.com) unlike anything typically used by the university,” Wright said. “What we found was that the use of visible clues – such as a questionable address, intentional typos or oddly phrased language – really didn’t even come into play in our subjects’ perceptions of whether there was a risk associated with revealing their information.”
Researchers said those who revealed their passcodes tended to score lower than their classmates in general confidence in their own computer skills, their degree of online experience, and their overall awareness of computer security issues. They were also more likely to describe themselves as relatively less suspicious than those who declined to reveal the information. There was no difference between those who fell prey and those who did not in terms of their disposition to trust people and their assessments of Internet risk. This suggests that it was not in fact the “trusting” souls, in terms of the Internet or otherwise, who were duped. Rather, it seems to be the uninformed and unaware.
A relatively high number of those who declined to reveal their passcodes simply cited the fact that the request was contrary to their earlier instructions or a violation of the terms of the non-disclosure agreement, he said. By refusing to reveal the information as a matter of policy, they avoided the need to judge whether the e-mail was deceptive at all. This suggests that efforts by financial institutions to make customers aware that they never solicit personal information online may be well directed: a customer who knows the bank will not ask does not have to evaluate how convincing the request looks.
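The three sender-address variants described above (the university's own domain, a mock address resembling it, and an unrelated generic domain) and the policy rule credited in the last paragraph can both be made mechanical. The following is an added example, not code from the study or the university; the organisation domain, header patterns and the three sample messages are constructed for illustration. It classifies the From: address into the study's three categories, lists the other visible clues a reader could have checked (display name claiming the organisation, a Reply-To pointing elsewhere, urgency phrasing), and applies the policy rule independently of those clues: any message asking for the passcode is refused regardless of how authentic the sender looks.

```python
"""Triage a suspected phishing e-mail against an expected organisation domain.

Added example. ORG_DOMAIN, the urgency patterns and the SAMPLE_* messages are
assumptions constructed for illustration, not material from the WSU study.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "wsu.edu"  # assumption: the institution's real mail domain

# Phrases that create the "contrived sense of urgency" the article describes.
URGENCY_PATTERNS = [
    r"\bimmediately\b",
    r"\bwithin \d+ hours?\b",
    r"\b(?:account|access) will be (?:suspended|disabled|terminated)\b",
    r"\burgent\b",
]
CREDENTIAL_REQUEST = re.compile(r"\b(pass(?:word|code)|pin|ssn)\b", re.IGNORECASE)


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From:/Reply-To: value, or ''."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header: str, org_domain: str = ORG_DOMAIN) -> str:
    """Place the sender in the study's three categories.

    'legitimate': the organisation's domain or a subdomain of it.
    'lookalike' : the organisation's name appears in a domain it does not control.
    'generic'   : an unrelated domain. 'unparseable' if there is no address.
    """
    dom = sender_domain(from_header)
    if not dom:
        return "unparseable"
    if dom == org_domain or dom.endswith("." + org_domain):
        return "legitimate"
    org_label = org_domain.split(".")[0]  # e.g. "wsu"
    if org_label in dom.replace("-", ""):
        return "lookalike"
    return "generic"


def triage(raw_message: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return the visible clues plus the policy decision for one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    sender_class = classify_sender(from_header, org_domain)
    org_label = org_domain.split(".")[0]

    reply_to_dom = sender_domain(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    requests_credential = bool(CREDENTIAL_REQUEST.search(body))

    return {
        "sender_class": sender_class,
        # Display name invokes the organisation while the domain is not its own.
        "display_name_claims_org": org_label in display_name.lower()
        and sender_class != "legitimate",
        # Replies would go to a different domain than the one shown in From:.
        "reply_to_mismatch": bool(reply_to_dom)
        and reply_to_dom != sender_domain(from_header),
        "urgency_phrases": [p for p in URGENCY_PATTERNS if re.search(p, body, re.I)],
        "requests_credential": requests_credential,
        # Policy rule: a request for the passcode is refused no matter how
        # convincing the sender looks, so the clues above need not be weighed.
        "refuse": requests_credential,
    }


# Constructed sample messages (not from the study).
SAMPLE_LEGIT = (
    "From: IT Help Desk <helpdesk@wsu.edu>\n"
    "To: student@wsu.edu\n"
    "Subject: Scheduled maintenance\n"
    "\n"
    "Mail will be unavailable Saturday 02:00-04:00.\n"
)
SAMPLE_LOOKALIKE = (
    "From: WSU Technology Group <support@wsu-edu-accounts.com>\n"
    "To: student@wsu.edu\n"
    "Subject: Passcode verification required\n"
    "\n"
    "Your account will be suspended within 24 hours unless you reply\n"
    "with your departmental passcode immediately.\n"
)
SAMPLE_GENERIC = (
    "From: WSU Tech Support <wsutech@mail.com>\n"
    "Reply-To: collect@example.net\n"
    "To: student@wsu.edu\n"
    "Subject: Confirm your details\n"
    "\n"
    "Please reply with your passcode so we can restore your access.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_LOOKALIKE, SAMPLE_GENERIC):
        print(triage(sample))
```

The header checks are heuristics only: a From: header is trivially forged, so in a mail pipeline the sender class should come from SPF/DKIM/DMARC results rather than from the visible address. The point the study makes survives that caveat, since the `refuse` decision above never consults the sender class at all.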
Respondents who actually detected the e-mail as a scam tended to have more online experience than those who revealed their passcodes, Marett said. Among those who identified the scam, however, a shared predisposition to be skeptical or suspicious by nature was a more common trait than greater computer and Internet experience.
Nationwide, data compiled by Microsoft and Phishing.org suggests 57 million Americans may have already been targeted by e-mail phishing attempts. Roughly five percent of those targeted, or nearly 3 million people, are estimated to have fallen victim to such scams, resulting in what may be more than $900 million in estimated financial losses. According to the same source, more than 100 corporate and commercial brand names and identities, 92 percent of them belonging to financial institutions, have been counterfeited or "hijacked" through the creation of fraudulent Web sites that closely mimic those of legitimate businesses.
For More Information
Kent Marett, WSU Management Information Systems Department, 509-335-7640