Who still falls for phishing scams? More people than you’d think. Over a million Canadians have handed over information to scammers—and it’s not just old people at risk. Recently, researchers managed to trick a bunch of undergraduates with a phishing scam.
A study presented at the International Conference on System Sciences managed to trick 68% of its participants into falling for a scam. Researchers said they were careful to create an “information rich” email with graphics, logos, and other brand markers to ensure that their phishing email looked legitimate. Study coauthor Arun Vishwanath also said “The text is carefully framed to sound personal, arrest attention, and invoke fear. It often will include a deadline for response for which the recipient must use a link to a spoof ‘response’ website. Such sites, set up by the phisher, can install spyware that data mines the victim’s computer for usernames, passwords, address books, and credit card information.”
What does he mean by ‘invoke fear’? Well, in the actual email sent by researchers to study participants, undergrads were told that there was an error in the student’s account settings and they were given an enclosed link, which led them to a spoofed version of their account page. They were also told that if the error wasn’t resolved in a short time, they’d lose access to their account, thus encouraging quick responses. Researchers used a reply-to address and a sender’s address which both contained the name of the university, which, coupled with an information-rich email, gave the illusion of official correspondence.
“‘Presence’ makes a message feel more personal, reduces distrust, and also provokes heuristic processing, marked by less care in evaluating and responding to it,” he says. “In these circumstances, we found that if the message asks for personal information, people are more likely to hand it over, often very quickly,” Vishwanath says.