+

Cookies on the Business Insider India website

Business Insider India has updated its Privacy and Cookie policy. We use cookies to ensure that we give you the better experience on our website. If you continue without changing your settings, we\'ll assume that you are happy to receive all cookies on the Business Insider India website. However, you can change your cookie setting at any time by clicking on our Cookie Policy at any time. You can also see our Privacy Policy.

Close
HomeQuizzoneWhatsappShare Flash Reads
 

Even this expert on hackers got tricked into clicking a scam email

Aug 10, 2016, 03:54 IST

Paul Szoldra/Business Insider

LAS VEGAS - An information technology expert gave a talk last Wednesday on the most effective ways hackers use scam emails, and the most surprising insight gleaned was that even a person who knows all the tricks can still fall for them.

Advertisement

At the Black Hat security conference, Dr. Zinaida Benenson presented her findings from two studies on phishing attacks - where hackers send emails to their targets enticing them to click on a "poison" link or run malicious software - which found that people often click, even if they don't know the sender.

And that's still the same even when those same people have computer knowledge, know unknown links can be dangerous to click on, or that email sender's addresses can be faked to make it seem like the message came from someone else. The studies found all of these factors as "not significant."

"We know that humans can be exploited and they fall for the same thing all the time," she said.

Benenson, a professor at The University of Erlangen-Nuremberg who leads the "Human Factors in Security and Privacy" research group, conducted two separate studies on university students with her fellow researchers that simulated phishing attacks over email and Facebook. The first study's email looked like this:

Advertisement

Black Hat USA

In the first study, 45% of people clicked on the link, while in the second, only 20% did so. The reason for the big difference, Benenson said, was due to her second round of emails not addressing the recipient by name.

Most people said curiosity was the reason behind their click, though a surprising number trusted their computer or university to protect them. "My computer blocks access if there is a virus problem," one student told the researchers.

"I use Firefox and MacOS, so I'm not afraid of viruses," said another.

Even Benenson's own curiosity got the best of her in some examples she presented to the audience. In one case, she received an email from someone (which she anonymized) claiming to be a reporter from CNN providing a link to his work. She was excited she might speak with a reporter.

Advertisement

Black Hat USA

"What do you think I did?" she asked the audience. "I clicked."

She also fell for others, like this one:

Black Hat USA

Advertisement

Benenson's research highlights one of the biggest problems people and companies encounter when trying to keep safe online. More than 90% of targeted attacks begin with spear-phishing emails that are often successful, despite security awareness training and high-profile hacks over the last decade.

She suggested companies could use a "reporting" feature to flag suspicious emails or use digital signatures (although these can still be overcome by a determined attacker). Others, however, suggest there has to be a technical solution to overcome the curiosity gap Benenson's research identifies.

"The user is not the problem," Malcolm Harkins, Chief Security and Trust Officer at Cylance, told Tech Insider in May. "It was a failure in the technology to protect them and to protect the compute device."

NOW WATCH: Milo Yiannopoulos defends his Leslie Jones tweets: All I did was crack a few jokes about a Hollywood star

Please enable Javascript to watch this video
You are subscribed to notifications!
Looks like you've blocked notifications!
Next Article