Half Of People Click Anything Sent To Them

Want to know why phishing continues to be one of the most common security issue? Half of the people will click on anything without thinking twice ArsTechnica reports: A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages -- even though most of them claimed to be aware of the risks. The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month's Black Hat security conference. Simulated "spear phishing" attacks were sent to 1,700 test subjects -- university students -- from fake accounts. The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data -- some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year's Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message "access denied," but the site logged the clicks by each student.

Browser bugs

If "clicking on something" is all that it takes to infect your computer, then that is a really shitty crappy browser.

This is what happens

This is what happens when browser makers hide the status bar, hide the location url/protocol and generally dumb down the location parts of the UI.

Removing those essential browsing elements are like removing streets signs because everyone has a GPS, bring back the status/url bars and educate people to know what their function is.

Re:This is what happens

[amicusNYCL]

Yeah you're exactly right, the half of the population who click on anything would totally not do that if only they could see the protocol. Because that's what was keeping everyone safe for so many years back in the halcyon days of innocence when everyone used IE6 and malware was non-existent.

I don't think the URL field has been dumbed down at all, it hides things that you don't generally need to see (there's still an indicator if the page is secured or not, instead of expecting random people to know the difference between "http://" and "https://"), and it emphasizes things that are more important, like making the root domain stand out and writing the rest in a lighter shade. That actually helps people who got sent to facebook.com.pwned.net figure out which site they're actually on, it doesn't make anyone stupider. I can look at the URL and obviously tell that I'm on a subdomain of slashdot.org, because the root domain is written darker.

And the status bar? Really, grandma? Can you name a single browser that does not show the URL of a link that you're pointing to when you point at it? Why have an area of the UI dedicated to showing that, which isn't being used if you're not hovering over a link? If you're thinking of some other purpose of the status bar that we've lost without a replacement, just what sage advice do you think it was dispensing that we need to bring back?

Re:This is what happens

Yeah, no. People will click regardless, I've seen people go through hoops to be able to access links sent to them that first the email client, then the antivirus, then the web browser all tried to stop them.

People are stupid, it doesn't matter how much information you give them or don't give them, they will click.

Re:This is what happens

[Nunya666]

This is what happens when browser makers hide the status bar, hide the location url/protocol and generally dumb down the location parts of the UI.

Removing those essential browsing elements are like removing streets signs because everyone has a GPS, bring back the status/url bars and educate people to know what their function is.

This also happens because companies use 3rd-party email providers, which cause email links for banks and credit card companies to point to some3rdparty.com instead of the bank itself.

I regularly forward that crap back to the bank's spam/phishing prevention email address. I always start the email with something like "this looks like a phishing attempt."

Re:This is what happens

[i.r.id10t]

To be fair, some of us click the links within a VM just to see what kind of nastiness is hiding on the other end.

As for the status bar simple javascript can keep it covered with something else... or do you not remember the scrolling ticker tape status bars on the pages of the late 90s and early 00s?

Re:This is what happens

[Sigma+7]

do you not remember the scrolling ticker tape status bars on the pages of the late 90s and early 00s?

That's dwarfed by other nasty Javascript effects, such as inhibiting right-clicks, move/shake the browser window, make popups, modal alert() loops that require restarting the browser, etc.

In any case, Firefox finally added a checkbox somewhere in 1.x to prevent Javascript from doing the most common annoyances. A little on the late side, but at least it can get stopped.

Re:This is what happens

[Waccoon]

Can you name a single browser that does not show the URL of a link that you're pointing to when you point at it?

To be fair, most pages use Javascript to handle links, so even the damn Back button doesn't work anymore, let alone the status bar.

Another innovation of modern "apps."

Re:This is what happens

[houghi]

The general public was unable to enter the URL when Google (or Bing) became their homepage. Give people a homepage with Google and the ability to add the URL at the top and ask them to go to a website.

Ask this at people around you for whom IT stuff is just things they use to get what they want. You can even give them your tablet or PC. Many people will just fill out the address in the middle.

Re:This is what happens

[AmiMoJo]

Browser makes need to take a much stronger position on removing/limiting stupid web technologies.

Flash should have died years ago. Audio should default to off with a per-site permission required, and no audio from 3rd party sources. Javascript should have features like pop-up dialogues and on-click removed, or at least limited to trusted sites. Redirects should require confirmation from the user. Cookies should default to blocked. AdBlocking should be standard, and probably block most 3rd party content too.

You can get all that stuff with add-ons, but if the major browser vendors (so, Google) started making these the default settings it would force sites to be fully compatible with them.

Re:This is what happens

[wardrich86]

Yup. To this day I can't understand why "Hide known extensions" is enabled by default. Seems like the one of the worst possible things you could do.

Re:This is what happens

[dpidcoe]

Yeah you're exactly right, the half of the population who click on anything would totally not do that if only they could see the protocol. Because that's what was keeping everyone safe for so many years back in the halcyon days of innocence when everyone used IE6 and malware was non-existent.

Even if you're dumb enough to click anything and everything, your brain is pretty good at pattern matching. Even the worst offenders when it comes to irresponsible computer usage generally at least subconsciously notice when a URL says something like somenefariousprotocol://Bank0fAmerica.com instead of https://bankofamerica.com./ Speaking from some pretty extensive experience scamming people in EvE Online, I can tell you that even the slightest deviation from what's expected by the target (even if it's not something they're normally consciously aware of) is often enough to jog even the dumbest persons brain into suspicious mode (and if not that, at least a more observative mode) and ruin the entire thing.

Re:This is what happens

[lsatenstein]

This is what happens when browser makers hide the status bar, hide the location url/protocol and generally dumb down the location parts of the UI.

Removing those essential browsing elements are like removing streets signs because everyone has a GPS, bring back the status/url bars and educate people to know what their function is.

left-half right-half

or

top-half, bottom-half

Half the people, ehh

Re: This is what happens

[amicusNYCL]

There's nothing about a URL that I 'don't need to see'.

I completely understand that, I often find myself browsing web pages and wondering "wait a second, is this web page being served to me over the gopher protocol, or NNTP?" And then, because I understand that I can actually change settings in my browser, I go to the settings page and check the box to show the full URL and think to myself "oh wow! It turns out that this web page is actually served using the hyper text transfer protocol, I totally wasn't expecting that!"

Show me fancy highlighting and crap and as an attacker the first thing I'm going to do is figure out how to highlight things

OK, then I guess the world is waiting for your exploit where you cause the browser to highlight arbitrary parts of the URL. I'm sure that something like that would create a pretty nice payday for you, so since that's the first thing you're going to do then you should get right on it.

There are too many idiots using dangerous things they don't understand.

Right, and your solution is to throw more information which they also don't understand at them.

Re:This is what happens

[amicusNYCL]

Audio should default to off with a per-site permission required, and no audio from 3rd party sources. Javascript should have features like pop-up dialogues and on-click removed, or at least limited to trusted sites. Redirects should require confirmation from the user. Cookies should default to blocked.

If all of those suggestions were implemented then the very first thing that people would want to do when they start a browser on a new computer is to go enable everything so that websites work again. The #1 search terms would all involve "how do I change my browser so websites work", and then we're right back to the start.

I'm sorry if you're personally annoyed that web pages are able to play audio, but it was added in HTML 5 for a reason. I don't think that audio is an inherent security threat.

Hardly any sites use pop-up dialogs in Javascript at this point. If you're talking about something other than the standard alert, prompt, confirm, etc, then you're suggesting that Javascript shouldn't be able to modify the DOM at all, which is not a step in the right direction. Now we're back to the days of static web pages. We moved on for a reason. Requiring users to click a confirm button every time their browser is asked to redirect would only result in people clicking confirm buttons on their browser as fast as possible without reading what the browser is asking them to confirm. We've seen that before. Blocking cookies by default means people can't log in to sites. So, again, the #1 search term is now how to configure the web browser so that sites work, and none of the problems have actually been addressed.

if the major browser vendors (so, Google) started making these the default settings

If Google made those the default settings then people can't use Maps or Gmail any more. Here's something to think about, I'm not sure if you've fully considered this. There was a time when Firefox was initially fighting against IE6, and it looked like Firefox was destined to become to most popular browser. All of a sudden Google releases Chrome, and they were talking about things like tab process separation, a much faster Javascript engine, etc. Over the next couple years they poured development effort into improving their Javascript engine, and it forced all of the other vendors to do the same because they were getting absolutely destroyed in the Javascript benchmarks. Javascript performance in the days of IE6 vs. Firefox is completely pathetic to the state of the art today, and that's because Google made Javascript their priority so that they could do things on the internet that weren't possible with the older browsers and their slow and buggy implementations.

Microsoft had nearly killed IE development when Firefox was released, future upgrades were only going to be part of new Windows versions. They had defeated Netscape, the browser war was over, they won. Firefox was already out for 4 years by the time they released IE7, and it was nearly a cosmetic upgrade, it had all of the same shit performance as IE6. IE8 was hardly any better, but it did actually have better Javascript performance and fixed a few rendering bugs and added support for some newer technologies, and that's because a year before it was released Google came out with Chrome and changed the web browser game. Everyone else had to try to match Chrome's performance or answer questions like why Gmail runs like shit in their browser. Now Microsoft is fully committed to their browser again, Firefox has respectable Javascript performance, and all of that is thanks to Google because they wanted to write web applications that were complex enough to require a high-performance Javascript implementation.

Now you're suggesting that they should disable it by default. Sorry, but it's not going to happen.

Re:This is what happens

[amicusNYCL]

What "nefarious protocol" are you referring to? And, for that matter, why the hell are browser vendors adding support for things that are clearly nefarious?

Scammers use HTTP/HTTPS, why do they need to even use another protocol?

Re:This is what happens

[amicusNYCL]

Mobile doesn't really have a hover event either, at least not until phones can detect the presence of your finger pointing at something before you touch the screen. There's not really a way to enable that for mobile at all (status bar or no) other than showing the URL you just clicked on and requiring a confirmation to go there, which isn't something that people would accept. In addition to doubling the number of clicks that browsing requires, it's again going to lead to the situation where people blindly click on Confirm or OK buttons without reading anything.

That UI bar can be, and is often turned off on some browsers.

That's actually an option I don't see in my browser, I don't see a way to disable that. A quick search doesn't show results for recent versions of Chrome or Firefox, and IE/Edge aren't even in the top results.

Amicus be nice.

But sarcasm is how I show love.

Re:This is what happens

[dpidcoe]

What "nefarious protocol" are you referring to?

I have no idea, you were talking about protocols so I thought you had something in mind. Replace it with whatever other slightly off looking malicious link you'd like if it makes more sense that way.

Re:This is what happens

[AK+Marc]

The problem is that there isn't GPS to cover. If every link you hovered over that "looked" like a URL, but had an underlying URL that didn't match were highlighted in red, that would be better. But because so many things have redirects, cross site ads and things, nobody wanted to let the unwashed masses know what a real mess the Internet is. So we get everything cleaned, hidden, and looking nice, even when everyone's doing worst practices all day long.

Re:This is what happens

[AK+Marc]

The icon tells you the extension type. Anyone who knows what the extensions mean knows that an EXE icon next to CelebrityNudes.PDF means "don't open". The problem it solved by hiding is that nobody looked at the extension before clicking anyway. So it was a horrible thing, that's no worse than the previous thing.

Re:This is what happens

[knorthern+knight]

> The icon tells you the extension type.

Uhmmm... not always. If someone is malicious enough to write/deploy malware, they're malicious enough to tamper with the program icon. And, yes, you can edit/replace the default icon of a program http://stackoverflow.com/quest... The developer is asking on stackoverflow about getting a custom icon to display on the executable. Sticking in a "textfile" or "pdf" icon into an exe file is relatively easy.

Re:This is what happens

[RockDoctor]

To be fair, most pages use Javascript to handle links, so even the damn Back button doesn't work anymore, let alone the status bar.

I don't think that I've ever seen that, though I'll be looking for it in the future.

"most sites"? Really? got any numbers to back that up? Or do you mean "most sites that I use" (checks : it's not an AC comment), which may be a very different thing.

Re:This is what happens

[RockDoctor]

This also happens because companies use 3rd-party email providers, which cause email links for banks and credit card companies to point to some3rdparty.com instead of the bank itself.

You have a bank that conducts business my EMAIL ??? Who the hell are they, so I can avoid them?

Personally, I much prefer to check out my bank's security by kicking the bottom of the door as I walk in, to check if it sounds rotten. I do log onto my bank account every month or three - in fact I'll need to do it on Monday night - but I do that by typing the appropriate address into the location bar.

Re:This is what happens

[KozmoStevnNaut]

Both Firefox and Chrome pop up the link destination when you hover over a link. It's just like having the status bar, but it doesn't take up space when you don't need it.

Re:This is what happens

[Nunya666]

This also happens because companies use 3rd-party email providers, which cause email links for banks and credit card companies to point to some3rdparty.com instead of the bank itself.

You have a bank that conducts business my EMAIL ??? Who the hell are they, so I can avoid them?

Is it really that bad for a bank to send an email alert that a payment is due? Or that this month's electronic statement is available?

I don't think so.

Re:This is what happens

[RockDoctor]

So, you don't know your own finances. Right.

Re:This is what happens

[Rakarra]

Mobile doesn't really have a hover event either, at least not until phones can detect the presence of your finger pointing at something before you touch the screen. There's not really a way to enable that for mobile at all (status bar or no)

I've seen this implemented on my browser on my android phone using the standard built-in browser, whatever came with Android 4.4. If I click and hold somewhere on a webpage, it'll pop up a context menu AND it acts like a hover. I hit 'back' to get rid of the context menu, and the end result is I got a hover without a click. It's clunky and slow, but it works.

Re:This is what happens

[wardrich86]

Not only to mention the amount of faith this guy has in people not opening shit that they shouldn't.

Re:I don't believe this

[hcs_$reboot]

Difference is, when you receive a link, its actual domain name is not displayed along with the link, as on /. (the only people likely to click your link either don't know goatse, or want to have another look at it!)

Color me surprised

[Feral+Nerd]

Half Of People Click Anything Sent To Them

Actually 49.5% of people click anything sent to them, another 49.5% double click anything sent to them. The remaining 1% are nerds who know better.

Re: Color me surprised

[Creepy]

And to riff off an old tech support joke, they're called foot pedals, not mice.

If you've never heard that one, here it is with a few others. I literally got the "Press Any Key" one working tech support, so yes I believe them. Compaq offered free tech support in the early days and people would call them for all kinds of reasons without actually trying anything, so that doesn't surprise me at all. Note I didn't work for Compaq, I did tech support contracting work for Bell Atlantic and we had a business relationship with Compaq. Specifically what that was is something I signed a form not to disclose.

Re: Color me surprised

[kenh]

100% of the people who clicked on them don't use Linux.

I believe that, because the percentage of actual Linux desktop users represents a rounding error in most surveys. Last I looked, Windows ME was still more popular/prevalent as a desktop OS than Linux.

Re: Color me surprised

[dpidcoe]

And to riff off an old tech support joke, they're called foot pedals, not mice.

Unrelated to the discussion thread but completely related to that anecdote: I knew an electrical engineer with bad carpel tunnel who made a foot pedal for clicking the mouse buttons. He also stripped the guts from a gyro mouse and mounted them on a headset. I think the controls were basically left foot to click, right foot to tell the gyro mouse to start tracking, and then he'd hunt and peck type holding a stylus in each fist. Watching him operate his computer was hilarious. His head would be twitching and jerking all over the place to an accompaniment of seemingly random foot stomps and fits of what looked like overhanded stabbing of the keyboard with a pair of pencils.

People actually click on email links?

[hackel]

I actually get really frustrated because 99% of all email links cannot be clicked because of embedded tracking information. It makes pretty much any email newsletter/update/etc. completely useless. I spend far too much time going to a website and finding something I want to look at, all because I refuse to click on a link that contains tracking information. I can't believe so many people, especially students, are dumb enough to do this. And yet, I can believe it. It's just sad.

Re:People actually click on email links?

[hcs_$reboot]

Usually just removing the final GET part with an ID gives you the same page, without reference tracking (e.g. the ad-story below about lenovo is "http://news.lenovo.com/news-releases/lenovo-reveals-yoga-book-2-in-1-tablet-for-productivity-and-creativity.htm?CID=ww:lenovosocial:r5kzwy", remove the CID part and no more tracking). Then use Ghostery to disable all necessary trackers

Re:People actually click on email links?

Mailchimp. 99% of the time the person doing the tracking is the person who sent you the email, from the list that you signed up for, and the link usually points to their own site. The bulk mailer being used automatically does the link replacement.

Curious, do you use google.com? Note the cloaked tracking on every link in their search results. Don't like that? (I don't) Use duckduckgo.com (and let the Russians have the info instead).

So, um, yeah.

Re:People actually click on email links?

So you've willingly given your email address X to a website and expressed an interest in subject Y in doing so (thus linking X and Y), yet you won't click a convenient link that pretty much only re-affirms that initial X-Y link because...?

Re:People actually click on email links?

[RockDoctor]

I actually get really frustrated because 99% of all email links cannot be clicked because of embedded tracking information.

Hmmm, An option that might be useful could be mapping (some control key+ CLICK) to "present URL in editable window and then follow link after editing".

I regularly chop of all that tracking shit when forwarding links to people. It does get tedious after a time.

Re:People actually click on email links?

[hackel]

Clean Links (https://addons.mozilla.org/en-US/firefox/addon/clean-links/) is a great help for that, but it's not perfect. So many email links aren't in a form that you can manually clean, they just reference their tracking IDs, which have to be redirected server-side.

Re:People actually click on email links?

[RockDoctor]

Oh, links you RECEIVE in email. I don't think I've seen that as a problem in either Yahoo or Gmail. Hotmail is a terminal mail service for me - mail in, nothing out by mail, but no I don't see that problem there either. Plenty of spam, but not that problem. I get a mail from my electronics supplier, and I open a new tab, type in the suppliers home page, and then log in. No problems that I see.

You insensititve clod!

[PPH]

I can't click anything! I read my e-mail with elm.

Re:You insensititve clod!

[Rick+Zeman]

I can't click anything! I read my e-mail with elm.

Pine is not elm.

Not a completely accurate check

[davidwr]

Did they test for people who did "due diligence" before going to the site then, seeing no known threat, click anyway?

Did they test for people who went back and re-visited the sites with the "bad" links on them using a testbed/honeypot environment then "clicked through" to the "bad" site?

Re:Not a completely accurate check

No. No they didn't. Because, whom the fuck would do that??!!!

Re:Not a completely accurate check

[Dunbal]

No one, but there's always a smart-ass who says he would have, if he had actually bothered to visit the site.

Re:Not a completely accurate check

[rtb61]

The average IQ is 100, which means half the population has a lower IQ than 100. Learning and retaining computer security is not easy, in fact logically all those below, say 120, struggle with it. Want secure systems, take out the flexibility and ensure they can only do what they were designed to do in the manner they were designed to do it. For most people, the need computers to be like other fixed electrical appliances, that is just the way it is.

Re:Not a completely accurate check

[ITRambo]

So they need Chromebooks, something dumbed down that can do everything 80% of our customers want to do, surf and read email. Self updating is nice also.

Re:Not a completely accurate check

[Buchenskjoll]

No. No they didn't. Because, whom the fuck would do that??!!!

Who would do that. Whom told you to write it like that?

Re:Not a completely accurate check

[david_thornley]

You aren't aware that most of experimental psychology is the psychology of Western college freshmen taking psychology courses? (Yes, this is a big problem.)

Imagine the stupidity of the average person

[penguinoid]

Imagine the stupidity of the average person -- then realize that half of them are dumber than that.

Re:Imagine the stupidity of the average person

[hcs_$reboot]

dumb != uneducated

Re:Imagine the stupidity of the average person

[hondo77]

Imagine citing George Carlin for that quote.

Re:Imagine the stupidity of the average person

[penguinoid]

Some of them are even dumb enough to think that "average" and "median" are the same thing.

And some are even too dumb to know that in a normal distribution, they are.

Re:Imagine the stupidity of the average person

[Dunbal]

And likewise educated != smart.

Re:Imagine the stupidity of the average person

[ShanghaiBill]

And some are even too dumb to know that in a normal distribution, they are.

IQ is normalized (by definition), but we are talking about stupidity, with is the reciprocal of intelligence. The inverse of a normalized function is not another normalized function. You can see this in practice: There are a lot more really stupid people than really intelligent people. The distribution is skewed.

 

Re:Imagine the stupidity of the average person

[Pfhorrest]

Some are even dumb enough to think that "average" only means "mean", and that a median isn't a kind of average...

Re:Imagine the stupidity of the average person

[hambone142]

The majority of people believe in an invisible friend in the sky.

Re:Imagine the stupidity of the average person

[penguinoid]

The majority of people believe in an invisible friend in the sky.

And is that being stupid? I mean, they're wrong, but the vast majority of people are wrong about all kinds of things, particularly as displayed in optimism and overconfidence. (In fact, religion is a subset of optimism and overconfidence.) And yet, though many studies show cynical depressed people tend to be more accurate than happy optimists, I wouldn't call them smarter.

People are irrational, but smart irrational people can deal with their irrationality (often by using irrational means).

Re:Imagine the stupidity of the average person

[mwvdlee]

I don't have to imagine; I'm seeing it right here.

Re:Imagine the stupidity of the average person

[AmiMoJo]

Sanity is defined by the norm, not by what is rational. Few people believe in leprechauns and green men from Mars, so people who genuinely do are considered outside the norm and probably mentally ill. On the other hand, lots of people believe in some kind of omnipotent, invisible, magical being(s) so despite there being about an equal amount of evidence as there is for the leprechauns it's considered perfectly normal, good even.

Re:Imagine the stupidity of the average person

[ausekilis]

Mr. Carlin? Is that you?

Re:Imagine the stupidity of the average person

[david_thornley]

Actually, no. The majority of people believe in God*, but God is not normally envisioned as invisible or in the sky.

*A slight majority of humanity is Christian or Muslim, and there are some other monotheistic beliefs.

Re:Imagine the stupidity of the average person

[K10W]

Some are even dumb enough to think that "average" only means "mean", and that a median isn't a kind of average...

oh if only I had mod points, never when I neeed them most. Please upvote this if you have some, getting tired of people thinking just that. From assumed majority science/IT educated community it worries me

Re:Imagine the stupidity of the average person

[RockDoctor]

Only in some countries with remarkably stupid populations.

Re:Imagine the stupidity of the average person

[popoutman]

The majority of people believe in an invisible friend in the sky.

And is that being stupid?

Yes.

About half, eh?

[Dunbal]

Those are the people we put on the "B" Ark.

Re:Sheep are among us

[Dunbal]

High school students are told that Pavlov taught dogs how to drool with a bell, because it sounds nice. In reality Pavlov drilled holes into dogs' stomachs and stuck a catheter in there through their abdominal walls, and measured the pH and enzyme content of gastric secretions when he rang the bell. Needless to say the dogs died after the experiment.

Re:I don't believe this

[quenda]

(the only people likely to click your link either don't know goatse, or want to have another look at it!)

Both will be disappointed. The joke *depends* on slashdot showing the domain.

The goatse.cx website has been shut down long ago. Go see for yourself. I dare you :-) Look at the reflection in a polished shield like Perseus, if you don't trust an random internet stranger.

I think we know the punchline

[fustakrakich]

The other half are liars, right?

Re:I don't believe this

[hcs_$reboot]

Seems to work though, see for yourself http://goatse.cx .

Solution

[Tablizer]

Goatse cured me of that habit.

In Soviet Russia

[davidwr]

Half of all web browsers CLICK YOU.

We're okay!

[Pseudonym]

Slashdotters never RTFA, so we're good.

Re:Sheep are among us

[Princeofcups]

High school students are told that Pavlov taught dogs how to drool with a bell, because it sounds nice. In reality Pavlov drilled holes into dogs' stomachs and stuck a catheter in there through their abdominal walls, and measured the pH and enzyme content of gastric secretions when he rang the bell. Needless to say the dogs died after the experiment.

It can be exhilarating to know that common knowledge is wrong, and you know the truth, but in thin case, you are the one who is wrong. Pavlov did research on the digestive system, which used catheters as you described. However, when it came to his conditioning research, drooling was the quantitative result that was recorded. And he did use a bell, as well as other stimuli.

Click?

[darkain]

If by "click", you mean having an automated tool running inside of a VM scan URLs inside of emails to determine their contents before allowing the email to pass through to my inbox? Then sure!

In other words, their definition of a "click" is honestly far too loose.

Also, of the percent that "didn't click", how many of those messages were properly caught by spam filtration systems?

Really, this isn't a study about click through rates at all, more like someone having a predetermined subject they want to publish, and build a "test" around it to make it look a certain way.

But

[bigdavex]

100% of us clicked on this story's comment section. Suckers.

how come

[iggymanz]

how come my employer gets 90% of their people from the dumber half of the populace?

For even more fun, put a "Try Again" button

[aussersterne]

beneath the "access denied" and watch a few of them try for 10 minutes straight to load it by clicking again and again, then leave it open and tap it once or twice a day for two weeks before giving up.

I know a couple people like this. You ask, "But what if the link is malware?" and they respond with "But what if it's something great?"

On a similar note, I once sent a bad link by accident to a person who was in college at the time. I then sent a follow up email saying, "Sorry, bad link. Try this one."

They then called me an hour later to say that they kept trying the first link I'd sent, but couldn't get it to load, and asked if there was anything I could do to help. I said, "But I thought I mentioned—that was a broken link, it doesn't work. I sent the right one!" And they responded with a variation on the above—"I know, but you never know, maybe I'd like it! I'd at least like to see it!"

Well

[ruir]

Half of people click on this rubbish articles too. Is this the slashdot I used to know?

Re:Well

[Jeremi]

Half of people click on this rubbish articles too. Is this the slashdot I used to know?

Yes: it was always like this.

Totally agree

[Archfeld]

Agreed, that is why you override that setting and unhide registered file types, and show system files, in addition to showing the status bar on your browser and explorer. I have to ask was it Micro$loth that first hid extensions or crApple, I genuinely don't remember but it seemed a bad decision either way.

Re:Totally agree

[david_thornley]

Pre-OSX MacOS files had two four-byte identifiers, for file type and subtype. Applications (to be run) had 'APPL' in the file type and the application name in the subtype. Other files would have the application name that created them or would run them in the type, and what they individually were in the subtype. Post-OSX, file names did have extensions, but the extensions did not determine what could execute, that being determined by the permission bits.

It was a long time ago, but I believe CP/M figured that anything with a .COM extension was runnable, and MS picked up on that.

Re:how to get it to 99%

make the link look like a cute kitty cat curled up with a computer mouse with a caption: "click me"

I tried your "click me", but it doesn't seem to be working.
Do I need to upgrade to Windows 10 to see the kitty?

Clickbait and switch

[simplypeachy]

Half of "people" don't - according to the summary, half of "university students" click anything. There's a fair difference if you ask me. The irony of a clickbait article about impulse clicking...

Re:Clickbait and switch

[Lab+Rat+Jason]

I came here to say exactly this! 1700 college students does not a representative population make...

Re:Clickbait and switch

[simplypeachy]

You wouldn't believe it!

Text browsers?

[popoutman]

At least my main email client is a text-only client, and I can follow the link with something that is definitely not going to get triggered by a drive-by. And that's to check out strange links that I may get in email, even from people I have previously been in contact with. I definitely don't follow links. Still, on the phone, I may be exposed to vulnerabilities in the non-standard email client I use.

I do..

[kenh]

I do click - I right-click on most everything that arrives in my inbox, just to see where it leads.

But I believe it - here in America, nearly half of all Americans vote for [Democrats|Republicans] without giving it a second thought...

0.00001% chance of imagined success

[Impy+the+Impiuos+Imp]

MileyAndTayTayDoingIt.exe

Hmmmmmm...if it is true, worth it!

Re:I don't believe this

[sirber]

This site can’t be reached

Sample bias

[damaki]

Come on, how come any publication could be considered as interesting or serious when it uses exclusively students as a sample?

Ahh thank-you

[Archfeld]

Thanks for the info. It makes much more sense when you explain it that way and still sounds more secure. Cheers and have a good day.