Slashdot Mirror


Half Of People Click Anything Sent To Them (arstechnica.com)

Want to know why phishing continues to be one of the most common security issues? Half of the people will click on anything without thinking twice. Ars Technica reports: A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages -- even though most of them claimed to be aware of the risks. The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month's Black Hat security conference. Simulated "spear phishing" attacks were sent to 1,700 test subjects -- university students -- from fake accounts. The e-mail and Facebook accounts were set up with the ten most common names in the age group of the targets. The Facebook profiles had varying levels of publicly accessible profile and timeline data -- some with public photos and profile photos, and others with minimal data. The messages claimed the links were to photos taken at a New Year's Eve party held a week before the study. Two sets of messages were sent out: in the first, the targets were addressed by their first name; in the second, they were not addressed by name, but more general information about the event allegedly photographed was given. Links sent resolved to a webpage with the message "access denied," but the site logged the clicks by each student.

9 of 156 comments

  1. This is what happens by Anonymous Coward · · Score: 5, Interesting

    This is what happens when browser makers hide the status bar, hide the location URL/protocol and generally dumb down the location parts of the UI.

    Removing those essential browsing elements is like removing street signs because everyone has a GPS. Bring back the status/URL bars and educate people to know what their function is.

    1. Re:This is what happens by amicusNYCL · · Score: 5, Insightful

      Yeah you're exactly right, the half of the population who click on anything would totally not do that if only they could see the protocol. Because that's what was keeping everyone safe for so many years back in the halcyon days of innocence when everyone used IE6 and malware was non-existent.

      I don't think the URL field has been dumbed down at all, it hides things that you don't generally need to see (there's still an indicator if the page is secured or not, instead of expecting random people to know the difference between "http://" and "https://"), and it emphasizes things that are more important, like making the root domain stand out and writing the rest in a lighter shade. That actually helps people who got sent to facebook.com.pwned.net figure out which site they're actually on, it doesn't make anyone stupider. I can look at the URL and obviously tell that I'm on a subdomain of slashdot.org, because the root domain is written darker.

      And the status bar? Really, grandma? Can you name a single browser that does not show the URL of a link that you're pointing to when you point at it? Why have an area of the UI dedicated to showing that, which isn't being used if you're not hovering over a link? If you're thinking of some other purpose of the status bar that we've lost without a replacement, just what sage advice do you think it was dispensing that we need to bring back?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
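
The root-domain emphasis described in the comment above, as an added example that is not part of the original post or any browser's code: it splits a hostname into the registrable domain (shown darker) and the de-emphasised subdomain part, and flags a trusted name that appears only in the latter. The function names, the URL paths and the five-entry suffix set are constructed for illustration; a real check uses the full Public Suffix List.

```javascript
// Constructed subset of the Public Suffix List, for illustration only;
// a production check would load the full list published at publicsuffix.org.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk"]);

// Registrable domain = longest matching public suffix plus one label to its
// left. Returns null for IP addresses, bare suffixes and unknown TLDs.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // i counts up from 0, so the longest candidate suffix is tried first.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Split a link the way the URL bar shades it and report any trusted domain
// that appears only in the de-emphasised subdomain part.
function inspectLink(url, trustedDomains) {
  // URL lower-cases the host; drop a trailing root dot so lengths line up.
  const host = new URL(url).hostname.replace(/\.$/, "");
  const registrable = registrableDomain(host);
  const dimmed = registrable
    ? host.slice(0, host.length - registrable.length)
    : "";
  const impersonates =
    trustedDomains.find(
      (t) => t !== registrable && ("." + dimmed).includes("." + t + ".")
    ) || null;
  return { host, registrable, dimmed, impersonates };
}

// Hostnames taken from the comment above; the paths are constructed.
const trusted = ["facebook.com", "slashdot.org"];
console.log(inspectLink("http://facebook.com.pwned.net/photos", trusted));
console.log(inspectLink("https://news.slashdot.org/story", trusted));
```
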
  2. Color me surprised by Feral+Nerd · · Score: 5, Funny

    Half Of People Click Anything Sent To Them

    Actually 49.5% of people click anything sent to them, another 49.5% double click anything sent to them. The remaining 1% are nerds who know better.

  3. People actually click on email links? by hackel · · Score: 5, Insightful

    I actually get really frustrated because 99% of all email links cannot be clicked because of embedded tracking information. It makes pretty much any email newsletter/update/etc. completely useless. I spend far too much time going to a website and finding something I want to look at, all because I refuse to click on a link that contains tracking information. I can't believe so many people, especially students, are dumb enough to do this. And yet, I can believe it. It's just sad.

  4. Imagine the stupidity of the average person by penguinoid · · Score: 5, Funny

    Imagine the stupidity of the average person -- then realize that half of them are dumber than that.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Imagine the stupidity of the average person by Pfhorrest · · Score: 4, Insightful

      Some are even dumb enough to think that "average" only means "mean", and that a median isn't a kind of average...

      --
      -Forrest Cameranesi, Geek of all Trades
      "I am Sam. Sam I am. I do not like trolls, flames, or spam."
    2. Re:Imagine the stupidity of the average person by hambone142 · · Score: 4, Insightful

      The majority of people believe in an invisible friend in the sky.

  5. About half, eh? by Dunbal · · Score: 4, Funny

    Those are the people we put on the "B" Ark.

    --
    Seven puppies were harmed during the making of this post.
  6. Click? by darkain · · Score: 4, Insightful

    If by "click", you mean having an automated tool running inside of a VM scan URLs inside of emails to determine their contents before allowing the email to pass through to my inbox? Then sure!

    In other words, their definition of a "click" is honestly far too loose.

    Also, of the percent that "didn't click", how many of those messages were properly caught by spam filtration systems?

    Really, this isn't a study about click through rates at all, more like someone having a predetermined subject they want to publish, and building a "test" around it to make it look a certain way.