Verizon estimates that 90% of all data breaches originate from phishing, and according to the Anti-Phishing Working Group, the number of phishing websites is at an all-time high right now.
Several research studies show that users, both technically advanced and novice, have a hard time figuring out whether a website or email is real or fake. Even when people know that they are supposed to identify spoofed sites in research experiments, they get it wrong.
When reviewing a real website, almost half of the users thought it was a fake one, and similarly, half thought a spoofed site was real. It is therefore not surprising that the average user in a natural setting, stressed at work or at home, makes mistakes.
We click on phishing links in emails or visit spoofed sites; sometimes we realize this and sometimes we don’t. User training and security awareness programs can help, both by reducing the number of incidents and, more importantly, by guiding users on what to do when they realize they have done something wrong, but often the damage has already been done.
In our most recent experiment, we prepared eight spoofed versions of popular websites and nine legitimate ones. We then presented these 17 pages in a random order and asked users with various technical backgrounds and experience to decide whether the page they were looking at was spoofed or legitimate. On average, 70% correctly identified the spoofed sites, with 90% the best performance for identifying a spoofed site and 50% the worst.