Researchers investigate user behaviour when unknown messages are received online
Most people know that e-mails and facebook messages from unknown senders can contain dangerous links. However, many users still click on them - and Dr. Zinaida Benenson from the Chair of Computer Science 1 at Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) has investigated why. The results of the experiment were clear: up to 56 percent of e-mail recipients and around 40 percent of facebook users clicked on a link from an unknown sender although they knew of the risks of their computer becoming infected with a virus. And the main reason? Curiosity.
For the experiment Dr. Benenson - whose research focuses on the human factors in IT security infrastructure - and her team conducted two studies in which they sent around 1700 FAU students e-mails or facebook messages under a false name. They adapted the fake messages to the target groups by signing them with one of the ten most common names for the target group's generation. In both of the studies the text claimed that the link in the message was to a page with images of a party the previous weekend. If the recipient clicked on the link they were directed to a page with the message 'access denied". This enabled the researchers to register the click rates. They then sent a questionnaire to all of the test subjects which first asked them to rate their own awareness of security before explaining the experiment and asking them about the reasons they did or did not click on the link.
In the first study the researchers addressed the test subjects by their first names. In the second, by contrast, they did not address them personally but gave more specific information about the occasion on which the photos were supposedly taken - a New Year's Eve party the week before. For the facebook messages the researchers created profiles with a public timeline and photos, as well as less public profiles without no photos and only a minimum amount of information. There were different results in each study. 56 percent of the e-mail recipients and 38 percent of the facebook message recipients in the first study clicked on the links. In the second study the percentage of e-mail recipients who did so went down to 20 percent, while the percentage of facebook users who did so went up to 42 percent.
"The overall results surprised us as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links," Dr. Benenson says. "And only 20 percent from the first study and 16 percent from the second study said that they had clicked on the link. However, when we evaluated the real clicks, we found that 45 and 25 percent respectively had clicked on the links." The researchers believe that this discrepancy could be due to participants simply forgetting the message with the link after having clicked on it.
When asked why they clicked on the link, the large majority of participants said that it was due to curiosity with regard to content of the photos or the identity of the sender. Other users said that they knew someone with the sender's name or had been to a party the previous week where there were people they did not know.
"Conversely, one in two of the people who did not click on the link said that the reason for this was that they did not recognise the sender's name. Five percent stated that they wanted to protect the sender's privacy by not looking at photos that were not meant for them," Dr. Benenson explains. But what conclusions can be drawn from the experiment? "I think that, with careful planning and execution, anyone can be made to click on this type of link, even it's just out of curiosity," Dr. Benenson says. "I don't think one hundred percent security is possible. Nevertheless, further research is required to develop ways of making users, such as employees in companies, more aware of such attacks."
Dr. Benenson presented her findings at the Black Hat Conference: https://www.blackhat.com/us-16/briefings.html#exploiting-curiosity-and-context-how-to-make-people-click-on-a-dangerous-link-despite-their-security-awareness