Several research studies show that users, both technically advanced and more novice, have a hard time figuring out if a website or email is real or fake. Even when people know that they are supposed to identify spoofed sites in research experiments, they get it wrong.
When reviewing a real website, almost half of the users thought it was a fake one, and similarly, half thought a spoofed site was real. It is therefore not surprising that an average user in a natural setting, stressed at work or at home, makes mistakes.
We click on phishing links in emails or visit spoofed sites; sometimes we realize this and sometimes we don’t. User training and security awareness programs do help, both by reducing the number of incidents and, more importantly, by guiding users on what to do once they realize they have made a mistake, but by then the damage has often already been done.
In our most recent experiment, we prepared eight spoofed versions of popular websites and nine legitimate ones. We then presented these 17 pages in random order and asked users with various technical backgrounds and levels of experience to decide whether the page they were looking at was spoofed or legitimate. On average, 70% correctly identified the spoofed sites; the best-identified spoofed site was spotted by 90% and the worst by 50%.
The experiment produced similar numbers for the legitimate sites. On average, 65% were correctly identified as legitimate; the best site got 95% correct answers and the worst 50%.
To better understand the strategies behind the users’ decisions, we interviewed the participants. We’ve broken down their strategic decisions into five categories.
Strategy 1 was to study the site design. Ninety percent of the participants mentioned this as one of the strategies they used to judge legitimacy. Interestingly, this strategy did not influence the outcome significantly; if anything, it tended to lead to the wrong answer.
Similar results were measured for evaluating the site functionality (Strategy 2) and the site information (Strategy 3). A more successful strategy used by 80% of the participants was to investigate the site URL (Strategy 4). Participants who said they used this strategy (at least once) got 75% correct answers, while the ones not using this strategy at all got 44% correct. Similar numbers were also found for the strategy of using security indicators in the browser (Strategy 5).
We saw that participants who used a combination of strategies 1, 2 and 3, but neither of the other two, performed worst, with an average success rate of 44%.
Those using strategies 4 and 5 performed best with an average success of 80%.
These findings in our experiment are in line with previous studies done by other researchers.
So, very little progress has been made over the last few years, and our own expectation is that we will not see real progress in the near future either. Successful phishing is therefore something we need to live with and handle in other ways.
With awareness and continued training, a company can decrease phishing incidents and limit the impact. However, most research shows that this will not stop phishing completely or even limit the damages. So, what can we do? Should we just roll over and claim defeat?
Of course not. With threat models, we can model our users and the assets they have access to in our IT infrastructure. Such a model helps us figure out which users have access to sensitive data or other key assets.
With this information, we can make changes that decrease risk. Knowing which users have access to things they should not is important, as is identifying the users who should get more awareness training to increase the chances of them acting in the right way.
Furthermore, by running breach simulations on these models, we can show how an attack starting from one phished user cascades through the systems and leads to high-impact incidents. The main upside of models and simulations is that one can test the current situation, then add new defenses or change the architecture and see whether the risks change and how the attack paths vary.
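A minimal breach simulation of the kind described above, as an added example that is not code from the original post: a constructed model of users, the systems they log in to and the onward paths between systems (all names hypothetical), used to see which sensitive assets one phished user cascades into, who needs training most, and how the picture changes once one path is cut.

```python
from collections import deque

# Constructed model for this example (hypothetical users, systems and links;
# not data from the original post). USERS maps a user to the systems they
# log in to; LINKS maps a system to the systems that become reachable once
# it is compromised (shared credentials, trust, open network paths).
USERS = {
    "alice": {"workstation-a"},                 # finance clerk
    "bob":   {"workstation-b", "admin-jump"},   # sysadmin
    "carol": {"workstation-c"},                 # no onward access
}
LINKS = {
    "workstation-a": {"file-share"},
    "workstation-b": {"file-share"},
    "workstation-c": set(),
    "admin-jump":    {"payroll-db", "hr-db"},
    "file-share":    {"payroll-db"},
    "payroll-db":    set(),
    "hr-db":         set(),
}
SENSITIVE = {"payroll-db", "hr-db"}

def reachable(user, users=USERS, links=LINKS):
    """Breadth-first walk from the phished user's systems along LINKS:
    everything returned is what one successful phish can cascade into."""
    seen, queue = set(), deque(users[user])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(links.get(node, ()))
    return seen

def exposure(user, users=USERS, links=LINKS):
    """Sensitive assets a phish of this user ultimately reaches."""
    return reachable(user, users, links) & SENSITIVE

def training_priority(users=USERS, links=LINKS):
    """Users whose compromise reaches sensitive data, most exposure first."""
    scored = {u: len(exposure(u, users, links)) for u in users}
    return sorted((u for u in users if scored[u]), key=lambda u: -scored[u])

def with_defense(links, src, dst):
    """Copy of the model with one path cut (segmentation, MFA, revoked access)."""
    new = {k: set(v) for k, v in links.items()}
    new[src].discard(dst)
    return new
```

Rerunning `exposure` and `training_priority` against `with_defense(LINKS, "file-share", "payroll-db")` shows the before/after comparison the text describes: alice's phish no longer reaches payroll data, while bob's admin path is unchanged.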