<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=62700&amp;fmt=gif">
Valimail’s Email Authentication as a Service ™ gives you full control and visibility of your email services.

Study: Even sophisticated users can’t resist clicking on links in emails

Clicking links is irresistible
Photo credit: Tim Franklin Photography

All too often, companies respond to the threat of phishing attacks by punishing the employees who fell for them and by promising to educate their staff better. That’s missing the point, as recent research out of Germany proves. It turns out that even sophisticated users are remarkably easy to trick into clicking on URLs in email and Facebook messages.

In the study, researchers sent simulated spear phishing messages from fake accounts to 1,700 university students. What they found is that if email messages addressed the recipients by name, there was a 56% chance that the recipient would click on the link. It helped that there was an enticing promise behind the link: The phishing emails promised to show pictures from a New Year’s Eve party that had happened just the week before.

Researchers were surprised at that high rate of click-through, especially since 78% of the students had told them in a survey that they were aware of the dangers of clicking on unknown links.

The study is a mini-illustration of how to design an effective spear-phishing email: Use a common name for the fake account it’s coming from, address it to the recipient by name, and promise something timely that intrigues the recipient’s sense of curiosity or voyeurism.

But it also illustrates that training alone is ineffective in stopping phishing emails. The students were aware of the risks, and they still clicked on the links.

The problem is, many email messages don’t carry enough intrinsic information to allow even sophisticated users to distinguish legitimate from illegitimate emails.

Authenticated v. Unauthenticated email
Google now flags non-authenticating emails with a question-mark avatar (right).

Email authentication can help, by indicating whether a sender really does have the right to use the email address shown in their “From” field. That’s why it’s such a good step forward that Gmail recently started flagging non-authenticating messages with a question mark in place of the usual avatar.

If you combine signals like Gmail’s with user education, you’ll be much more effective at keeping users from clicking on bad links. But education alone is not going to cut it. Especially when New Year’s Eve party photos are involved.

Security Phishing

Valimail’s Email Authentication as a Service ™ gives you full control and visibility of your email services.
The ValiMail Blog: Return to Sender

The ValiMail Blog: Return to Sender

Everything you ever wanted to know (but were afraid to ask) about email authentication DMARC, SPF, DKIM, and how they can stop fraud and phishing.