Think you can spot a phishing email? Think again
People may not be as good as they think they are at spotting phishing scams, according to researchers at the Missouri University of Science and Technology.
Dr Casey Canfield, Missouri S&T assistant professor of engineering management and systems engineering, worked with Carnegie Mellon University colleagues Baruch Fischhoff and Alex Davis on the study, which measures how well people’s confidence in their ability to detect phishing matches with reality.
Study participants were shown a series of legitimate and phishing emails and asked to classify each one. The researchers then asked how confident they were in each answer and how bad the consequences would be if they missed a phishing email. The results show that when people were 90-99 percent confident they had correctly identified an email as either phishing or legitimate, they were in fact identifying phishing emails correctly only about 56 percent of the time.
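The comparison the study makes, stated confidence against actual accuracy, is easy to reproduce for any phishing-awareness exercise that records a verdict and a confidence for each email. The script below is an added example, not code from the study or the article; the response data are constructed, the confidence bands are an assumption, and the functions `calibration`, `phish_miss_rate` and `brier_score` are illustrative names. It reports, per confidence band, how often participants were right, how far their confidence exceeded their accuracy, and the share of phishing emails that confident participants still let through.

```python
"""Confidence calibration for phishing classification.

Added example, not code from the Missouri S&T / CMU study. It scores
constructed responses of the shape the study collected (true label,
participant's verdict, stated confidence) and reports, per confidence
band, how often the participant was actually right.
"""
from collections import defaultdict

# Constructed sample data (not the study's data). Each tuple is
# (actual label, participant's verdict, stated confidence in percent).
RESPONSES = [
    ("phish", "phish", 95), ("phish", "legit", 95), ("legit", "legit", 90),
    ("phish", "legit", 99), ("legit", "phish", 92), ("legit", "legit", 98),
    ("phish", "phish", 91), ("phish", "legit", 96), ("legit", "legit", 94),
    ("legit", "phish", 90), ("phish", "phish", 70), ("legit", "legit", 75),
    ("phish", "legit", 60), ("legit", "legit", 55), ("phish", "phish", 65),
    ("phish", "phish", 80), ("legit", "phish", 85), ("legit", "legit", 80),
]

# Assumed confidence bands (inclusive). A two-way choice cannot be less
# than 50 percent confident, so the scale starts there.
BANDS = [(50, 59), (60, 69), (70, 79), (80, 89), (90, 100)]


def band_for(confidence):
    """Map a confidence percentage onto its band, rejecting values off the scale."""
    for lo, hi in BANDS:
        if lo <= confidence <= hi:
            return (lo, hi)
    raise ValueError(f"confidence {confidence} outside {BANDS[0][0]}-{BANDS[-1][1]}")


def calibration(responses):
    """Per band: sample size, accuracy, mean stated confidence and the gap between them.

    A positive gap means overconfidence (people believe they are right more
    often than they are); a negative gap means underconfidence.
    """
    buckets = defaultdict(list)
    for actual, verdict, confidence in responses:
        buckets[band_for(confidence)].append((actual == verdict, confidence))
    report = {}
    for band, items in sorted(buckets.items()):
        n = len(items)
        accuracy = sum(1 for correct, _ in items if correct) / n
        mean_conf = sum(c for _, c in items) / n / 100
        report[band] = {
            "n": n,
            "accuracy": accuracy,
            "mean_confidence": mean_conf,
            "overconfidence": mean_conf - accuracy,
        }
    return report


def phish_miss_rate(responses, min_confidence):
    """Share of real phishing emails judged legitimate at or above a confidence level.

    This is the security-relevant failure: a confident miss is the one the
    user acts on (opens the attachment, follows the link).
    """
    phish = [(a, v) for a, v, c in responses if a == "phish" and c >= min_confidence]
    if not phish:
        return 0.0
    return sum(1 for _, v in phish if v == "legit") / len(phish)


def brier_score(responses):
    """Mean squared error of stated confidence against correctness (0 is perfect).

    Confidence is taken as the probability the participant assigns to their
    own verdict being right, so a wrong answer at 99 percent costs almost 1.
    """
    total = 0.0
    for actual, verdict, confidence in responses:
        p = confidence / 100
        outcome = 1.0 if actual == verdict else 0.0
        total += (p - outcome) ** 2
    return total / len(responses)


if __name__ == "__main__":
    for (lo, hi), row in calibration(RESPONSES).items():
        print(f"{lo:3d}-{hi:3d}%: n={row['n']:2d} accuracy={row['accuracy']:.2f} "
              f"mean_conf={row['mean_confidence']:.2f} gap={row['overconfidence']:+.2f}")
    print(f"phish missed at >=90% confidence: {phish_miss_rate(RESPONSES, 90):.2f}")
    print(f"Brier score: {brier_score(RESPONSES):.3f}")
```

Run it on real exercise data and the 90-100 band is the one to watch: a large positive gap there, combined with a high confident miss rate, is the pattern the study describes, and it will not show up in a plain pass/fail click rate.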
"You should just be pretty suspicious in general with email," says Dr Canfield. "People definitely tended to be overconfident in their ability to spot phishing emails."
Canfield then took the research a step further by comparing participants' answers with what was actually happening on their computers. The researchers used data from the Security Behavior Observatory at Carnegie Mellon, a long-term study in which every action on a volunteer's computer is monitored. Among those same volunteers, Canfield found a correlation.
"Surprisingly, we saw that people with better metacognition tended to be better at protecting themselves," says Dr Canfield. "They had fewer malicious files on their computers. My previous study looking at performance metrics was inconclusive."
She suggests that artificially increasing the number of phishing emails people receive could potentially improve their ability to distinguish scams from legitimate messages. "One of the challenges with phishing emails is that you don’t necessarily get feedback on whether or not you made the right decision. You may have malicious files on your computer, but you may never know. You may just be a portal to some other target. Without that feedback, it's really hard for people to learn whether they’re good at detecting phishing emails."
The research suggests that training with simulated phishing emails, which supplies the feedback that real phishing denies people, is likely to be an effective means of combating attacks, though Canfield says further research on the subject is needed.
The full report is available in the journal Metacognition and Learning.