Phishing scams and the human brain
By John Hawes March 14, 2014
- Our brains work hard to spot phishing scams, but still often fail: Study
- More impulsive personalities tend to apply less thinking to such tasks
SCIENTISTS have found a significant increase in brain activity related to problem-solving and decision-making when we're trying to tell if a webpage is legitimate or not, and when we're processing browser warnings about potential malware-infected sites.
Despite the extra brain-power called on by these tasks, it seems we're still pretty bad at spotting fake sites, averaging just a 60% accuracy rate.
Unsurprisingly, more impulsive personalities tend to apply less thinking to such tasks.
These are the findings of a study by a mixed group of computer scientists and psychologists at the University of Alabama at Birmingham, who had their test subjects look at real and fake versions of webpages, and malware alerts and other less serious messages, while scanning their brains with a functional Magnetic Resonance Imaging (fMRI) machine.
The phishing test consisted of real login pages and faked versions from a range of websites often targeted by phishing, including online services such as Facebook, Gmail, Hotmail, LinkedIn, Twitter and Yahoo!, shopping sites like Amazon and eBay, and financial sites including PayPal and Wells Fargo Bank.
The fakes were split into easy and hard varieties, with the standard clues such as lookalike URLs, wonky fonts, iffy grammar and outdated graphics.
Participants correctly identified roughly 77% of the real sites, 57% of the ‘easy’ fake sites and just 34% of the ‘difficult’ ones, making for an overall accuracy of just over 60%.
As the study's writers point out, this isn't much better than random guesswork: a coin flip between 'real' and 'fake' scores 50% on average, and on the difficult fakes participants actually did worse than that.
Brain scans taken during the tests showed increased activity in brain regions associated with paying attention, strategic and controlled approaches to tasks, memory accessing, and decision-making, as compared to similar scans taken when simply viewing webpages with no task assigned.
In the malware warning test, participants read snippets of news items. While reading, they were shown a popup featuring either a malware warning that asked for confirmation before proceeding, or a general, non-threatening comment or question that called for a similar yes/no response.
Click-through rates showed an accuracy of around 67% for the non-warning popups, and almost 89% for the warning ones, for an overall average accuracy of 81%.
Scan data from this test showed more brain activity when the warnings appeared than when simply reading news, and a statistically significant further increase from the non-warning popups to the warning ones.
Participants also spent slightly longer (~4.2 seconds) processing the non-warning messages than the warning ones (~3.7 seconds).
So it may seem like our brains are kicking in when required to protect us from wandering into danger online, but our lack of knowledge or caution is holding us back.
For the impulsiveness component, participants were classified using the Barratt Impulsiveness Scale questionnaire, and in both parts of the test the more impulsive individuals showed a smaller increase in brain activity when faced with tricky problems.
Sadly, figures are not provided on how this hastiness affected the overall accuracy scores.
Of course this is just a single study, and as the scientists themselves point out, it is subject to a number of limitations which may well have influenced the results.
To start with, because of the cost of MRI time, the sample size is fairly small at just 25 participants, although other fMRI studies have suggested that a reasonably representative sample can be obtained from just 20-24 subjects.
Those 25 were all university students aged 19-32, so not necessarily a good reflection of society in general despite selecting from a diverse range of backgrounds and study subjects.
Also, because of the scanner's exclusion criteria, none of the participants had any metal implanted in their body, and pregnant women and breastfeeding mothers were excluded, as were diabetics, anaemics and users of psychotropic drugs. Just one of the sample was left-handed.
Crucially, the nature of the test meant the participants were not in a normal web-browsing setting, instead lying flat and as still as possible in a large and noisy machine, viewing the customised test pages on a low-resolution (640 x 480) screen.
They were also explicitly instructed to judge whether each page was real or fake, something which in real life most people are unlikely to think about of their own accord, despite all efforts to persuade them to do so.
Nevertheless, the study presents some interesting initial findings, and could lead the way to much more scientific understanding of how our brains respond to different kinds of warnings, and how we identify spoofing and faking.
This could help design much more effective warning mechanisms, and also guide future educational programmes to keep the next generation much more on its toes when venturing online.
Of course, it won't be long before the bad guys are getting their own MRI scanners so they can work on improving their social engineering techniques ....
John Hawes is technical consultant and Test Team director at Virus Bulletin, running independent anti-malware testing there since 2006. He wrote this for the Sophos Naked Security blog, and it is being reprinted on DNA with its kind permission.