Research looks at why phishing attacks are so hard to avoid

During a Wednesday session at the 2016 Black Hat USA security conference, researcher Zinaida Benenson highlighted two studies​ she and a team of researchers conducted to find out what drove people to click on links from phishing emails.
email, phishing, spearphishing, business email compromise, malware
(Getty Images)

LAS VEGAS — Zinaida Benenson, a computer researcher at Germany’s Friedrich-Alexander University, has found the ideal employee to avoid a phishing attack.

This employee is highly trained, knows that any person in their life could turn on them at any second and can operate impeccably while understanding the looming deception that could creep into their inbox at any time.

There is one hang up with this employee. They don’t exist.

Benenson created this straw man position — what she called ‘James Bond mode’ — to drive home the point that all the in-house training and personal vigilance related to phishing attacks is never going to surpass humans’ inherent curiosity.


During a Wednesday session at the 2016 Black Hat USA security conference, she highlighted two studies she and a team of researchers conducted to find out what drove people to click on links from phishing emails.

(Black Hat 2016 USA)

Zinaida Benenson addresses Black Hat 2016 in Las Vegas. (Black Hat 2016 USA)

The first study, conducted in September 2013, sent university students an email or Facebook message instructing them to look at pictures from a previous week’s party via a hyperlink to a cloud-based photo application. The email was designed to be from someone respondents never had contact with and the Facebook message was attached to dummy accounts that presented very little of the sender’s identifying information.

Researchers found that 56 percent of the email recipients and 38 percent of the Facebook recipients clicked on the link. However, when the research team followed up, only 20 percent of the entire respondent pool remembered clicking the link, despite the fact the research showed 45 percent actually clicked the link.

A second study conducted in January 2014 tweaked the malicious message: It again included a link to a photo site, but this time it was geared toward an album of photos from a New Year’s Eve party. Clicks from Facebook were higher than the email (42.5 percent to 20 percent), despite a lower overall percentage (25 percent) of people clicking through.


When respondents were asked why they clicked on the link, more than a third said they did so out of curiosity, despite knowing they weren’t in any pictures. Additionally, 27 percent of clickers explained that they could identify with the situational context given in the message, such as actually having been at a New Year’s Eve party with unknown people. Moreover, 16 percent thought that they knew the sender.

Benenson said the lesson learned from the studies is that with the right design or timing, even highly aware people are going to click on links if they fit into the context of their everyday life.

“People are people. They are curious. They don’t think in the moment,” she said. “When they see a message that interests them, they just think.”

Benenson said even she has fell victim to clicking links in emails before realizing they could have contained malicious payloads. She pointed to an email from a supposed CNN journalist who wanted an interview, one from an academic journal she wasn’t familiar with filled with jumbled links and a bank notice that she haphazardly passed along to the security team before realizing that if it was loaded with suspicious malware, it could have disrupted the bank’s system if they opened it on their networks.

So while organizations do all they can to prevent people from opening suspicious emails, she stressed that trying to move humans away from their own innate decision-making process could result in diminished use of email altogether.


“We should think about the price people will have to pay for this. They will have to be in ‘James Bond mode,’ which is not natural for people,” she said. “We don’t know what kind of defense is efficient for humans, but we should not make people abstain from their usual decisional heuristics. They will freak out. Don’t push them into ‘James Bond mode.’“

Contact the reporter on this story via email at, or follow him on Twitter at @gregotto. His OTR and PGP info can be found hereSubscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here:

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts