You can be the smartest security buff in the world, yet researchers could probably still trick you into clicking on a dangerous link.
Zinaida Benenson, who leads a group that aims to understand human factors in security and privacy at the University of Erlangen-Nuremberg in Germany, set out to find out why people decide to click or not to click on potentially malicious links. That’s usually the first step into launching a malware attack, installing ransomware, or stealing data.
Benenson will this week tell attendees at her Black Hat talk in Las Vegas that anyone can be tricked into clicking on a dangerous link — despite their security awareness.
“By a careful design and timing of the message, it should be possible to make virtually any person to click on a link, as any person will be curious about something, or interested in some topic, or find themselves in a life situation that fits the message content and context,” said Benenson, who she shared with me her findings ahead of her talk on Wednesday.
She said that even with effective training — such as awareness into phishing emails and malware — it would be “highly unrealistic” to expect a person not to fall for clicking on a malicious link.
The research builds on her 2014 study which determined that email was still the best way to trick a person into clicking on a malicious link.
Often people make mistakes because of two factors: context and curiosity.
Adding context to the malicious email was “by far the most frequent reason” for clicking, such as content or context in of the message that fits the current life situation of the person, the research said. In other words, if a person was at a party last week and someone sends them a “link” to photos, they’re more likely to click on that link. If a person’s job requires processing invoices, they’re more likely to click on a ransomware file labeled as an invoice.
“We show that curiosity (or interest in the topic) and context of the attack play the most important role in the unsafe decision making of the users, thus making thwarting skillful attackers a difficult task,” says the research.
But good luck trying to mitigate against this human-level type of vulnerability, says Benenson.
“Natural and creative human traits, such as curiosity, will remain exploitable forever, as humans (hopefully) cannot be patched against these exploits,” she said.