How persuasive is a well-crafted phishing message? How many people will click on the link given in it? And what exactly is the effect of a personal salutation starting off such a message? It’s what students at the University of Twente (UT) wanted to find out. They sent out nearly 600 fake emails to members of their Faculty of Industrial Design Engineering. Their findings are quite remarkable.
The messages informed recipients in English that:
“Due to recent changes of the UT computer system, some complications emerged between our database servers. This system, which contains your username and password, is not correctly synchronized.”
The aim was to lure people to a fake website where they would be asked to log on with their faculty username and password. Two variations were sent: one email started off with a general salutation (Dear staff member), the other contained a personalised greeting (Dear Mrs Smith).
Thirty-two percent of the employees who received the general email visited the website; 19 percent filled out a form asking for personal information. The figures for the personalised emails were notably higher: 38 percent went to the website; 29 percent provided confidential data.
“Phishing emails are becoming increasingly sophisticated and more and more of these messages are personalised,” says cybersecurity professor Marianne Junger of the IEBIS Department at the University of Twente. The assumption that personalised email scams are more effective appears to be right. “Apparently, people are sensitive to email content. In this case, it led them to believe that a quick response was necessary.”
Junger emphasises that it would be wrong to think that only stupid people fall for phishing scams. “People tend to presume that another person’s communication is honest. This has to do with truth bias, people’s basic desire to believe what they hear and see.”
The survey was carried out with the prior approval of the faculty’s ethics committee and the university’s HR department. The data entered by the employees has not been stored.