Contact: 509/335-3583, rstrenge@wsu.edu
A Skeptical Nature May be Your Best Defense Against Online Frauds

A study by graduate student Ryan Wright and Assistant Professor Kent Marett, of the WSU College of Business, involved an elaborate 'phishing attempt' to trick more than 300 WSU undergraduates enrolled in an introductory MIS class into revealing what they had been told was their “super secret” personal departmental passcode.
If you're not easily taken in by e-mail "phishing" attempts and other fraudulent Internet scams designed to get you to reveal sensitive personal information, it may not be so much a result of your online experience and computer savvy as a natural reflection of your own personality.
That's the strong suggestion from a recent study at Washington State University intended to discern what key knowledge, experience and traits come into play in determining who may be more or less likely to fall prey to scams aimed at getting them to reveal credit card and social security information, bank account numbers and personal passwords online.
Data compiled by Microsoft and Phishing.org suggests some 57 million Americans may have already been targeted by e-mail phishing attempts seeking to direct them to fraudulent Web sites where sensitive personal data can be collected. Roughly five percent of those targeted - or nearly 3 million people - are estimated to have fallen victim to such scams, resulting in what may well be more than $900 million in estimated financial losses.
In the process, more than 100 corporate and commercial brand names and identities - 92 percent of which are those of financial institutions - have been counterfeited or "hijacked" through the creation of fraudulent Web sites that closely mimic those of legitimate businesses, according to estimates by the same sources.
Conducted within the Management Information System Department of the WSU College of Business, the research into how individual traits may come into play in computer users' responses to phishing attempts involved an elaborate effort to trick more than 300 WSU undergraduates enrolled in an introductory MIS class into revealing what they had been told was their "super secret" personal departmental passcode.
The "bait" used by researchers conducting the study was a phishing e-mail designed to look as if it had been sent by someone from the university's technology group. The e-mail exhibited many of the fairly sophisticated features of most real-world phishing attempts, including a contrived sense of urgency meant to prompt the recipient into responding without giving the matter much thought.
Kent Marett, the WSU assistant professor who oversaw the research, said 32 percent of the student respondents revealed their passcodes, despite the fact that they had been frequently instructed not to reveal the information to anyone, required at the time the codes were issued to sign non-disclosure agreements, and previously attended class modules on Internet safety and security. The balance of the subjects either detected that the e-mail was a scam, refused to reveal their passcodes as instructed, or simply did not respond.
Of particular interest to Marett and Ryan Wright - the WSU MIS graduate student who devised the phishing experiment - was that although the experiment used three separate e-mailings with varying degrees of authenticity, the inclusion of "clues" that might raise doubts about the e-mail's validity was shown to have little or no bearing on whether the students were deceived.
"One batch was sent from a legitimate WSU e-mail address, another from a mock address designed to give some appearance of a valid WSU e-mail address, and another from a purely generic address (Mail.com) unlike anything typically used by the university," Wright said. "What we found was that the use of visible clues - such as a questionable address, intentional typos or oddly phrased language - really didn't even come into play in our subjects' perceptions of whether there was a risk associated with revealing their information."
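The three sender categories Wright describes (a genuine organizational address, a look-alike address, and an unrelated generic address) are exactly the cue the subjects ignored, which is a good argument for checking it automatically. The following is an added example, not code from the WSU study; the organization domain and the sample From: values are constructed stand-ins, since the page does not give the actual addresses used in the experiment. Note that a "legitimate" result only means the domain matches: one of the study's batches was sent from a real WSU address, and From: headers can be forged, so this is a cue to weigh, not proof of origin.

```python
import difflib
import re

# Hypothetical organization domain for the example; the page does not give the
# study's actual sender addresses, so every input below is constructed.
ORG_DOMAIN = "wsu.edu"


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From: value such as
    'IT Support <helpdesk@wsu.edu>' or a bare 'helpdesk@wsu.edu'."""
    m = re.search(r"<([^>]+)>", header_value)
    addr = m.group(1) if m else header_value.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {header_value!r}")
    return domain.lower()


def _registrable(domain: str) -> str:
    # Simplification: keep the last two labels. Production code should consult
    # the public suffix list (co.uk etc.); this is enough for the sample cases.
    return ".".join(domain.split(".")[-2:])


def classify_sender(header_value: str, org_domain: str = ORG_DOMAIN,
                    threshold: float = 0.8) -> tuple:
    """Return (label, reason) with label one of
    'legitimate', 'lookalike' or 'unrelated'.

    'legitimate' means only that the domain matches the organization; a
    From: header can be forged, so treat the label as a cue, not as proof."""
    domain = sender_domain(header_value)
    org = org_domain.lower()
    if domain == org or domain.endswith("." + org):
        return "legitimate", f"domain {domain} is {org} or a subdomain of it"

    # Look-alike, form 1: the organization's name used as a label inside a
    # foreign domain, e.g. wsu-support.com or wsu.edu.example.net.
    org_label = org.split(".")[0]
    labels = [t for t in re.split(r"[.\-]", domain) if t]
    if org_label in labels:
        return "lookalike", f"'{org_label}' appears as a label in {domain}"

    # Look-alike, form 2: near-miss spelling. Separators are removed so that
    # 'wsuedu.com' is compared against 'wsuedu'.
    a = _registrable(domain).replace(".", "").replace("-", "")
    b = org.replace(".", "").replace("-", "")
    ratio = difflib.SequenceMatcher(None, a, b).ratio()
    if ratio >= threshold:
        return "lookalike", f"{domain} resembles {org} (similarity {ratio:.2f})"
    return "unrelated", f"{domain} shares no obvious features with {org}"


if __name__ == "__main__":
    # Constructed samples covering the three categories from the study.
    for sample in ("IT Support <helpdesk@wsu.edu>",
                   "helpdesk@wsu-support.com",
                   "helpdesk@wsuedu.com",
                   "wsu-it@mail.com"):
        print(sample, "->", classify_sender(sample))
```

The local part of the address is deliberately ignored: "wsu-it@mail.com" is classified by its domain alone, because anyone can choose any local part at a free provider. Homoglyph tricks (Cyrillic letters, punycode domains) are not handled here and would need normalization before the comparison.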
Ultimately, the primary distinctions between those who revealed their personal information and those who did not were developed through a survey conducted to assess various aspects of the students' perceptions of their own personality traits, computer knowledge and proficiency, and Internet experience.
As might be expected, the researchers said those who revealed their passcodes tended to score lower than their classmates in general confidence in their own computer skills, their degree of online experience, and their overall awareness of computer security issues. They were also more likely to describe themselves as relatively less suspicious than those who declined to reveal the information.
Another interesting finding was that there was no difference between those who fell prey and those who did not in terms of their disposition to trust people and their assessments of Internet risk. This suggests that it was not in fact the "trusting" souls, in terms of the Internet or otherwise, who were duped. Rather, it seems to be the uninformed and unaware.
A relatively high number of those who declined to reveal their passcodes simply cited the fact that the request was contrary to their earlier instructions or a violation of the terms of the non-disclosure pact, Marett said. By refusing to reveal the information as a matter of policy, they effectively avoided the need to determine whether the e-mail was deceptive - a result which suggests that efforts by financial institutions to make customers aware that they never solicit personal information online may be well-directed.
Respondents who actually detected the e-mail as a scam tended to have more online experience than those who revealed their passcodes, Marett said. What those who identified the scam had most in common, however, was not greater computer and Internet experience but a shared predisposition to be skeptical or suspicious by nature.
"One of the things we may want to look at more closely in future research is what specific types of online experiences our respondents have and whether there's any correlation between those experiences and their inclination to be trustful or suspicious," Marett said. "After all, you can have hundreds of hours of experience on the Internet, but if you're just researching your homework, it can be a substantively different experience than if you spend a lot of time interacting with other users in online communities."
While there has been a good deal of research into the technical aspects of computer and Internet security, Marett said, academic research into the security aspects of online interactions among users has become a focus only relatively recently.
Such research will continue to be a strong focus for WSU's MIS Department, he said, and may ultimately extend beyond security issues involving e-commerce, social networking and identity theft into efforts to better understand and address more personal security issues and threats, such as cyber-stalking and online sexual predation.