By now, most Internet users are fully aware of the risks inherent with logging on – or at least, we should know them. Yet the fact that people still fall for phishing emails, click on suspicious links, and ignore the security warnings from their antivirus software says that despite all of the warnings, all of the bad experiences, and all of the time and money lost to viruses, malware, and data breaches, we still haven’t learned to avoid falling victim to cybercrime.
Case in point? Phishing. According to the Verizon Data Breach Investigations Report, almost a quarter of all phishing emails that are sent are opened — and of those that are opened, one in 10 users actually clicks on the links included in the email. The average time it takes for a phishing attack to be launched and for someone to take the bait? 82 seconds. That’s right: A criminal can launch a phishing attack, and less than two minutes later, have enough information to gain access to sensitive information and wreak havoc.
It should be no surprise, then, that as many as two-thirds of all data breaches and major security incidents stem from phishing emails. Despite having been warned against opening emails or clicking on links contained in emails from strangers, people are still doing it.
The question is why? Why do people, many of whom could be considered savvy computer users, continue to ignore the warnings? The short answer is, “They can’t help it.”
The Brain and Security Warnings
Earlier this year, researchers at Brigham Young University working with Google released the findings of a study that looked at user responses to security warnings — or more specifically, why it appears that most people ignore them. The research stemmed from earlier research that the search giant conducted on its own Chrome browser in which security warnings were ignored 70 percent of the time.
By analyzing brain scans taken when users viewed security warning, the BYU study determined that most people stop responding to security warnings after the first time they see them. In fact, most people clicked through security warnings in less than two seconds — not nearly enough time to process the warning and make an appropriate decision.
Researchers suspect that there are several reasons for user’s lack of response to security warnings:
Habituation. Security warnings are so common that they just become part of the background. This is particularly pervasive when the user ignores a security warning, such as one related to an SSL certificate, and nothing happens. Later on, the same warning is more likely to be ignored.
Lack of understanding. Many security warnings are delivered in technical language that the average user doesn’t understand. Google found that when it removed highly technical language from its warnings, and put the warning in plain language, user response increased.
Warnings without consequences. Unless users understand exactly what will happen when they complete their action, they are not likely to click on the link. Many of the top antivirus programs have now begun including details about possible consequences of clicking a link or opening an email; for example instead of just saying “This site may be dangerous,” the warning will detail the dangers, such as phishing or malware injections.
Simple human curiosity. Phishing emails often work because they tap into innate human behaviors. Not only are messages about banking or credit cards likely to get a response, since most people are concerned about their finances, but a study by an email security company found that women are often likely to respond to messages that appear to come from social networks (like a friend request or comment on Facebook) while men are likely to respond to messages relating to money, power, and sex. In other words, people open emails that they believe are suspicious simply because they are curious, and don’t want to make the mistake of ignoring something important.
False sense of security. Finally, people ignore security warnings or advice because they don’t think it applies to them. They don’t think they have anything of value to a hacker, or that their security software (or more accurately, their employer’s software) will protect them. They think that by avoiding certain types of websites, they are safe. In other words, they let their guard down, when constant vigilance is necessary.
So how does one stay safe in a dangerous online world? Constant vigilance, up-to-date security tools, and paying attention to warnings are all important. Even if you don’t understand a security warning, it’s best to heed it and be safe, not sorry. Delete the suspicious emails — no matter how curious you are — and use strong passwords. When you do, you can avoid being a cybercrime statistic.