Think you know a phishing email when you see one? Not so fast. Most people are overconfident when it comes to identifying potentially dangerous emails and often get it wrong.
According to new research from the University of Texas at Arlington, our judgmental confidence exceeds our actual performance in decision making when identifying a malicious email. As a result, we’re even more at risk of breach than ever, even when we think we’re safe.
"Overconfidence in Phishing Email Detection" was published recently in the Journal of the Association for Information Systems.
About 600 people took part in the experiment to see if they could recognize phishing emails. Each participant was shown 18 emails from banks like Bank of America and Chase. About half of them were legitimate emails from those banks. The other half were phishing emails purporting to be from these companies.
Simple things like being familiar with the business sending the email increased overconfidence, while putting greater cognitive effort into examining these emails can decrease it. That may be easier said than done, though.
“We found out that many people are overconfident. In other words, a lot of people thought they had made a correct judgment on an email, yet they did not. Their confidence is a poor indicator for their actual performance,” said co-author Jingguo Wang. “Therefore, one suggestion from the study is that following one’s confidence on judgment to take subsequent actions on an email may not be recommended.”
The study proves that phishing, although a classic method of infiltration, is still an effective way to dupe people. We deal with so many messages daily that it’s easy to fall for the scams at least half of the time.
Wang is currently in the middle of further research into phishing that looks at how users respond to phishing emails when they discover them. “They might just decide to delete everything, which isn’t effective or worthwhile,” he said.
The researchers believe that analyzing how people identify and react to phishing emails will help businesses and users alike get better at reducing the number of malicious emails sent and received.