When people hear about tragedies or awful events, most feel empathy for those involved, but don’t consider the possibility that something bad could conceivably happen to them. There are tons of examples.
“Sure, my friend’s uncle was diagnosed with cancer, but that won’t happen to me.” “I heard someone was mugged on this street last month, but it’s my fastest route home. I’ll be fine.”
Other people’s problems are, well, other people’s problems. Others may have been stupid, arrogant, or just plain unlucky, but “I’ll do better.” It’s human nature, but this tendency to assume bad things won’t happen to us can often lead to disaster. Now, a new study from New York University finds that most people are way too confident in their ability to avoid online scams.
This research focused specifically on phishing scams and found that we usually believe we are far less likely to fall for such a scam than other people are. In many instances, people will overlook “base rate information,” or statistics that suggest they may fall victim to a scam. For example, even if a 25-year-old were presented with a stat such as “80% of 18-28 year-olds will fall for an online scam at least once,” that individual will still insist it won’t happen to them.
Phishing scams, or fake emails sent out to millions of email addresses to try to gather personal information, have become ultra common. If you have an email address, you’ve received a phishing email. These malicious emails masquerade as real correspondence from legitimate businesses in an attempt to trick people into foolishly providing passwords, billing info, and other sensitive information.
Making matters worse, these phishing attempts have increased by over 600% since the beginning of the COVID-19 pandemic! Just because we’re all stuck inside, that doesn’t mean the people behind these insidious attacks are taking a vacation. If anything, they have more time to refine their work. This, combined with the fact that millions of people all over the world have started working from home, has led the study’s authors to conclude that COVID-19 may gravely damage the world’s “cyber health” before this viral ordeal is over. If remote workers aren’t able to recognize these phishing scams, they could jeopardize the online security of both themselves and the companies they work for.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency even issued an alert back in March warning of the cyber risks associated with working from home.
“This study shows people ‘self-enhance’ when assessing risk, believing they are less likely than others to engage in actions that pose a threat to their cybersecurity–a perception that, in fact, may make us more susceptible to online attacks because it creates a false sense of security,” says study author Emily Balcetis, an associate professor in New York University’s Department of Psychology, in a university release.
Whether any of us would like to admit it or not, we all see ourselves through rose-tinted glasses. Recent research has even concluded that our minds sometimes erase memories of ourselves acting selfishly. Why? No one wants to see themselves as a toxic person, or in this case, as a careless or gullible person. It’s this natural tendency to assume one can do no wrong that sets the stage perfectly for phishing emails to wreak havoc.
“This effect is partially explained by differences in how we use base rate information, or actual data on how many people are actually victimized by such scams,” adds study co-author Quanyan Zhu, a professor at NYU’s Tandon School of Engineering. “We avoid it when assessing our own behavior, but use it in making judgments about actions others might take. Because we’re less informed in assessing our actions, our vulnerability to phishing may be greater.”
So, to test how people assess their online vulnerabilities, the study’s authors conducted a series of experiments involving college undergraduates. Participants were presented with a series of phishing emails, and told right off the bat the offers were fake. These scam emails tried to entice readers to click the links or perform other actions (download files, update passwords) by offering prizes or access to supposed online accounts.
After taking a look at the phishing messages, half the participants were asked to estimate the likelihood that they would fall for one of the scams, while the other half were asked about the chances of “someone like them” falling victim to one of the fake emails.
As all participants were asked to answer those questions, they were simultaneously given some base rate information to help with their predictions. That information was real data from other American universities on phishing email success rates. Here’s an example of one piece of data shared with participants: “37.3% of undergraduate students at a large American university clicked on a link to sign an illegal movie downloading pledge because they thought they must in order to register for classes.”
The research team used eye-tracking technology to determine if each participant read the given statistics while providing their answers.
All in all, the experiment’s results showed major evidence of participants performing “self-enhancement” when asked to evaluate their cybersecurity skills. Additionally, most participants didn’t even read the provided statistics when answering questions about their personal chances of falling victim to an online scam.
“In a sense, they don’t think that base rate information is relevant to their own personal likelihood judgments, but they do think it’s useful for determining other people’s risk,” explains Balcetis.
The full study is published in Comprehensive Results in Social Psychology.
John Anderer is a frequent contributor for Ladders News.