Research shows people are overconfident about identifying phishing emails

People may not be as cyber-savvy as they believe they are when it comes to identifying email phishing scams, according to Missouri S&T researchers. But employers may benefit from teaching employees how to spot phishing by regularly sending them fake phishing emails.

Phishing is a method of gathering personal information, banking and credit card details, and passwords through links in messages, that on the surface, appear to be legitimate.

"You should just be pretty suspicious in general with email," says Dr. Casey Canfield, Missouri S&T assistant professor of engineering management and systems engineering. "People definitely tended to be overconfident in their ability to spot phishing emails."

Canfield's latest study, published with open access this month in the journal Metacognition and Learning, examined metacognition metrics around phishing—or individuals' understanding of their ability to detect phishing emails. Canfield worked with Carnegie Mellon University colleagues Baruch Fischhoff and Ales Davis on the study, which measured how well people's confidence in their ability to detect phishing matched with reality.

Study participants viewed a series of legitimate and phishing emails and answered questions to determine if they could identify the two types. Researchers then asked how confident they were about their answer, and how negative the consequences would be if they missed a phishing email.

The researchers found that when people were 90-99% confident they had correctly identified an email as either phishing or legitimate, they only identified phishing emails correctly about 56% of the time.

Canfield then took the research a step further by comparing their answers with what was actually happening on their home computers. The researchers used data from the Security Behavior Observatory at Carnegie Mellon—a long-term study in which every action on a volunteer's computer is monitored. Using those same study participants, Canfield found an interesting correlation.

"Surprisingly, we saw that people with better metacognition tended to be better at protecting themselves," says Canfield. "They had fewer malicious files on their computers. My previous study looking at performance metrics was inconclusive."

Canfield suggests that artificially increasing the number of phishing emails people received could potentially improve their ability to distinguish scams from legitimate messages.

"One of the challenges with phishing emails is that you don't necessarily get feedback on whether or not you made the right decision," says Canfield. "You may have malicious files on your computer, but you may never know. You may just be a portal to some other target. Without that feedback, it's really hard for people to learn whether they're good at detecting phishing emails."

That's why Canfield suggests that a training program where employers send fake phishing emails could be beneficial.

"It's as an opportunity for people to get feedback on how they're doing," she says. "With the fake phishing email, you click on it and get sent to a page that tells you that you clicked on a phishing email. With legitimate emails, you get that feedback loop. You email someone, and they email you back. You have a conversation with someone."

Canfield says further research into the subject is needed, but her research would support such employer interventions.