We've all seen it before: a message in our inbox that appears to be from our bank or even someone from our company, with a convincing explanation of why we must click a link or download an attachment. But clicking the link won't take the recipient to vital information that will save their bank account or deliver an urgent message from a colleague. Instead, the link will require the recipient to enter sensitive information – often a username and password – or the download will infect their computer. These breaches, otherwise known as phishing scams, have affected millions of people and large corporations and continue to get more and more sophisticated.
As scammers get better at disguising themselves and tricking people, how many people are falling for it? Does the media coverage of major phishing scandals (like Hillary Clinton's emails) make the American public better at identifying a scam? We surveyed over 900 people about their knowledge of phishing and analyzed data from the FBI Internet Crime Report to see how cybercrimes have changed over time. Keep reading to see what we found.
Our society has largely turned digital. And while technology has expanded businesses, connected people, and led to lifesaving innovations, it makes users incredibly vulnerable to cyberattacks. New scams are constantly making headlines, warning users to stay away from specific links, emails, and even personal messages. But compared to other threats, is phishing increasing?
Between 2015 and 2018, the total number of victims affected by phishing scams increased by 59%, making it the sixth-largest increase over those years. While business email compromise or email account compromise (BEC/EAC) increased by 160%, there were a significantly greater number of victims affected by phishing in 2018. Compared to 20,373 victims of BEC/EAC, phishing affected 26,379 people in 2018.
What Is Phishing?
Despite a growing number of victims, the majority of people said they knew what phishing is and could accurately define it. Eighty-eight percent of respondents were able to match phishing with the definition of “unsolicited email, text messages, and phone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.” While knowing what phishing is can help people avoid becoming victims, it may not always prevent people from falling for it. In fact, there are psychological reasons for being a scam victim, which hackers know well and use accordingly.
Not Just Emails
Phishing is incredibly widespread and well-known – after all, the technique began through email back when AOL was the top provider. To this day, email remains the largest source of phishing scams, and the public seems to be aware. Only 2% of respondents said they didn't believe phishing took place over email. However, they were a bit more ignorant when it came to other mediums. While 30% said they didn't believe phishing occurred over social media, these platforms have become increasingly susceptible to cyberattacks, including phishing.
Aside from emails and social media, scammers also infect devices and gather personal information. This is often done through malware, or fraudulent software that attacks your computer rather than protects it. While phishing through malware is also risky for the hacker – it's expensive and easily traceable – the method is often sophisticated enough to take over a victim's entire computer. From copying keystrokes and watching every page opened to recording through the camera and microphone, malware gives hackers access to everything. Despite the severity, 47% of respondents said they don't believe phishing can take place over fraudulent software.
Beliefs about phishing also seem to be heavily tied to generation. While baby boomers associated phishing with email, 41% didn't believe it could be done over social media, and nearly 60% didn't associate phishing with fraudulent software. On the other hand, while 3% of millennials didn't believe phishing could occur over email, three-fourths said it could happen over social media, and 56% thought it could take place through fraudulent software.
Avoid the Hook
Knowing about phishing and being aware of the consequences don't necessarily translate into correctly identifying a scam. To find out how well the public can pick up the fake from the real, we put our respondents to the test. Americans seemed to be pretty split – while only 5% got all questions correct, only 12% got them all wrong. Over three-fourths of respondents failed to identify a fake link from Google Docs and an email from a student's high school. Americans were slightly more likely to identify a fake email from Google Slides, but phishing emails from Microsoft Support were the easiest to catch.
On the flip side, 68% and 69% of respondents were able to identify legitimate emails from Spotify and iCloud, respectively. While hackers are becoming increasingly savvy at making illegitimate emails appear real, there are specific signs that can prevent people from being victims.
Identifying a phishing email was slightly easier for Gen Xers – while 39% of baby boomers and millennials were able to spot a phishing scam, 41% of Gen Xers could. Despite the slim difference between generations, baby boomers were the most likely to identify fake Google Docs links, while Gen Xers were the most likely to identify a phishing email from Microsoft Support.
Experience typically increases people's ability to differentiate the real from the fake, but with scammers always one step ahead of the public, time doesn't seem to be on the generations' side. Considering this, exposure may be paramount for identifying cyberattacks. Taking online quizzes that stay up to date with the latest methods may help people be more familiar with potential scams.
Signs of a Scam
Gathering advice from those who nailed every question, we were able to narrow down the top ways to avoid phishing scams. Eighty-six percent of the people said they abstain from clicking, downloading, or opening anything from an anonymous sender. A majority also said they use an email spam filter and ignore any email whose sender is unfamiliar.
Expecting perfection from companies was also a useful tactic – those who got every question right were 31 percentage points more likely to say that they avoid phishing scams by distrusting any email with typos. Along with these tips, the Federal Trade Commission urges consumers to be aware of emails that alert recipients of suspicious activity or login attempts, claim there's a problem with an account or payment, or ask for personal information confirmation.
Phishing has been around since the dawn of the internet. What started as AOL messages and emails requesting account and payment verification has turned into illegitimate emails, social media messages, and even software programs.
As hackers get increasingly skilled in masking their scams, the American public struggles to identify the real from the fake. Staying informed and up to date on the latest tactics, while ensuring your computer and mobile devices are safe with protection software, is the only way to help avoid getting caught by the hook.
To conduct this study, we collected responses from 933 people. Of those 933 people, 47% were men, and 53% women. 397 were millennials, 352 were a part of Generation X, 142 were baby boomers, 34 were a part of Generation Z, and six were from the silent generation.
There were no qualifying questions, but respondents were disqualified and excluded from the survey if they failed an attention-check question that was located about halfway through the survey.
At the beginning of the survey, respondents had to say that they were comfortable being quizzed about phishing scams.
Internet crime figures come from the FBI's annual Internet Crime Report. The definition of phishing comes from the same report. Venues where phishing can take place originate from the University of Massachusetts Amherst Information Technology Department. Strategies to avoid phishing scams originate from the Better Business Bureau.
The data shown here depends on self-reported experiences with phishing scams. There are several problems that stem from self-reported data, including, but not limited to, selective memory, exaggeration, and telescoping. We can't be certain how closely our results match up to reality.
Fair Use Statement
While most people say they know what phishing is, many can't spot it. With phishing on the rise, the need to inform people about avoiding it is more important than ever. Do your part by sharing this study with your followers. All we ask is that you include a link back to this page and that the use be noncommercial.