Researchers have recently found that over 50% of internet users will fall for clickbait and open links sent by unknown people, despite being aware of the risk of malware infection or identity theft.
The experiment, which consisted of two studies, was conducted by the Friedrich-Alexander-Universität Erlangen-Nürnberg in Germany and led by Dr. Zinaida Benenson of the university's Computer Science department. Both studies sent scam emails and Facebook messages to 1700 students of the university under an unknown name. The messages tried to lure the recipients by urging them to click on the link provided, which purportedly contained images of them at a party.
However, upon opening the link, the recipients were greeted by an "Access Denied" warning. This then enabled the researchers to register the click rates.
The first study addressed the test subjects in the alleged party images message by their first names. Meanwhile, the second one did not personally address the subjects, but provided more specific information regarding the occasion where the photos of the fake party were allegedly taken.
The researchers found that in the first study, 56 percent of the email recipients opened the clickbait link, while 38 percent of the Facebook recipients did so. In the second version of the experiment, only 20 percent of email recipients got curious and opened the link, but the percentage of Facebook users who clicked went up to 42 percent.
Moreover, the researchers sent a questionnaire to all the test subjects, asking them to rate their own awareness of computer security before the experiment was explained to them. The questionnaire also asked why they had clicked, or not clicked, on the clickbait link. Benenson states:
"The overall results surprised us as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links. And only 20 percent from the first study and 16 percent from the second study said that they had clicked on the link. However, when we evaluated the real clicks, we found that 45 and 25 percent respectively had clicked on the links."
When the subjects were asked why they clicked on the link, a majority answered that it was out of curiosity regarding the content of the photos or the identity of the sender. Others stated that the fake sender name in the message sounded familiar, or that they really had been to a party the week before.
These responses illustrate why clickbait is an effective method of social engineering online. The method is designed to induce curiosity or shock in the audience, which leads to a clickthrough. While there are some who innocently do it (sorry about that), cybercriminals also use it to spread malware and other things that may make a computer or mobile phone go haywire.
Dr. Benenson caps her study with a concluding statement:
"I think that, with careful planning and execution, anyone can be made to click on this type of link, even if it's just out of curiosity. I don't think one hundred percent security is possible. Nevertheless, further research is required to develop ways of making users, such as employees in companies, more aware of such attacks."
Source: Friedrich-Alexander-Universität Erlangen-Nürnberg via Bleeping Computer