By Liam Duffett –
We always hear stories about how people receive an email or other message from a relative, revealed later to be a phishing attack, but how likely are people to actually open these emails? I have taken the liberty of testing such an example upon some of my closest relatives, parents, cousins, aunts/uncles, and grandparents. My goal is to answer the prior question, and I hypothesize that at least half of my tested relatives will fall prey to my trap.
As a first step, I selected 13 relatives as targets and asked them all for their emails, as I didn’t know all of them. Due to the fact that this would be a dead giveaway, I contacted a 14th relative, whom I was positive knew the others, and they agreed to help me in my experiment. This person would become the sender of the emails. Next, I made a simple program in Microsoft Visual Studio that would serve as a “game” that the sender “made” and wanted others to try for feedback.
Next I uploaded this program to a file hosting site online and wrote out an email with a link to the “game” download.
Then, I sent the email to the sender along with a list of the other emails to send and BCC it to, mine included. Finally, a week later, I spoke with everyone about the email and noted whether or not they had seen the email and opened the program. I also answered any questions that they had concerning my experiment. In addition, I also marked down who had confronted the sender about the email.
As one concluding step, I will also send out a link to this blog to all email recipients in case they had a question they didn’t ask at the time.
Results and Conclusion
Of the thirteen people who were sent the email, I was only able to re-contact twelve of them. The thirteenth has yet to respond to any form of communication, be it text, call, or email. Narrowing down the participants further, four of the remaining twelve did not see the email for varying reasons, narrowing the email receivers down to eight. The reasons behind why the four did not see the email includes not checking their email in the time period between sending and re-contacting as well as the email ending up in spam. Results from the remaining eight are as follows:
As suggested by the charts above, the results failed to support the hypothesis that half of the participants would open the program, revealing that only one of the eight opened it. I also do not believe that a one in eight chance of phishing attacks resulting in success is accurate, given the tiny population of participants, there may have been a bottleneck effect at work. It is interesting however, that five of the eight relatives that received the email confronted the sender, showing their caution towards the email.
If the results that I have from these eight people were to be accurate however, then I would be wondering why phishing/social engineering rates are as low as they are. According to Trustwave’s 2016 Global Security Report, phishing/social engineering makes up eight percent of all computer compromises (2016 Trustwave Global Security Report). If phishing really did have a twelve and a half percent success rate, then I think it would quickly become the most widely used method of compromise. Furthermore, it would also become known as a problem, awareness of it would be raised, people would be more cautious, and thus the percent chance of phishing success would drop rapidly. As a result, less acts of phishing would occur and the chance of success would be far less than twelve and a half percent.
Andrews, B., Barak, A., Chechik, D., Chowdhuri, A., Edmund, C., Davidi, A., …, Wooten, A. (n.d.). 2016 Trustwave Global Security Report. p. 23. Retrieved November 27,