Some attempted online scams are pretty obvious: those of us who are internet savvy, for example, are unlikely to reply to emails promising us millions of pounds' worth of Bitcoin, no matter how often they land in our inbox.
Others, however, are harder to detect — and we may be overestimating our ability to do so, according to a new study in Comprehensive Results in Social Psychology from E. Blair Cox and colleagues at New York University. It finds that people tend to believe they are less likely to fall for such scams than others, and that this assumption can actually put them at more risk.
First, 146 participants were presented with 12 phishing emails, based on real examples: one invited participants to test a new iPad, for example, whilst another said that the user’s Amazon password needed updating. Participants were either asked to indicate how likely they were to partake in the requested action (e.g. clicking a link or downloading an attachment), or how likely “someone like them” — a student of the same age and gender at the same university — would be to do so. In the first half of the experiment, participants were told the emails were phishing attempts, and in the second were told the emails were legitimate opportunities.
Participants also saw “base rates”: true percentages of a similar student population that had engaged in each behaviour, such as “37.3% of undergraduate students at a university clicked on a link to sign an illegal movie downloading pledge, because they thought they must in order to register for classes”.
When the emails were described as phishing attempts, participants predicted they were less likely to engage with the email than someone like them. Participants also showed no signs of using base rates to predict their own behaviour, while those who rated others’ behaviour did seem to use this figure as a guide. When told the emails were legitimate, there was no difference between the two groups. Two follow-up studies found the same results.
Next, the team looked at how (and how often) people use base rate information to make judgements about themselves and others, replicating the methods of the first three studies and adding eye gaze tracking. A total of 160 participants were presented with the same 12 phishing emails from the previous studies, and their eye movement was tracked as they estimated how likely they would be to engage with the emails. They were then asked to indicate how many times they had looked at the base rate information when considering their answers.
Again, participants believed they were less likely than others to fall for an online scam. And, as the eye tracking confirmed, they were also less likely to look at base rate information when considering their own choices, compared to when predicting someone else’s behaviour. However, they didn’t seem to be aware of this.
This, the team suggests, leaves many of us less than secure when it comes to our online lives: if we don’t take into consideration how often people fall for scams, we are unlikely to realise how susceptible we are ourselves. Companies may also do well to take heed — base rates are often shared with employees to encourage better security practices, but these results suggest that may not work. New approaches may be more successful.
There are also millions of people who don’t have digital literacy skills: in the UK alone, 8% of people (4.3 million) are estimated to have no basic skills at all. But even if you are someone who knows their way around the internet — or even if you genuinely are unlikely to fall for a scam — the results are a reminder that it’s never good to make assumptions when thinking about our own vulnerabilities or assessing our levels of risk.