i had lunch with Aaron Emigh today and he reminded me about a fascinating study from the Informatics department at Indiana University (they are doing great work there):
this is an incredible paper. it details a study in which the researchers sent a generic phishing email from an unknown sender to 94 students; 15 of them (16%) fell for it and entered their university login and password on an obviously fake site. 16% is already an alarmingly high number.
but it gets worse.
the researchers then sent the same phishing email to an additional 487 students, but with one twist: it appeared to come from someone the recipient knew (a friend identified by mining publicly available social-network data such as Facebook). this time 349 people, a staggering 72%, were victims of the phishing attack.
summation: i highly recommend reading the paper on Social Phishing by Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer … thanks Aaron!
Excellent, this confirms what I said quite a while ago. It’d be tremendously easy to create a bot that can skim people’s MySpace profiles and pick a ‘top friend’ to send an email from. Excitingly scary.
We (at Jupiter Research) did some survey work a couple of years ago that indicated over 40% of people use the same username and password at all the sites they visit online — clearly the potential for using phished identities is pretty substantial. And it’s taken quite a few years for these new enhanced security measures that banking sites are now making people go through to come about, and not by their choice either…