i had lunch with Aaron Emigh today and he reminded me about a fascinating study from the Informatics department at Indiana University (they are doing great work there):
this is an incredible paper which details a study where they sent a general phishing email to 94 students and 15 of them (or 16%) fell for the attack and entered their login and password into an obviously fake site. 16% is an extremely high number.
but it gets worse.
the researchers sent the same phishing email to an additional 487 students … but the email had one twist … it was sent from someone they knew (they got the information from mining Facebook). this time 349 people — or a staggering 72% — were victims of the phishing attack.
summation: i highly recommend reading the paper on Social Phishing by Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer … thanks Aaron!