Most People Can’t Tell the Difference Between a Real Website and a Scam

Image: Maarten van Maanen/Flickr

In addition to being frustrating and potentially financially devastating, there’s something just plain embarrassing about getting phished. No one likes to be fooled and reveal themselves as gullible, even if the phishers on the other side are working their asses off to do so.

Yet a new study reveals that security companies are onto something when they describe web users as guileless rubes who can’t wait to spray their personal information across the internet. The study looked at how accurately users were able to identify fake websites, and watched how their brains decided which malware warnings to heed and which to ignore. It found that web users are, by at least one their metrics, indeed a bunch of rubes.

Researchers from the department of computer sciences and information and the department of psychology at the University of Alabama-Birmingham used brain imaging to watch what really goes on in a user’s brain when security questions arise.

Image: UAB

Using an fMRI machine to watch the brain, researchers had user determine which websites were the authentic, real deal and which ones were the deceitful imitators. Then the users were asked to read several news articles and in the course of doing so, where interrupted by pop-ups—some benign, some were malware warnings.

So first, the good news: Internet users weren’t just naively clicking through pop-ups without thinking about it. The same decision-making regions of the brain lit up in both tasks, with the exception of one group.

“Not all individuals are alike,” study co-author Nitesh Saxena said . “We found a negative correlation of impulsivity and brain activity. Highly impulsive people probably just hit ‘yes’ when they are stopped by a malware warning asking if they want to proceed.”

As an anxiety-ridden, overly cautious individual, I’ll cop to getting some satisfaction from hearing that the impulsive exhibit less brain activity. But even when all the attention, decision-making and problem-solving areas of the brain lit up, when people were asked to identify between real and fake websites, they couldn’t do much better than just picking randomly.

The participants—who it should be noted were college students and so don’t really have a good excuse—correctly identified roughly 77 percent of the real sites, 57 percent of the “easy” fake sites and just 34 percent of the “difficult” ones, making for an overall accuracy of just over 60 percent.

“That may be because they don’t know what to look for,” explained Saxena. “When they look at a website, they might be paying attention only to the look and feel of the website instead of the URL, which is often a real indicator.”

Don’t tell this Amazon anything. Image: UAB

The easy sites had cheap, imitative, logos and spelling errors, while the harder fake sites looked good, but still had fake URLs. If the URL is such an important indicator of validity, maybe browsers would do better not hiding it away? Just a suggestion.

The study’s authors said that the lack of reflection by some people indicated that there was an upside to security that could be made more user specific. Previous work in this area had indicated that users were just clicking past malware, but this study proves that that isn’t the case for many, as the same regions of the brain lit up when deciding between fake and real websites and fake and real malware warnings.

It’s a positive sign. Some, even on this very website, have accused people leading cushy internet lives, living in the city, of letting their guards down too much. But in a conclusion that makes more sense with each internet commenter I read, it seems we’re still defensive, this UAB study indicates, but we just don’t know right from wrong.