Skip to content
Naked Security Naked Security

40% of Facebook users click on phishy links. Do you?

More than half of those who got a phishy email and about 40% of Facebook users clicked on a link from an unknown sender that could have been crawling with malware, for all they knew.

A new study has found that up to 56% of email recipients and about 40% of Facebook users clicked on a link from an unknown sender that could have been crawling with malware, for all they knew.

Because curiosity.

Because, specifically and click-baitishly, “photos from a New Year’s Eve party?! Bring it on!!”

The initial results of the study, which comes from the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, and which was led by FAU Computer Science Department Chair Dr. Zinaida Benenson, were released at the Black Hat conference last month.

The experiment entailed two studies in which the researchers sent fake messages, under false names, to about 1,700 FAU students, either via email or Facebook.

They signed the messages with one of 10 of the most common names for the target group’s generation.

Both the email and the Facebook messages included a link and text that claimed it was for a page with images of a party the previous weekend.

Those test subjects who clicked on the link were taken to a page that displayed the message “access denied” and enabled the researchers to measure the rates at which the targets clicked through.

Then, they sent a questionnaire to the test subjects. It did three things:

  1. Asked them to rate their own awareness of security.
  2. Explained the experiment.
  3. Asked them why they did or didn’t click on the link.

In that first study, the researchers had addressed the test subjects by their first names.

In their next study, the researchers didn’t address the targets by their first names, but they did feed them more specific information about the party where the photos were supposedly taken: a New Year’s Eve party the week before, the fake messages claimed.

As far as their bogus senders’ accounts went, the researchers filled in the Facebook profiles with public timelines and photos. They also created less public profiles without photos and only a minimum of information.

The results of the two studies:

  • In the first study, which addressed the targets by their first names, 56% of the email recipients and 38% of the Facebook message recipients clicked on the links.
  • In the second study, where the first names were dropped but the specificity of the phishing message upped the curiosity factor, only 20% of email recipients clicked through, while the percentage of Facebook users who clicked went up to 42%.

The researchers were surprised, Dr. Benenson said. Judging by the subjects’ self-reporting, one would assume that most were too savvy to click on risky links.

The reality was that there were a good amount of click-happy subjects who denied, or were oblivious about, their unwise ways:

The overall results surprised us, as 78% of participants stated in the questionnaire that they were aware of the risks of unknown links. And only 20% from the first study and 16% from the second study said that they had clicked on the link.

However, when we evaluated the real clicks, we found that 45 and 25% respectively had clicked on the links.

Were the test subjects embarrassed? Did they deny having clicked through because they were chagrined when they realized how much damage it could have done to their computer security?

No, the researchers don’t think so. Rather, they think the discrepancy can be traced to the fact that the participants simply forgot that they’d clicked on the link after they did it.

A large majority of those who clicked on the link said that they did it out of curiosity: they wanted to see the photos, or they were curious to know who the sender was.

Some said they knew somebody by the same name as the sender or that they’d been to a party the previous week, attended by people they didn’t know.

Half of those who resisted clicking said that what kept them away was not recognizing the sender’s name.

Out of the non-clickers, 5% said they wanted to protect the sender’s privacy by not looking at photos that weren’t meant for them, Dr. Benenson said.

These are the conclusions she said could be drawn from the studies:

I think that, with careful planning and execution, anyone can be made to click on this type of link, even it’s just out of curiosity. I don’t think 100% security is possible. Nevertheless, further research is required to develop ways of making users, such as employees in companies, more aware of such attacks.

She’s not alone in that belief: researchers recently determined that up to 87% of people ignore security warning popups.

Ignore, as in, scarcely any brain activity showed up when test subjects were measured via FMRI (functional magnetic resonance imaging) as security warnings interrupted them while they were trying to do other things, such as input their login or enter a validation code.

It’s not just security awareness that matters, obviously. There are other things, such as our own brains’ inability to do two things at once, that get in the way of security.

As the FAU experiment showed, plenty of subjects clicked on suspicious links even though they were aware of the risks.

You can tell people how risky it is to click on suspicious links until you’re blue in the face, but how do you get over the hurdle that nature has erected by making humans naturally curious?

That curiosity has put humans on the moon and brought about the eradication of smallpox.

Readers, how would you go about designing security training to take curiosity into account – the type of curiosity that leads to the far less noble ends of malware infection or identity theft?

Please share your thoughts in the comments section below.


Security 101. If you have a computer (or smart phone), burn it. Or, become a super geek and learn all about security, in which case the day after you learn it all, it will all become outdated and useless. If you have to use one for work, only do exactly what you are told to. Do not surf. The Internet is dangerous, you will see things you wish you never did, you will learn how corrupt and evil world leaders are, your sexual mind will be destroyed with extremes. Cute images of cats will be your only relief. Your home will get filthy from neglect due to not leaving your computer. If you play video games someone will get angry at you and send a real swat team to kill you. If you report on corruption, drugs will be sent to your house to get you arrested. If you help the free projects like ToR by running a node, you will be raided by police. Most people that use the internet will have PII stolen from them. Burn it, burn it now and never look back. I can hardly wait to retire – if my savings aren’t stolen before then….


Great question. Curiosity is such a powerful force that (un)common sense has trouble even keeping abreast, let alone keeping it in check.

I don’t watch the E! channel or the Kardashians, but I can’t deny an occasional burning curiosity at the checkout line. It’s nearly always over something I couldn’t care less about, but it’s still tugging at primitive areas of my brain, toward the Guilty Pleasures Event Horizon**.

That curiosity may have put humans on the moon and brought about the eradication of smallpox, but during security training we need to remind more users more frequently that it also killed the cat.

** (sounds like the name of a seedy nightclub)


On a more realistic note; I encourage people that have – Curiosity, (with or without tech skills) to use a program called Sandboxie. It was gobbled up by a security firm a year or two ago but is still free (5 sec nag screen) and supported. Even when the worst of malware has hit me and blacked out my screen, a reboot and I was back to normal. It’s also a great analysis tool to see what some malware does, so you can recover other systems.
Of course the free tools for malware scans, and if you have a spare computer using things like Sophos free firewall for home is a great option, and a learning tool.
If you really like to live on the edge and try malicious (not delicious) sites, I strongly recommend using a bootable hardware write protect USB stick or CD/DVD that is write protected.
If you have any tech ability – absolutely keep a cloned image of your OS (I like clonezilla) on hand to get your system back up if an event happens. A spare HD is very cheep, to store images, or be the image.
None of the above covers protecting your PII really. For that I recommend (and use) one system only for banking type activity, no surfing at all (good option for the bootable write protected media)


From working with several thousand home-users, the only truly effective training I have seen is when they get the bill for repairing, recovering, or replacing their computer and data in the aftermath of clicking on the wrong link.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!