Online scams are born by the minute, and even people who know better keep falling for them, suggests preliminary research presented at the Black Hat conference earlier this August in Las Vegas, Nevada.

Researchers led by Dr. Zinaida Benenson of the University of Erlangen-Nuremberg in Germany recruited over 1,600 university students for a pair of online experiments. In the first, a fictional stranger contacted each student through Facebook or email, addressed them by name, and asked them to click on a link that supposedly held photos from a New Year's party the two had attended the week before. In the second, the stranger did the same without using the recipient's name but with more specific details about the party. Despite most of the students knowing better, 56 percent of email recipients and 38 percent of Facebook recipients in the first study clicked the link anyway. The impersonal message drew fewer clicks by email but more on Facebook: 20 percent and 42 percent clicked, respectively. Afterwards, the researchers revealed the deception and had the students complete a survey about why they had clicked the link or steered clear of it.

"The overall results surprised us as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links," Dr. Benenson said in a statement.

Though the researchers routinely varied the stranger's gender, name, and Facebook profile details, none of these factors changed people's willingness to click on the link. The most common explanation for clicking was plain old curiosity, cited by 34 percent. Twenty-seven percent were taken in by the content of the message, believing the stranger's description matched a party they had recently attended; 16 percent thought they really did know the sender; and 11 percent believed they were protected against malware even if the link was dangerous. Those who did not click gave reasons ranging from caution to simple courtesy.

“Conversely, one in two of the people who did not click on the link said that the reason for this was that they did not recognize the sender's name,” said Benenson. “Five percent stated that they wanted to protect the sender's privacy by not looking at photos that were not meant for them.”

Perhaps most interesting was that clickers were poor at reporting what they had done. In the first study, for instance, only 20 percent of those surveyed said they had clicked the link, compared with the 45 percent who actually did. Forgetfulness could account for part of the gap, the researchers speculated, but it does not seem far-fetched that some users were simply embarrassed to admit their mistake (thankfully the link led only to a bare page with an "access denied" message).
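The gap between measured and self-reported clicks is only visible because each link could be tied back to one recipient and one channel. The following is an added example of how an internal awareness exercise of the same shape can be instrumented; it is not the researchers' apparatus, and the landing page URL, the per-run key, the recipient IDs and the access-log lines are all constructed for illustration. Tokens are HMACs of the recipient and channel rather than sequential IDs, so a curious participant cannot guess or enumerate someone else's link, and repeat visits by one person are counted once, matching the per-person click rates quoted above.

```python
import hashlib
import hmac
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumed per-run secret (constructed for this example; load from a secret store in practice).
SIM_KEY = b"constructed-demo-key"
# Hypothetical landing page; the real one would only return "access denied".
BASE_URL = "https://photos.example.test/album"


def make_token(recipient_id, channel):
    """Per-recipient, per-channel token. An HMAC (rather than a counter)
    means a participant cannot forge or enumerate another person's link."""
    msg = f"{recipient_id}|{channel}".encode()
    return hmac.new(SIM_KEY, msg, hashlib.sha256).hexdigest()[:32]


def make_link(recipient_id, channel):
    return f"{BASE_URL}?t={make_token(recipient_id, channel)}"


def resolve_token(token, recipients):
    """Map a token back to (recipient, channel) by recomputing each HMAC;
    compare_digest keeps the match from leaking through timing. Unknown or
    guessed tokens resolve to None and are not counted as clicks."""
    for rid, ch in recipients:
        if hmac.compare_digest(make_token(rid, ch), token):
            return rid, ch
    return None


# Combined-log style request line; only the request path is needed here.
LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')


def clicks_from_log(log_lines, recipients):
    """Return the set of (recipient, channel) pairs that clicked at least once."""
    clicked = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        token = parse_qs(urlparse(m.group("path")).query).get("t", [""])[0]
        hit = resolve_token(token, recipients)
        if hit:
            clicked.add(hit)
    return clicked


def click_rate_by_channel(recipients, clicked):
    """Fraction of recipients per channel who clicked."""
    sent = Counter(ch for _, ch in recipients)
    hits = Counter(ch for _, ch in clicked)
    return {ch: hits[ch] / sent[ch] for ch in sent}


def reporting_gap(recipients, clicked, survey):
    """Actual click rate versus the rate participants admitted on the survey.
    survey maps recipient_id -> True if the person said they clicked."""
    actual = sum(1 for r in recipients if r in clicked) / len(recipients)
    reported = sum(1 for rid, _ in recipients if survey.get(rid, False)) / len(recipients)
    return actual, reported


# Constructed sample data: eight recipients, four per channel.
RECIPIENTS = [("u01", "email"), ("u02", "email"), ("u03", "email"), ("u04", "email"),
              ("u05", "facebook"), ("u06", "facebook"), ("u07", "facebook"), ("u08", "facebook")]

# Constructed access-log lines for the landing page, including a repeat click,
# a guessed token and an unrelated request.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Jan/2016:14:02:11 +0100] "GET /album?t={make_token("u01", "email")} HTTP/1.1" 403 12',
    f'203.0.113.5 - - [10/Jan/2016:14:02:15 +0100] "GET /album?t={make_token("u01", "email")} HTTP/1.1" 403 12',
    f'198.51.100.7 - - [10/Jan/2016:15:40:01 +0100] "GET /album?t={make_token("u03", "email")} HTTP/1.1" 403 12',
    f'198.51.100.9 - - [10/Jan/2016:16:01:44 +0100] "GET /album?t={make_token("u06", "facebook")} HTTP/1.1" 403 12',
    '192.0.2.1 - - [10/Jan/2016:16:05:00 +0100] "GET /album?t=0000000000000000 HTTP/1.1" 403 12',
    '192.0.2.2 - - [10/Jan/2016:16:06:00 +0100] "GET /robots.txt HTTP/1.1" 404 0',
]

# Constructed survey answers: u03 and u06 clicked but did not admit it.
SURVEY = {"u01": True, "u02": False, "u03": False, "u06": False}

if __name__ == "__main__":
    clicked = clicks_from_log(SAMPLE_LOG, RECIPIENTS)
    print("clicked:", sorted(clicked))
    print("rate by channel:", click_rate_by_channel(RECIPIENTS, clicked))
    print("actual vs reported:", reporting_gap(RECIPIENTS, clicked, SURVEY))
```

The forged token in the sample log is rejected because no recipient's HMAC matches it, so the guessed link neither counts as a click nor reveals whether the token exists; the repeat visit by the same recipient is collapsed to one click, which is the quantity the study compares against the survey answers.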

In either case, the results illustrate an important reality of online security, according to Benenson, namely that no one is completely safe.

“I think that, with careful planning and execution, anyone can be made to click on this type of link, even if it's just out of curiosity,” Dr. Benenson said. “I don't think one hundred percent security is possible. Nevertheless, further research is required to develop ways of making users, such as employees in companies, more aware of such attacks.”

Source: Benenson Z, Gassmann F, Landwirth R. Exploiting Curiosity and Context: How to Make People Click on a Dangerous Link Despite Their Security Awareness. Black Hat USA, Las Vegas, 2016.