Being too confident can overshadow one’s judgment of malicious emails
The more confident a person is in their ability to spot a malicious email, the less likely they are to pick out the bad ones, findings of a new academic research suggest.
The paradox is that people who take the time to check the validity of an email – exercising caution with every message they receive – tend to be better at keeping phishing attacks at bay.
Being too confident can overshadow one’s judgment, according to the study published in the journal ‘Metacognition and Learning’. Researchers, therefore, suggest employers do more to improve their employees’ ability to spot phishing emails.
READ MORE: Should you snoop on your employees’ emails?
What are phishing attacks?
Phishing emails are emails designed to trick recipients into giving out personal data, such as passwords and account numbers, by passing off as legitimate messages from businesses, colleagues and contacts in other organizations.
A recipient who unsuspectingly clicks on a link, downloads a file or enters information asked for in a phishing email ends up granting the attacker access to the recipient’s home or company computer.
Cautious vs ‘overconfident’
With attackers often gaining entry through email, it pays to be “suspicious in general,” said Dr. Casey Canfield, assistant professor of engineering management and systems engineering at the Missouri University of Science and Technology, who led the research.
Dr. Canfield, along with peers from Carnegie Mellon University, showed study participants a set of legitimate emails and phishing emails, and asked them to identify the malicious ones.
The subjects then rated how confident they were in their selection and assessed what negative consequences they believe would arise from having missed phishing emails.
The results showed participants who felt 90% to 99% confident in their ability to detect phishing emails were only able to identify them correctly 56% of the time.
“Surprisingly, we saw that people with better metacognition tended to be better at protecting themselves,” Dr. Canfield said.
Metacognition entails being aware of one’s decisions and actions – and people who exhibited higher levels of it reportedly faced lower cybersecurity risks from having had fewer malicious files.
Employers should thus train their staff by sending them fake emails that would teach them to identify phishing attacks.
“It’s as an opportunity for people to get feedback on how they’re doing,” Dr. Canfield said.
Feedback, she said, is crucial when helping employees sharpen their judgment.
“With the fake phishing email, you click on it and get sent to a page that tells you that you clicked on a phishing email. With legitimate emails, you get that feedback loop. You email someone, and they email you back. You have a conversation with someone,” she said.