Messages containing links to malware-infected websites represent a serious threat. Although the success rates of such attacks have been verified in various academic experiments over the past 10 years, and also by many organizations during security awareness assessment programs using diverse commercial tools, little is known about why people decide to click or not to click. To this end, we conducted two experiments in which we sent an email or a Facebook message to over 1700 university students. The message came from a non-existing person and claimed that the link led to pictures from a party the previous week. When clicked, the corresponding webpage showed an "access denied" message. We registered the click rates and later sent the participants a questionnaire that first assessed their security awareness, then informed them about the experiment and asked them about the reasons for their clicking behavior. When addressed by first name, 56% of email and 38% of Facebook recipients clicked. When not addressed by first name, 20% of email and 42% of Facebook recipients clicked. At the same time, only around 15% of questionnaire respondents said that they had clicked on the link. We do not know whether they were lying or truly could not remember. I discuss the implications of both possibilities in the talk.
Respondents of the survey reported high awareness of the fact that clicking on a link can have bad consequences (82%). However, statistical analysis revealed that this was not connected to their reported clicking behavior. By far the most frequent reason for clicking was curiosity about the content of the pictures (40%) or the personality of the sender (20%), followed by the explanations that the content or context of the message fits the current life situation of the person, such as actually knowing somebody with this name, or having been at a party with unknown people last week.
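The abstract reports click rates for two message variants and states that reported awareness was statistically unconnected to clicking. An awareness program that runs a similar assessment needs to judge such differences the same way, so the following added example (not code from the talk or its authors) shows how to test a 2x2 table of click counts for independence and how to put a confidence interval around a rate difference. The counts are constructed to match the abstract's percentages, since the talk publishes only percentages and a total of "over 1700" participants; the helper names `chi_square_2x2`, `click_rate` and `rate_difference_ci` are this example's own.

```python
import math

# Constructed counts, not the talk's data. Each row is (clicked, not_clicked).
# The email table reproduces the reported 56% vs 20% click rates on 250 recipients per group.
EMAIL_BY_NAME = {
    "first_name": (140, 110),
    "no_name": (50, 200),
}
# Illustrative table for "says clicking can be harmful" against "clicked": built so the
# rates in both rows are nearly equal, i.e. awareness is unconnected to clicking.
AWARENESS_BY_CLICK = {
    "aware": (35, 170),
    "not_aware": (8, 37),
}


def chi_square_2x2(table):
    """Pearson chi-square test of independence for a 2x2 table of counts.

    table: dict with exactly two rows, each a (count_a, count_b) pair.
    Returns (statistic, p_value). With one degree of freedom the p-value has
    the closed form p = erfc(sqrt(statistic / 2)), so no SciPy is needed.
    """
    rows = list(table.values())
    if len(rows) != 2 or any(len(r) != 2 for r in rows):
        raise ValueError("expected a 2x2 table")
    total = sum(sum(r) for r in rows)
    row_sums = [sum(r) for r in rows]
    col_sums = [rows[0][j] + rows[1][j] for j in range(2)]
    statistic = 0.0
    for i in range(2):
        for j in range(2):
            expected = row_sums[i] * col_sums[j] / total
            if expected == 0:
                raise ValueError("empty row or column in table")
            statistic += (rows[i][j] - expected) ** 2 / expected
    p_value = math.erfc(math.sqrt(statistic / 2))
    return statistic, p_value


def click_rate(row):
    """Fraction of recipients in a (clicked, not_clicked) row who clicked."""
    clicked, not_clicked = row
    return clicked / (clicked + not_clicked)


def rate_difference_ci(row_a, row_b, z=1.96):
    """Wald confidence interval (default 95%) for click_rate(row_a) - click_rate(row_b)."""
    pa, pb = click_rate(row_a), click_rate(row_b)
    na, nb = sum(row_a), sum(row_b)
    se = math.sqrt(pa * (1 - pa) / na + pb * (1 - pb) / nb)
    diff = pa - pb
    return diff, diff - z * se, diff + z * se


if __name__ == "__main__":
    stat, p = chi_square_2x2(EMAIL_BY_NAME)
    diff, lo, hi = rate_difference_ci(EMAIL_BY_NAME["first_name"], EMAIL_BY_NAME["no_name"])
    print(f"first name vs none: chi2={stat:.1f} p={p:.2e} diff={diff:.2f} CI=({lo:.2f}, {hi:.2f})")
    stat, p = chi_square_2x2(AWARENESS_BY_CLICK)
    print(f"awareness vs clicking: chi2={stat:.3f} p={p:.2f}")
```

On the constructed email table the personalisation effect is large and its confidence interval stays well clear of zero; on the awareness table the statistic is near zero and the p-value near one, which is the shape of the "not connected" finding the abstract describes. A program that sends only one variant to one group gets no such comparison and cannot tell whether its click rate reflects the bait or the population.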
In this talk I will discuss further reasons for clicking and not clicking, providing evidence that by a careful design and timing of the message, it should be possible to make virtually any person click on a link. I will also discuss why sending people messages with "phishy" links and other baits might have unintended negative consequences instead of increasing their security awareness.