Bruce Schneier notes a recent study on phishing that found that over 70% of people will click on a link if it looks like it’s coming from someone they know, and jokes about men being suckers for the ladies, what with them being 15% more likely to click if the email comes from the fairer sex. (Although I should also note that, in general, women were 10% more likely to click than men. :)
I think an interesting addition to this research would be an analysis of how the baton is passed from one victim's contacts to the next, and how often it comes back around to where it started. In this research the names and email addresses presumably came from a controlled set, whereas in reality phishers harvest them from address books stolen by trojans on compromised computers.
Two names turning up in the same stolen address book only tells you they share a contact, but the ruse is far more convincing when one of the pair is the owner of the address book and the other is an entry in it: the mail then appears to come from exactly the person you would expect to hear from. Each new victim's address book feeds the next round, and around we go. So what we have here is actually a Six Degrees Of Separation Möbius Strip Of Stupidity.
Another study Bruce notes only serves to highlight the naivety of modern man. Although the response rate isn't given, a professor at Indiana University has found that people are willing to respond to fraudulent emails if the attacker quotes the first four digits of their credit card number instead of the usual last four.
You all know why they use the last four, right? The leading digits of a card number identify the issuer, so every card that bank has ever issued starts with the same few digits, and "knowing" them proves nothing about knowing your account. The last four are the ones that actually vary from customer to customer. If you don't know that and the first four digits of your card are 4539, this is Mmbaza from Bank of Ireland and I'd like to talk to you about a trust account in the name of Mrs. Charles J. Haughey and a transaction which will fall in your favour to the tune of 10% of Thirty Million Euros.
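To make the "first four digits" point concrete, here is a small added illustration (my code, not from the post or from either study). It builds a batch of Luhn-valid card numbers that all share the post's 4539 prefix (no claim is made here about which issuer really owns that prefix; the sample numbers are constructed and belong to nobody) and then measures how often a phisher's guess matches the first four digits versus the last four.

```python
# Added illustration, not part of the original post. All card numbers below are
# constructed here from a Luhn checksum and are not real accounts.

def luhn_check_digit(partial: str) -> str:
    """Return the check digit that makes `partial + digit` pass the Luhn test."""
    total = 0
    # Walk from the right; the rightmost digit of `partial` sits next to the
    # check digit, so it is the first one to be doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit of `pan` is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def make_pan(iin: str, account: int, length: int = 16) -> str:
    """Construct a Luhn-valid PAN: issuer prefix + zero-padded account + check digit."""
    body = iin + str(account).zfill(length - 1 - len(iin))
    return body + luhn_check_digit(body)


def match_rate(pans, guess: str, position: str) -> float:
    """Fraction of `pans` whose first or last four digits equal `guess`."""
    if position == "first":
        hits = sum(1 for p in pans if p[:4] == guess)
    elif position == "last":
        hits = sum(1 for p in pans if p[-4:] == guess)
    else:
        raise ValueError("position must be 'first' or 'last'")
    return hits / len(pans)


# Constructed sample: 10,000 cards from one (hypothetical) issuer prefix.
SAMPLE_IIN = "4539"
SAMPLE_PANS = [make_pan(SAMPLE_IIN, n) for n in range(10_000)]


def first_four_rate() -> float:
    # A phisher who targets this issuer's customers gets the first four right every time.
    return match_rate(SAMPLE_PANS, SAMPLE_IIN, "first")


def last_four_rate(guess: str = "6467") -> float:
    # Guessing the last four is a roughly one-in-ten-thousand shot.
    return match_rate(SAMPLE_PANS, guess, "last")


if __name__ == "__main__":
    print("all sample PANs Luhn-valid:", all(luhn_valid(p) for p in SAMPLE_PANS))
    print("first-four guess hit rate:", first_four_rate())
    print("last-four guess hit rate: ", last_four_rate())
```

The contrast is the whole point: the issuer prefix costs the attacker nothing to learn and is the same for every victim at that bank, while the last four digits are the part of the number a stranger is unlikely to hold.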