Technological approaches have undeniably had an impact. Spam filters and similar tools stop about 90 percent of malicious emails. But that still leaves 10 percent. Given the sheer volume of email, most people are still confronting potentially dangerous emails on a daily or near-daily basis.
Current user-based interventions aren’t solving the problem either. Certainly, education can help people learn to recognise signs an email may be suspicious. However, 65 percent of companies that have been victims of phishing attacks had previously performed some form of training, says Russello.
Lottridge, Koh, Russello and their colleagues, who include a PhD student, a visiting professor from Canada and three psychology researchers, want to focus on something new: the individuals involved and the circumstances in which they receive phishing attacks.
Different email situations
It’s not hard to imagine situations when you might react differently to emails. On a good day, you might arrive at work well-rested and sip your coffee calmly as you read your several messages. Now imagine arriving frazzled on a Monday morning after an insomniac night and hairy commute only to find dozens, maybe hundreds of emails have piled up since your sick day on Friday. Oh, and you have a meeting shortly that may touch on the contents of some of those emails.
Currently, none of these factors make any difference to your email software, though you might be a lot more likely to hurriedly scan messages in the latter situation – and maybe click on a suspicious link.
Koh, Russello and Lottridge envision a system that would take a back seat in the relaxed scenario but “swoop in for extra support,” as Lottridge puts it, in the high-stress situation. The system they envision would also be personalised, because people might react to situations in different ways and need different kinds of support, whether it’s a reminder to slow down when they’re jumpy or auto-translation when they’re tired.
Though the three computer scientists have been examining this area for a few years, they consider themselves to be in the early stages of the project because it’s such a new area of research. Other researchers have examined aspects of users such as personality, culture and age, but these factors can’t be changed, while situations could be, says Lottridge.
Email design
Lottridge’s background in user experience – she used to research UX for Yahoo in Silicon Valley – has given her the tools to consider various aspects of email design and how they might influence users.
For example, many email service providers use a “clean” design that emphasises an email sender’s name over their email address. However, the displayed sender name is easy to manipulate, whereas there’s a world of difference between your.boss@yourcompany.com and your.boss@q3794pa23xx.com.
That’s not to say the clean design is always wrong, but “if you receive an email from someone you’ve never heard from before, maybe the visual presentation could be changed to make certain things very salient,” says Lottridge.
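The presentation rule Lottridge describes can be sketched in a few lines. This is an added example, not code from the researchers or the article: the function name `sender_line` and the `KNOWN_CONTACTS` table are hypothetical, and the sample From headers are constructed from the two addresses quoted above.

```python
from email.utils import parseaddr

# Constructed sample data (assumption): addresses this user has already
# exchanged mail with, mapped to the display name seen on those messages.
KNOWN_CONTACTS = {"your.boss@yourcompany.com": "Your Boss"}


def sender_line(from_header, known=KNOWN_CONTACTS):
    """Decide how a mail client could render the sender of one message.

    Returns (text, reasons): text is what would be shown, reasons lists why
    the full address was made prominent (empty for the clean view).
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        # Missing or malformed From header: never fall back to a bare name.
        return "(no valid sender address)", ["unparseable From header"]

    reasons = []
    if addr not in known:
        reasons.append("first-time sender")
        known_names = {n.casefold() for n in known.values()}
        if name and name.casefold() in known_names:
            # A familiar name attached to an address the user has never seen.
            reasons.append("display name matches a known contact at another address")

    if not reasons:
        # Familiar correspondent: keep the clean, name-only presentation.
        return name or addr, reasons
    # Unfamiliar address: show it in full next to the claimed name.
    return (f"{name} <{addr}>" if name else addr), reasons


if __name__ == "__main__":
    for header in ("Your Boss <your.boss@yourcompany.com>",
                   "Your Boss <your.boss@q3794pa23xx.com>"):
        print(sender_line(header))
```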