Somewhere in cyberspace, someone is creeping on your Facebook page, studying your LinkedIn account, scoping out your company’s website and Googling your name. Using information you trust, she is crafting the perfect email, and it’s headed for your inbox.
In one click, a split second, you hand over the keys to your little kingdom: passwords, retirement accounts, credit cards.
But what if this personal crisis became a national crisis? What if you are the CEO of a multinational corporation or a top-level politician? In that case, the livelihood of millions might be at stake, or democracy threatened.
In their studies on phishing — and spear phishing, in particular — University of Florida Professors Daniela Oliveira and Natalie Ebner have found that older adults are particularly vulnerable to phishing. And their status as leaders of industry or politics makes them favorite targets for phishing attacks known as spear phishing.
Phishing is a form of social engineering — using deception to get someone to reveal personal or financial information, which can then be used fraudulently.
“When I started researching phishing and aging with Natalie, I learned how important this demographic is,” says Oliveira, a term professor in the Warren B. Nelms Institute for the Connected World. “It was like a spiritual awakening.”
At the annual research conference of the Florida Institute for Cybersecurity Research, Oliveira gave a presentation titled, “Why You Should Care About Older Adults’ Susceptibility to Phishing — Implications for Corporate Security and Democracy.”
While older adults are connected to the internet at a lower rate than younger adults, by 2020, 20 percent of the U.S. population will be 65 or older, and this demographic, Oliveira points out, controls more than half of the nation’s financial wealth. Age often equates to political status, too.
“People in this age group occupy many positions of power,” Oliveira says. “Many societal decisions related to finance, politics and law are made by older adults.
“But unfortunately, as we age, our cognitive abilities decline,” Oliveira says.
Older people are high in crystallized intelligence, which is based on experience and ability to see the big picture. But fluid intelligence — how fast our brains process information and how our memory works — declines with age, and that can make older adults susceptible to spear phishing.
“Research shows that sensitivity to deception decreases as you age, and you become more trusting,” Oliveira says. “What a dangerous combination.”
Oliveira’s and Ebner’s research groups set out to understand how susceptible people are to weapons of influence in social engineering.
They examined seven weapons of influence:
Authority: People tend to say yes to requests from authority figures.
Scarcity: An offer or opportunity seems more valuable when it is perceived as scarce.
Commitment: Once people take a stand, they have difficulty behaving in a way inconsistent with that stand.
Liking: People comply with requests from people they perceive as similar to them (age, country of origin, alma mater).
Reciprocation: People tend to return a favor.
Social proof: When in doubt, people follow what others do.
Perceptual contrast: When two items are presented consecutively in a way that makes the first item appear more attractive than it actually is.
One or more of these seven weapons can be used across one or more of six life domains: legal, ideological, social, health, security and financial.
The researchers recruited 158 participants, who were told they were participating in a study of how people use the internet. The participants received emails for 21 days. Once a day, they received a simulated phishing email that varied according to weapon of influence and life domain.
In one, for example, the researchers emailed the participant a notice of a parking violation, and sent a link for paying or disputing the fine. The email looked and sounded official, and used authority as the weapon of influence in the legal life domain. In another, they used commitment as the weapon in the ideological life domain, asking email recipients to sign a petition for animal rights, again a seemingly harmless and official-looking email.
In the study, 43 percent of participants fell for at least one of the phishing emails. The study also found older adults were more likely to fall for a phishing email than younger adults, and older women were the most susceptible of all. Participants also were asked to rate their own susceptibility to phishing. Although older adults self-reported that they would not click a phishing email, their actual behavior showed the exact opposite.
“The problem occurs when social engineering via deceptive arguments influences us into performing an action that could go against our best interests and benefit the social engineer,” Oliveira says. “Influence is the key to social engineering, and research shows influencing people is a piece of cake.”
Social media, Oliveira says, can be a social engineer’s best friend. Things that seem innocuous provide fodder for phishing attacks, such as company employees taking pictures of their cubicles and coworkers, or posting pictures that contain company badges, or clients tagging a company on Twitter or Facebook. The blending of personal and professional social media also works to the social engineer’s advantage.
Imagine, Oliveira says, that you are an older gentleman, a stamp collector, and the CEO of a major company. You don’t have a Facebook account, but your daughter does and comments regularly on family life and her yoga classes. You get an email from someone who says, “Hi, I’m in your daughter’s yoga class. My grandfather has a huge collection of stamps from the 1950s, and he wants to sell them. Here’s a link to a website, so you can see them.”
The phishing attack appeals to scarcity — it’s not every day rare stamps become available — and the person appears to know your daughter. You click.
“The generation that is turning 65 and still active includes people who make important decisions for us — politicians, Supreme Court justices, CEOs. These people are targets, and the attacks are becoming more sophisticated,” Oliveira says.
“We say ridiculous things, like don’t click links. How do you operate on the internet if you don’t click links?”