Skip to main content

Who's Most Likely to Get Phished?

A new study suggests we're all vulnerable, but Internet denizens are at greatest risk for high-tech phishing schemes.
(Photo: kleuske/Flickr)

(Photo: kleuske/Flickr)

Identity theft is a little like a UFO encounter. You may not be very sure what's going on, and even if other people believe your story, they may not trust you enough to give you a loan or hire you for a new job. Unfortunately, the risk for identity theft seems to be higher than that of spotting a UFO: According to new research, we're all vulnerable to phishing, though gamers and others who spend a lot of time on the Internet may be at highest risk for some of the most sophisticated phishing efforts.

If the term "phishing" is somehow unfamiliar, it's an old idea based on a simple formula: ask and you shall receive. In the old days, a criminal pretending to be, say, a banker might call someone up and solicit enough account information to drain a trusting victim's savings.

These days, phishing attacks take the form of emails crafted to look just like what you'd expect from your bank—or some other business or government agencies—except that they encourage you to divulge personal information, such as a password or social security number. More sophisticated approaches lure users in with the latest games or cheap gadgets, then upload malware that collects and reports sensitive private information.

Tech savvy had no effect at all on whether someone fell victim to cybercrime, and there was no evidence cybercriminals went after wealthy or high-income targets.

But who do phishing schemes target? And who falls for them? Perhaps, some have suggested, the elderly are most frequently the victims here. Maybe it depends on your operating system or tech savvy; for years, Macintosh enthusiasts insisted they were less vulnerable to malicious software, only to discover that, well, they weren't. Or, as recent FBI reports suggest, phishers might target specific individuals based on their wealth or where they work, a practice called spear phishing.

To test those hypotheses and a few others, criminologist Rutger Leukfeldt of NHL University of Applied Sciences in Leeuwarden, the Netherlands, reviewed data from a 2013 survey he and colleagues had conducted on Dutch cybercrime. Of the 10,314 Dutch citizens who responded, 9,163 said they used the Internet, one in six reported having malware on their computers, and just over half a percent said they'd fallen for a conventional phishing scam.

But when Leukfeldt looked at the data again, some surprising trends—or lack thereof—emerged. When it came to phishing and malware, hardly anything distinguished victims from other computer users, except that the more time people spent on the Internet, the more likely they were to be victims of malware. High-visibility activities such as online shopping, downloading videos, or gaming were particularly associated with malware infection.

Perhaps most surprisingly, tech savvy had no effect at all on whether someone fell victim to cybercrime, and there was no evidence cybercriminals went after wealthy or high-income targets. That suggests the only thing individuals can do to protect themselves is simply use the Internet less—it's up to businesses themselves to protect their customers, Leukfeldt argues.

Leukfeldt presented the paper last month at the 2015 International Conference on Cyber Security.

Quick Studies is an award-winning series that sheds light on new research and discoveries that change the way we look at the world.