People still have a hard time identifying phishing emails.


Phishing scams are one of the most common tricks that criminals use online. Most of us know about them and know to avoid them. But it turns out that people are still pretty bad at actually identifying phishing attempts.

A study by researchers at Carnegie Mellon University’s College of Engineering found that the average person can only correctly identify phishing attempts about half the time.

“Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems,” says study co-author Casey Canfield, a researcher in the university’s Department of Engineering and Public Policy.

Even though the subjects guessed incorrectly half the time, about three-quarters of the phishing emails weren’t opened. Many people have been conditioned to not trust unsolicited emails.

Some overcautious users incorrectly identified innocent emails as phishing scams, too.

“Some users were able to identify a vast majority of the phishing emails, but only because they were biased to think everything was a phishing attack,” Canfield says. “So they didn’t necessarily have a high ability to tell the difference between phishing and legitimate emails.”
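The distinction Canfield draws between catching most phishing emails and actually being able to tell them apart from legitimate mail can be made concrete by separating a user's hit rate and false-alarm rate into discrimination ability (d') and response bias (c), as is done in signal-detection analysis. The following is an added example, not part of the article or of the study's own analysis; the two user profiles and their judgement records are constructed.

```python
from statistics import NormalDist

# Constructed judgement records (not the study's data): each tuple is
# (email_is_phishing, user_flagged_it_as_phishing), 10 phishing + 10 legitimate.
CAUTIOUS_USER = [(True, True)] * 9 + [(True, False)] * 1 \
              + [(False, True)] * 8 + [(False, False)] * 2
DISCERNING_USER = [(True, True)] * 8 + [(True, False)] * 2 \
                + [(False, True)] * 2 + [(False, False)] * 8


def accuracy(judgements):
    """Fraction of emails classified correctly (the headline 'about half' figure)."""
    return sum(1 for is_phish, flagged in judgements if is_phish == flagged) / len(judgements)


def hit_and_false_alarm_rates(judgements):
    """Hit rate = phishing flagged as phishing; false-alarm rate = legitimate flagged as phishing."""
    phish = [flagged for is_phish, flagged in judgements if is_phish]
    legit = [flagged for is_phish, flagged in judgements if not is_phish]
    return sum(phish) / len(phish), sum(legit) / len(legit)


def _z(rate, n):
    """Inverse normal CDF; rates of exactly 0 or 1 are pulled in by half a count
    so the z-score stays finite (a standard small-sample correction)."""
    rate = min(max(rate, 0.5 / n), (n - 0.5) / n)
    return NormalDist().inv_cdf(rate)


def sensitivity_and_bias(judgements):
    """Return (d', c): d' is ability to tell phishing from legitimate mail,
    c is response bias (c < 0 means the user leans toward calling everything phishing)."""
    hit_rate, fa_rate = hit_and_false_alarm_rates(judgements)
    n_phish = sum(1 for is_phish, _ in judgements if is_phish)
    n_legit = len(judgements) - n_phish
    z_hit, z_fa = _z(hit_rate, n_phish), _z(fa_rate, n_legit)
    return z_hit - z_fa, -(z_hit + z_fa) / 2


if __name__ == "__main__":
    # The cautious user catches 90% of phishing but has low d' and a strong bias;
    # the discerning user catches fewer yet discriminates far better.
    for name, user in (("cautious", CAUTIOUS_USER), ("discerning", DISCERNING_USER)):
        d_prime, c = sensitivity_and_bias(user)
        print(f"{name}: accuracy={accuracy(user):.2f} d'={d_prime:.2f} bias={c:.2f}")
```

When assessing simulated-phishing results, reporting hit rate alone rewards the cautious profile; reporting d' alongside c shows whether discrimination actually improved.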

What does this have to do with business? Well-meaning people at your workplace may open phishing emails and enter sensitive information on the fake site they link to. These emails can also lead people to a site hosting malware that can infect your business’s entire computer network.

The study’s authors suggest that helping users to identify phishing emails could be as effective as improving spam filters’ ability to catch phishing attempts.

One method many companies use is sending simulated phishing emails to their own staff and delivering a short lesson on phishing to any user who actually opens one.

“Those trainings may not always be making people better at telling the difference, but it’s probably making them more cautious,” Canfield says.

What methods do you use to help your employees identify phishing emails? Please share your tips and questions in the comments.