Why do older people have such trouble detecting phishing emails?
There’s a guy at work, pretty sharp, who is in his early 60s. Not cognitively impaired in any way. Has worked in IT for many years.
He got some phishing email that said something about, “Some questions on your expense report hotel booking” with of course a link to click on something.
I know because he read that part out loud. And literally before I could say “Don’t click on that!” (which I got the first words out) he clicked on it.
I ran over and pulled out his network cable. Machine completely infected, but no damage done because I jerked the cable within two seconds.
I literally heard the first few words and knew it was a phishing email. How could he not tell definitively?
The company I work for has been a target of various spear phishing attacks because we hold a lot of highly-sensitive corporate data. Suspect some of the spear phishing is corporate espionage attempts.
But the question remains: why are older people generally so susceptible to such attacks?
Reflexes?
Not growing up in an environment where people use social engineering to obtain information or to do things they shouldn’t? More residual trust in authority? You would think younger people would be better, but the amount of shit that’s laid out freely through social media makes me think otherwise.
I’m not sure how I managed to learn that some sites and emails were fake or attack sites and others weren’t and I’ve been on the internet in some form or capacity since my early teens. I didn’t have an email address of my own until I was in college.
I think it has something to do with building a gestalt. Just like I can often these days identify wildlife with only a brief fleeting glimpse of less than a second, I can do the same with phishing emails. Honed over years in both cases, though I am pretty good in novel situations, too.
There are no merely sufficient clues alone, but the totality is the indication.
Unfortunately another person at the company got the email, and he was suckered in by it. At the other office, so I or the actual security person wasn’t able to intervene.
Also over 50…no one under 50 here clicked on it or was fooled for a second.
Slightly off grammar; weird phrasing, a link without an explanation, odd and/or underwhelming graphics.
Obviously the totality is important. But the person you mentioned works in IT, so it’s not building a gestalt so much as listening to an instinct. This person must have seen thousands of emails and websites, certainly more than your average 60 year old.
That’s why I think it’s about an underlying instinct. If you’ve read Catch Me If You Can, the guy gets all kinds of information that he shouldn’t be able to get in large part because the people he met were so trusting.
You might be right with the tendency to greater trust being the key. I hadn’t considered that before. But it seems to be the only thing that fits the evidence.