Everyone is susceptible to phishing, a social engineering technique that takes a variety of shapes and forms to target Internet users and extort valuable information from them. While much is known about phishing, less is understood about its association with demographic variables (e.g., age and gender). Some studies, however, have targeted the demographics of phishing in an attempt to understand why certain age groups are more susceptible than others and how to remedy the situation. Understanding who the most likely targets are would help to pinpoint the issues that need to be addressed through a new generation of phishing defense solutions and interventions involving an age-tailored training and prevention approach.
According to Kaspersky Lab Research, “1 in 5 phishing scams targets Facebook”; however, other social media sites, such as Twitter and Instagram, have also been the target of highly effective scams. Young adults are one of the demographic groups with the highest presence on these sites, and they are more likely to be exposed and become easy targets for online phishers. In fact, according to UK-government-backed research by Get Safe Online, adults under 25 are more likely to fall victim to phishing attacks than web surfers over 55: the findings show 11% of younger adults aged 18-25 against only 5% of the over-55s. The conclusions were that younger adults were more trusting when it came to online communication and were also more likely to click on unsolicited e-mails. A 2010 study reported similar findings; the Demographics and Phishing Susceptibility study found “younger people in the 18 – 25 age group are more frequently falling for phishing” than other sections of the population.
Why Phish Young Adults?
There may be several reasons for phishers to want illegitimate access to a youth’s account on Facebook or any other social network, as Nadezhda Demidova’s Securelist analysis mentions, including:
- to spread spam, phishing links or malware;
- to hijack or defraud the accounts of friends and adult family members;
- alternatively, to collect information on specific people for some other motive.
Adolescents are probably the best target for phishers. In fact, while younger children are still under stricter parental control and older adults tend to be more cautious in their online exchanges, teenagers tend to fall for phishing attacks because they are generally more careless and overly trusting; they are also, nowadays, more technically savvy and can often easily circumvent parental controls and restrictions. They are one of the groups that make the most frequent use of online applications, from social networks to gaming apps and multimedia sharing sites.
Teenagers are also more likely than other age groups to start new friendships online. A 2014-15 survey showed how American teens were increasingly making friends online. The findings show “57% of teens ages 13 to 17 have made a new friend online, with 29% of teens indicating that they have made more than five new friends in online venues.” The interesting fact is that most of these friendships remain confined to the digital space, with only 20% of surveyed teens meeting an online friend in person afterward. Older children also tend to treat online relationships in much the same way as they would traditional face-to-face ones, and this is the context in which phishers can thrive. Verifying the identity of an online acquaintance is a tricky business, and trusting teenagers can unintentionally disclose private information online to malicious hackers who have befriended them in social groups or online gaming situations by portraying themselves as fellow adolescents.
How are Young Adults Phished?
Malware-based phishing is still a standard way to illegally acquire sensitive data, as is impersonation of a legitimate entity or friend in an attempt to persuade others to provide the desired information. In the case of young adults, a lot of contact comes through their favorite means of communication, social networks and smartphones, which can easily expose them to both threats. According to the American Academy of Pediatrics (AAP), “more than half of adolescents visit a social media site more than once a day, and 75% have cell phones, which are often used for texting and instant messaging.” The AAP’s comprehensive study on the impact social media has on kids and families found that “22 percent of teenagers log onto their favorite social media sites more than 10 times a day.”
Phishers have tuned their techniques to fit the specific characteristics of this age group. Often, in fact, they play the card of emotions to trick users into clicking on links or responding to information requests by creating a sense of urgency. This works well with teens, who are more likely than other age groups to act on impulse.
A paper by the University of Florida and New York University outlines how “successful [spear phishing] emails employ psychological weapons of influence and relevant life domains.” The universities’ study lasted 21 days and was conducted with 158 participants from several age groups. It found that younger adults, when targeted by phishers, were more susceptible to “scarcity,” that is, when an opportunity was portrayed as limited in availability. “An adversary can leverage this principle by tricking an Internet user into clicking on a malicious link to avoid missing out on a once-in-a-lifetime opportunity.”
The results of the study show clearly that different age groups react to different triggers when targeted by phishers, so it is essential that training and security solutions are devised in an age-targeted way to address each group’s specific vulnerabilities.
Steps for Preventing Young Adults Phishing
A lot can be done to help teenagers be more resilient to scams targeting them specifically.
Parents have the unenviable task of placing boundaries to protect young users who, in many cases, are more technically savvy and online-smart than their guardians. Setting up parental controls that are age-appropriate is still a viable option, but these technical barriers are not a complete safety net, nor are they immune from circumvention attempts.
It is obviously impossible to prevent young adults from using social networks and exchanging information in their online communities of friends; it is therefore important to share with children of all ages awareness tips and information that are appropriate for their situation. Knowing that hackers leverage the need for friendship and sharing, as well as the emotional response of older children at that very particular stage of their development towards adulthood, teenagers need to be made aware of the few actions that can help them deflect most scams. They could use simple measures like the following:
- Don’t click directly on links that are sent via e-mail
- Don’t ever release passwords or login information
- Disregard ads that notify of any winnings; it is doubtful that lottery winners will ever be notified through a screen popup
- Do not volunteer any information in response to any e-mail that discusses money, inheritance, sudden good fortune or help in moving funds from one account to another
Also, learn to recognize red flags:
- Fraudulent websites often look incorrect, with extra letters or symbols as well as misspellings. Look for the https protocol or secure logo in the URL bar to be on the safe side
- When hovering over a link in an e-mail, make sure the address points to the site you intend to visit. It might be very different from what you see written out in the text of the message
- If an offer is too good to be true, then one can expect a potential scam with add-on inquiries
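The hover check and the https check from the list above can also be run automatically over the HTML body of a message. The following Python code is an added example, not part of the original article; the function name `red_flags`, the flag labels and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Host name written out in the link text; scheme and leading "www." are skipped.
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def red_flags(html):
    """Return [(href, shown_text, [flags])] for links that raise a red flag."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar links are not checked here
        real, flags = re.sub(r"^www\.", "", url.hostname or ""), []
        if url.scheme == "http":
            flags.append("not-https")  # https alone does not prove a site is genuine
        shown = HOST_IN_TEXT.search(text)
        name = shown.group(1).lower() if shown else real
        # The real host must be the shown host or one of its subdomains.
        if real != name and not real.endswith("." + name):
            flags.append("text-host-mismatch")
        if flags:
            findings.append((href, text, flags))
    return findings

# Constructed sample message using reserved example/test domains.
SAMPLE_EMAIL = """
<a href="http://example.com.prize-claim.test/login">https://www.example.com/login</a>
<a href="https://www.example.com/help">www.example.com/help</a>
<a href="https://news.example.org/story">Read the story</a>
"""
```

Only the first link in the sample is reported: its text shows one site while the address behind it points to another host over plain http.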
Communication is also a great tool, although sometimes difficult to use with older children. Here are a few actions that parents and guardians can take:
- Know your kids’ online habits and who they may be talking to in Internet chat rooms and through instant messaging
- Ask questions about their friends and be familiar with their online social networking or gaming activity
- Rather than blocking all social media usage, try to participate actively by showing interest in their online friendships and activities
- Don’t rely only on technical computing tools. While the phishing filter is a nice security feature on the Web browser that once activated serves as protection, scams are being openly distributed via social media and continue to thrive past any technical filters
- Educate yourself. FTC’s consumer information on Protecting Kids Online is a great source in ensuring they make safe and responsible decisions
- Involve the younger adults in the digital protection of your household by emphasizing their crucial role. Understanding the importance of their responsibility in the safety of the home network is a great motivation to pay more attention to their online presence
- Help children become aware by sharing awareness tips with them and encouraging them to access the material that can be easily found online
Prevention begins with phishing awareness training at any age. A great option is simulation tools, like Security IQ’s PhishSim, a proprietary anti-phishing training platform that serves as a simulator for learning to detect and avoid phishing attacks. The automated education tool enables users to create their own phishing attack emails or make use of templates to enhance resilience and quicker recognition of typical phishing attempts. The more educated young users are about their information security and privacy online, the more effectively they can anticipate risks and respond to threats. Moreover, there are plenty of free resources and phishing simulators online that can help.
Bear in mind: no one is too smart to fall for scams. Phishing remains a genuine threat to adolescents in today’s digital world. Time and again, scammers will use phishing as a preferred attack vector and will target applications and cyber-venues where younger adults are more likely to be operating. Scams can go far and have lasting consequences. A few months ago, for example, TwinStar Credit Union warned of a phishing scam mainly targeting older teenagers and young adults, “groups [that] generally have less of an income stream and are more susceptible to being tricked into giving their information for what turns out to be crimes/fraud in exchange for monetary payments.” Victims were convinced to open an account or release info on accounts already in place and give full access to the scammer after being reassured that they would not be legally liable for any activity and being lured with an easy way of making money legally. This type of scam can have a number of legal impacts on the youngster and affect his or her financial future for years.
Lesson learned. This shows how protecting this age group is paramount. Awareness is always the most effective solution to help learn to identify phishing and other scams. Anti-phishing education at home or school is sure to trigger a drop in susceptibility to cyber-attacks for this particular age group and ensure a savvier progression of teenagers’ cyber lives towards adulthood.
American Academy of Pediatrics. (2011, April). The Impact of Social Media on Children, Adolescents, and Families. Clinical Report, Volume 127 / Issue 4. doi:10.1542/peds.2011-0054
Brecht, D. (2016, May 20). Phishing Attacks by Demographic. Retrieved from
Correa, D. (2015, July 6). Women more susceptible to phishing than men. Retrieved from https://www.scmagazineuk.com/women-more-susceptible-to-phishing-than-men/article/534337/
Cranor, L., Sheng, S., Holbrook, M., Downs, J., & Kumaraguru, P. (2010). Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Intervention. Retrieved from http://lorrie.cranor.org/pubs/pap1162-sheng.pdf
Demidova, N. (2014, June 11). Social network frauds. Retrieved from https://securelist.com/social-network-frauds/63855/
Gavett B.E., Zhao R., John S.E., Bussell C.A., Roberts J.R., & Yue C. (2017, February 3). Phishing suspiciousness in older and younger adults: The role of executive functioning. PLoS ONE 12(2): e0171620. https://doi.org/10.1371/journal.pone.0171620
Get Safe Online. (2017, October 23). Caught on the net! Retrieved from https://www.getsafeonline.org/news/caught-on-the-net/
Human Factors and Ergonomics Society. (2013, July 25). Profile of likely e-mail phishing victims emerges in human factors/ergonomics research. ScienceDaily. Retrieved from www.sciencedaily.com/releases/2013/07/130725091238.htm
Kaspersky Lab. (n.d.). Internet Safety on Twitter. Retrieved from https://www.kaspersky.com/resource-center/preemptive-safety/twitter-tips-for-parents-of-teens
KidsHealth. (n.d.). Teaching Kids to Be Smart About Social Media. Retrieved from http://kidshealth.org/en/parents/social-media-smarts.html
Lenhart, A. (2015, August 6). Teens, Technology and Friendships. Retrieved from http://www.pewinternet.org/2015/08/06/teens-technology-and-friendships/
Muncaster, P. (2017, February 8). Social Media Phishing Attacks Soar 500%. Retrieved from https://www.infosecurity-magazine.com/news/social-media-phishing-attacks-soar/
Muncaster, P. (2017, October 24). Young Adults More Likely to Fall for Phishing Scams. Retrieved from https://www.infosecurity-magazine.com/news/young-adults-more-likely-fall/
Patil, A. (2013, October 9). Phishers Use Malware in Fake Facebook App. Retrieved from https://www.symantec.com/connect/blogs/phishers-use-malware-fake-facebook-app
Ragan, S. (2013, October 1). Study links phishing vulnerabilities to personality traits. Retrieved from https://www.csoonline.com/article/2134031/network-security/study-links-phishing-vulnerabilities-to-personality-traits.html
Stern, A. (2014, June 23). Social Networkers Beware: Facebook is a Major Phishing Portal. Retrieved from https://www.kaspersky.com/blog/1-in-5-phishing-attacks-targets-facebook/5180/
TeenSafe Inc. (2017, May 15). Should Parents Monitor Their Children’s Social Media? Retrieved from https://www.teensafe.com/blog/parents-monitor-childrens-social-media/
TwinStar Credit Union. (2017, May 15). New scam targeting teens and young adults. Retrieved from https://www.twinstarcu.com/content/new-scam-targeting-teens-and-young-adults
US-CERT. (2017, January 24). Security Tip (ST04-014): Avoiding Social Engineering and Phishing Attacks. Retrieved from https://www.us-cert.gov/ncas/tips/ST04-014