UPDATED 17:01 EDT / SEPTEMBER 01 2016

NEWS

Phishing study: More than half of people still click on risky links

The internet has been around long enough that you would think most people know better than to click an untrustworthy link from someone they do not know, but according to a new study by the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, a majority of people still take the bait.

Zinaida Benenson, chair of computer science at FAU, conducted the study and found that around 56 percent of email users and 40 percent of Facebook users will click on a link from an unknown sender. Even more upsetting, many of these users knew of the risks involved and chose to click the link anyway.

“The overall results surprised us as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links,” Benenson said. “And only 20 percent from the first study and 16 percent from the second study said that they had clicked on the link. However, when we evaluated the real clicks, we found that 45 and 25 percent respectively had clicked on the links.”

When asked why they clicked the link despite knowing the risks, many users responded that they were simply curious about the identity of the person who sent the link or what the link itself actually contained.

Of the users who chose to not click the link, only half said that it was because they did not know the person who sent it to them. The reasons for others varied, but around 5 percent did respond that they wanted to respect the privacy of the sender by not viewing photos that had not been meant for them. In light of these results, Benenson doubts that true security is achievable.

“I think that, with careful planning and execution, anyone can be made to click on this type of link, even if it’s just out of curiosity,” Benenson concluded. “I don’t think one hundred percent security is possible. Nevertheless, further research is required to develop ways of making users, such as employees in companies, more aware of such attacks.”

This is why your IT guy hates you

Following a sketchy link on your own device is bad enough, but corporations around the world are constantly dealing with issues caused by employees who get duped into following a link they shouldn’t have while using a company computer. This leads to viruses, compromised passwords, and a host of other problems that cost companies valuable resources, and sometimes the breach is so severe that it damages the company’s reputation.

One of the most high-profile examples of how phishing has affected a business is the 2013 Target breach, which exposed personal data of up to 110 million Target customers. The breach began as a malware-laced phishing attack on one of Target’s contractors, and it eventually cost the company tens of millions of dollars in a class action lawsuit.

Unfortunately, phishing preys on bad judgment, which is not something your company’s cybersecurity department is capable of fixing. Not until we all get replaced by AIs, anyway.

Image credit: kleuske/Flickr/CC by 2.0
