You know those weird emails that try to trick you into handing over your information? Turns out they work way better than you'd expect, according to a new study from Google and the University of California, San Diego.
Certain websites included in phishing emails successfully lure users up to 45 percent of the time, according to the study, which came out on Thursday. Once on the bogus pages -- which tend to imitate legitimate sites, like Google itself, in an effort to obtain people's private details -- 14 percent of people unwittingly submit their information to hackers. Researchers said the percentage of people who get tricked was "much higher" than they expected.
To gather this data, Google and UCSD looked at 100 phishing emails picked out of a random sample self-reported by Gmail users. The researchers also reviewed a random sample of 100 phishing websites caught by Google's Safe Browsing system to further understand how the scams work. These websites were all created through Google Forms, which is how researchers were able to access the data.
The researchers were then able to look back and see how people interacted with the emails and websites. Even on the worst-performing phishing websites, 3 percent of users still submitted their data. On the most effective phishing sites, as many as 45 percent did.
Google notes in its write-up that this is big business for scammers, as one attacker can be responsible for millions of phishing emails.
Once a hacker is able to access someone's account, they spend an average of three minutes figuring out how much it's worth, and will apparently move on if the account doesn't seem valuable enough. According to the study, hackers use Gmail's own search function to figure out if an account is worth their time, looking for terms like "wire transfer" and "bank."
What happens next probably won't surprise you: The hacker tries try to get money from an account's contact list. They send emails to the person's friends, family and colleagues with fake stories like "we were mugged last night in an alley" in the hopes of getting them to send cash.
Google's advice for staying safe? Enable two-step verification on your email account, and report any suspicious emails instead of responding to them. And if you suspect your account has been compromised -- maybe because you've belatedly realized that something seemed off about the website you visited, or because a friend has asked you about the weird email they just got from your address -- you should work as quickly as possible to regain control. Twenty percent of hackers access compromised accounts within 30 minutes of getting their credentials, the study says.
These scams have long been a problem online, but recent examples are particularly concerning. A cyberattack against JPMorgan Chase brought the issue back into the spotlight earlier this year. That hack affected up to 76 million households, leaving an untold number of individuals vulnerable to potential phishing efforts.