In the realm of internet activity, there are a lot of different ways that scammers and hackers can nab your personal information. All too often, though, the victim of the data theft accidentally does the dirty work for the scammer.

If a hacker can get you to click on a link and install a virus on your own computer, his job is done. All he has to do is sit back and mine your data, including your contacts list, your usernames and passwords, even stored information locked up in your documents, depending on the type of virus he sent you.

Given the threat of malicious software downloads, you’d think that people wouldn’t still fall for this tactic. Unfortunately, it’s all too common, and hackers are happy to up their game with new methods of encouraging you to fall for it. Whether it’s sending you an email that appears to come from someone you know (through either spoofing the sender’s account or hacking into their account), or trapping you with a text message from an unknown phone number that claims to include “crazy” pictures of you, there’s no end to their creativity in trying to phish you out.

But there’s another trick up the hacker’s sleeves when it comes to phishing, and that’s social media click bait. Click bait is a term that usually applies to “news” articles that are shared online. They might have scandalous-sounding headlines like, “You won’t believe what (insert celebrity name here) wore on the red carpet!” but the goal is simply to get you to click on the link. Typically, click bait is relatively harmless, other than making money for the website in advertising revenue every time someone clicks. The “bait” doesn’t have to be an article, though; it could just as easily be a post on your timeline or a private message with something enticing, like, “Check out these pictures of you from last weekend!”

A new study took a hard look at how easy it is for scammers to lure us in with phishing emails and click bait. In an experiment involving nearly 2000 email and social media users, the target groups were sent either an email or a social media message that offered them photos of themselves that someone had taken. The results were pretty surprising:

“In the first study, which addressed the targets by their first names, 56% of the email recipients and 38% of the Facebook message recipients clicked on the links… In the second study, where the first names were dropped but the specificity of the phishing message upped the curiosity factor, only 20% of email recipients clicked through, while the percentage of Facebook users who clicked went up to 42%.”

Unfortunately, the experiment concluded with a questionnaire for the test subjects and the results were puzzling. 78% of the respondents said they were unaware of the danger of clicking on an unexpected link. Even more interesting, the questionnaire asked the respondents whether or not they had clicked on the link. Only 20% in the first group had said they did, and 16% in the second group admitted it; of course, the researchers could track the links, and found that the numbers were actually 45% and 25%, respectively.

This lack of awareness coupled with an underlying understanding that we shouldn’t be clicking on messages we can’t verify is actually very telling from a security standpoint. It means that greater awareness of the threat needs to be shared, but also that many users understand there is some kind of risk, even if they don’t know what it is.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.