Sunday, September 28, 2008

New study highlights risk of fake popup warnings for Internet users

Real Windows Security Warning

A new study by researchers at North Carolina State University shows that most Internet users are unable to distinguish genuine popup warning messages from false ones – even after repeated mistakes. The fake ones were designed to trick users into downloading harmful software.
"This study demonstrates how easy it is to fool people on the Web," says study co-author Dr. Michael S. Wogalter, professor of psychology at NC State. The study examined the responses of undergraduate students to real and fake warning messages while they did a series of search tasks on a personal computer connected to the Internet.

Typical Fake Pop-up Warning
The real warning messages simulated local Windows operating system warnings, whereas fake messages were popup messages emanating from an exterior source via the Internet.
Real Windows Security Alert

The physical differences between the real and the fake messages were subtle, and most participants did not discern them. Participants were fooled by the fake messages 63 percent of the time, hitting the "OK" button in the message box when it appeared on the screen despite being told that some of what they would be seeing would be false.
The ways people responded could potentially open them up to malevolent software, such as spyware or a computer virus, Wogalter says. Safer options, such as simply closing the message box, were infrequently chosen. The study was led by psychology graduate student David Sharek and co-authored by undergraduate Cameron Swofford.

Typical Fake Pop-up Alert

Wogalter notes that companies and other credible entities may want to incorporate additional unique features into the real messages to allow people to differentiate between genuine warning messages and fake popups. However, he says, "I don't know if you could develop a legitimate message that could not be duplicated and used illegitimately."

Wogalter says the results of the study highlight the need to educate Internet users to be cautious. "Be suspicious when things pop up," Wogalter says. "Don't click OK – close the box instead."

The study was published Sept. 22 in Proceedings of Human Factors and Ergonomics Society.

Note to editors: The study abstract follows.

"Failure to Recognize Fake Internet Popup Warning Messages"
Authors: David Sharek, Cameron Swofford and Michael Wogalter, North Carolina State University.
Published: Sept. 22 in Proceedings of Human Factors and Ergonomics Society

Abstract: "Warning, your computer is infected with spyware. Windows needs to download and install the anti-spyware updates to remedy this issue. Click OK to begin." This is just one example of many popup warnings that spyware and malware creators use to try to mislead unsuspecting Internet users into downloading potentially harmful software. Falling prey to an illegitimate message could produce negative consequences that vary from bothersome computer performance to complete system failure. The purpose of this study was to determine which visual design cues, if any, would alert people to the illegitimacy of fake popup warning windows while browsing the Internet. Results indicated that most people did not behave in a cautious manner upon presentation of three different fake popup warning windows. Implications of the research are discussed.

Contact: Matt Shipman matt_shipman@ncsu.edu 919-515-3470 North Carolina State University
