The average American cannot reliably distinguish between fake and legitimate election campaign emails, according to a study by Valimail. In the weeks leading up to the US midterm elections, Valimail surveyed 1,079 US adults and found that, on average, respondents could discern the legitimacy of just 4.98 out of 11 emails.
Only one respondent correctly categorized all 11 emails. Individuals over 65 were slightly better at identifying emails correctly than younger respondents, and Republican respondents scored marginally higher than Democrats. Overall, however, the results were fairly consistent across the board. Notably, respondents were more likely to fall for a fake email if the email purported to come from their preferred political party.
“The results of this survey confirm what nation-states and bad actors have known for years: that email is incredibly vulnerable to impersonation, and is therefore a prime channel for spreading misinformation, malware, and fraud,” said Valimail’s CEO Alexander García-Tobar. “More concerning is the fact that consumers' trust in their public leaders and political candidates can be so easily abused for financial or political gain, when the tools to combat these types of attacks are readily available.”
All of the fake emails used in this survey contained visible tells that could have been detected by careful observers. Valimail notes, however, that phishing emails are often visually indistinguishable from legitimate ones. Attackers can also use field-spoofing and lookalike domains to further their deception.
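As an added example (not from the article or from Valimail's report), the two checks a receiving mail gateway can run against the header fields mentioned above: DMARC-style identifier alignment between the visible From domain and the envelope sender or DKIM signing domain, and a lookalike test that undoes common character swaps. The two messages, the `KNOWN` domain list and the `HOMOGLYPHS` table are constructed for the demonstration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the visible From claims the party's domain (with a digit "1"
# in place of "l"), while the bounce address and DKIM signer are an unrelated host.
SPOOFED = """\
Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example.com; dkim=pass header.d=mail-blast.example.net
From: "Campaign HQ" <donate@examp1e-party.org>
Subject: Urgent: confirm your support today

Click the link to confirm.
"""

# Constructed sample: every identifier points at the same domain.
LEGIT = """\
Return-Path: <bounce@example-party.org>
Authentication-Results: mx.example.com; dkim=pass header.d=example-party.org
From: "Campaign HQ" <info@example-party.org>
Subject: Thanks for volunteering

See you Saturday.
"""

KNOWN = {"example-party.org"}  # hypothetical list of domains the organisation trusts
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

def normalize(domain):
    """Collapse common look-alike substitutions; only used to compare against KNOWN."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def dkim_domain(auth_results):
    """Signing domain from a passing DKIM result in Authentication-Results, or ''."""
    m = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth_results or "")
    return m.group(1).lower() if m else ""

def analyze(raw):
    msg = email.message_from_string(raw)
    hdr_from = domain(msg.get("From", ""))
    flags = []
    # Strict alignment: the From domain must equal the Return-Path (SPF) domain or
    # the DKIM d= domain; DMARC's relaxed mode would also accept a shared org domain.
    if hdr_from not in (domain(msg.get("Return-Path", "")), dkim_domain(msg.get("Authentication-Results"))):
        flags.append("from-unaligned")
    # Lookalike: the raw domain is unknown, but after undoing the swaps it is a known one.
    if hdr_from not in KNOWN and normalize(hdr_from) in KNOWN:
        flags.append("lookalike-domain")
    return flags
```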
While Valimail's study concentrates on election influence operations, the broader principles apply to any organization. Employees need new-school security awareness training that uses real-world examples to teach them the red flags to look for and the techniques they can use to verify the authenticity of emails.
Valimail's report is here: https://www.valimail.com/resources/report/real-vs-fake-email-test-results/