December 06, 2018

Does having autism make you more vulnerable to cyber phishing attacks?

Written by

Profile SaxenaNitesh Saxena, Ph. D. An interdisciplinary research study led by the University of Alabama at Birmingham’s Department of Computer Science delved into the correlation between social health disorders and cyber phishing, a type of social engineering attack usually deployed against average (healthy) computer users to steal their personal data, in regard to whether or not individuals who suffer from autism spectrum disorder are more susceptible to counterfeit websites than those without autism. The study results indicated that was not the case. 

Due to diminished social skills, the study began under the theory that individuals who have ASD are more likely to be deceived when it comes to phishing attacks.

“Based on this premise we suspected that people with autism may be more prone to phishing attacks compared to those without the disorder,” said Saxena, the lead faculty investigator on the study and professor in the Computer Science department, who runs the SPIES lab there and NSF-funded CyberCorps program.

Autism Spectrum Disorder, a unique developmental disorder, is one of the fastest-growing developmental disabilities in the United States. ASD has increased from 1 in 88 children in 2008, to 1 in 68 children in 2014.

For this study, the UAB research team performed phishing detection in a controlled lab setting with two different groups. Each group had 15 participants, one diagnosed with autism and the others without. Each group was asked to distinguish real versions of particular websites from their fake counterparts.

Given the known gullibility and social vulnerability of users with autism, the research team had hypothesized that individuals with autism would be more prone to phishing attacks in comparison to the participants without autism.

Contrary to predictions, both participants with and without autism performed nearly as well in identifying the fake websites, with no statistically significant differences. However, participants with autism spent significantly longer on real websites than the fake websites. Both groups did slightly better in identifying fake websites when they were familiar to them.

Overall, the study’s findings showed that individuals who were on the autistic spectrum may not be more prone to phishing attacks compared to people without autism. Saxena said the results show that users with autism may be equally capable to individuals without autism in detecting phishing websites. In fact, the study noted that their detailed-oriented nature may make them better equipped to combat phishing attacks.

“While our findings do not show evidence that people with autism are more susceptible to phishing attacks, future studies are warranted with larger samples of users,” said Saxena. “Recruiting large sample of users with autism is a challenge in conducting such research which requires collaborations from the community as a whole.”

Other researchers on this project are the former Department of Computer Science’s graduate students, Ajaya Neupane and Kiavash Satvat; and the Department of Psychology’s faculty Despina Stavrinos, Ph.D., and graduate student Haley Johnson Bishop.