i had lunch with Aaron Emigh today and he reminded me about a fascinating study from the Informatics department at Indiana University (they are doing great work there):
this is an incredible paper which details a study where they sent a general phishing email to 94 students and 15 of them (or 16%) fell for the attack and entered their login and password into an obviously fake site. 16% is an extremely high number.
but it gets worse.
the researchers sent the same phishing email to an additional 487 students ... but the email had one twist ... it was sent from someone they knew (they got the information from mining Facebook). this time 349 people -- or a staggering 72% -- were victims of the phishing attack.
summation: i highly recommend reading the paper on Social Phishing by Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer ... thanks Aaron!