autism phishing expedition

A press release from the University of Alabama describes this conference abstract:

Social engineering is a well-established and well-studied threat especially against healthy computer users. Little studied, however, is the level of vulnerability to social engineering attacks against people with medical conditions. Social disorders in particular may make people more susceptible to such attacks. In this paper, as an initial line of investigation into this understudied research line, we launch a study of phishing, a prominent social engineering attack, against people suffering from autism spectrum disorder, a unique developmental disorder characterized by hampered social skills and communication. We present a study of phishing detection with two groups of participants each with 15 participants, one diagnosed with autism and other without autism, in which they were asked to distinguish real versions of certain websites from their fake counterparts. Given the known gullibility and social vulnerability of users with autism, our study is designed to test the hypothesis that individuals with autism will be more prone to such attacks in contrast to healthy participants of prior studies. Our results, however, do not support this hypothesis demonstrating that participants with autism are not more vulnerable to phishing attempts. We attribute this result to the unique characteristics of users with autism including attention to detail, strong memory of factual information and diverse way of thinking, which are skills that folklore assumes may actually make users with autism highly qualified for cybersecurity careers. Overall, our work serves to demonstrate that targeted (spear) phishing attacks against Internet users suffering from autism may not be more successful compared to untargeted attacks against the user population without autism. It also highlights that social disorders may not necessarily facilitate social engineering attacks.

As an autistic cybersecurity professional, I think this is annoying but illustrative.

The press release explains that the study was led by a guy from the computer science department who specializes in security. You can see what probably happened here. They probably saw the Wired article about how autistic people are the answer to the world’s computer security problems. Somebody was skeptical. They went straight to Wikipedia, which said autistic people lack social skills. Social skills….social engineering…cloning some web pages isn’t so hard…find some autistic people and you’ve got a publication!

Being autistic is not, in itself, “unhealthy.”

The terms “social skills” and “communication” are broad enough to be meaningless. It doesn’t look like anyone thought about WHY we’re supposed to be bad at phishing detection, except that phishing is a form of “social engineering.” We’e just generally “gullible” and “socially vulnerable,” i.e., the normal people single us out for torment. Like…a couple times in childhood, people said they’d be my girlfriend as part of a prank to make me look stupid. Why is that supposed to predict my ability to judge if is a legit URL?

It doesn’t. They had to think about it harder after the fact. Oh wait…autistic people have high attention to detail, where the sign of phishing is that little details are wrong. The press release also explains that autistic people spent longer on real websites than fake ones, i.e., they were probably more thorough.


“While our findings do not show evidence that people with autism are more susceptible to phishing attacks, future studies are warranted with larger samples of users,” said Saxena. “Recruiting large sample of users with autism is a challenge in conducting such research which requires collaborations from the community as a whole.”

There MUST be something wrong with autistic people, and we’re going to find it!

Why would an autistic person want to work with this guy?

Normal researchers with the most tangential connection to autism are allowed to basically talk out of their ass and keep autism stigma alive, and their university PR department will help them get the message out.