Another experiment targeted Indiana University professors, prompting them to use their university-issued passwords to get onto a site that appeared to be hosted outside of the school. Most were duped.
"We sent them to a page that said 'service temporarily unavailable, please try again later.' That would stimulate people's interest and many people returned," he said. "It was nice to see computer scientists never fell for the experimental attack when it was sent by a stranger. ... It was a wakeup call that the people in the School of Education did not distinguish whether it was from a friend or someone unknown to them."
One finding could have been predicted by anyone: Men are more likely to click on a link sent to them by a female than by a male. But the study dug up some more surprising facts by targeting e-mail addresses from a social networking site that listed political affiliations.
"It was delightful for me to see that people on the far left and far right were much more vulnerable than people in the middle, which confirms to me that they're crazier than the rest of us," Jakobsson said.
In another study, Jakobsson and his wife exposed weaknesses in eBay's system that allows communication between buyers and sellers. A recipient of an e-mail sees a yellow button that says "respond now," but the button carries no information about the intended recipient. Jakobsson pasted the button onto a spoofed e-mail to a victim, making it appear to be a legitimate e-mail from an eBay user. Instead, the victim -- or, in this case, research subject -- is taken to a site with a URL that's similar to eBay's but was actually run by Jakobsson.
The researchers spoke with eBay after performing their experiment.
"Just a few months after we performed this experiment and told them the results, this attack started to happen in the wild, pretty big-scale too," he said. "We were terrified that we caused it to happen."
It turned out the same type of attack had already been occurring, but on a smaller scale, so Jakobsson was off the hook. He said eBay officials reacted positively to his research because it gives them information that can help improve security. For reasons related to public relations, eBay doesn't experiment on its own customers, he said.
There are several good reasons to perform such experiments, Jakobsson argues. They improve phishing countermeasures by discovering what works and what doesn't. Jakobsson said one experiment showed 400 subjects one of two AT&T links: one with the company name in the URL or one with the phrase "accountonline.com."
The accountonline.com link was the real one used by AT&T -- yet users deemed it less trustworthy than the one with AT&T's name in the URL. Phishers seem to know this already, as they tend to register domain names that look similar to the site they want people to think they are logging on to.
"Custom name attacks are remarkably successful," Jakobsson said.
Experiments can help researchers predict trends by discovering what human vulnerabilities haven't been exploited yet, Jakobsson said.
Although some argue users can't be taught to avoid online attacks, Jakobsson thinks his research can lead to better education methods. Some common advice is so vague that it's pretty much useless, he said, leaving lots of room for improvement.
"The technical component is important, but it's not all," Jakobsson said.
