
Technology News: Study examines why phishing tricks work. By John Stokdyk

4th Apr 2006

Four out of 10 phishing sites fooled typical web users in a study carried out by US academics.

Researchers at Harvard University and the University of California, Berkeley, collected samples of phishing sites and then carried out a usability study in which 22 participants were asked to decide which ones were fraudulent. The survey found that participants made incorrect choices 40% of the time, with the most sophisticated phishing websites fooling 90% of participants.

One reason for the high deception rate was that 23% of participants did not pay attention to warning signals from the address bar in their browser or to the security indicators, the study found.

Popup warnings about fraudulent certificates were also found to be ineffective: 15 out of 22 participants proceeded without hesitation when presented with warnings. In another example of user ignorance, many were not aware that a closed padlock in the browser frame indicates that the page is delivered via a server with a Secure Sockets Layer (SSL). Some phishing sites draw a padlock of their own, but inside the web page itself rather than in the browser "chrome" where the genuine indicator appears.

The samples collected for the study included some sophisticated visual treatments as well as tricks such as obscuring underlying text with realistic images that link to the rogue data collection site or images that emulate ordinary browser windows.

The study quoted estimates that 5% of web users have been tricked into giving their details to spoof websites, amounting to losses of $1.2bn for US banks and credit card companies in 2003.

Given the scale of the problem, the researchers argue that traditional cryptography-based security, which focuses on what can be protected, should be refined with an approach based more on usability principles. For example, rather than putting icons on the periphery of the browser, they suggest using colours in the address bar to warn of a site's dubious status (for example green for trusted, amber for suspicious and red for a known phishing site). The project team is now testing a new approach that will enable a remote server to prove its identity in a way that is easy for a user to verify (exploiting the human ability to easily match images) but difficult to spoof.

'Why Phishing Works' can be downloaded from the Harvard University website.


Replies (1)


Dennis Howlett
By dahowlett
04th Apr 2006 14:29

there's a simple answer
If you're on eBay or use PayPal, the simplest way to check is to forward the unopened email to [email protected]/paypal.com

They usually respond within 5 minutes. Another way is to roll the mouse over the links in the email to view the URI. You can usually tell if it's a scam by looking at the link.

Bottom line - most phishing scams are pretty crude - if you know how to tackle them.

BTW - Firefox does a pretty good job of warning users if there is a suspected scam.

Thanks (0)
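The "look at the link" check in the comment above (hover to see where a link really goes) and the article's point about realistic images that link to a rogue data collection site can both be turned into a simple mail-filter heuristic. The Python script below is an added example, not code from the article, the study or the commenter: it parses an HTML email body, compares the host a link visibly names with the host its href actually points to, and flags image-only links and bare-IP targets. The email body is constructed for the demonstration and the hosts and address in it are placeholders.

```python
"""Flag deceptive links in an HTML email body.

Added example. Heuristics, from a defender's point of view:
  1. the visible link text names one host but the href goes somewhere else
  2. the link body is an image with no text, the way a realistic picture of
     a login form can lead to a rogue data collection site
  3. the href host is a bare IP address
This is the "look at the link" check from the comment, done by a script;
it does not replace the browser's own security indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, one mismatched link, one image-only link.
# 203.0.113.7 is a documentation-range address; the hosts are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://www.paypal.com/signin">log in</a>
to review your account.</p>
<p>Or click <a href="http://203.0.113.7/pp/login.php">www.paypal.com/secure</a> now.</p>
<p><a href="http://signin-ebay.example.net/"><img src="cid:loginform.png" alt=""></a></p>
"""

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect every <a> with its href, visible text and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "has_image": False}
        elif tag == "img" and self._current is not None:
            self._current["has_image"] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def registrable(host):
    """Crude stand-in for the registrable domain: the last two labels.
    A real filter would consult the public suffix list instead."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(link):
    """Return a list of human-readable findings for one link (empty = nothing odd)."""
    findings = []
    parsed = urlparse(link["href"])
    host = parsed.hostname or ""
    if IP_RE.match(host):
        findings.append("href host is a bare IP address")
    shown = HOST_RE.search(link["text"])
    if shown and registrable(shown.group(1)) != registrable(host):
        findings.append(f"text shows {shown.group(1)} but href goes to {host}")
    if link["has_image"] and not link["text"]:
        findings.append(f"image-only link to {host}")
    return findings


def scan_email(html):
    """Return [(href, findings)] for every link in the message that raised a finding."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for link in collector.links:
        findings = check_link(link)
        if findings:
            results.append((link["href"], findings))
    return results


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL):
        print(href)
        for finding in findings:
            print("   -", finding)
```

Run against the constructed message, the honest `log in` link passes, the link whose text reads `www.paypal.com/secure` but points at a bare IP gets two findings, and the image-only link is reported on its own. The last-two-labels comparison is deliberately crude; a production filter would use the public suffix list so that hosts under multi-label suffixes are compared correctly.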