
By Will Sturgeon
Posted on ZDNet News: Apr 3, 2006 5:20:00 PM

Three U.S. academics have published research into why phishing scams are still finding success, years after widespread public warnings first appeared.

Most people have received an e-mail purporting to be from a bank or other online service that asks for personal and financial details. Occasionally, it has been for a bank or service for which the recipient is a customer. Even in that situation, many people still know to be wary.

For their paper, titled "Why Phishing Works," Rachna Dhamija of Harvard University and Marti Hearst and J.D. Tygar of the University of California at Berkeley conducted tests on a small sample of users. They found that 90 percent of subjects were unable to pick out a highly effective phishing e-mail when simply judging whether or not it was genuine.


Equally relevant, in terms of whether e-commerce and online banking can survive the damage phishing does to consumer confidence, a large number of subjects were also unable to recognize genuine e-mails. That could lead wary consumers to avoid such online services altogether.

The researchers put together a carefully spoofed Bank of the West e-mail that directed recipients to the phishing Web site www.bankofthevvest.com (with a double "v" instead of a "w"), complete with a padlock icon in the page content, a spoofed VeriSign logo and certificate validation seal, and a pop-up consumer security alert. Presented with this, 91 percent of participants guessed it was legitimate.

Presented with a genuine E*Trade e-mail that directed recipients to a legitimate secure site with a simple, graphic-free design optimized for mobile browsers, 77 percent of participants guessed it to be a fake.

One reason consumers fall for phishing scams could be that too many simply blunder into the trap. Nearly a quarter of participants in the study didn't look at the address bar, status bar or security indicators on the phishing sites.

This makes them easy targets for criminals who use tactics such as URLs that differ from the legitimate one by a single character, for example replacing the letter "l" with the number "1" or an uppercase "I". In the e-mail message itself, the HTML of the link can hide the URL's true destination.

Similarly, the paper adds, people don't understand the syntax of domain names. "They may think www.ebay-members-security.com belongs to www.ebay.com," it states.
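Both URL tricks described above, a single confusable character swapped into a legitimate host name ("vv" for "w", "1" or "I" for "l") and a brand name buried inside an unrelated registrable domain such as www.ebay-members-security.com, can be flagged mechanically on the defender's side. The following is an added Python example written for this article; it is not code from the paper or from ZDNet. The trusted-domain allow-list, the hypothetical example-bank.com domain, and the confusable table are constructed for the example, and the two-label rule for the registrable domain is a simplification (production code would consult the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed allow-list of registrable domains an organisation trusts.
# example-bank.com is a hypothetical name added so that the "l" substitutions
# have something to match against; the others are the domains named in the article.
TRUSTED_DOMAINS = {"bankofthewest.com", "ebay.com", "etrade.com", "example-bank.com"}

# Substitutions the article describes. Order matters: the capital-I rule must run
# before the host is lowercased, otherwise the "I" turns into "i" and is lost.
CONFUSABLES = [("vv", "w"), ("1", "l"), ("I", "l")]


def raw_host(url):
    """Return the host part of a URL with its letter case preserved.

    urlparse().hostname lowercases, which would hide an uppercase "I", so the
    netloc is taken apart by hand. Any user:password@ prefix and :port suffix
    are stripped, since both can be used to push the real host out of view.
    """
    if "://" not in url:
        url = "http://" + url
    netloc = urlparse(url).netloc
    netloc = netloc.rsplit("@", 1)[-1]          # drop userinfo
    return netloc.split(":", 1)[0].rstrip(".")  # drop port and trailing dot


def registrable_domain(host):
    """Naive registrable domain: the last two labels (enough for the .com cases here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(host):
    """Undo the confusable substitutions so a lookalike compares equal to the real name."""
    for bad, good in CONFUSABLES:
        host = host.replace(bad, good)
    return host.lower()


def classify(url):
    """Classify a URL as trusted, lookalike, brand-in-domain, or unrelated."""
    host = raw_host(url)
    domain = registrable_domain(host.lower())
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Same name once the confusable characters are undone: a one-character lookalike.
    if registrable_domain(normalize(host)) in TRUSTED_DOMAINS:
        return "lookalike"
    # The paper's www.ebay-members-security.com case: the brand appears inside the
    # registrable domain, but that domain is not the trusted one.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in domain:
            return "brand-in-domain"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links of the kinds the article describes.
    for link in [
        "https://www.bankofthewest.com/login",
        "http://www.bankofthevvest.com/",
        "https://www.ebay-members-security.com/",
        "http://www.exampIe-bank.com/",
        "http://www.ebay.com@www.bankofthevvest.com/",
        "https://www.zdnet.com/",
    ]:
        print(f"{classify(link):16} {link}")
```

The "lookalike" branch catches only the specific swaps in CONFUSABLES; a real deployment would use a Unicode confusables table and an edit-distance check against the allow-list. The "brand-in-domain" branch is deliberately broad, because a user who reads www.ebay-members-security.com as belonging to eBay is making exactly the mistake the paper describes, and a warning there costs little.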

Other visual items can be deceptive. Users may see a familiar padlock icon in the page content and assume it guarantees security. However, such icons can easily be added to the page as ordinary images; only the browser's own indicator reflects the connection.

Speaking at the E-Crime Congress in London last week, Bernhard Otupal, a crime intelligence officer for high-tech crime at Interpol, said consumers are not only still falling for this kind of scam in large numbers, but are making matters easier for the criminals through shocking levels of ignorance.

"There needs to be some responsibility from users," Otupal said. "Recently a number of users fell victim to phishing attacks from a group claiming to be a well-known bank. People entered bank details who weren't even the bank's customers."

The "Why Phishing Works" paper reports that it found no difference in susceptibility based on age. However, separate research from market research agency YouGov suggested there are some differences.

Asked whether the threat of cybercrime has made them act more cautiously, only 58 percent of respondents ages 18 to 29 said yes, compared with 79 percent of respondents over 50.

Likewise, 80 percent of those younger respondents said they make decisions about who they deal with online based on security, while for the older demographic the figure was 93 percent.

Will Sturgeon of Silicon.com reported from London.

Talkback
Not so easy, but you're right
It's not so easy to catch the phishers. Just like spammers they use compromised bot computers to manage their web pages. They communicate through private chat rooms. In short they do the same kinds of...
Posted by: carlino, 04/06/06