April 3, 2006 10:20 AM PDT

The secret of phishers' success

Three U.S. academics have published research into why phishing scams are still finding success, years after widespread public warnings first appeared.

Most people have received an e-mail purporting to be from a bank or other online service that asks for personal and financial details. Occasionally, it has been for a bank or service for which the recipient is a customer. Even in that situation, many people still know to be wary.

For their paper, titled "Why Phishing Works" (PDF here), Rachna Dhamija of Harvard University and Marti Hearst and J.D. Tygar of the University of California at Berkeley conducted tests on a small sample of users. They found that 90 percent of subjects were unable to pick out a highly effective phishing e-mail when simply judging whether or not it was genuine.


Equally relevant, in terms of ensuring that e-commerce and online banking can survive the damage to consumer confidence created by phishing, a large number of subjects were unable to pick out genuine e-mails. This could lead to wary consumers avoiding such online services altogether.

The researchers put together a carefully spoofed Bank Of the West e-mail that directed recipients to the phishing Web site www.bankofthevvest.com (with a double "v" instead of "w"), complete with a padlock in the content, spoofed VeriSign logo and certificate validation seal, and a pop-up consumer security alert. Presented with this, 91 percent of participants guessed it was legitimate.

Presented with a genuine E*Trade e-mail that directed recipients to a legitimate secure site with a simple, graphic-free design optimized for mobile browsers, 77 percent of participants guessed it to be a fake.

One of the reasons consumers fall for phishing scams could be because too many simply blunder into the trap. Nearly a quarter of participants in the research study didn't look at the address bar, status bar or security indicators on the phishing sites.

This makes them easy targets for criminals who exploit tactics such as URLs that differ from the legitimate one by a single character, for instance replacing the letter "l" with the numeral "1" or even an uppercase "I". In an e-mail message, the HTML behind a link can also hide the link's true destination.

Similarly, the paper adds, people don't understand the syntax of domain names. "They may think www.ebay-members-security.com belongs to www.ebay.com," it states.
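The two tricks described above (a swapped look-alike character in the host name, and a brand name planted inside an unrelated domain) can be checked mechanically before a user ever sees the link. The Python below is an added example, not code from the article or from the "Why Phishing Works" paper; the allow-list of legitimate domains and the confusable table are constructed assumptions, and the registrable-domain logic deliberately ignores multi-part public suffixes such as co.uk.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of legitimate registrable domains (an assumption for this example).
LEGIT_DOMAINS = {"bankofthewest.com", "ebay.com", "etrade.com", "paypal.com"}

# Look-alike sequences the article describes ("vv" for "w", "1"/"I" for "l") plus two more
# common ones; an uppercase "I" becomes "i" after lower-casing, so it is mapped from "i".
CONFUSABLES = {"vv": "w", "rn": "m", "1": "l", "i": "l", "0": "o"}


def host_of(url):
    """Lower-cased, NFKC-normalised host of a URL (the scheme may be missing in e-mail text)."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return unicodedata.normalize("NFKC", host).lower().rstrip(".")


def registrable_domain(host):
    """Last two labels of the host. Simplification: ignores multi-part suffixes like co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(label):
    """Collapse confusable sequences so a spoofed label normalises to the brand it mimics."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def classify_link(url):
    """Return (verdict, host) for a link found in an e-mail."""
    host = host_of(url)
    if re.fullmatch(r"[\d.]+", host):
        return "ip-literal", host                  # no domain name at all: treat as hostile
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legitimate", host                  # the registrable part is the brand itself
    sld = domain.rsplit(".", 1)[0]
    for legit in LEGIT_DOMAINS:                    # bankofthevvest.com, paypa1.com
        if skeleton(sld) == skeleton(legit.rsplit(".", 1)[0]):
            return "lookalike-of:" + legit, host
    for legit in LEGIT_DOMAINS:                    # ebay-members-security.com, etrade.com.evil.net
        brand = legit.rsplit(".", 1)[0]
        if any(brand in label for label in host.split(".")):
            return "brand-in-unrelated-domain:" + legit, host
    return "unknown", host
```

Only the registrable domain decides who actually receives the click; everything to its left is under the registrant's control, which is exactly the syntax point the paper makes.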

Other visual items can be deceptive. Users may see a familiar padlock icon in the HTML of the page and assume that is a guarantee of security. However, such icons can easily be added to the page.

Speaking at the E-Crime Congress in London last week, Bernhard Otupal, a crime intelligence officer for high-tech crime at Interpol, said consumers are not only still falling for this kind of scam in large numbers, but they're even making matters easier for the criminals with shocking levels of ignorance.

"There needs to be some responsibility from users," Otupal said. "Recently a number of users fell victim to phishing attacks from a group claiming to be a well-known bank. People entered bank details who weren't even the bank's customers."

The "Why Phishing Works" paper claims it found no difference in susceptibility based on age. However, separate research from market research agency YouGov suggested there are some differences.

Asked whether the threat of cybercrime has made them act more cautiously, only 58 percent of respondents ages 18 to 29 said yes, compared with 79 percent of respondents over 50.

Likewise, 80 percent of those younger respondents said they make decisions about who they deal with online based on security, while for the older demographic the figure was 93 percent.

Will Sturgeon of Silicon.com reported from London.



Secrets of Phishers' Success
At 57, I got my first computer 7 months ago. Long before that, I read and heard many stories about phishing, and they all said "Banks do not do this by Email". Two weeks after getting my computer I received my first 2 phishes. One claiming to be from my bank, and one claiming to be from PayPal. I remembered what I read and heard and deleted the Emails. Why do they respond to these Emails? Simple, for the same reason people will open anything that says "Do Not Open". They just have to know, "Why not? What are they trying to deprive me of?" Isn't that why Pandora opened the box?
Posted by CrackedCracklinLover (1 comment)
Being wary is not good enough ...
... being able to tell the difference between a legitimate and a phishing email/site is much more important. Deleting suspected emails (even though not 100% sure they are phishing) is easy enough. But what if some of them are legitimate and there is a genuine need to separate them from the rest? It's like the fear of getting ripped off by auto mechanics. Just avoiding them altogether is probably not a good idea. There is a real need for secured online transactions. Just as the only sure way to avoid getting ripped off by auto mechanics is to recognize bogus recommendations, the only way to avoid phishing is to recognize the phishes from the legitimate. I know, not everyone has the time or the patience to learn a whole new area of expertise, especially older folks, but that's the price of evolution, of living in an increasingly sophisticated world. Well, everyone has to start somewhere. For me, the biggest payback with just a small amount of effort is to learn the Internet domain system. This will tell you at a glance, in most cases, whether an email is phish or not. The next thing to learn is: (due to visual spoofing) unless you absolutely trust the link, _always_ type the address into the browser instead of clicking on a link. These two things will drastically reduce the chance of falling victim to a phishing scam.
Posted by thanhvn (51 comments)
The secret of phishers' success
I have been working with Internet access longer than I care to recall. In a recent test of 10 sample e-mails, I called all 10 phony, when actually 8 out of 10 were phishing attacks. I doubt a financial institution could send me an e-mail now without there being a good chance it would be routinely deleted as another spoof. The bogus e-mail has eroded the credibility of legitimate e-mail. As people continue to be taken in by phishing attacks, it only perpetuates the problem, as the scammers are continually rewarded for their efforts.
Posted by YankeeZ (5 comments)
Why phishing works
Tell 1,000 people that the moon is made of cheese and someone will believe you. This is why phishing works. Send 100,000 emails and you've got 100 people's bank details and you can clean them out. That's a nice profit for a day's work.

I really don't understand why people have problems telling real from fake emails. You just need to ask one question:

Does this email ask me to click a link and type in my details?

* Yes - it's a scam
* No - it's real

Your bank has your details and it won't ask you to click a link and type them in. It doesn't forget what they are, it doesn't have technical problems, and security upgrades don't go wrong.

If someone knocked on your door and said, "I'm from the bank. Please tell me your bank account details and credit card number," would you tell them? I suspect some people would though - presumably those that think the moon is made of cheese.
Posted by RolandWad (4 comments)
US academics wrong
Just read the paper by these US academics and they've got it all wrong. What they did was create 20 fake websites and ask people if they could tell whether they were real or fake. Now that's hard, and you don't need to educate people to be able to detect fake websites, you just need to stop them going there in the first place. Don't these academics realise that most phishing starts off with an email? If people can spot fake emails, they won't ever get to the website, so they don't need to know how to spot fakes. There's a simple solution:

Don't click links in emails!

You'll never get caught out by phishing. It requires no skills and no knowledge.
Posted by RolandWad (4 comments)
It's the email
Agree with your comments. But I'm afraid that we will never get people to stop clicking links. Therefore, until there is some technology that can block phishing emails before they ever reach a user, it will be better to eliminate clickable links in emails from banking and other financial institutions. One of my banks is already doing this. This may sound like an impossible solution, but consider this:
The only people who can get phished are those doing online financial transactions. Those are people who have a login and password. These customers also have an email address known to the bank, and therefore can be contacted by their bank. The banks should start an educational campaign for their online customers on how to bookmark the proper bank URL, and the banks must use plain text email with no links to do this. No click, no phish. This is not the cure-all, but if you get bombarded by plain text email from the bank telling you how to access their web sites, and are also told never to click on links in an email from any bank, because a legitimate bank will not send email with links, we won't have to worry about spoofed web sites.
Posted by howiem (16 comments)