By Will Sturgeon, 3 April 2006 11:35
It may seem incredible to those who know to be wary of any solicitation for personal details over email, but consumers are still falling for phishing scams in their droves.
Now three academics from the US universities Harvard and Berkeley have published research into just why these scams are still finding success several years after widespread warnings first appeared.
Most of us will have received an email purporting to be from a bank or other online service claiming to require our personal and financial details for any number of reasons. Occasionally it will have purported to come from a bank or service of which we really are a customer, but many people still know to be wary.
For their paper, entitled 'Why Phishing Works', Rachna Dhamija of Harvard, and Berkeley's Marti Hearst and JD Tygar conducted tests on a small sample of users and found that 90 per cent of subjects were unable to pick out a highly effective phishing email when simply judging whether or not it was genuine.
Equally relevant, in terms of ensuring ecommerce and online banking can survive the damage to consumer confidence created by phishing, a large number of subjects were unable to pick out genuine emails. This could lead to wary consumers avoiding such online services altogether.
Presented with a carefully spoofed Bank of the West email which directed recipients to the phishing website www.bankofthevvest.com (with a double 'v' instead of 'w'), complete with a padlock in the page content, a spoofed Verisign logo and certificate validation seal, and a pop-up consumer security alert, 91 per cent of participants guessed it was legitimate.
Presented with a genuine Etrade email that directed recipients to a legitimate secure site with a simple, graphic-free design optimised for mobile browsers, 77 per cent of participants guessed it to be a fake.
One of the biggest reasons consumers fall for phishing scams is that too many simply blunder into the trap. Nearly a quarter of participants in the research didn't look at the address bar, status bar or security indicators on the phishing sites.
This makes them easy targets for criminals exploiting tactics such as similar URLs which differ by just one character: replacing the letter 'l' with the number '1' or even an upper-case 'i', for example, in a link whose HTML can hide its true destination.
Similarly, the paper adds, users don't understand the syntax of domain names. "They may think www.ebay-members-security.com belongs to www.ebay.com," it states.
Other visual items can be deceptive. Users may see a familiar padlock icon in the HTML of the page and assume that it is a guarantee of security. However, such icons can easily be added to any page.
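A defender-side check for the two tactics just described, single-character look-alike domains and a brand name embedded in an unrelated domain, plus the hidden-destination link the HTML can conceal. This is an added example written for this article, not code from the paper or its authors; the confusables table, the short second-level suffix set and the verdict names are assumptions.

```python
from urllib.parse import urlsplit

# Confusables: multi-character pairs fold first, then single characters map
# onto the letter they imitate. An assumed table covering the page's examples
# (vv for w, 1 or i for l, 8 for b), not a complete confusables list.
MULTI_CONFUSABLES = [("vv", "w"), ("rn", "m")]
SINGLE_CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "8": "b"})
# Assumed second-level suffixes (e8ay.co.uk -> e8ay); real code would use the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

def skeleton(label: str) -> str:
    """Canonical spelling in which look-alike labels collide."""
    s = label.lower()
    for src, dst in MULTI_CONFUSABLES:
        s = s.replace(src, dst)
    return s.translate(SINGLE_CONFUSABLES)

def hostname(url: str) -> str:
    """Host part of a URL; a bare host such as www.ebay.com is accepted."""
    if "//" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_label(host: str) -> str:
    """The label the registrant chose: 'ebay' in www.ebay.com."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def classify(url: str, brands) -> str:
    """'genuine', 'lookalike', 'brand-embedded' or 'unrelated'."""
    host = hostname(url)
    reg = registrable_label(host)
    for brand in brands:
        if reg == brand:
            return "genuine"         # registered under the brand's own name
        if skeleton(reg) == skeleton(brand):
            return "lookalike"       # e8ay, bankofthevvest, paypa1
        if brand in host:
            return "brand-embedded"  # ebay-members-security.com
    return "unrelated"

def link_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one site but the href another."""
    shown = hostname(display_text.strip())
    if "." not in shown:
        return False                 # words like 'click here' claim no site
    return registrable_label(shown) != registrable_label(hostname(href))
```

Run over the links in a suspect message, anything other than "genuine" is worth showing the user before they click, and a mismatch between the displayed URL and the real href is the case the article says the HTML hides.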
Speaking at the E-Crime Congress in London last week, Bernhard Otupal, a crime intelligence officer for high-tech crime at Interpol, said consumers are not only still falling for this kind of scam in large numbers but are even making matters easier for the criminals through shocking levels of ignorance about the crime.
"There needs to be some responsibility from users," said Otupal. "Recently a number of users fell victim to phishing attacks from a group claiming to be a well-known bank. People entered bank details who weren't even the bank's customers."
The 'Why Phishing Works' paper claims it found no difference in susceptibility based on age. However, separate research out today from YouGov revealed there are some differences between age groups.
Asked whether the threat of cyber-crime has made them act more cautiously, only 58 per cent of respondents aged 18 to 29 said yes, compared to 79 per cent of respondents aged over 50.
Likewise, 80 per cent of those younger respondents said they make decisions about who they deal with online based on security, while for the older demographic the figure was 93 per cent.

Comments
1. Neil Kenyon
Many on-line banks add to the confusion by sending out legitimate emails, eg to tell you that your credit card statement is ready and include a url for the website inviting you to click it, login and view your statement.
Elsewhere eg on the website, they advise you NOT to click on a url in an email and then login!
2. Warren Swaine
Did it really need university research to conclude that people fall for phishing scams because they leave their brains behind when looking at the world through a browser? What next, exciting new study to reveal all about bears and woods?
3. anonymous
Phishing works for one reason and one reason only - because people are stupid.
Phishing is no different than standing on the high street wearing a fake "NatVVest" uniform and then asking for people's bank details or bank cards.
Anyone that hands them over, whether on the high street or the internet, is too stupid to deserve any sympathy. More relevantly, why should the rest of us have to live our lives around rules designed to protect against their stupidity.
In the offline world anyone with an ounce of intelligence finds themselves constantly burdened with petty and annoying regulations designed to protect useless idiots from their own stupidity.
Do we really want the same on the internet? Personally I don't. Why not let all the stupid people fall for phishing scams? Once they've lost enough money they will no doubt be put off using the internet ... at which point only people with a modicum of common sense will be left on the internet, and phishing will die off.
Good riddance to them! It's worth noting that the same applies to spam. The only reason there is so much spam is because there are so many people stupid enough to click on emails telling them which small-cap stock to buy or whatever. If all the stupid people stopped using the internet the rest of us wouldn't have to spend $30 a year for anti-spam software.
4. Ken Berman
Phishing will continue to work as long as we believe that teaching people about IT means learning how to make text bold and how to put formulas in spreadsheets. Too many of our basic IT "key skills" are based on which buttons/menu items to click in Microsoft software and far too few on general principles and e-safety.
Even the ECDL, supposedly THE must have basic IT literacy qualification, barely covers use of the internet, as opposed to using IE (not the same thing!).
It's time we stopped teaching only skills and started teaching processes and critical thinking - "why have I been sent this e-mail for a bank I don't have an account with?" for example.
5. George Preston
To lay the blame for this at the door of consumers is unreasonable. In particular, the customers who filled in details for a bank they weren't customers of could simply have thought that company politics/acquisitions/mergers were the cause.
I am an IT professional and am amazed at how legitimate emails can look - and I would give up trying to explain to someone non-technical (or even just slightly au fait with the net) the differences between e8ay.co.uk and ebay.co.uk - there's no point, because at every turn we are presented with 'wacky' branding and potty names for companies. People are desensitised to slight changes in identification nowadays, probably because, ironically, their bank has changed its name and branding four times in the last year and they no longer identify it.
The article contradicts itself somewhat, citing security artifacts that can be easily faked (padlock sign, https://, etc), then saying that consumers should be on the lookout for these?! More control needs to be put in place for pages on the web. Shaking windows, fancy graphics and plugins everywhere might look good and make the marketing-types smile, but these come with a downside; poor security and more unwanted interference with the browsing experience.
6. Richard
Blame the Banks, not the customers:
Last night I tried to log onto my bank's new site: It should have displayed my chosen visual images, to prove that it was the genuine web site. (As recently lauded by Silicon.com.)
However, it "failed to recognise" my PC and demanded that I type extra security information: It then refused this security information.
By this time, I was concerned that something criminal was happening, although the "padlock" apparently gave the correct site ID, certificate, etc.
Apparently, it is just multiple implementation errors on their web site. Apparently, they are planting a "cookie" on the customer's PC and then checking it during the next log-on.
For security reasons, all of my PCs delete cookies, caches etc. when the browser is closed!
If the bank's latest "security" procedures are this daft, don't blame the customers.
ps. The bank's "help" desk don't know what a cookie is, ...and they don't give help!
7. Roy Corneloues
Some of the blame has to be apportioned to ICANN and the other TLD controllers. Anyone can simply turn up and buy a domain name without giving suitable reasons why, especially if it contains part or all of a well known brand.
Even with the play on words/characters people are being allowed to register names without providing legitimate contact details or being questioned as to why the domain is needed.
Surely it must also be possible to trawl name servers for the existence of sub-domains which again play with the brand names.
While criminals are still able to undermine this most basic customer interface to the net these things are going to continue.