April 3, 2006 10:20 AM PDT

The secret of phishers' success

Three U.S. academics have published research into why phishing scams are still finding success, years after widespread public warnings first appeared.

Most people have received an e-mail purporting to be from a bank or other online service that asks for personal and financial details. Occasionally, it has been for a bank or service for which the recipient is a customer. Even in that situation, many people still know to be wary.

For their paper, titled "Why Phishing Works," Rachna Dhamija of Harvard University and Marti Hearst and J.D. Tygar of the University of California at Berkeley conducted tests on a small sample of users. They found that 90 percent of subjects were unable to pick out a highly effective phishing e-mail when simply judging whether or not it was genuine.

Equally relevant, in terms of ensuring that e-commerce and online banking can survive the damage to consumer confidence created by phishing, a large number of subjects were unable to pick out genuine e-mails. This could lead to wary consumers avoiding such online services altogether.

The researchers put together a carefully spoofed Bank of the West e-mail that directed recipients to the phishing Web site www.bankofthevvest.com (with a double "v" instead of "w"), complete with a padlock in the page content, a spoofed VeriSign logo and certificate validation seal, and a pop-up consumer security alert. Presented with this, 91 percent of participants guessed it was legitimate.

Presented with a genuine E*Trade e-mail that directed recipients to a legitimate secure site with a simple, graphic-free design optimized for mobile browsers, 77 percent of participants guessed it to be a fake.

One of the reasons consumers fall for phishing scams could be that too many simply blunder into the trap. Nearly a quarter of participants in the research study didn't look at the address bar, status bar or security indicators on the phishing sites.

This makes them easy targets for criminals who use tactics such as URLs that differ from the legitimate one by a single character (replacing the letter "l" with the digit "1" or an uppercase "I"), or HTML links in the e-mail whose visible text hides the address the link really points to.

Similarly, the paper adds, people don't understand the syntax of domain names. "They may think www.ebay-members-security.com belongs to www.ebay.com," it states.

Other visual items can be deceptive. Users may see a familiar padlock icon in the HTML of the page and assume that is a guarantee of security. However, such icons can easily be added to the page.
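The three tricks the article describes (a lookalike domain such as bankofthevvest.com, a brand name buried in an unrelated domain such as ebay-members-security.com, and link text that names one site while the link goes elsewhere) are all mechanically checkable on the receiving side. The following script is an added example, not code from the paper or the article: it parses the anchors out of an HTML mail body, folds visually confusable characters, and reports why each link looks suspicious. The trusted-domain list, the confusable table and the sample mail are constructed for the example.

```python
"""Flag phishing-style links in an HTML e-mail body (added example).

Checks the tricks described in the text: lookalike domains
(bankofthevvest.com, paypa1.com), a trusted brand name inside an
unrelated domain (ebay-members-security.com), and anchor text that
names a trusted site while the href points somewhere else.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail: the visible text disagrees with the href.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://www.bankofthevvest.com/login">verify
your account at www.bankofthewest.com</a> today.</p>
<p>Review <a href="http://www.ebay-members-security.com/update">eBay security</a>
and <a href="https://www.paypa1.com/signin">www.paypal.com</a>.</p>
<p>Statements: <a href="https://online.paypal.com/statements">statements</a>.</p>
"""

# Domains the organisation expects its mail to link to (assumed for the example).
TRUSTED_DOMAINS = {"bankofthewest.com", "ebay.com", "paypal.com"}

# Characters that look alike in common fonts, folded to one canonical form.
# Multi-character entries come first so "vv" is folded before single letters.
# Domains are case-insensitive, so an uppercase "I" arrives here as "i".
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("1", "l"), ("i", "l"), ("|", "l"), ("0", "o")]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._parts = []

    def handle_data(self, data):
        if self._href is not None:
            self._parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._parts).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Adequate for .com-style TLDs; a
    production tool would consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(domain):
    """Map lookalike characters to canonical letters so that paypa1.com,
    paypaI.com and bankofthevvest.com collide with the real domains."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return ("trusted" | "suspicious" | "unknown", [reasons])."""
    domain = registrable_domain(urlparse(href).hostname or "")
    if domain in trusted:
        return "trusted", []
    reasons = []
    folded_trusted = {fold_confusables(t): t for t in trusted}
    if fold_confusables(domain) in folded_trusted:
        reasons.append("lookalike of %s" % folded_trusted[fold_confusables(domain)])
    # Brand name used as a label or prefix inside an unrelated domain
    # (heuristic: a legitimate third party whose name contains the brand
    # would also be flagged, which is acceptable for a review queue).
    for brand in (t.split(".")[0] for t in trusted):
        if brand in domain.split(".")[0]:
            reasons.append("trusted brand %r inside unrelated domain" % brand)
    # Visible text names a trusted site while the href goes elsewhere.
    for named in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower()):
        if registrable_domain(named) in trusted:
            reasons.append("text shows %s but link goes to %s" % (named, domain))
    return ("suspicious" if reasons else "unknown"), reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Classify every link in an HTML body; returns (href, text, verdict, reasons) tuples."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text) + classify_link(href, text, trusted) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, verdict, reasons in scan_email(SAMPLE_HTML):
        print("%-10s %-45s %s" % (verdict, href, "; ".join(reasons)))
```

Run as a script it prints one line per link: the three spoofed links come out as suspicious with the reason given, and the online.paypal.com link is trusted because only the registrable domain is compared. Folding confusables is deliberately aggressive (every "i" becomes "l"), which produces some false positives on ordinary domains; that is the right trade-off for a mail gateway that queues suspects for review rather than blocking them outright.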

Speaking at the E-Crime Congress in London last week, Bernhard Otupal, a crime intelligence officer for high-tech crime at Interpol, said consumers are not only still falling for this kind of scam in large numbers, but they're even making matters easier for the criminals with shocking levels of ignorance.

"There needs to be some responsibility from users," Otupal said. "Recently a number of users fell victim to phishing attacks from a group claiming to be a well-known bank. People entered bank details who weren't even the bank's customers."

The "Why Phishing Works" paper claims it found no difference in susceptibility based on age. However, separate research from market research agency YouGov suggested there are some differences.

Asked whether the threat of cybercrime has made them act more cautiously, only 58 percent of respondents ages 18 to 29 said yes, compared with 79 percent of respondents over 50.

Likewise, 80 percent of those younger respondents said they make decisions about who they deal with online based on security, while for the older demographic the figure was 93 percent.

Will Sturgeon of Silicon.com reported from London.

7 comments

Secrets of Phishers' Success
by CrackedCracklinLover April 3, 2006 12:09 PM PDT
At 57, I got my first computer 7 months ago. Long before that, I read and heard many stories about phishing, and they all said "Banks do not do this by Email". Two weeks after getting my computer I received my first 2 phishes. One claiming to be from my bank, and one claiming to be from PayPal. I remembered what I read and heard and deleted the Emails. Why do they respond to these Emails? Simple, for the same reason people will open anything that says "Do Not Open". They just have to know, "Why Not, What are they trying to deprive me of"? Isn't that why Pandora opened the box?
Being wary is not good enough ...
by thanhvn April 3, 2006 1:19 PM PDT
... being able to tell the difference between a legitimate and a phishing email/site is much more important. Deleting suspected emails (even though not 100% sure they are phishing) is easy enough. But what if some of them are legitimate and there is a genuine need to separate them from the rest? It's like the fear of getting ripped off by auto mechanics. Just avoiding them altogether is probably not a good idea. There is a real need for secured online transactions. Just as the only sure way to avoid getting ripped off by auto mechanics is to recognize bogus recommendations, the only way to avoid phishing is to recognize the phish from the legitimate. I know, not everyone has the time or the patience to learn a whole new area of expertise, especially older folks, but that's the price of evolution, of living in an increasingly sophisticated world. Well, everyone has to start somewhere. For me, the biggest payback with just a small amount of effort is to learn the Internet domain system. This will tell you at a glance, in most cases, whether an email is phish or not. The next thing to learn is: (due to visual spoofing) unless you absolutely trust the link, _always_ type the address into the browser instead of clicking on a link. These two things will drastically reduce the chance of falling victim to a phishing scam.
The secret of phishers' success
by YankeeZ April 3, 2006 1:52 PM PDT
I have been working with Internet access longer than I care to recall. In a recent test of 10 sample e-mails, I called all 10 phony, when actually 8 out of 10 were phishing attacks. I doubt a financial institution could send me an e-mail now without there being a good chance it would be routinely deleted as another spoof. The bogus e-mail has eroded the credibility of legitimate e-mail. As people continue to be taken in by phishing attacks, it only perpetuates the problem, as the scammers are continually rewarded for their efforts.
Why phishing works
by RolandWad April 4, 2006 5:29 AM PDT
Tell 1,000 people that the moon is made of cheese and someone will believe you. This is why phishing works. Send 100,000 emails and you've got 100 people's bank details and you can clean them out. That's a nice profit for a day's work.

I really don't understand why people have problems telling real from fake emails. You just need to ask one question:

Does this email ask me to click a link and type in my details?

* Yes - it's a scam
* No - it's real

Your bank has your details and it won't ask you to click a link and type them in. It doesn't forget what they are, it doesn't have technical problems, and security upgrades don't go wrong.

If someone knocked on your door and said "I'm from the bank. Please tell me your bank account details and credit card number," would you tell them? I suspect some people would though - presumably those that think the moon is made of cheese.
US academics wrong
by RolandWad April 4, 2006 8:36 AM PDT
Just read the paper by these US academics and they've got it all wrong. What they did was create 20 fake websites and ask people if they could tell whether they were real or fake. Now that's hard, and you don't need to educate people to be able to detect fake websites, you just need to stop them going there in the first place. Don't these academics realise that most phishing starts off with an email? If people can spot fake emails, they won't ever get to the website, so they don't need to know how to spot fakes. There's a simple solution:

Don't click links in emails!

You'll never get caught out by phishing. It requires no skills and no knowledge.