The Secrets of Why Phishing Scams Work
Phishing describes Internet scams that use emails designed to look like they come from legitimate institutions in order to con people into providing personal financial information or passwords.
From the abstract:
"To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed."
Earlier Library Boy posts on phishing and other forms of Internet fraud:
- More IT security threats on the horizon (March 9, 2005)
- Phishing Resources (July 5, 2005)
- Legal Systems Can't Stop Cybercrime (July 7, 2005)
- The Fight Against Phishing Sites (October 18, 2005)
- How to Fight Phishing (October 31, 2005)
- New Website on Internet Scams and Fraud (November 23, 2005)
- Data Security - Year in Review 2005 (December 16, 2005)
- Report on Future Trends in Malware, Spyware, Viruses and Other Baddies (January 11, 2006)
Labels: e-mail, IT security