Why does phishing work?

It really shouldn't but it still does...

It may seem incredible to those who know to be wary of any solicitation for personal details over email, but consumers are still falling for phishing scams in their droves.

Now three academics from the US universities Harvard and Berkeley have published research into just why these scams are still finding success several years after widespread warnings first appeared.

Most of us will have received an email purporting to be from a bank or other online service claiming to require our personal and financial details for any number of reasons. Occasionally it will have purported to come from a bank or service of which we are actually a customer, but many people still know to be wary.

For their paper, entitled 'Why Phishing Works', Rachna Dhamija of Harvard, and Berkeley's Marti Hearst and JD Tygar conducted tests on a small sample of users and found that 90 per cent of subjects were unable to pick out a highly effective phishing email when simply judging whether or not it was genuine.

Equally relevant, in terms of ensuring ecommerce and online banking can survive the damage to consumer confidence created by phishing, a large number of subjects were unable to pick out genuine emails. This could lead to wary consumers avoiding such online services altogether.

Presented with a carefully spoofed Bank of the West email which directed recipients to the phishing website www.bankofthevvest.com (with a double 'v' instead of 'w'), complete with a padlock in the page content, a spoofed Verisign logo and certificate validation seal, and a pop-up consumer security alert, 91 per cent of participants guessed it was legitimate.

Presented with a genuine Etrade email that directed recipients to a legitimate secure site with a simple, graphic-free design optimised for mobile browsers, 77 per cent of participants guessed it to be a fake.

One of the biggest reasons consumers fall for phishing scams is that too many simply blunder into the trap. Nearly a quarter of participants in the research didn't look at the address bar, status bar or security indicators on the phishing sites.

This makes them easy targets for criminals exploiting tactics such as lookalike URLs which differ by just one character: replacing the letter 'l' with the digit '1' or even an upper-case 'I', for example, while the HTML of the email hides the link's true destination.

Similarly, the paper adds, users don't understand the syntax of domain names. "They may think www.ebay-members-security.com belongs to www.ebay.com," it states.

Other visual items can be deceptive. Users may see a familiar padlock icon in the HTML of the page and assume that it is a guarantee of security. However, such icons can easily be added to the page.
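The three tricks described above (the 'vv'-for-'w' and '1'-for-'l' substitutions, a brand name buried inside an unrelated domain, and link text that hides the real destination in the HTML) are all mechanical enough that a mail filter or a browser extension can check for them. The script below is an added example written for this article, not code from the 'Why Phishing Works' paper: it extracts the domain a link really points to, folds the confusable characters the article names, and reports whether the visible link text disagrees with the href. The sample email HTML and the confusable table are constructed for the example, and the domain parsing assumes two-label registrable domains such as .com (a production tool would use the public suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed table of substitutions the article mentions ('vv' for 'w',
# digit '1' or upper-case 'I' for 'l'), plus '0' for 'o'. Extend as needed.
CONFUSABLES = [("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o")]

# Matches <a ... href="...">text</a>; good enough for simple email markup.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Return the owner-level domain, e.g. 'ebay.com' for 'www.ebay.com'.

    Assumption: the last two labels form the registrable domain. True for
    .com, wrong for suffixes like .co.uk, where a public suffix list is needed.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(label: str) -> str:
    """Rewrite each confusable sequence as the letter it imitates, so that a
    lookalike and the genuine name compare equal after folding."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def classify_host(url: str, expected: str) -> str:
    """Judge a URL against the domain the email claims to come from."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg == expected:
        return "genuine"
    # Same name once 'vv'/'1'/'I' are folded back: a one-character lookalike.
    if fold_confusables(reg) == fold_confusables(expected):
        return "lookalike"
    # Brand name embedded in a different registrable domain, as in
    # www.ebay-members-security.com vs www.ebay.com.
    if expected.split(".")[0] in reg.split(".")[0]:
        return "brand-embedded"
    return "unrelated"


def audit_email_html(html: str, expected: str) -> list:
    """Report every link: its verdict, and whether the visible text shows a
    different domain from the one the href actually goes to."""
    findings = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = None
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).hostname
        real_host = urlparse(href).hostname or ""
        hides = shown is not None and registrable_domain(shown) != registrable_domain(real_host)
        findings.append({
            "href": href,
            "text": text,
            "verdict": classify_host(href, expected),
            "text_hides_href": hides,
        })
    return findings


# Constructed sample email body, modelled on the spoofed message in the article.
SAMPLE_EMAIL = """
<p>Please confirm your details at
<a href="http://www.bankofthevvest.com/login">https://www.bankofthewest.com/login</a>
or visit <a href="https://www.bankofthewest.com/">our home page</a>.</p>
"""

if __name__ == "__main__":
    for finding in audit_email_html(SAMPLE_EMAIL, "bankofthewest.com"):
        print(finding)
```

Running the script flags the first link as a lookalike whose visible text hides the real href, and passes the second as genuine. The folding step is deliberately symmetric (applied to both the suspect and the expected domain) so that a genuine name containing an 'l' or 'o' is never penalised for its own letters.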

Speaking at the E-Crime Congress in London last week, Bernhard Otupal, a crime intelligence officer for high-tech crime at Interpol, said consumers are not only still falling for this kind of scam in large numbers but are even making matters easier for the criminals with shocking levels of ignorance where the crime is concerned.

"There needs to be some responsibility from users," said Otupal. "Recently a number of users fell victim to phishing attacks from a group claiming to be a well-known bank. People entered bank details who weren't even the bank's customers."

The 'Why Phishing Works' paper claims it found no difference in susceptibility based on age. However, separate research out today from YouGov revealed there are some differences between age groups.

Asked whether the threat of cyber-crime has made them act more cautiously, only 58 per cent of respondents aged 18 to 29 said yes, compared to 79 per cent of respondents aged over 50.

Likewise, 80 per cent of those younger respondents said they base decisions about who they deal with online on security, while for the older demographic the figure was 93 per cent.