Why phishing works

To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.
