Slashdot Mirror


Why Phishing Works

h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."

5 of 293 comments

  1. I have another theory by jawtheshark · · Score: 4, Interesting
    It is summarized by: There's a sucker born every minute.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  2. DRTFA by Billosaur · · Score: 4, Interesting

    People fall for phishing because:

    1. Most are not tech savvy, have no idea of the difference between http and https, don't look at the links they click on, and can't tell a spoofed URL from a real one on sight.
    2. Most people are pretty gullible. They believe what they're told, whether by a newscaster, the President, scientists, or the glowing pixels of a web page. Critical reasoning skills are lacking.
    3. Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.
    4. Most people believe the Internet is infallible. They think every person who has a blog or web page knows what they are talking about. They think if a page looks a little like what they normally see when they bank online, that it's the same thing, even though the URLs to the links are all wrong.
    You can't protect people from themselves, although our Congress tries to do this every day by passing inane laws that protect no one but the large corporations and billionaires. People who go online will continue to be duped as long as no concerted effort is made to educate them. Cue the PSAs.
    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:DRTFA by Lumpy · · Score: 4, Interesting

      Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.

      Dude, you seriously underestimate the stupidity of the average human.

      I have seen people at the ATM intentionally swipe their card through a "card cleaner" stuck to the wall that was a reader.

      99% of the masses do not understand any of the technology they use daily in any way. They do not understand basic safety (driving 4 feet from someone at 90mph is unsafe and stupid) and, to top it off, they have to be told not to insert curling irons into a bodily orifice, and other things. Humans are too stupid to use most products safely, which is why everything has a damned disclaimer on it.

      I will bet you that someone in Manhattan right now is getting a bridge sold to them, and they are seriously considering it!

      --
      Do not look at laser with remaining good eye.
  3. I thought I did once... by BlueCodeWarrior · · Score: 4, Interesting

    I remember the one time I almost thought that I fell for a phishing scam.

    I got an email saying that my student loan company needed some more information to give me the loan. I had to log into their website to check out what exactly it was and what I needed to send in.

    I just clicked the link in the email and typed my login information (of which the username is my SSN) and got a message to the effect of 'password incorrect, please try again.'

    I did this two or three times with some of the different passwords that I usually use...and then I thought about it.

    Oh fuck! The address bar said 'www.terri.org' and my bank was Chase. I freaked out, thinking that I'd fallen for it...

    Turns out terri is the company that processes the loan or whatever and I had just mistyped the password. But I reminded myself to not be so trusting on the internet, and always re-type the site in for things like that...
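
    The story above turns on reading the address bar: the host the browser actually connects to, not the text of the link or the look of the page. As an added example that is not part of the thread or of the cited study, the following Python checker applies that rule to every link in a message. It resolves the real host the way a browser does (so "www.chase.com@evil.example" is reported as evil.example), flags raw IP hosts, punycode labels and the expected domain appearing only as a prefix or subdomain, and compares the registrable domain against the one you expect. The message text, the hosts and the "last two labels" rule for the registrable domain are assumptions constructed for illustration; a real tool would use the Public Suffix List.

```python
"""Added example, not from the Slashdot thread or the cited study: a small
checker that looks only at the host part of a link, the way the address bar
should be read, and explains why a link is not the site you expected.
Sample URLs and the expected domain are constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    # Assumption for this example: the registrable domain is the last two
    # labels. A real tool should consult the Public Suffix List (co.uk etc.).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, expected_domain: str) -> dict:
    """Return the real host of `url` and the reasons it should not be trusted
    as `expected_domain` (an empty reasons list means the link is trusted)."""
    parts = urlsplit(url)
    # .hostname strips userinfo and port and lowercases, so "chase.com@evil"
    # tricks resolve to the host the browser will actually connect to.
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        reasons.append("internationalised (punycode) label, possible lookalike")
    rd = registrable_domain(ascii_host)
    expected = expected_domain.lower()
    if rd != expected:
        if expected in ascii_host:
            reasons.append(f"'{expected}' is only a subdomain or prefix; real domain is {rd}")
        else:
            reasons.append(f"registrable domain is {rd}, not {expected}")
    return {"host": ascii_host, "registrable_domain": rd,
            "trusted": not reasons, "reasons": reasons}


def scan_message(text: str, expected_domain: str) -> list:
    """Classify every http(s) link found in a message body."""
    return [classify_link(u, expected_domain) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed phishing-style message; these hosts are examples, not real targets.
    message = """Dear customer, verify your account at
    https://www.chase.com@evil.example/login or
    https://www.chase.com.evil.example/secure or
    http://192.0.2.10/chase/ . Legitimate: https://online.chase.com/"""
    for result in scan_message(message, "chase.com"):
        status = "OK " if result["trusted"] else "BAD"
        print(status, result["host"], "; ".join(result["reasons"]))
```

    Run it and only the last link is reported OK; the first three are rejected for the userinfo trick, the subdomain prefix and the raw IP respectively. The point is that none of these checks look at page content, the favicon, or an HTML lock image, which is exactly what most users in the study relied on.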

  4. 409 scams still work so why not phishing? by smooth+wombat · · Score: 4, Interesting

    If you want to see how gullible or just plain stupid people are, check out the story in my Journal titled 'Renowned psychiatrist bilked by Nigerian scam'. It was rejected by the editors, so I plunked it in my Journal.

    Even after the guy knew it was a scam and promised his son he wouldn't send any more money, he still did it anyway!

    Maybe a bit different than a phishing scam but along the same lines.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower