Slashdot Mirror


Why Phishing Works

h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."

48 of 293 comments

  1. Short answer by gEvil+(beta) · · Score: 5, Insightful

    Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).

    --
    This guy's the limit!
    1. Re:Short answer by plover · · Score: 5, Insightful
      In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.

      In the end, people may end up needing strong authentication tokens. When you go to the bank, you'll present your token so they know it's you. When you sign up for a new account, you'll get that account added to your token. And, when you hit a phishing web site, your token will light up and say "UNKNOWN WEB SITE".

      And it could work both ways. If you use an ATM in a seedy bar, you could even ask your token to identify the legitimacy of the ATM.

      The disadvantage, of course, is either a plethora of tokens (one per account) or every Tom, Dick and Harry shop wanting to use your token for marketing and tracking purposes.

      --
      John
    2. Re:Short answer by Sigma+7 · · Score: 3, Insightful
      Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).


      I'd agree on the concept, but the actual cause is different. The actual reason is because people believe that the word gullible is not in the dictionary.

      Recently, there was an "employment agency" that sent out paper forms to applicants which were to be filled out and mailed in with a $20 cheque for a processing fee. The forms included sections for the Social Insurance Number, Driver's License number, DOB, mother's Maiden name, and other information not normally used by employers.

      Their intent was to obtain credit cards from banks with the applicant's personal information - hence, they used four different company names. The good news was that they were raided.

    3. Re:Short answer by slashid · · Score: 2, Funny

      We all know that if you teach a man to phish he will eat for a lifetime....

    4. Re:Short answer by daveewart · · Score: 3, Insightful

      In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.

      I think the point is that, since you can copy verbatim the HTML of a web site, it is trivial to create an identical copy of any site. So, trying to look for similarities and differences between the sites is a pointless exercise.

      The real way to avoid being stung by phishing scams is to know that emails from anyone asking for personal or private information, passwords, credit card numbers etc. are almost certainly fake.

      --
      "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
    5. Re:Short answer by DdJ · · Score: 2, Interesting
      In the paper, one guy was very paranoid.
      Not paranoid enough, by my standards. I don't think they mentioned one single person using any tools other than web tools. The one who looked stuff up via Yahoo was a start, but just a start.

      Whenever I have the least suspicion of any web site, I start probing DNS and whois. I try to make sure information I get via non-computer channels matches what the computer tells me, and so forth.

      I wonder if I'd fall for any of the sites they used. I like to think I wouldn't, but the moment I'm sure I wouldn't, I'm pretty sure that'd put me into a state of mind that'd ensure that I would.

      Nobody on the internet should ever feel safe.

      (Just like real life! Why, yes, I did grow up in NYC, why do you ask?)
    6. Re:Short answer by rainman_bc · · Score: 2, Insightful

      What else did you expect? She'd been told that she had to do all her homework, and believed it.

      Way OT now, but when I was in high school, an A was 86%, and in math and most sciences, homework counted for 10% of my grade. I was so cocky I was able to still get an A without doing any homework.

      Fucked me up in University though haha...

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    7. Re:Short answer by rmstar · · Score: 2, Insightful

      My favorite passage was the one describing how users can be fooled because they do not understand the domain name system, and thus think that, for instance www.ebay-security-users.com and www.ebay.com belong to the same hierarchy. Another similar one is the one where users fail to realize that a lock icon in the "chrome part" of the browser is somehow different from the same lock icon inside of the web page.

      Phishers encounter an incredibly favorable ecosystem out there, with a high density of ignorant fools with credit cards, many of them quite ready to shell out money for herbal viagra, or to help the niece of Charles Taylor get her fortune out of Nepal. No wonder phishers thrive like this.

      (Yeah, I know it's not Nepal)
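The hierarchy confusion described in the comment above (reading www.ebay-security-users.com as part of www.ebay.com) comes down to matching on whole DNS labels rather than on the brand word. The following is an added example, not code from the paper or from any browser: it puts the "brand word appears somewhere" test that users effectively apply beside a label-boundary test, over constructed sample URLs. The trusted domain, the sample URLs and the two-label rule for the registrable domain are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the paper): the two hostnames contrasted in
# the comment above plus a few other shapes that trade on the same confusion.
TRUSTED_DOMAIN = "ebay.com"
SAMPLE_URLS = [
    "https://ebay.com/",
    "http://www.ebay.com/signin",
    "https://signin.ebay.com/ws/",
    "http://www.ebay-security-users.com/update",
    "http://www.ebay.com.account-verify.example/",
    "http://ebay.example.net/",
]


def hostname(url: str) -> str:
    """Lowercase hostname of a URL; a bare hostname is accepted as well."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Name the party that actually registered this host.

    Assumption (a deliberate simplification): the registrable domain is the
    last two DNS labels. That holds for .com/.net/.org but not for suffixes
    such as .co.uk; a production tool would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def naive_looks_like(url: str, brand: str) -> bool:
    """The check the paper's users effectively applied: is the brand word in there?"""
    return brand.lower() in hostname(url)


def relation_to(url: str, trusted_domain: str) -> str:
    """'same', 'subdomain' or 'unrelated', decided on whole-label boundaries.

    A host belongs to trusted_domain's hierarchy only if it *is* that domain or
    ends with '.' + that domain. A host that merely contains the brand word, or
    carries the brand as a *leading* label (www.ebay.com.account-verify.example),
    is controlled by someone else."""
    host = hostname(url)
    trusted = trusted_domain.lower()
    if host == trusted:
        return "same"
    if host.endswith("." + trusted):
        return "subdomain"
    return "unrelated"


def report(urls=SAMPLE_URLS, trusted_domain=TRUSTED_DOMAIN):
    """Per URL: (naive brand-word verdict, hierarchy verdict, who really owns it)."""
    brand = trusted_domain.split(".")[0]
    return {
        url: (
            naive_looks_like(url, brand),
            relation_to(url, trusted_domain),
            registrable_domain(hostname(url)),
        )
        for url in urls
    }


if __name__ == "__main__":
    for url, (naive, relation, owner) in report().items():
        print(f"{url:48} brand-word:{naive!s:5} hierarchy:{relation:9} owner:{owner}")
```

Every sample URL passes the brand-word test; only the first three are inside the ebay.com hierarchy, and the owner column shows who really registered the others.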

  2. Social engineering anyone? by SComps · · Score: 5, Insightful

    It works because it plays on the concept that seeing is believing; and most people will trust their eyes over their minds any day of the week.

  3. And this might be optimistic by plover · · Score: 5, Insightful
    The paper hints that the people selected for the study may not adequately represent the web-surfing public -- they may be "above average".

    Humanity is doomed.

    --
    John
    1. Re:And this might be optimistic by Daniel_Staal · · Score: 4, Funny

      I recently did this calculation, and it sounds relevant here...

      A common formula for the IQ of a group is to take the IQ of the highest member of the group, and divide by the number of people in the group.

      The highest IQ in the US is that of Marilyn Vos Savant, estimated at 228. (That's the high estimate. Might as well give the benefit of the doubt.)

      The population of the US is 295,734,134, according to the CIA world factbook.

      That means the IQ of the US is 7.70962746×10^-7.

      --
      'Sensible' is a curse word.
  4. I have another theory by jawtheshark · · Score: 4, Interesting
    It is summarized by: There's a sucker born every minute.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:I have another theory by eargang · · Score: 3, Funny

      Considering 4 to 5 children are born every second, are you saying that only 0.37% of the population consists of suckers? ...have you looked around lately?

  5. Simply because .... by cfortin · · Score: 5, Funny

    People are stupid. Total knuckle biters. Every one of them.

    That is all ...

  6. Not surprising by op12 · · Score: 4, Insightful

    Think of the average internet user. I'm surprised that 77% are actually looking at more than just the content. It's probably because the media has made a big thing about it (as they should).

  7. It's like P.T. Barnum said, by TheCoders · · Score: 5, Insightful

    "There's a sucker born every minute." Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams! It's not people like you and me that are the targets of phishing. Ask your grandmother what a URL is, and (with some exceptions, of course) you'll get a blank stare. Heck, ask the cute cocktail waitress at your local bar, and you'll get the same response (and I wonder why I can't get a date...). That's what we're up against.

    Don't get me wrong, I applaud these researchers and all other approaches to making the web a safer place, but in the end, at some point you have to trust that the user is going to take responsibility for their actions. The best we can do is bring the percentages down. The problem is it is so cheap to set up a phishing web site, that even if only one in several thousand potential targets fall for it, that's usually enough to ensure a profit.

    1. Re:It's like P.T. Barnum said, by plover · · Score: 2, Interesting

      Actually, these guys did nothing to make the web safer. They just tested methods for phishing, and identified the ones that worked best. A good example? Bank of the West and Bank of the West are two URLs, but only one of them leads to the real site. Even font makes a difference -- look at the slashdot link, and check out the link preview in the status bar. The difference is surprisingly hard to catch.

      --
      John
  8. I don't know which upsets me more... by Spy+der+Mann · · Score: 2, Insightful

    the phishers or the idiots who follow them.

  9. common sense, people! by Geek_3.3 · · Score: 2, Insightful

    When the suspect site, for argument's sake let us say it was a credit card scam (since I had one of those a couple of days ago), asks for EVERYTHING--card #, PIN, security code, mother's maiden name, login name, and LOGIN PASSWORD, alarm bells should go off in your head. Also, it is highly unlikely that someone is going to give you a carrot on the end of a stick (in this case, $20 for a simple 3 question blurb about how the site was running or some bs like that) without a big catch involved. The obvious catch being that IT'S A SCAM.

    Geez, I would feel sorry for these duped people, but it's getting harder and harder to.

  10. It's Always Going to Work by eldavojohn · · Score: 4, Insightful
    Why Phishing Works
    Phishing will always work. The intelligence and cautiousness of the population who use the internet is represented by some form of a normal curve. On the far left, a line falls for those users who will (out of innocence or ignorance) 'bite' on a phishing site. Thanks to e-mail, it is increasingly easier for phishermen (and phisherwomen) to select a random sample from this normal curve and those that fall to the left of the threshold will invariably become victims.

    To disrupt or completely stop this from happening is currently an impossible Herculean task.

    Even netting one person can result in thousands of dollars worth of damages. If one in every one million phishing works, of course they'll keep doing it.
    --
    My work here is dung.
    1. Re:It's Always Going to Work by Aspirator · · Score: 4, Informative

      It isn't helped by some of the 'genuine' emails one receives from supposedly reputable financial institutions.

      For example I received an email purporting to be from American Express; one of the links in it was of the form that showed https://www.americanexpress.com/messagecenter, however it actually pointed to http://www65.americanexpress.com/clicktrk/Tracking?mid=AnIdentifyingNumber&msrc=ENG-YES&url=https://www.americanexpress.com/messagecenter

      i.e. it purported to be a secure link, but actually was not. It piped the request through another (insecure) URL.

      I sent it on to the American Express phishing people, and got only an automatic reply.

      Finally I phoned American Express Customer Service, who assured me that it was real, on the basis that they did actually send out emails like that. (!!!!)

      It showed all the hallmarks of a phishing email, and yet ultimately was genuine.

      How I am ever going to explain to Aunt Mary what signs to look out for in phishing emails, while the real financial institutions send out stuff like this, I don't know.

      You're right, it is a Herculean task.

  11. It's all about sight, sound, and experience by WillAffleckUW · · Score: 2

    People believe what they see, even when they shouldn't.

    People believe what they hear, even when it shouldn't be there.

    And people's experience shows that 99 percent of everything they see on the Internet must be true, or it wouldn't be written down, like for example the obvious Fact that not only is the Moon made of Yellow Cheese, but it's quite tasty.

    --
    -- Tigger warning: This post may contain tiggers! --
  12. Re:The Blind Squirrel by $RANDOMLUSER · · Score: 5, Funny

    I've been proposing for a long time that the "Yes/No/Cancel" type dialog boxes should simply be replaced with a single "Whatever" button, as users NEVER read what the dialog box says.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  13. Get ready for on-line voting? by coastin · · Score: 2, Funny

    With news of the obvious (to us geeks) like this, it won't take long for the US Congress to enact on-line voting.

    "Dauh, I thought I voted for the other guy when I clicked his picture in the e-mail reminding me to vote!"

    --
    I lost my sig...
  14. DRTFA by Billosaur · · Score: 4, Interesting

    People fall for phishing because:

    1. Most are not tech savvy, and have no idea the difference between http and https, don't look at the links they click on, and can't tell a spoofed URL from a real one on sight.
    2. Most people are pretty gullible. They believe what they're told, whether by a newscaster, the President, scientists, or the glowing pixels of a web page. Critical reasoning skills are lacking.
    3. Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.
    4. Most people believe the Internet is infallible. They think every person who has a blog or web page knows what they are talking about. They think if a page looks a little like what they normally see when they bank online, that it's the same thing, even though the URLs to the links are all wrong.
    You can't protect people from themselves, although our Congress tries to do this every day by passing inane laws that protect no one but the large corporations and billionaires. People who go online will continue to be duped as long as no concerted effort is made to educate them. Cue the PSAs.
    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:DRTFA by Lumpy · · Score: 4, Interesting

      Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.

      Dude you seriously underestimate the stupidity of the average human.

      I have seen people at the ATM intentionally swipe their card through a "card cleaner" stuck to the wall that was a reader.

      99% of the masses do not understand any of the technology they use daily in any way. They do not understand basic safety (Driving 4 feet from someone at 90mph is unsafe and stupid) and to top it off, they have to be told not to insert curling irons into a bodily orifice, and other things. Humans are too stupid to use most products safely which is why everything has a damned disclaimer on it.

      I will bet you that someone in Manhattan right now is getting a bridge sold to them, and they are seriously considering it!

      --
      Do not look at laser with remaining good eye.
  15. Re:Why phishing works by Tux2000 · · Score: 2, Insightful

    It works because a lot of people are idiots.

    Not idiots, but ignorant people who don't care and don't want to know how the technology works that they use.

    Tux2000

    --
    Denken hilft.
  16. I thought I did once... by BlueCodeWarrior · · Score: 4, Interesting

    I remember the one time I almost thought that I fell for a phishing scam.

    I got an email saying that my student loan company needed some more information to give me the loan. I had to log into their website to check out what exactly it was and what I needed to send in.

    I just clicked the link in the email and typed my login information (of which the username is my SSN) and got a message to the effect of 'password incorrect, please try again.'

    I did this two or three times with some of the different passwords that I usually use...and then I thought about it.

    Oh fuck! The address bar said 'www.terri.org' and my bank was Chase. I freaked out, thinking that I'd fallen for it...

    Turns out terri is the company that processes the loan or whatever and I had just mistyped the password. But I reminded myself to not be so trusting on the internet, and always re-type the site in for things like that...

    1. Re:I thought I did once... by jafiwam · · Score: 4, Insightful

      Your experience is not just a failure of attention to detail of the user.

      It's a complete failure of the financial institution to realize they are creating situations where it is incredibly easy to teach bad habits.

      They should not be sending emails with links in them at all. (Better yet, no emails not already contained in the online banking web site where the user is already logged in.)

      So a HUGE portion of this problem is there _are_ legit emails that go out where there should be NONE.

      It's a little like teaching your cute little 14 year old girl with the budding boobies that all guys really do love and respect them and are all christians and tell the truth especially if they are 40 or older and have their own van. Yeah it may be true most of the time but the consequences sure are high.

      A little paranoia is a GOOD THING.

      A bank expecting the average user to differentiate between good emails and bad emails is just stupid, stupid, stupid. They should KNOW better. There should be flat laws against it and the problem would go away overnight.

  17. 409 scams still work so why not phishing? by smooth+wombat · · Score: 4, Interesting

    If you want to see how gullible or just plain stupid people are, check out the story in my Journal titled, 'Renowned psychiatrist bilked by Nigerian scam'. It was rejected by the editors so I plunked in my Journal.

    Even after the guy knew it was a scam and promised his son he wouldn't send any more money, he still did it anyway!

    Maybe a bit different than a phishing scam but along the same lines.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  18. The problem goes right down to the SSL layer by egarland · · Score: 5, Insightful
    This is a post I wrote in response to the phishing site with a valid SSL cert. I'll highlight the appropriate portion for this discussion.


    SSL Certificates don't have to be signed. You can create X509 self signed certs no problem. Web browsers just don't like them and pop up all kinds of warnings.

    They should tier SSL certs and make the higher level ones more difficult and time consuming to get:
    0 None
    1 Self Signed
    2 Small business
    3 Mid-sized business
    4 Large business
    5 Financial Institution

    Browsers should display a lock with a number explaining what encryption a site used (even when none is used) and could explain the rank when the icon is moused over. Then people always would have a place to look to check the rank before deciding if they should punch information in.

    The original SSL design was a good first step but it is definitely showing its age today.


    For Anti-Phishing to work it needs a UI with support right down into the SSL layer.

    Currently it's next to impossible to differentiate things on the web. It's the great equalizer, and as we are finding, it makes things *too* equal. You are on equal footing with a bank when trying to convince people to enter financial information. We need a bit more structure, a few more checks and balances.
    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  19. Nonsense by rbowles · · Score: 2, Insightful

    Con-artists are older than recorded time. Snake-oil salesmen, crooked used-car lots, (snail) mail scams and their ilk are likely at least as prevalent even in our quasi-"Information Age".

    How many educated people have bought a lemon? I've known otherwise educated, extremely intelligent college-educated (students and grads alike) who've done this. Perhaps everyone should be fully educated about the hazards of auto-buying, phishing web-sites and maybe get a medical degree for proper evaluation of physicians while they're at it.

    The answer is not pamphlets and FAQs. If anything these "easy answers" only propagate the problem of people being too damn trusting. Seek your own understanding.

    --
    /* MAGIC THEATRE
    ENTRANCE NOT FOR EVERYBODY
    MADMEN ONLY */
    1. Re:Nonsense by bckrispi · · Score: 2, Insightful
      The con artist is the same, but the scale is increased by an order of magnitude. If you wanted to find your mark through mail, you'd have the expense of postage and print materials. Plus the problem that once the scam is noticed, it's usually easy to trace. If you are a shady car salesman, you only have so many hours in the day to give your spiel. That, and you can usually only scam one person at a time.

      Phishing is a whole new level. Crooks have instant access to *millions* of targets. Email is free. Bandwidth is cheap (or free, if you have a zombie mailing for you). And it's easy to register at offshore hosting providers, making the odds of ever being prosecuted minimal.

      Take this with the knowledge that most people believe *everything* they hear on the internet if the source sounds authentic enough. I can't count the number of 'urban legend' emails I get every week from friends that have been forwarded dozens of times to hundreds of people.

      I fear that we have entered an "International Golden age of Fraud". It isn't going to go away.

      --
      Xenon, where's my money? -Borno
  20. Doesn't seem likely. by zubinjdalal · · Score: 2, Funny

    From the synopsis (and echoed in the paper): "The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate."

    While I don't mind taking a swipe at M$ft from time to time, I find it difficult to imagine how a brightly colored red address bar (even one outside the focus of attention) with "Phishing Website" written on it will be ignored.

    The only thing (and I am keeping in mind users that are not extremely tech savvy) that would be more obvious would be an "arm-like" device attached to one's monitor that points to the "Phishing Website" text displayed on the screen and whacks you on the top of your head if you still proceed to enter all your personal information in.

  21. stop blaming users by SuperBanana · · Score: 2

    Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams!

    From the article summary: Some users think that favicons and lock icons in HTML are more important indicators.

    As some other posters pointed out, "these were above average users, we're doomed". Not exactly the world's best parallel- but if "above average" users set themselves on fire using your company's fireplace, would you say, "MAN! We have REALLY stupid users"? Maybe your manual gives improper instructions. Maybe you have a defect. If your "above average users" are fooled/tricked, then the operating system/email client/browser is failing, not the user.

    Also, want to take a guess why they think that "lock icon" is so important? Because for years they've been told by "tooltips", every "consumer reporter", etc that they should look for it, "when shopping online". It's not the user's fault that they've been given information that was at best incomplete; nobody told them "the lock just means your connection to the other computer can't be decoded."

    Compound this with all the problems in Outlook, IE, Windows...well...the deck is rather stacked against them. Not to mention, it used to be a lot tougher to get an SSL cert...

  22. While ISPs learn to block... by fak3r · · Score: 5, Informative

    I always encourage others to 'go on the offensive' and help pollute phisher's databases with the awesome site: PhishFighting.com. Set a few tabs open to fill the phisher's database with useless Data, check back later and see the site is offline (likely from the attention garnered from all the bandwidth usage!)

    As bosses would say "It's a win-win!"

  23. In defense of the clueless by Anonymous Coward · · Score: 2, Informative

    In defense of the clueless (NOT Jerry Taylor!) I have to ask you, how many people understand how a physical lock works? Well, all of them. You put the key in and turn it.

    Few have a clue about its tumblers and other doodads and geegaws.

    How many understand how a car works? "Yeah, I know how it works, you put the key in and turn it, then you drive away."

    A certified Ford mechanic knows about the car's crankshaft, cylinders, pistons, fuel injectors, all the other components and how they're put together as well as you and I know how a PC and TCP/IP works.

    You shouldn't have to know the physics of the expanding gasses in the cylinder driving the pistons (and how the valves work etc) to drive a car.

    We, the nerd community, are to blame for failing to deliver something as simple as a web browser that works as easily as a door lock or a car.

    And the banking industry itself should be educating the public about phishing. I get tons of mail from my bank telling me about its whiz-bang web based banking, but nary a word about phishing.

    How is Average Joe supposed to know this stuff?

    As to Taylor, he claims 22 years tech experience, so the man deserves more ridicule than we can possibly heap on him.

    1. Re:In defense of the clueless by Anonymous Coward · · Score: 2, Insightful

      What if people bought cars like they do computers?

      General Motors doesn't have a "help line" for people who don't know how to drive, because people don't buy cars like they buy computers -- but imagine if they did . . .

      HELPLINE: "General Motors Helpline, how can I help you?"
      CUSTOMER: "I got in my car and closed the door, and nothing happened!"
      HELPLINE: "Did you put the key in the ignition slot and turn it?"
      CUSTOMER: "What's an ignition?"
      HELPLINE: "It's a starter motor that draws current from your battery and turns over the engine."
      CUSTOMER: "Ignition? Motor? Battery? Engine? How come I have to know all of these technical terms just to use my car?"

      HELPLINE: "General Motors Helpline, how can I help you?"
      CUSTOMER: "My car ran fine for a week, and now it won't go anywhere!"
      HELPLINE: "Is the gas tank empty?"
      CUSTOMER: "Huh? How do I know?"
      HELPLINE: "There's a little gauge on the front panel, with a needle, and markings from 'E' to 'F.' Where is the needle pointing?"
      CUSTOMER: "It's pointing to 'E.' What does that mean?"
      HELPLINE: "It means that you have to visit a gasoline vendor, and purchase some more gasoline. You can install it yourself, or pay the vendor to install it for you."
      CUSTOMER: "What!? I paid $12,000 for this car! Now you tell me that I have to keep buying more components? I want a car that comes with everything built in!"

      HELPLINE: "General Motors Helpline, how can I help you?"
      CUSTOMER: "Your car sucks!"
      HELPLINE: "What's wrong?"
      CUSTOMER: "It crashed, that's what went wrong!"
      HELPLINE: "What were you doing?"
      CUSTOMER: "I wanted to run faster, so I pushed the accelerator pedal all the way to the floor. It worked for a while, and then it crashed -- and now it won't start!"
      HELPLINE: "It's your responsibility if you misuse the product. What do you expect us to do about it?"
      CUSTOMER: "I want you to send me one of the latest versions that doesn't crash anymore!"

      HELPLINE: "General Motors Helpline, how can I help you?"
      CUSTOMER: "Hi! I just bought my first car, and I chose your car because it has automatic transmission, cruise control, power steering, power brakes, and power door locks."
      HELPLINE: "Thanks for buying our car. How can I help you?"
      CUSTOMER: "How do I work it?"
      HELPLINE: "Do you know how to drive?"
      CUSTOMER: "Do I know how to what?"
      HELPLINE: "Do you know how to drive?"
      CUSTOMER: "I'm not a technical person! I just want to go places in my car!"

  24. Re:Why phishing works by deadlinegrunt · · Score: 2, Insightful


    Otherwise known as "idiots."

    I mean, really. If you fall into that category, what distinguishes you from a monkey pressing a lever?


    On a long enough timeline of exposure to different situations in life we are all idiots by your criteria, instead of just being ignorant of a particular situation. Idiot has a connotation of being mentally retarded and unable to improve where being ignorant is a lack of education or knowledge.

    I would not call you an idiot for being unable to discern the two terms; just ignorant - if you can't grasp this after the knowledge parted with you then you may well be an idiot. Hope this helps!

    --
    BSD is designed. Linux is grown. C++ libs
  25. Re:Sender Policy Framework...?? by blowdart · · Score: 2, Interesting
    This would eliminate a lot of questions about whether or not a site is legit.

    If people published it. I've been getting chase.com phishing mails. I check SPF at the mail server, but chase has ~all, so it's a soft fail if someone sends from another server, next to useless. Same for hsbc.com, paypal.com et al.

    So if the banks won't publish decent SPF records when SPF is 2+ years old now, what hope do you have of them adopting something new?
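The soft-fail point in the comment above (a record ending in ~all only yields "softfail" for an unauthorised sender, which most mail servers still accept) is easy to see by running the SPF evaluation on a record. The block below is an added example, not the page's or any bank's code: it implements the ip4, ip6 and all mechanisms of RFC 7208 offline (include, a, mx and exists need DNS and are rejected rather than skipped), plus the record audit the commenter did by hand. The domain names, records and sender addresses are constructed for the example.

```python
import ipaddress

# Constructed SPF records for made-up domains (not the real records of any bank).
# The first is the shape the comment above complains about: a soft-fail 'all'.
RECORDS = {
    "softfail-bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "hardfail-bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "no-all.example":        "v=spf1 ip4:192.0.2.0/24",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def all_qualifier(record: str):
    """Audit helper: the qualifier in front of the 'all' mechanism, or None if absent."""
    for term in record.split()[1:]:
        qual, name = (term[0], term[1:]) if term[0] in QUALIFIER_RESULT else ("+", term)
        if name.lower() == "all":
            return qual
    return None


def evaluate_spf(record: str, sender_ip: str) -> str:
    """RFC 7208-style evaluation restricted to ip4, ip6 and all (offline).

    include/a/mx/exists need DNS lookups and are rejected rather than skipped,
    so a record this example cannot judge is never reported as authorised."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable record for this domain
    for term in terms[1:]:
        qual = "+"                         # mechanisms default to the pass qualifier
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qual]  # 'all' matches everything not matched before it
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qual]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS and is not handled here")
    return "neutral"                       # nothing matched and no 'all' term


def receiver_action(result: str) -> str:
    """What a typical receiving server does with each result. Only 'fail' is normally
    rejected; 'softfail' and 'neutral' are delivered (perhaps flagged), which is why
    a ~all record does little against a sender using their own server."""
    return {"pass": "accept", "fail": "reject"}.get(result, "accept-and-flag")


if __name__ == "__main__":
    unknown_server = "198.51.100.7"        # constructed: not in either ip4/ip6 range
    for domain, record in RECORDS.items():
        result = evaluate_spf(record, unknown_server)
        print(f"{domain:22} all={all_qualifier(record)!s:4} "
              f"unknown sender -> {result:8} ({receiver_action(result)})")
```

Run against a sender outside the listed ranges, the ~all record gives softfail and is delivered, the -all record gives fail and is rejected, and the record with no all term at all gives neutral.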

  26. Clueless Companies by penttan · · Score: 2, Interesting

    I have recently received some emails that I think may be legitimate but look like phishing attempts. Also Thunderbird thinks that it is a phishing attempt.

    I am registered at the BBC Shop. I have allowed them to send me email and they have been sending some offers. Lately the links in the email seem to go to http://bbcshop.msgfocus.com/ with some unique id added. Even to the point that a link that has a text "bbcshop@bbc.co.uk" and looks like an email link is actually a link to an http request at bbcshop.msgfocus.com.

    All this was enough to make me not click any links. I did not find much information about msgfocus.com either.

    It could be a phishing attempt. I really am not sure. On the other hand, the email has some personal addressing that matches the information I have given to the web store. Maybe BBC has decided to use some clueless emailing service. But my point is that if respectable web stores send emails that look like phishing attempts to their customers it will become more and more difficult to identify phishing in the future.
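Both this post and Aspirator's American Express reply under comment 10 describe the same thing: the link text claims one destination (an https URL, or an address at the shop) while the href goes somewhere else, sometimes through an http tracking redirect that carries the real destination in a query parameter. The block below is an added example, not code from either poster or from Thunderbird: it parses an e-mail body, pairs each anchor's href with its visible text, and reports the three mismatches described. The HTML and the example domains are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample e-mail body (example domains, not the real mailings described
# above). Link 1 mirrors the bank tracker case: visible text is an https URL, the
# href is an http tracker that forwards to it. Link 2 mirrors the shop mailing:
# text that looks like an address at the shop, href on a third-party mailing
# host. Link 3 is an honest link for comparison.
SAMPLE_EMAIL_HTML = """
<p>Visit <a href="http://www65.bank.example/clicktrk/Tracking?mid=12345&amp;url=https://www.bank.example/messagecenter">https://www.bank.example/messagecenter</a></p>
<p>Questions? <a href="http://shop.msgfocus.example/c/abc123">shop@shop.example</a></p>
<p><a href="https://www.bank.example/login">Log in</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_named_in_text(text: str):
    """Host the visible text claims, if it looks like a URL or an e-mail address."""
    if "://" in text:
        return (urlsplit(text).hostname or "").lower() or None
    if "@" in text and " " not in text:
        return text.rsplit("@", 1)[1].lower()
    return None


def audit_link(href: str, text: str) -> list:
    """Findings for one anchor; an empty list means text and target agree."""
    findings = []
    target = urlsplit(href)
    target_host = (target.hostname or "").lower()
    claimed_host = host_named_in_text(text)
    if text.lower().startswith("https://") and target.scheme == "http":
        findings.append("scheme-downgrade")   # shown as secure, fetched in the clear
    if claimed_host and claimed_host != target_host:
        findings.append("host-mismatch")      # text names one host, href another
    if any("://" in v for vals in parse_qs(target.query).values() for v in vals):
        findings.append("redirect-wrapper")   # a query parameter carries the real destination
    return findings


def audit_email(html: str) -> list:
    """[(href, text, findings), ...] for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, audit_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in audit_email(SAMPLE_EMAIL_HTML):
        print(f"{text!r:42} -> {href}\n    {findings or 'text and target agree'}")
```

The host comparison is deliberately exact, so a tracker on a subdomain of the bank's own domain is still flagged; that matches the complaint in both posts, where the problem is that a legitimate mailing is indistinguishable from a forged one by the signs a reader is told to look for.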

  27. Re:The Blind Squirrel by SdnSeraphim · · Score: 4, Insightful

    I think this is the funniest thing I have read in a long time. As a software developer for a largely computer illiterate user base, I have found that users try to get rid of dialog boxes as fast as possible, without ever reading the text. The longer the text (say over 8 words), the less likely they are to read it. Often they will always press 'yes' or always press 'no' until after a few tries they don't get the response they thought and try a different button.

    I try to ask as few questions as possible. Users often don't want options, just action, and the ability to undo the action after it has happened.

    --
    It is dangerous to be right on a subject on which the established authorities are wrong. - Voltaire
  28. Re:The Blind Squirrel by Fareq · · Score: 4, Insightful

    In my experience, people will spend hours agonizing over little message boxes that have only an "OK" button. Seriously. People that won't read a Yes/No/Cancel will spend 15 minutes reading and re-reading the 7 words in the box that has only one option...

    When I ask why, they always respond that they're not sure what to do.

    When presented with a Yes/No/Cancel with 3 sentences in it, they just press enter without reading, because it's either too complicated or because it doesn't seem important. (It's just a popup box that asks a question I don't understand... but if I hit enter it goes away and I don't have to decide).

    Incidentally, I partially blame all those InstallShield things that have the front screen with 3 paragraphs of text and a next button when there's really no meaningful information on the page, and nothing to do except click next to start installing the program (or cancel if you ran the installer by mistake)

    From the UI side, however, I think that while OK boxes and Yes/No boxes are great, I think that OK/Cancel and Yes/No/Cancel boxes are heavily overused... If you want to ask a question where Yes/No isn't the answer, you should probably roll your own so that the buttons can be *descriptive*

  29. Phishing works, no argument but... by eclipz · · Score: 2, Informative

    Sure, phishing works. We know it does, and some of the most technical people can be caught off guard. It goes with any forgery of any secure material, be it fake IDs, S.S. cards, etc.

    However, with regard to TFA, I have some doubts about their data. First, they use *only* 22 participants, which is a horribly low number. They give no background information of how they chose them. It could have just been 22 of their friends that they could con into playing with some web pages.

    Also, there are no controls with regards to the web pages. I didn't see (in the page list) two pages that would look identical and be either spoofed or real. This, to me, would be an important piece of information to support their conclusions. I personally would have had two identical web pages shown with only the browser security indicators changing. This would come a lot closer to showing people either ignore or watch those things.

    It's not that I disagree with their findings, it's just it would be a lot more believable with more people and a proper writeup of the makeup of such a group. You can't get a truly random group of people, but with larger numbers you can get closer.

  30. Maybe it's genetic by MrNougat · · Score: 2, Interesting

    No, seriously.

    I recall hearing about a study wherein monkeys were given the option of pressing one of two buttons at mealtime. Button A would always produce normal food. Button B would infrequently produce a treat, and usually produce nothing. The monkeys always pressed Button B.

    (I know, you can't let monkeys starve to death in an experiment, so it wasn't perfect perhaps, but it makes my point.)

    Shifting gears just a bit -- I have wondered for a long time myself how humanity has accomplished all that it has when such a large proportion of humans (those in charge of things as well as not) are complete morons. It seems to defy logic.

    Let's presume that the results of that experiment are correct. (If anyone has a link to substantiate my claim, I would appreciate it.) Monkeys gamble; they try to get something for nothing instead of going for the sure steady payoff. The inference, of course, is that humans do the same thing.

    Perhaps, over the long term (and I'm talking generations long), the "gambles" that individual human beings take pay off to the benefit of humanity as a whole. Think of the vast numbers of people, in attempts to invent fireworks, who must have blown their fingers or hands or heads off. People still do it. That's individual stupidity.

    But we've gone to the moon, we've sent probes to far-off planets, we have a world-girdling network of communications satellites. None of that would have been possible without the moronic work of tens of thousands of individual idiots.

    So, my hypothesis is as follows:

    The sum of individual stupidity is communal success.

    It's not tools, or language or brain size that sets humans apart from the beasts. We are more successful as a species because we are stupider as individuals.

    --
    Web 2.0 == Giant Blogspam Circle Jerk
  31. Oh You mean like this eBay Login Page. by MrLinuxHead · · Score: 2, Interesting

    I got "phished" a week ago from some scammer with an eBay handle of "precisionlaptops4u" looking for eBay logins. I emailed eBay and hoped they could shut the perp down. And then again yesterday I got another one. Same guy, same scam. The URL is: http://1342912795/intranet/forum/templates/subSilver/images/wsbleh/ebay/index.html I started looking at the problem myself and put my findings at my Blogger blog. http://mrlinuxhead.blogspot.com/ Same guy is still up, and doing it today.

    --
    I may be bad with names, but I'll never forget your IP address
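
The host in that URL is a bare IPv4 address written as a single decimal number, a form browsers accept but that no bank's login page would use. As an added example (not from the post or from eBay), a small triage helper that normalises the numeric host forms browsers accept (dword, hex, octal and short dotted forms, per the classic inet_aton rules) to a dotted quad, so a mail gateway or log review can flag such links; the decoded value is arithmetic on the number in the post, nothing more.

```python
from urllib.parse import urlparse


def decode_numeric_host(host):
    """Return a dotted-quad string if `host` is a numeric IPv4 form that
    browsers accept (dword like 1342912795, hex 0x500b391b, octal 0120.013.071.033,
    or short dotted forms such as 0x7f.1), following inet_aton rules.
    Returns None for ordinary hostnames."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        try:
            if p[:2].lower() == "0x":
                vals.append(int(p, 16))
            elif len(p) > 1 and p.startswith("0"):
                vals.append(int(p, 8))          # leading zero means octal
            else:
                vals.append(int(p, 10))
        except ValueError:
            return None                         # not numeric: a real hostname
    if any(v < 0 for v in vals) or any(v > 255 for v in vals[:-1]):
        return None
    tail_bytes = 5 - len(parts)                 # last part fills the rest
    if vals[-1] >= 256 ** tail_bytes:
        return None
    addr = 0
    for v in vals[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | vals[-1]
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def flag_numeric_link(url):
    """Return the decoded IP when a link's host is a bare IP address in any
    encoding, a strong phishing signal for a 'login' link; else None."""
    host = urlparse(url).hostname or ""
    return decode_numeric_host(host)


# Constructed sample matching the form in the post (path shortened).
SAMPLE_LINK = "http://1342912795/intranet/forum/ebay/index.html"
```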
  32. Re:The Blind Squirrel by Fëanáro · · Score: 3, Insightful

    Users HATE dialog boxes. I don't know whoever thought modal dialog boxes for everything was a bright idea.

    The solution for that is to always make a "safe" choice per default, and then allow the user to change the choice with a nonmodal, nonblocking dialog.
    If the user does not want to change anything, no action is required.

    Like in Firefox:
    "this site requires additional addons, click here to install them" displayed on top of the page (and not in a dialog box).

  33. Three words: "Outlook" and "HTML email" by blueZ3 · · Score: 2, Interesting

    If all email was plain text, phishing would decrease significantly. Unfortunately, we have "helpful" things like hyperlinks in email (a well-intentioned but bad idea) that help perpetuate this type of problem. I can't recall the last time I clicked a link in an email, but I can tell you it was a long time ago.

    Chances are, if the user had to copy and paste the bank's URL out of the email, it would be a lot harder to hide the fact that the URL directs to some non-official site (bankofthevvest is a counter-example, but it would still help). Most likely, people would type in the bank's URL and create a bookmark. Then when they got the email they would open their browser and click the bookmark and log in. Problem eliminated.

    This isn't an IE/Outlook problem only, I admit. There are a lot of mail clients that provide this same "helpful" behavior. But as with auto-executing scripts in the Outlook preview pane, it would be better (IMO) if they didn't.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com