PC World: Technology Advice You Can Trust
Today at PC World
Tuesday, April 25, 2006 1:58 PM PT Posted by Emru Townsend

Why Does Phishing Work?

I'm currently sitting in on one of several security presentations at CHI 2006, which focuses on such fun topics as phishing and e-mail encryption. Today's presentation asks a simple question: How do people get fooled by phishers?

It turns out the answers to that question are a bit of an eye-opener. Presenter Rachna Dhamija of Harvard University described a study she and her colleagues conducted, randomly presenting 19 real and phisher-created websites to their peers -- all educated adults, and all told that deception was at hand -- and everyone was fooled at least once.

What I found particularly distressing was what came out of the study's follow-up sessions: stark reminders that there's often a gap between what user interface designers consider (sometimes rightly) logical, reasonable solutions and how people work in the real world.

Not surprisingly, many respondents readily sacrifice security for convenience -- some folks simply couldn't be bothered to look for the lock icon in the status bar. But it was revealing that many people simply aren't computer-savvy enough to follow the cues that have been built into browsers. While people are often told to make sure the URL of a potential fake site is legitimate, it turns out that several of these respondents didn't even know the purpose of the address bar in the browser.

And then there were those fooled by the look and feel of the pages themselves. We all know that phishers do their best to make websites look as real as possible, so that you actually think you're at, say, the Chase Manhattan website. But as they say, the devil is in the details. The clinching details that fooled several respondents were such things as "cute" animations, or the mere presence of a Verisign logo -- something right-click-simple for anyone to copy.

While the presentation itself focused more on the end user's responsibilities, the Q&A did bring up Web designer and browser maker culpability. However, a Mozilla Foundation employee did make a good (and mildly tongue-in-cheek) point, referring to users' demands for a rich-media Web: "We could make an absolutely secure browser; it would just remove everything that makes the Web rule so hard today."

There are some encouraging notes, however. Dhamija had a few proposals for technological solutions that reduce the inconvenience issue, which the Mozilla employee seemed eager to discuss in detail at a later date. In the meantime, we still have to work on better educating people on how to browse safely.
