What Phishers Can Teach You
(Page 1 of 4)
What makes a web site look legitimate? This question is of more than academic interest, since web surfers will only buy from sites they consider trustworthy. A recent study published by Harvard and Berkeley scholars revealed some surprising information. Keep reading to find out what phishers have already learned.
If you want to read the ten-page study itself, you can check it out at this link. But I feel that I must warn you, it’s not for those who have weak stomachs, especially if you’re a systems administrator. Of course, you could tell that much from the title: “Why Phishing Works.”
The three authors (Rachna Dhamija, J. D. Tygar, and Marti Hearst) had certain theories about why phishing attacks work, based on their analysis of a large database of captured phishing attacks. They then designed a usability study in which they enlisted 22 participants to test these theories. While the study was created to answer the question of what makes a bogus site credible, it has interesting implications for anyone dealing with web site design (including many SEOs).
As with any good study, the authors read related work, including studies of browser security and phishing. From this work and their analysis, they formulated the hypothesis that phishers take advantage of their victims in three ways. First, they count on their victims’ lack of knowledge about computer systems and security indicators. Second, they use visually deceptive text (such as “typejacking attacks” that use similar-looking URLs), images, and similar means to mask the true identity of their fake web site. Third, they simply hope the user will not pay attention to either the presence or absence of security indicators.
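The second of those three tactics, similar-looking URLs, is something a defender can check for mechanically. The following is an added example, not code from the article or from the "Why Phishing Works" study: it normalizes characters that render alike in many fonts, compares the registrable domain of a URL against a constructed allow-list of brand domains with an edit-distance threshold, and separately flags a brand name that appears only in a subdomain. The allow-list, the homoglyph table, the sample URLs and the naive "last two labels" rule for the registrable domain are all assumptions made for illustration.

```python
"""Flag URLs whose hostname visually imitates a known legitimate domain.

Added example, not from the article or the study it summarizes.
Assumptions: KNOWN_GOOD is a constructed allow-list; HOMOGLYPHS is a
small hand-picked table; registrable_domain() uses a naive two-label
rule rather than the Public Suffix List.
"""
from urllib.parse import urlsplit

# Sequences that look like another letter in many fonts.
# Two-character keys ("rn" -> "m", "vv" -> "w") are applied first.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "vv": "w", "rn": "m",
}

# Constructed allow-list of legitimate registrable domains (assumption).
KNOWN_GOOD = ["paypal.com", "example.com", "bankofexample.com"]


def normalize(label: str) -> str:
    """Collapse visually confusable sequences to canonical letters."""
    label = label.lower()
    for seq, rep in HOMOGLYPHS.items():
        if len(seq) == 2:          # multi-char sequences before single chars
            label = label.replace(seq, rep)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (one-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption; real
    code should consult the Public Suffix List)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_url(url: str, known_good=KNOWN_GOOD) -> str:
    """Return one of: 'trusted', 'lookalike', 'brand-in-subdomain', 'unknown'."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in known_good:
        return "trusted"
    norm_reg = normalize(reg)
    norm_host = normalize(host)
    for good in known_good:
        norm_good = normalize(good)
        # Same after normalization, or one character off: a look-alike.
        if norm_reg == norm_good or edit_distance(norm_reg, norm_good) <= 1:
            return "lookalike"
        # Brand name present but not as the registrable domain.
        brand = good.split(".")[0]
        if brand in norm_host:
            return "brand-in-subdomain"
    return "unknown"


def scan(urls):
    """Classify a batch of URLs; returns {url: verdict}."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs for demonstration.
    SAMPLES = [
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "https://paypai.com",
        "https://paypal.com.login-check.net/",
        "https://www.wikipedia.org/",
    ]
    for url, verdict in scan(SAMPLES).items():
        print(f"{verdict:18} {url}")
```

The two-character substitutions run before the single-character map so that "rn" is not split into "r" and "n" before it can be recognized as an "m". Both the candidate and the allow-list entries are normalized, so a legitimate domain that happens to contain a digit compares consistently with itself.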
The nature of the study the authors devised was fairly simple. They recruited 22 participants of varying ages, education levels, and computer experience, and of both sexes. Using a laptop computer, they presented these participants with 20 websites in a mostly random order, of which slightly less than half were legitimate, and slightly more than half were phishing websites that they copied exactly to three levels deep and put on a local server for purposes of the study.
Participants were told to “Imagine that you receive an email message that asks you to click on one of the following links. Imagine that you decide to click on the link to see if it is a legitimate web site or a ‘spoof’ (a fraudulent copy of that website).” They were told they could interact with the website as users normally would and that any website might be legitimate or not. Since they were supposed to be paying attention, the study couldn’t test the third hypothesis of how phishers count on their victims behaving, but it could test the other two.
More By Terri Wells