What Phishers Can Teach You - How Well Did They Do?
(Page 3 of 4)
Before I go into the results of the study, I’d like to mention two participants that were at extreme ends of the spectrum as far as security awareness and checking for bogus web sites. The one who scored at the low end actually submitted her username and password to some websites to check whether it was a site at which she had an account. She’d used this strategy before, she said, thinking “What’s the harm? Passwords are not dangerous to give out, like financial information is.” (If you’re a sysadmin, you can be forgiven for making a dash to the bathroom before continuing).
At the other end of the spectrum in both security awareness and score was the participant who opened up a second window into which he typed all URLs by hand to compare these pages with every web site presented to him in the study. He sometimes used Yahoo as well to search for the organization. His hypersensitivity can be attributed in part to the fact that a family member of his had fallen prey to a PayPal phishing attack.
The study asked participants not only to judge whether a web site was legitimate or bogus, but how confident they were of their judgment, on a scale of 1 to 5. Interestingly, most participants were pretty confident of their judgments, whether or not they were correct. This is particularly disturbing in light of the fact that one of the phishing web sites fooled more than 90 percent of the participants. The fake web site, for Bank of the West, included the following factors that convinced most participants of its authenticity:
- “Cute” design.
- High level of detail.
- Does not ask for a great deal of information.
- Animated bear video which two participants believed would “take a lot of effort to copy.”
- Links to other sites.
- Link to an SSL protected web page, hosted at VeriSign, showing the SSL certificate status for the real Bank of the West web site.
Of the two participants who realized this was a spoof web site, one noticed the URL in the address bar included a doubled “v” rather than a “w” for “west,” and the other one noticed an outdated date in the content of the web page.
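As an added illustration from the defender's side (not code from the article or the study it describes), the check below folds the doubled-"v" look-alike that one participant caught, and also flags a real brand name buried as a subdomain of an unrelated domain. The allow-listed domain spelling and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list of genuine hostnames (assumption: the article names
# the bank but not its domain, so this spelling is a placeholder).
LEGITIMATE_HOSTS = {"bankofthewest.com"}

# Character runs that read as a different letter in an address bar.
# "vv" for "w" is the substitution one study participant spotted.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]


def fold_confusables(host: str) -> str:
    """Collapse look-alike character runs so variants compare equal."""
    for lookalike, real in CONFUSABLES:
        host = host.replace(lookalike, real)
    return host


def registrable_part(host: str) -> str:
    """Last two labels of the host; a crude stand-in for the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for the URL's hostname."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if registrable_part(host) in LEGITIMATE_HOSTS:
        return "legitimate"
    folded_host = fold_confusables(host)
    folded_legit = {fold_confusables(h) for h in LEGITIMATE_HOSTS}
    # Case 1: the registrable domain differs only by confusable characters.
    if fold_confusables(registrable_part(host)) in folded_legit:
        return "lookalike"
    # Case 2: the real name sits as a subdomain of an unrelated domain.
    if any(f".{name}." in f".{folded_host}." for name in folded_legit):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the study.
    for sample in ("https://www.bankofthewest.com/login",
                   "https://www.bankofthevvest.com/login",
                   "http://bankofthewest.com.secure-login.example/",
                   "https://example.org/"):
        print(f"{classify_url(sample):11s} {sample}")
```

The two-label registrable-domain guess is deliberately simple; a production check would use the public suffix list and Unicode confusable tables rather than this short substitution list.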
Disturbingly, in interviews about user knowledge of phishing and security, seven participants hadn’t even heard the term “phishing” before, and some seemed surprised that these kinds of attacks occur. Some did not know the meaning of the padlock in the address bar, and at least one participant incorrectly believed it meant the web site could not read passwords or set cookies. Only one of the participants was able to explain the purpose of SSL certificates, and he was a systems administrator.
The one quarter of participants who used strategy one to distinguish legitimate from bogus web sites were wrong 40 percent of the time. While other participants fared better, it seems clear that there is cause for concern.
More By Terri Wells