Thursday, March 30, 2006

Why Phishing works

A recent study published by Rachna Dhamija of Harvard University, and J. D. Tygar and Marti Hearst of UC Berkeley addressed the question of why phishing works.

For the uninformed, phishing attempts to direct unsuspecting individuals to fraudulent websites in hopes of getting them to divulge personal information such as passwords, bank account numbers, credit card numbers, driver's license numbers, or Social Security numbers. Typically, an email informs a potential victim that they have to update their information, or that someone has attempted to make unauthorized charges on a credit card. A sense of urgency is created by the scammers telling the intended victim that an immediate response is required to prevent further fraudulent charges. A hyperlink in the email directs the victim to a bogus website set up to look like a legitimate bank or business.

Here are a couple of sample phishing scams documented by Snopes.com:
http://www.snopes.com/inboxer/scams/bestbuy.asp
http://www.snopes.com/inboxer/scams/paypal.asp

According to the published paper:

Data suggest that some phishing attacks have convinced up to 5% of their recipients to provide sensitive information to spoofed websites. About two million users gave information to spoofed websites resulting in direct losses of $1.2 billion for U.S. banks and card issuers in 2003.

The authors recently conducted a study involving 22 subjects who each viewed 20 websites and had to determine if the websites were authentic or fraudulent. The “best” phishing websites fooled 90% of the participants, and on average the group of subjects was fooled 40% of the time!

I have received many such emails, and the best ones really do look legit! How can you tell the difference?

My strategy is to search http://www.snopes.com/. Type in the name of the business or bank in the search box, and watch what happens. Oftentimes you'll find the exact text of the email you received cited on the Snopes website along with an explanation of why it's a hoax.

A relatively new resource, the Anti-Phishing Working Group, has posted a list of common phishing scams on their website at: http://www.antiphishing.org/phishing_archive.html

The Federal Trade Commission has some very helpful information on phishing and other online commerce topics at: http://www.ftc.gov/bcp/menu-internet.htm

The Christian Science Monitor has a very informative article about phishing here.