Three American scholars have recently published the results of a study exploring why online fraudsters (phishers) continue to succeed despite ongoing warnings over the years.
Most people have received a phishing email purporting to come from a bank or an online service and asking them to supply personal financial details. In some cases the fake email impersonates the very bank or service the recipient is a customer of. Whatever the source, users are generally aware that they must exercise caution.
To produce the report titled “Why Phishing Works,” the scholars (Rachna Dhamija of Harvard University, and Marti Hearst and J.D. Tygar of the University of California) ran a study with a small group of users. They found that up to 90% of users could not tell phishing emails from genuine ones based on how authentic they appeared.
From the perspective of e-commerce organizations and online banks trying to limit the damage caused by online fraud, the fact that a significant number of people still cannot recognize a trustworthy email is worrying: it could drive users away from online services altogether.
The scholars gave the example of a phishing email impersonating Bank of the West. The email sends recipients to a fraudulent website at www.bankofthevvest.com (note that the domain name contains two “v” characters in place of the “w”) which copies security icons, the VeriSign logo, certification seals, and even pop-up security warnings for users. An astonishing 91% of participants in the scholars’ survey believed this email was legitimate.
In contrast, a genuine email from E*Trade led users to a secure, legitimate website with a plain interface designed for mobile browsers. Yet 77% of users judged this email to be a phishing attempt.
One reason users keep falling prey to online fraudsters may be that even simple scams set effective traps. Nearly a quarter of survey participants did not look at the address bar, status bar, or security indicators on fraudulent websites.
As a result, they are easy targets for online scammers whose links differ from the legitimate address by just one character, such as swapping the digit “1” for the letter “l” or even the capital letter “I.”
Simply put, the report “Why Phishing Works” asserts that users lack sufficient knowledge of domain name syntax. “Users might think that the domain www.ebay-members-security.com belongs to www.ebay.com. Or sometimes, when users see the padlock icon in the browser corner, they interpret it as a guarantee of security. However, users may not realize that such icons can easily be included on these fraudulent sites. This is an example of online scam tactics.”
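As an added illustration (not from the study or this article), the following Python checker applies the two tricks just described in reverse: it collapses look-alike characters (“vv” for “w”, “1”/“I” for “l”) before comparing a link’s registrable domain against a list of protected brands, and it flags hosts that merely contain a brand name. The protected-domain list and the two-label registrable-domain rule are simplifying assumptions for this example; a real deployment would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed list of brands we want to protect (assumption for this example).
LEGIT_DOMAINS = {"bankofthewest.com", "ebay.com", "etrade.com"}

# Characters that phishers swap because they look alike in common fonts.
# Each confusable maps to a canonical letter; the "vv" -> "w" case is a
# two-character substitution and is handled separately in skeleton().
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def registrable_domain(host: str) -> str:
    # Keep the last two labels, e.g. "ebay-members-security.com".
    # Assumes a single-label public suffix (not true for e.g. ".co.uk").
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    # Normalise confusables so visually similar names collapse to one string.
    return domain.lower().replace("vv", "w").translate(CONFUSABLES)


def classify(url: str) -> str:
    """Return one of: legitimate, lookalike, brand-in-domain, unrelated."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    # Same skeleton as a protected domain: a homoglyph of the real brand.
    legit_skeletons = {skeleton(d) for d in LEGIT_DOMAINS}
    if skeleton(reg) in legit_skeletons:
        return "lookalike"
    # Brand name embedded in an unrelated host, e.g. "ebay-members-security.com"
    # or "www.ebay.com.example.net": the registrable domain is not the brand's.
    brands = {d.split(".")[0] for d in LEGIT_DOMAINS}
    if any(brand in host for brand in brands):
        return "brand-in-domain"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.bankofthevvest.com/login",
              "http://www.ebay-members-security.com/",
              "https://www.ebay.com/signin"):
        print(u, "->", classify(u))
```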
Speaking at the Online Crime Conference held in London last weekend, Bernhard Otupal, a high-tech crime investigator for Interpol, noted that users not only fail to detect forms of fraud but sometimes make matters easier for cybercriminals with a surprising level of indifference.
“What’s vital here is user responsibility,” Otupal stated. “Recently, a large number of users fell victim to a phishing attack masquerading as a well-known bank. Some individuals who were not even customers of that bank were tricked into providing financial details.”
The report “Why Phishing Works” indicated that the scholars found no significant age differences among victims of online fraud. Some separate studies, however, reached the opposite conclusion.
When asked whether the risks of cybercrime had made them more cautious, only 58% of users aged 18 to 29 said yes, compared with 79% of those over 50.
Likewise, 80% of younger users said they often chose which companies to deal with based on their level of security, while the figure for older users rose to 93%.
Hoàng Dũng