Publication | Closed Access
Why phishing works
Citations: 1.3K
References: 11
Year: 2006
Venue: Unknown
Topics: Internet Security, Engineering, Usable Security, Information Security, Phishing, Security Awareness, User Experience, Security, Information Forensics, Social Engineering (Security), Communication, Deception Detection, Usability Study, Address Bar, Attack Strategies Work, Data Security
Phishing attacks rely on deceptive tactics that users often fail to detect, so systems meant to protect users need to know which tactics succeed and why. This study set out to determine empirically which phishing strategies deceive ordinary users. The authors first analysed a large corpus of captured phishing attacks to generate hypotheses, then tested them in a usability study in which 22 participants judged 20 websites as legitimate or fraudulent. 23% of participants never consulted browser cues such as the address bar, status bar or security indicators, and those participants chose wrongly 40% of the time; some visual deception attacks fooled even the most sophisticated participants. The authors conclude that standard security indicators fail a substantial fraction of users and that alternative defences are needed.
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.
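The abstract's two findings point in the same direction: a large fraction of users never read the address bar, and those who do can be fooled by visual deception. A protective system therefore has to perform the comparison in the user's place. The following is an added example, not code from the paper or its authors; it sketches a link checker that flags three deception patterns of the kind the abstract refers to (link text that claims a different site than the real target, a target host that reads like a known brand under look-alike substitutions, and a credential prefix that hides the real host). The brand list, the homoglyph and confusable-sequence tables, the naive registrable-domain rule and the sample links are all constructed for this example.

```python
"""Added example: flag visual deception in links on a user's behalf.

Not the paper's code; the brand list, substitution tables and sample links
below are assumptions made for this illustration.
"""
import re
import unicodedata
from typing import List, Optional
from urllib.parse import urlparse

# Brands the user is presumed to recognise (assumed list).
KNOWN_BRANDS = {"paypal.com", "bankofthewest.com", "example-bank.com"}

# Cyrillic letters that render like Latin ones (partial, assumed map).
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y"}

# ASCII sequences that read as another letter at a glance (assumed table).
CONFUSABLE_SEQUENCES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

# Display text that a reader would take for a URL (assumed heuristic).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#].*)?$", re.I)


def normalize_host(host: str) -> str:
    """Fold a hostname to what a reader 'sees': map homoglyphs, strip accents,
    lowercase, then collapse look-alike ASCII sequences. Crude by design."""
    host = "".join(HOMOGLYPHS.get(ch, ch) for ch in host)
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    host = host.lower()
    for seq, letter in CONFUSABLE_SEQUENCES:
        host = host.replace(seq, letter)
    return host


def registrable_domain(host: str) -> str:
    """Last two labels of the host; a stand-in for a public-suffix lookup."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _parse(url: str):
    """urlparse with a scheme prepended when the text has none."""
    return urlparse(url if "://" in url else "http://" + url)


def host_of(text_or_url: str) -> Optional[str]:
    return _parse(text_or_url.strip()).hostname


def assess_link(display_text: str, href: str) -> List[str]:
    """Return the deception flags raised by one link; [] means nothing seen."""
    flags: List[str] = []
    parsed = _parse(href.strip())
    target_host = parsed.hostname or ""
    target = registrable_domain(target_host)
    folded_target = registrable_domain(normalize_host(target_host))

    # 1. Visible text names a site, but the real target is elsewhere.
    if URL_LIKE.match(display_text.strip()):
        shown = registrable_domain(host_of(display_text) or "")
        if shown != target:
            flags.append(f"link text shows {shown} but target is {target}")

    # 2. Target is not a known brand, but looks like one once folded.
    if target not in KNOWN_BRANDS and folded_target in KNOWN_BRANDS:
        flags.append(f"target {target} reads like {folded_target}")

    # 3. user:pass@ prefix pushes the real host out of view.
    if "@" in parsed.netloc:
        flags.append("userinfo before host")
    return flags


if __name__ == "__main__":
    # Constructed sample links, not taken from the study.
    samples = [
        ("www.paypal.com", "http://www.paypal.com.account-verify.example/login"),
        ("Click here", "http://www.bankofthevvest.com/"),
        ("https://www.paypal.com/", "https://www.paypal.com/"),
        ("Update your details", "http://www.p\u0430ypal.com/"),
        ("www.paypal.com", "http://www.paypal.com@evil.example/"),
    ]
    for text, href in samples:
        print(f"{text!r:28} -> {href}: {assess_link(text, href) or 'ok'}")
```

The folding step is deliberately lossy: it exists to answer "would a glance at this host be mistaken for a brand?", not to decide legitimacy, so a hit is a prompt for a stronger signal (certificate identity, a verified brand list) rather than a verdict. A real deployment would replace the two-label registrable-domain rule with a public suffix list and the short homoglyph map with Unicode's confusables data.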