By now, you'd think that nobody would be gullible enough to fall for a phish. But you'd be wrong.
In fact, in a recent study by researchers at Harvard University and the University of California at Berkeley, a good fake Web site fooled 90 percent of people participating in the study.
In other words, even if you're aware of phishing and you're on the lookout for a phish, you still might get fooled. In this case, researchers showed participants various real and fake sites and asked them to identify the phish sites. Unfortunately, 90 percent of participants failed to notice that the URL given for a Bank of the West site was bankofthevvest.com. By substituting two "v's" for a "w" the phish site fooled just about all of the participants in the study.
Even more scary, the study showed that Web-savvy types were just as likely to get fooled as 'Net newbies. Other conclusions:
-- Cues that are supposed to help you figure out whether a site is legit, such as address bar, status bar or security indicators, weren't even looked at by 23 percent of participants.
-- There was no significant difference between the performance of men vs. women, older people vs. younger people or people at different education/Web savvy levels. In other words, everybody got fooled at about the same rate.
-- Other phish sites that fooled most participants included a variety of fake PayPal sites and a bogus Etrade site.
One of the main conclusions of the study is that legit Web site designers need to focus more on "what humans do well and what they do not do well." And reading URLs and looking for SSL icons are not things that humans do very well, according to the study.
The study, by Rachna Dhamija of Harvard and J.D. Tygar and Marti Hearst of Berkeley is available here (http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf#search='Why percent20phishing percent20works').
For the latest on network-oriented research at university and other labs, go to Network World's Alpha Doggs blog.