Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Slashdot Deals: Cyber Monday Sale! Courses ranging from coding to project management - all eLearning deals 25% off with coupon code "CYBERMONDAY25". ×

Why Phishing Works 293

h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."
This discussion has been archived. No new comments can be posted.

Why Phishing Works

Comments Filter:
  • Short answer (Score:5, Insightful)

    by gEvil (beta) (945888) on Thursday March 30, 2006 @12:50PM (#15027479)
    Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).
    • > > When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision!
      > Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).

      Funny you should mention him, though.

      "I do not follow instructions that show up when a website that I am not familiar with appears on my computer and I do not think anyone with experience would do so either."
      - Jerry Taylor []

      Even a bli

      • by $RANDOMLUSER (804576) on Thursday March 30, 2006 @01:00PM (#15027601)
        I've been proposing for a long time that the "Yes/No/Cancel" type dialog boxes should simply be replaced with a single "Whatever" button, as users NEVER read what the dialog box says.
        • by SdnSeraphim (679039) on Thursday March 30, 2006 @02:23PM (#15028576)
          I think this is the funniest thing I have read in a long time. As a software developer for a largely computer illiterate user base, I have found that users try to get rid of dialog boxes as fast as possible, without ever reading the text. The longer the text (say over 8 words), the less likely they are to read it. Often they will always press 'yes' or always press 'no' until after a few tries they don't get the response they thought and try a different button.

          I try to ask as few questions as possible. Users often don't want options, just action, and the ability to undo the action after it has happened.
        • by Fëanáro (130986) on Thursday March 30, 2006 @03:59PM (#15029517)
          users HATE dialog boxes. I don't know whoever thought modal dialog boxes for everything where a bright idea.

          The solution for that is to always make a "save" choice per default, and then allow the user to change the choice with a nonmodal, nonblocking dialog.
          If the user does not want to change anything, no action is required.

          Like in firefox
          "this site requires additional addons, click here to install them" displayed on top of the page (and not in a dialog box).

      • Although in the case of Jerry, it's more like even a blind seal finding a club :)

        One can only hope. It's amusing to note that he tried his site from 4 different computers, expecting to find different info on each(?!), and the screaming was a nice touch. The guy he found was really nice too - I would've told him to get bent.

    • Re:Short answer (Score:5, Insightful)

      by plover (150551) * on Thursday March 30, 2006 @12:58PM (#15027584) Homepage Journal
      In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.

      In the end, people may end up needing strong authentication tokens. When you go to the bank, you'll present your token so they know it's you. When you sign up for a new account, you'll get that account added to your token. And, when you hit a phishing web site, your token will light up and say "UNKNOWN WEB SITE".

      And it could work both ways. If you use an ATM in a seedy bar, you could even ask your token to identify the legitimacy of the ATM.

      The disadvantage, of course, is either a plethora of tokens (one per account) or every Tom, Dick and Harry shop wanting to use your token for marketing and tracking purposes.

      • Re:Short answer (Score:4, Insightful)

        by daveewart (66895) on Thursday March 30, 2006 @01:21PM (#15027823)

        In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.

        I think the point is that, since you can copy verbatim the HTML of a web site, it is trivial to create an identical copy of any site. So, trying to look for similarities and differences between the sites is a pointless exercise.

        The real way to avoid being stung by phishing scams is to know that emails from anyone asking for personal or private information, passwords, credit card numbers etc. are almost certainly fake.

        • He was fooled by a website identical in all respects except a visual URL spoof ( instead of It is not trivial to create an identical copy of a site including URL, certificates etc; in fact, it is impossible. A careful enough investigation would have exposed it.

          That said, you're right that it's never a good idea to click on a link in an unsolicited email, and that is certainly the best approach for nonexperts (and experts, really).

      • When you go to the bank, you'll present your token so they know it's you.

        You mean your driver's license? I always have to show them mine when I go.
      • Re:Short answer (Score:3, Interesting)

        by DdJ (10790)

        In the paper, one guy was very paranoid.

        Not paranoid enough, by my standards. I don't think they mentioned one single person using any tools other than web tools. The one who looked stuff up via Yahoo was a start, but just a start.

        Whenever I have the least suspicion of any web site, I start probing DNS and whois. I try to make sure information I get via non-compuer channels matches what the computer tells me, and so forth.

        I wonder if I'd fall for any of the sites they used. I like to think I wouldn't,

    • Re:Short answer (Score:4, Insightful)

      by Sigma 7 (266129) on Thursday March 30, 2006 @01:01PM (#15027615)
      Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).

      I'd agree on the concept, but the actual cause is different. The actual reason is because people believe that the word gullible is not in the dictionary.

      Recently, there was an "employment agency" that sent out paper forms to applicants which were to be filled out and mailed in with a $20 cheque for a processing fee. The forms included sections for the Social Insurance Number, Driver's License number, DOB, mother's Maiden name, and other information not normally used by employers.

      Their intent was to obtain credit cards from banks with the applicant's personal information - hence, they used four different company names. The good news was that they were raided.

      • "The actual reason is because people believe that the word gullible is not in the dictionary."

        Too true :( The one girl I saw that pulled on in high school even looked it up in the dictionary, and didn't get it even after reading the definition aloud. Worst part is that she probably got better grades than I did because she actually did her homework...

        But back on-topic, that's what's most amazing to me, that more people don't know what information a type of institution should have. Or that more people
    • by slashid (940815)
      We all know that if you teach a man to phish he will eat for a lifetime....

    • or lack thereof is what makes phishing work. I remember being taught it in High School and wondering why, since it seemed so natural and obvious, but a lot of people have trouble thinking critically, and take everything at face value. Combine that with reading skills that prevent them from recognizing bad grammar and you've got a health crop of suckers.
    • by Anonymous Coward
      In defense of the clueless (NOT Jerry Taylor!) I have to ask you, how many people understand how a physical lock works? Well, all of them. You put the key in and turn it.

      Few have a clue about its tumblers and other doodads and geegaws.

      How many understand how a car works? "Yeah, I know how it works, you put the key in and turn it, then you drive away."

      A certified Ford mechanic knows about the car's crankshaft, cylinders, pistons, fuel injectors, all the other components and how they're put together as well a
      • by Anonymous Coward
        What if people bought cars like they do computers?

        General Motors doesn't have a "help line" for people who don't know how to drive, because people don't buy cars like they buy computers -- but imagine if they did . . .

        HELPLINE: "General Motors Helpline, how can I help you?"
        CUSTOMER: "I got in my car and closed the door, and nothing happened!"
        HELPLINE: "Did you put the key in the ignition slot and turn it?"
        CUSTOMER: "What's an ignition?"
        HELPLINE: "It's a starter motor that draws current from your battery and
  • by SComps (455760) on Thursday March 30, 2006 @12:52PM (#15027501) Homepage
    It works because it plays on the concept that seeing is believing; and most people will trust their eyes over their minds any day of the week.

  • by plover (150551) * on Thursday March 30, 2006 @12:52PM (#15027502) Homepage Journal
    The paper hints that the people selected for the study may not adequately represent the web-surfing public -- they may be "above average".

    Humanity is doomed.

  • by jawtheshark (198669) * <slashdot@jawthes h a r k . c om> on Thursday March 30, 2006 @12:53PM (#15027513) Homepage Journal
    It is summarized by: There's a sucker born every minute.

  • by cfortin (23148) <> on Thursday March 30, 2006 @12:53PM (#15027515)
    People are stupid. Total knuckle biters. Every one of them.

    That is all ...
  • Not surprising (Score:5, Insightful)

    by op12 (830015) on Thursday March 30, 2006 @12:53PM (#15027524) Homepage
    Think of the average internet user. I'm surprised that 77% are actually looking at more than just the content. It's probably because the media has made a big thing about it (as they should).
  • by TheCoders (955280) on Thursday March 30, 2006 @12:55PM (#15027552) Homepage
    "There's a sucker born every minute." Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams! It's not people like you and me that are the targets of phishing. Ask your grandmother what a URL is, and (with some exceptions, of course) you'll get a blank stare. Heck, ask the cute cocktail waitress at your local bar, and you'll get the same response (and I wonder why I can't get a date...). That's what we're up against.

    Don't get me wrong, I applaud these researchers and all other approaches to making the web a safer place, but in the end, at some point you have to trust that the user is going to take resposibility for their actions. The best we can do is bring the percentages down. The problem is it is so cheap to set up a phishing web site, that even if only one in several thousand potential targets fall for it, that's usually enough to ensure a profit.
    • Actually, these guys did nothing to make the web safer. They just tested methods for phishing, and identified the ones that worked best. A good example? Bank of the West [] and Bank of the West [] are two URLS, but only one of them leads to the real site. Even font makes a difference -- look at the slashdot [] link, and check out the link preview in the status bar. The difference is surprisingly hard to catch.
    • Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams!

      From the article summary: Some users think that favicons and lock icons in HTML are more important indicators.

      Want to take a guess why they think that "lock icon" is so important? Because for years they've been told by "toolt

    • Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams!

      From the article summary: Some users think that favicons and lock icons in HTML are more important indicators.

      As some other posters pointed out, "these were above average users, we're doomed". Not exactly the world's best paral

  • the phishers or the idiots who follow them.
  • by Geek_3.3 (768699)
    When the suspect site, for arguement's sake let us say it was a credit card scam (since i had one of those a couple of days ago) asks for EVERYTHING--card #, PIN, security code, mother's maiden name, login name, and LOGIN PASSWORD, alarm bells should go off in your head. Also, it is highly unlikely that someone is going to give you a carrot on the end of a stick(in this case, $20 for a simple 3 question blurb about how the site was running or some bs like that) without a big catch involved. The obvious ca
    • You know, there are scams that do look completely legitimate. In fact, there was recently an article in slashdot about how some scammer was able to obtain a valid ssl. Here it is []. Personally, I just don't click on any html links in my mail.
    • I suspected from the very beginning that it was a Phising scam, but it took me quite a while to figure out how it was done.

      They sent me an html email with a link that looked like it was going to my bank but actually went to an ip address in taiwan. The webpage they loaded created a popup window asking for login information and then used meta-refresh to load []

      Their login popup was presented in a look and feel that was completely consistent with my bank, and behind it was my real bank
  • by eldavojohn (898314) * <eldavojohn @ g m a i l . com> on Thursday March 30, 2006 @12:57PM (#15027573) Journal
    Why Phishing Works
    Phishing will always work. The intelligence and cautiousness of the population who use the internet is represented by some form of a normal curve. On the far left, a line falls for those users who will (out of innocence or ignorance) 'bite' on a phishing site. Thanks to e-mail, it is increasingly easier for phishermen (and phisherwomen) to select a random sample from this normal curve and those that fall to the left of the threshold will invariably become victims.

    To disrupt or completely stop this from happening is currently an impossible Herculean task.

    Even netting one person can result in thousands of dollars worth of damages. If one in every one million phishing works, of course they'll keep doing it.
    • I don't like arguments using the intelligence curve. That's like saying a certain percentage of people would do the Lemming thing, or a certain percentage of girls *will* go with strangers, or people *will* smoke whatever you give them (say, Crack).

      I rather believe that everything can be learned, and that current software/hardware systems simply suck, and of course that something like Phishing has to be very *carefully* examined and a good solution has to be chosen that's likely to be noticed by users.

      Of c
    • by Aspirator (862748) on Thursday March 30, 2006 @04:03PM (#15029564)
      It isn't helped by some of the 'genuine' emails one receives from
      supposedly reputable financial institutions.

      For example I received an email purporting to be from American Express,
      one of the links in it was of the form that showed [],
      however it actually pointed to ?mid=AnIdentifyingNumber&msrc=ENG-YES&url=https:// []

      i.e It purported to be a secure link, but actually was not.
      It piped the request through another (insecure) URL.

      I sent it on to the American Expresses Phishing people, and got only an
      automatic reply.

      Finally I phoned American Express Customer service who assured me that it was real,
      on the basis that they did actually send out emails like that. (!!!!)

      It showed all the hallmarks of a phishing email, and yet ultimately was genuine.

      How I am ever going to explain to Aunt Mary what signs to look out for
      in phishing emails, while the real financial institutions send out
      stuff like this, I don't know.

      You're right, it is a Herculean task.
  • People believe what they see, even when they shouldn't.

    People believe what they hear, even when it shouldn't be there.

    And people's experience shows that 99 percent of everything they see on the Internet must be true, or it wouldn't be written down, like for example the obvious Fact that not only is the Moon made of Yellow Cheese, but it's quite tasty.
  • With news of the obvious (to us geeks) like this, it won't take long for the US Congress to enact on-line voting.

    "Dauh, I thought I voted for the other guy when I clicked his picture in the e-mail reminding me to vote!"
  • DRTFA (Score:5, Interesting)

    by Billosaur (927319) * <wgrother AT optonline DOT net> on Thursday March 30, 2006 @01:03PM (#15027629) Journal

    People fall for phishing because:

    1. Most are not tech savvy, and have no idea the difference between http and https, don't look at the links they click on, and can't tell a spoofed URL from a real one on sight.
    2. Most people are pretty gullible. They believe what they're told, whether by a newscaster, the President, scientists, or the glowing pixels of a web page. Critical reasoning skills are lacking.
    3. Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.
    4. Most people believe the Internet is infallible. They think every person who has a blog or web page knows what they are talking about. They think if a page looks a little like what they normally see when they bank online, that it's the same thing, even though the URLs to the links are all wrong.
    You can't protect people from themselves, although our Congress tries to do this every day by passing inane laws that protect no one but the large corporations and billionaires. People who go online will continue to be duped as long as no concerted effort is made to educate them. Cue the PSAs.
    • Re:DRTFA (Score:5, Interesting)

      by Lumpy (12016) on Thursday March 30, 2006 @01:56PM (#15028266) Homepage
      Most people are pretty stupid. They get an email purportedly from their bank telling them they need to update their information for security purposes or have lost their bank account number, or something equally unlikely, and don't question it. They don't call their local bank branch to verify it, they simply click.

      Dude you seriousally underestimate the stupidity of the average human.

      I have seen people at the ATM intentionally swipe their card through a "card cleaner" stuck to the wall that was a reader.

      99% of the masses do not understand any of the technology they use daily in any way. They do not understand basic safety (Driving 4 feet from someone at 90mph is unsafe and stupid) and to top it off, they have to be told not to insert curling irons into a bodily orfice, and other things. Humans are too stupid to use most products safely which is why everything has a damned disclaimer on it.

      I will bet you that someone in Manhattan right now is getting a bridge sold to them, and they are seriousally considering it!
  • Give a man a victim, and he will feed on him till the victim stays, teach him to phish, and he stays alive for a lifetime.

    Light a fire, and the man stays warm till it is put off, set him on fire, and he stays warm for his lifetime.

  • by BlueCodeWarrior (638065) <> on Thursday March 30, 2006 @01:07PM (#15027681) Homepage
    I remember the one time I almost thought that I fell for a phishing scam.

    I got an email saying that my student loan company needed some more information to give me the loan. I had to log into thier website to check out what exactly it was and what I needed to send in.

    I just clicked the link in the email and typed my login information (of which the username is my SSN) and got a message to the effect of 'password incorrect, please try again.'

    I did this two or three times with some of the different passwords that I usually use...and then I thought about it.

    Oh fuck! The address bar said '' and my bank was Chase. I freaked out, thinking that I'd fallen for it...

    Turns out terri is the company that processes the loan or whatever and I had just mistyped the password. But I reminded myself to not be so trusting on the internet, and always re-type the site in for things like that...
    • by jafiwam (310805) on Thursday March 30, 2006 @01:56PM (#15028270) Homepage Journal
      Your experience is not just a failure of attention to detail of the user.

      It's a complete failure of the financial institution to realize they are creating situations where it is incredibly easy to teach bad habits.

      They should not be sending emails with links in them at all. (Better yet, no emails not already contained in the online banking web site where the user is already logged in.)

      So a HUGE portion of this problem is there _are_ legit emails that go out where there should be NONE.

      It's a little like teaching your cute little 14 year old girl with the budding boobies that all guys really do love and respect them and are all christians and tell the truth especially if they are 40 or older and have their own van. Yeah it may be true most of the time but the concequences sure are high.

      A little paranoia is a GOOD THING.

      A bank expecting the average user to differentiate between good emails and bad emails is just stupid, stupid, stupid. They should KNOW better. There should be flat laws against it and the problem would go away overnight.
  • by smooth wombat (796938) on Thursday March 30, 2006 @01:10PM (#15027701) Journal
    If you want to see how gullible or just plain stupid people are, check out the story in my Journal titled, 'Renowned psychiatrist bilked by Nigerian scam'. It was rejected by the editors so I plunked in my Journal.

    Even after the guy knew it was a scam and promised his son he wouldn't send any more money, he still did it anyway!

    Maybe a bit different than a phishing scam but along the same lines.
  • In stunning outcome of research on security indicates that people are weakest link in security chain.

    Other amazing developments include discovery water is wet, fire is hot, the sky is blue.

    Film at 11!
  • The home page for my housemate's Web browser was set to Yahoo, so whenever she needed to enter a URL, she just entered it into the Yahoo search field. It worked... most of the time. I mean she'd get a list of Web pages and one of them would be the right one. But it makes my teeth itch just thinking about it. She didn't seem to understand what a URL was at all.
  • by egarland (120202) on Thursday March 30, 2006 @01:18PM (#15027788)
    This is a post I wrote in response to the phishing site with a valid SSL cert []. I'll highlight the appropriate portion for this discussion.

    SSL Certificates don't have to be signed. You can create X509 self signed certs no problem. Web browsers just don't like them and pop up all kinds of warnings.

    They should tier SSL certs and make the higher level ones more difficult and time consuming to get:
    0 None
    1 Self Signed
    2 Small business
    3 Mid-sized business
    4 Large business
    5 Financial Institution

    Browsers should display a lock with a number explaining what encryption a site used (even when none is used) and could explain the rank when the icon is moused over. Then people always would have a place to look to check the rank before deciding if they should punch information in.

    The original SSL design was a good first step but it is definitely showing it's age today.

    For Anti-Phishing to work it needs a UI with support right down into the SSL layer.

    Currently it's next to impossible to diferentiate things on the web. It's the great equalizer, and as we are finding, it makes things *too* equal. You are on equal footing with a bank when trying to convince people to enter finantial information. We need a bit more structure, a few more checks and balances.
    • Why is a large business safer than a small business? One is actively trying to fuck me out of my money, the other's livelyhood usually depends on my satisfaction.
    • The article shows that the technology as it is now is too confusing. why would an extra layer of complexity make things better?
      Instead one should teach to make people learn the indicators: Creditcard companies should mail out phishing spam out themselves, an block every cardnumber they harvest. Lather, rinse, repeat. Only after they show in some test that they have the required knowledge should their cards be reinstated/reissued. Repeat offenders pay a pretty high reissue fee.
  • Nonsense (Score:2, Insightful)

    by rbowles (245829)

    Con-artists are older than recorded time. Snake-oil salesmen, crooked used-car lots, (snail) mail scams and their ilk are likely at least as prevalent even in our quasi-"Information Age".

    How many educated people have bought a lemon? I've known otherwise educated, extremely intelligent college-educated (students and grads alike) who've done this. Perhaps everyone should be fully educated about the hazards of auto-buying, phishing web-sites and maybe get a medical degree for proper evaluation of physicians

    • Re:Nonsense (Score:3, Insightful)

      by bckrispi (725257)
      The con artist is the same, but the scale is increased by an order of magnitude. If you wanted to find your mark through mail, you'd have the expense of postage and print materials. Plus the problem that once the scam is noticed, it's usually easy to trace. If you are a shady car salesman, you only have so many hours in the day to give your spiel. That, and you can usually only scam one person at a time.

      Phishing is a whole new level. Crooks have instant access to *millions* of targets. Email is free.

  • I was caught by a phishing scam once at my old company.

    An email was sent out that looked exactly like an official email and was linked to a page that looked exactly like the employee intranet page.

    I let my guard down just a tiny bit and got snagged.

    Phishing works because people are sometimes stupid and frequently lazy.
    • That should have read, "Phishing works because even tech savvy people are sometimes stupid and frequently lazy."
  • Phishing works because most people are suckers.

    On a related topic, I was trying to pay my Bank of America bill online yesterday and they had some new security system (called "SiteKey", I think. Probably (r)(tm) and whatever) where it gives me some picture and also had me provide 3 answers to 3 questions (like lost password questions). Now, I kind of went through it quickly, but I was under the impression that whenever I login, it was supposed to show me the picture (my Site Key) and told me not to use the s
  • I thought everyone knew about phishing and how to watch out for it, but then I got a great view of how average computer users obviously don't have any clue.

    A few months ago, my sister freaked out when someone broke into her PayPal account.

    I didn't find out until just a week or two ago that this was the direct result of her falling for a phishing attack - and that my mom fell for it too! They're lucky I live 12 hours away so I could smack them both upside the head. I'm not exactly shocked that my mom fel

  • Well, perhaps an unpopular opinion, but I don't see why favicons need to be shown for the current page anyway. It makes sense for bookmarks, but it seems showing it on the current page is just asking for this kind of confusion. How about just showing a generic icon until a site is bookmarked?
  • "the purpose of any scientific study is to prove what everyone already knows"
  • From the synopsis (and echoed in the paper): "The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate."

    While I don't mind taking a swipe at M$ft from time to time, I find it difficult to imagine how a brightly colored red address bar (even one outside the focus of attention) with "Phishing Website" written on it will be ignored.

    The only thing (and I am keeping in mind users that are not extremely tech savvy) that would be more obvious would be
  • by fak3r (917687) on Thursday March 30, 2006 @01:30PM (#15027929) Homepage
    I always encourage others to 'go on the offensive []' and help polute phisher's databases with the awesome site: []. Set a few tabs open to fill the phisher's database with useless Data, check back later and see the site is offline (likely from the attention garnered from all the bandwidth useage!

    As bosses would say "It's a win-win!"
  • Being able to identify a phony/suspicious URL? Hardly!

    I've had support calls here at the *hospital* from *doctors* who are trying to 'log in' to their computer in the Address Bar of IE.

    Phishing has the highest job security rating on the planet.
  • Something like over 300 Americans have fallen for the Nigerian 419 schemes too. Sixty minutes did a piece on a victim several years ago. Earlier year the son of demented California college professor tried to get guardianship over his father who fell for the scheme too.

    Judging by the fact I still get several of these emails a week, and used to get US mail paper letters in the 1980s; they perputrators are getting results from less than one per million emails. But someone is still making money.
  • []

    You have to admit it has the best name :-)

  • Clueless Companies (Score:2, Interesting)

    by penttan (720818)
    I have recently received some emails that I think may be legitimate but look like phishing attempts. Also Thunderbird thinks that it is a phising attempt.

    I am a registered at the BBC Shop. I have allowed them to send me email and they have been sending some offers. Lately the links in the email seem to go to [] with some unique id added. Even to the point that a link that has a text "" and looks like an email link is actually a link to a http request at the bbcshop
  • For the same reasons if tomorrow we just went and gave everyone a high-powered laser, 80% would burn their eye out (and probably their hand off).

    The three reasons phishing works:

    1) People are stupid
    2) More people have computers than should have them
    3) People are too lazy to learn how to properly use anything they own

    Computers should require an access card for use. An "I'm smart enough to use a computer" card. Initially getting the card should require a few months of testing and certification. What you are t
  • Congratulations, I could have told you that. This is why I'm glad not to be in IT support any more.
  • Hello greeating and God bless, friendly Slashdot reader chap bloke homeboy. I am Prince Roberto of Nigeria, and for to be further reading of this Slashdot post, I am need you for updating credit cards information in reply message, after which I be deopsit sixty millions of American dollars into your bnak accounts.
  • Sure, Phishing works. We know it does, and some of the most technical people can be caught offguard. It goes with any forgery of any secure material, be it fake IDs, S.S. Cards, etc.

    However, with regard to TFA, I have some doubts about their data. First, they use *only* 22 participants, which is a horribly low number. They give no background information of how they chose them. It could have just been 22 of their friends that they could con into playing with some web pages.

    Also, there are no controls wi
  • Maybe it's genetic (Score:3, Interesting)

    by MrNougat (927651) <> on Thursday March 30, 2006 @03:09PM (#15029067)
    No, seriously.

    I recall hearing about a study wherein monkeys were given the option of pressing one of two buttons at mealtime. Button A would always produce normal food. Button B would infrequently produce a treat, and usually produce nothing. The monkeys always pressed Button B.

    (I know, you can't let monkeys starve to death in an experiment, so it wasn't perfect perhaps, but it makes my point.)

    Shifting gears just a bit -- I have wondered for a long time myself how humanity has accomplished all that it has when such a large proportion of humans (those in charge of things as well as not) are complete morons. It seems to defy logic.

    Let's presume that the results of that experiment are correct. (If anyone has a link to substantiate my claim, I would appreciate it.) Monkeys gamble; they try to get something for nothing instead of going for the sure steady payoff. The inference, of course, is that humans do the same thing.

    Perhaps, over the long term (and I'm talking generations long), the "gambles" that individual human beings take pay off to the benefit of humanity as a whole. Think of the vast numbers of people, in attempts to invent fireworks, who must have blown their fingers or hands or heads off. People still do it. That's individual stupidity.

    But we've gone to the moon, we've sent probes to far-off planets, we have a world-girdling network of communications satellites. None of that would have been possible without the moronic work of tens of thousands of individual idiots.

    So, my hypothesis is as follows:

    The sum of individual stupidity is communal success.

    It's not tools, or language or brain size that sets humans apart from the beasts. We are more successful as a species because we are stupider as individuals.
  • I got "phished" a week ago from some scammer with a eBay handle of "precisionlaptops4u" looking for eBay logins. I emailed eBay and hoped they could shut the perp down. And then again yesterday I got another one. Same guy, same scam. The URL is : http://1342912795/intranet/forum/templates/subSilv er/images/wsbleh/ebay/index.html [1342912795] I started looking at the problem myself and put my findings at my Bloger blog. [] Same guy is still up, and doing it today.
  • by blueZ3 (744446) on Thursday March 30, 2006 @04:54PM (#15029978) Homepage
    If all email was plain text, phishing would decrease significantly. Unfortunately, we have "helpful" things like hyperlinks in email (a well-intentioned but bad idea) that help prepetuate this type of problem. I can't recall the last time I clicked a link in an email, but I can tell you it was a long time ago.

    Chances are, if the user had to copy and paste the bank's URL out of the email, it would be a lot harder to hide the fact that the URL directs to some non-official site (bankofthevvest is a counter-example, but it would still help). Most likely, people would type in the banks URL and create a bookmark. Then when they got the email they would open their browser and click the bookmark and log in. Problem eliminated.

    This isn't an IE/Outlook problem only, I admit. There are a lot of mail clients that provide this same "helpful" behavior. But as with auto-executing scripts in the OUtlook preview pane, it would be better (IMO) if they didn't.

Leveraging always beats prototyping.