
Why Phishing Works [1]

This article deals with Internet phishing, a common attack that directs users to fraudulent web sites and has spread rapidly across the web in recent years. Phishing attacks in the United States soared in 2007, when $3.2 billion was lost to these attacks, according to a survey by Gartner, Inc. The survey found that 3.6 million adults lost money in 2007, compared with the 2.3 million who did so the year before [2]. Most of the research on this issue deals with the website's credibility and ignores the attack strategies of the phishers. The many strategies used by phishers fall into three dimensions:
1) Lack of knowledge: many users lack the underlying knowledge of how emails, URLs and security indicators work. For example, many users think that the address www.ebay-members-security.com belongs to www.ebay.com. In addition, they do not know what the padlock icon (SSL) in the address bar means. Phishers exploit these gaps in their attacks.
2) Visual deception: phishers use various tricks to mimic legitimate text (switching letters in the domain name, e.g. writing "paypai.com" instead of "paypal.com"), images and windows (placing an illegitimate browser window on top of a legitimate one, with the same look and feel, so that users mistake it for the real one).
3) Bounded attention: this dimension refers to strategies that exploit users' inattention to security indicators, or to their absence.
To examine the main question, "Why does phishing work?", the researchers ran a study with 22 participants, who were asked to judge the credibility of e-commerce and finance websites, some spoofed and some real. The conclusions point to five user strategies that help explain the question and the phishers' success:
a) Security indicators in website content only: 23% of the users checked only the website content (logo, graphic design, links, etc.).
b) Content and domain name only: the largest group of users (36%) checked only the content and the address bar.
c) Content and address, plus HTTPS: 9% of the users also relied on the presence of "HTTPS" as a security signal.
d) All of the above, plus the padlock icon: 23% of the users also looked for the padlock icon, but most of them gave more credence to padlock icons that appeared within the content of the page.
e) All of the above, plus certificates: 9% of the users also checked the site's certificate in the browser.
Example: 90.9% of the users incorrectly judged the website www.bankofthevvest.com (two "v"s instead of a "w") to be legitimate; many of them said the content looked credible, and some of them clicked on the VeriSign logo (SSL) and got a familiar window confirming the SSL certificate (any site can provide this window). One user clicked on the Chinese version and found the content perfect.
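As an added example (not from the reviewed paper or its authors), the following Python check flags the lookalike domains discussed above (paypai.com, www.bankofthevvest.com, www.ebay-members-security.com) against a constructed allowlist of brand domains; the allowlist, the confusable table, the two-label domain extraction and the one-edit threshold are assumptions made for the demonstration.

```python
BRANDS = {"paypal.com", "ebay.com", "bankofthewest.com"}  # constructed allowlist

# Character sequences that read like a single letter at a glance (assumed table).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("1", "l"), ("0", "o")]


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. www.ebay.com -> ebay.com (simplified; no Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Undo glyph tricks so 'bankofthevvest' compares as 'bankofthewest'."""
    for seq, letter in CONFUSABLES:
        label = label.replace(seq, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated' for a hostname."""
    labels = host.lower().strip(".").split(".")
    domain = registrable_domain(host)
    if domain in BRANDS:
        return "legitimate"
    name = normalize(domain.split(".")[0])
    for brand in sorted(BRANDS):
        brand_name = brand.split(".")[0]
        if (brand_name in name.split("-")              # ebay-members-security.com
                or brand_name in labels[:-2]            # brand used as a subdomain label
                or edit_distance(name, brand_name) <= 1):  # paypai, bankofthevvest
            return f"lookalike:{brand}"
    return "unrelated"


if __name__ == "__main__":
    for h in ["www.paypal.com", "paypai.com", "www.bankofthevvest.com",
              "www.ebay-members-security.com", "example.org"]:
        print(f"{h:32} {classify(h)}")
```

The check is only a browser-side or mail-gateway aid: it catches the three tricks the study names but, as the article's results show, users who ignore the address bar entirely get no benefit from it.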

[1] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.115.4430&rep=rep1&type=pdf
[2] McCall, Tom (December 17, 2007). "Gartner Survey Shows Phishing Attacks Escalated in 2007; More than $3 Billion Lost to These Attacks"
In conclusion, when phishers know all these weaknesses they can easily defraud users. Therefore, when we design a website we have to take into account these security issues and how easily a fake copy of the site can be created. The article suggests designing a remote server that proves a website's identity in a way that is easy for a user to verify but difficult for an attacker to spoof. I think that focusing on these phishing attack strategies is the right way to highlight internet fraud. Once we know these methods and strategies, we will have the awareness that is the most crucial factor, and we will be able to handle these attacks more easily. In the past, I had a couple of experiences with web fraud: I received spoofed emails from "PayPal" several times, asking me to follow the attached link in order to change my personal information. On one occasion I followed that link and allegedly changed my information; later on I noticed that my bank account had been debited for purchases totaling $200 that I was not familiar with. Eventually the credit card company refunded me. This personal experience shows us that we should be more careful and know all the above attacker strategies when we use e-commerce.
In our course we talked about all the advantages of the web and how it simplifies our lives; however, following this article's conclusions, one of the biggest disadvantages of the web is internet fraud. As I mentioned before, phishers' main proficiency is in the e-commerce field, but we have to know that they can also intrude through other fields (social networks, etc.) and obtain users' confidential information. Therefore, when we create a security system we must help the user to distinguish legitimate security indicators and alert users to spoofed websites.
