CUNA News Now: Study: Why phishing works

News Now LiveWire

Most CUs will provide wage increases for at least some of their employees, according to CUNA's just-released Small CU Staff Salary Survey. 12 hours ago

St. L Post Dispatch on GAO report:Consumers may not benefit from altering Interchange system;would cut card competition. http://ow.ly/ETyX 13 hours ago

CUNA's Hampel: Consumer holiday spending will be up slightly from last year. See Tues NN. 17 hours ago

NCCUL and WOCCU met with Romanian CUs this week. The CUs are experiencing growth and want to increase their public relations efforts. 4 days ago

Kent Buckham has been named by NCUA as director of the newly created Office of Consumer Protection. The 7-person dept. launches in Jan. 4 days ago

Sign up; more tweets...

BOSTON (4/19/06)--Harvard University and University of California Berkeley researchers analyzed why the use of look-alike sites and urgent e-mails are so effective in tricking consumers into giving their personal information. Despite widespread public warnings about the dangers of phishing, consumers tend not to look for clues that help distinguish real sites from fake ones (Harvard University April 2006).

Phishing is a type of fraud that directs computer users to bogus websites. About two million users gave information to bogus websites resulting in direct losses of $1.2 billion for financial institutions and card issuers in 2003. Gartner Research (June 22, 2005) found that the number of phishing attack e-mail recipients grew 28% by mid-2005, based on a survey of 5,000 online U.S. consumers.

After conducting tests on a small sample of users, researchers found that most users were unable to distinguish fake from legitimate e-mails. Nearly a quarter of subjects in the study didn't look at the address bar, status bar, or other security indicators on the fraudulent sites. Phishers exploit the fact that some users don't understand the meaning or syntax of domain names and therefore can't distinguish legitimate URLs from fraudulent ones. When presented with ebay-members-security.com, many users mistakenly believed the URL belongs to ebay.com.

Many computer users don't have the skills to distinguish forged from legitimate headers, and they don't know that a closed padlock icon in the browser indicates that the page they're viewing was delivered securely by SSL. More specifically, many users don't know that legitimate padlock icons must appear in the area around the web page; phishers can arbitrarily place the icon in the content of the web page to make you think the site is legitimate.

Users often are fooled by substitute letters that often go unnoticed (for example, using a lowercase "i" which looks similar to the letter "I", or using the number "1" for the letter "I"). And, while images and logos may be copied perfectly, many users don't know to look for misspellings or other signs of unprofessional design. In one carefully spoofed e-mail, researchers used bankofthevvest.com (with a double "v" instead of "w"), inserted a padlock in the content, spoofed the VeriSign logo and certificate validation seal, and added a pop-up consumer security alert. Despite multiple opportunities to catch the phish, 91% or participants mistakenly guessed it was legitimate.

The Federal Trade Commission and the Anti-Phishing Working Group offer the following additional tips:



SEARCH Headlines Washington CU System Market Products & Services Consumer Print Today’s News Photo Gallery Videos Monthly Top 10 Archive Headlines via Email Enter your email address: text or HTML RSS Feed What is RSS? Contact News Now
	News Now LiveWire Most CUs will provide wage increases for at least some of their employees, according to CUNA's just-released Small CU Staff Salary Survey. 12 hours ago St. L Post Dispatch on GAO report:Consumers may not benefit from altering Interchange system;would cut card competition. http://ow.ly/ETyX 13 hours ago CUNA's Hampel: Consumer holiday spending will be up slightly from last year. See Tues NN. 17 hours ago NCCUL and WOCCU met with Romanian CUs this week. The CUs are experiencing growth and want to increase their public relations efforts. 4 days ago Kent Buckham has been named by NCUA as director of the newly created Office of Consumer Protection. The 7-person dept. launches in Jan. 4 days ago Sign up; more tweets... Study: Why phishing works BOSTON (4/19/06)--Harvard University and University of California Berkeley researchers analyzed why the use of look-alike sites and urgent e-mails are so effective in tricking consumers into giving their personal information. Despite widespread public warnings about the dangers of phishing, consumers tend not to look for clues that help distinguish real sites from fake ones (Harvard University April 2006). Phishing is a type of fraud that directs computer users to bogus websites. About two million users gave information to bogus websites resulting in direct losses of $1.2 billion for financial institutions and card issuers in 2003. Gartner Research (June 22, 2005) found that the number of phishing attack e-mail recipients grew 28% by mid-2005, based on a survey of 5,000 online U.S. consumers. After conducting tests on a small sample of users, researchers found that most users were unable to distinguish fake from legitimate e-mails. Nearly a quarter of subjects in the study didn't look at the address bar, status bar, or other security indicators on the fraudulent sites. Phishers exploit the fact that some users don't understand the meaning or syntax of domain names and therefore can't distinguish legitimate URLs from fraudulent ones. When presented with ebay-members-security.com, many users mistakenly believed the URL belongs to ebay.com. Many computer users don't have the skills to distinguish forged from legitimate headers, and they don't know that a closed padlock icon in the browser indicates that the page they're viewing was delivered securely by SSL. More specifically, many users don't know that legitimate padlock icons must appear in the area around the web page; phishers can arbitrarily place the icon in the content of the web page to make you think the site is legitimate. Users often are fooled by substitute letters that often go unnoticed (for example, using a lowercase "i" which looks similar to the letter "I", or using the number "1" for the letter "I"). And, while images and logos may be copied perfectly, many users don't know to look for misspellings or other signs of unprofessional design. In one carefully spoofed e-mail, researchers used bankofthevvest.com (with a double "v" instead of "w"), inserted a padlock in the content, spoofed the VeriSign logo and certificate validation seal, and added a pop-up consumer security alert. Despite multiple opportunities to catch the phish, 91% or participants mistakenly guessed it was legitimate. The Federal Trade Commission and the Anti-Phishing Working Group offer the following additional tips: Use anti-virus software and a firewall, and keep them up to date. They can protect you from inadvertently accepting fraudulent files. Download free software patches if your browser offers them. Never give personal or financial information in e-mail messages. E-mail isn't a secure method of transmitting personal information. If you want to provide personal or financial information through an organization's website, look for a padlock icon on the browser's status bar (not in the content of the Web page), or a URL that begins "https." Check all statements for unauthorized charges. Be careful about opening attachments or downloading files from e-mail messages; these files may contain viruses or software that can weaken your computer's security. Forward fraudulent e-mails to the credit union, company, or organization impersonated in the phishing e-mail. If you think you've been a victim of phishing, file a complaint at ftc.gov and then visit the Federal Trade Commission's Identity Theft website at consumer.gov/idtheft. Resource Links Statement Stuffer: Phishing: Don’t Take the Bait Statement Stuffer: ID Theft: How to Prevent It and How to Get Over It Federal Trade Commission FTC's Identity Theft website Phishing and Pharming and More, Oh My! webinar Related stories: Phish Fraud More Consumer
	Copyright © 2009 - Credit Union National Association, Inc.

More Consumer